27 research outputs found

    Defeating Script Injection Attacks with Browser Enforced Embedded Policies

    Web sites that accept and display content such as wiki articles or comments typically filter the content to prevent injected script code from running in browsers that view the site. The diversity of browser rendering algorithms and the desire to allow rich content make filtering quite difficult, however, and attacks such as the Samy and Yamanner worms have exploited filtering weaknesses. To solve this problem, this paper proposes a simple mechanism called Browser-Enforced Embedded Policies (BEEP). The idea is that a web site can embed a policy inside its pages that specifies which scripts are allowed to run. The browser, which knows exactly when it will run a script, can enforce this policy perfectly. We have added BEEP support to several browsers, and built tools to simplify adding policies to web applications. We found that supporting BEEP in browsers requires only small and localized modifications, modifying web applications requires minimal effort, and enforcing policies is generally lightweight.

    Secure end-to-end browsing system with mobile composition

    To address the increasingly serious leakage problem in remote access to confidential data, this paper designs and implements a secure end-to-end browsing system with mobile composition. It enables mobile-authenticated users to securely browse confidential files stored on the server side using their personal computers. Authentication is performed in real time, so the system can stop the browsing function once it detects that the authenticated mobile device is out of communication range of the user's personal computer. © 2011 IEEE.

    Automatic Creation of SQL Injection and Cross-Site Scripting Attacks

    We present a technique for finding security vulnerabilities in Web applications. SQL Injection (SQLI) and cross-site scripting (XSS) attacks are widespread forms of attack in which the attacker crafts the input to the application to access or modify user data and execute malicious code. In the most serious attacks (called second-order, or persistent, XSS), an attacker can corrupt a database so as to cause subsequent users to execute malicious code. This paper presents an automatic technique for creating inputs that expose SQLI and XSS vulnerabilities. The technique generates sample inputs, symbolically tracks taints through execution (including through database accesses), and mutates the inputs to produce concrete exploits. Ours is the first analysis of which we are aware that precisely addresses second-order XSS attacks. Our technique creates real attack vectors, has few false positives, incurs no runtime overhead for the deployed application, works without requiring modification of application code, and handles dynamic programming-language constructs. We implemented the technique for PHP, in a tool, Ardilla. We evaluated Ardilla on five PHP applications and found 68 previously unknown vulnerabilities (23 SQLI, 33 first-order XSS, and 12 second-order XSS).

    New Methods for Targeted Advertising and User Tracking on the Internet

    Internet usage is increasing every day. Nowadays, since the advent of smartphones, smart tablets and smart watches, people tend to be permanently online, even in mobility conditions. Free Wi-Fi connectivity is provided in public areas such as parks, coffee shops and airports, and is becoming the norm: people are expecting it. This trend led free Wi-Fi providers and other network agents to look for ways of monetizing their networks through targeted advertising and user tracking. However, this may be problematic because of the resulting privacy concerns. In this thesis, we identify the possible ways of carrying out such actions, as well as methods that have been designed by the research community to study their impact. We then present WALTER, a tool which focuses on detecting content injection in downstream HTTP traffic.

    Internet use grows day by day. Today, since the appearance of smartphones, tablets and connected watches, users tend to stay online permanently, even while on the move. Public Wi-Fi access points are more and more present in parks, cafés and airports: having free Internet access in public places is becoming the norm. This trend leads access providers and network intermediaries to devise ways of monetizing their network infrastructure through targeted advertising and user tracking. However, this raises confidentiality and privacy problems. In this report, we identify the technical means that allow network intermediaries to implement such practices. We also analyse the methods that the scientific community has developed to study their impact. We then present WALTER, a tool whose purpose is to detect content injection in downstream HTTP traffic.

    ESCUDO: A Fine-grained Protection Model for Web Browsers

    Web applications are no longer simple hyperlinked documents. They have progressively evolved to become highly complex: web pages combine content from several sources (with varying levels of trustworthiness), and incorporate significant portions of client-side code. However, the prevailing web protection model, the same-origin policy, has not adequately evolved to manage the security consequences of this additional complexity. As a result, web applications have become attractive targets of exploitation. We argue that this disconnection between the protection needs of modern web applications and the protection models used by web browsers that manage those applications amounts to a failure of access control. In this paper, we present Escudo, a new web browser protection model designed based on established principles of mandatory access control. We describe our implementation of a prototype of Escudo in the Lobo web browser, and illustrate how web applications can use Escudo for securing their resources. Our evaluation results indicate that Escudo incurs low overhead. To support backwards compatibility, Escudo defaults to the same-origin policy for legacy applications.

    Automated removal of cross site scripting vulnerabilities in web applications

    Cross-site scripting (XSS) is among the top web application vulnerabilities according to recent surveys. This vulnerability occurs when a web application uses inputs received from users in web pages without properly checking them. This allows an attacker to inject malicious scripts into web pages via such inputs, so that the scripts perform malicious actions when a client visits the exploited web pages. Such an attack may cause serious security violations such as account hijacking and cookie theft. Current approaches to mitigating this problem mainly focus on effective detection of XSS vulnerabilities in programs or prevention of XSS attacks at run time. As more sophisticated attack vectors are discovered, vulnerabilities that are not removed could be exploited at any time. To address this issue, this paper presents an approach for removing XSS vulnerabilities from web applications. Based on static analysis and pattern matching techniques, our approach identifies potential XSS vulnerabilities in program source code and secures them with appropriate escaping mechanisms that prevent input values from causing any script execution. We developed a tool, saferXSS, to implement the proposed approach. Using the tool, we evaluated the applicability and effectiveness of the proposed approach through experiments on five Java-based web applications. Our evaluation has shown that the tool can be applied to real-world web applications and that it automatically removed all the real XSS vulnerabilities in the test subjects.

    Next Generation Black-Box Web Application Vulnerability Analysis Framework

    Web applications are an incredibly important aspect of our modern lives. Organizations and developers use automated vulnerability analysis tools, also known as scanners, to automatically find vulnerabilities in their web applications during development. Scanners have traditionally fallen into two types of approaches: black-box and white-box. In the black-box approaches, the scanner does not have access to the source code of the web application, whereas a white-box approach has access to the source code. Today's state-of-the-art black-box vulnerability scanners employ various methods to fuzz and detect vulnerabilities in a web application. However, these scanners attempt to fuzz the web application with a number of known payloads and try to trigger a vulnerability. This technique is simple but does not understand the web application that it is testing. This thesis presents a new approach to vulnerability analysis. The vulnerability analysis module presented uses a novel approach of Inductive Reverse Engineering (IRE) to understand and model the web application. IRE first attempts to understand the behavior of the web application by giving a certain number of input/output pairs to the web application. Then, the IRE module hypothesizes a set of programs (in a limited language specific to web applications, called AWL) that satisfy the input/output pairs. These hypotheses take the form of a directed acyclic graph (DAG). The AWL vulnerability analysis module can then attempt to detect vulnerabilities in this DAG. Further, it generates the payload based on the DAG, and therefore this payload will be a precise payload to trigger the potential vulnerability (based on our understanding of the program). It then tests this potential vulnerability using the generated payload on the actual web application, and creates a verification procedure to confirm, based on the web application's response, whether the potential vulnerability is real.