Monitoring web applications for vulnerability discovery and removal under attack
Master's thesis, Informatics Engineering (Architecture, Systems and Computer Networks), Universidade de Lisboa, Faculdade de Ciências, 2018
Web applications are ubiquitous in our everyday lives, as they are deployed in the most diverse contexts and support a variety of services. The correctness of these applications, however, can be compromised by vulnerabilities left in their source code, often leading to nefarious consequences such as the theft of private data and the tampering of information. This dissertation proposes a solution for the automatic detection and removal of vulnerabilities in web applications written in the PHP language. By monitoring user interactions with the web applications using traditional attack discovery tools, it is possible to identify malicious inputs that are eventually provided by attackers. These inputs are then explored by a directed static analysis approach, allowing for the discovery of potential security issues and the correction of bugs in the program. The solution was implemented and validated with a set of vulnerable web applications. The experimental results demonstrate that the tool is capable of detecting and correcting SQL Injection and XSS vulnerabilities. In total, 174 vulnerabilities were found in 5 web applications, 2 of which were previously unknown to the research community (i.e., they were "zero-day" vulnerabilities).
Method for the detection and prevention of web attacks through the parameterization of a reverse proxy based on free software.
The aim was to propose a method to detect and prevent the most common web attacks by parameterizing directives and rules on a web server so that it functions as a reverse proxy based on free software. The infrastructures used as reverse proxies were Apache+Mod_Security, Nginx+Naxsi and Hiawatha; these have security features that were studied, analysed and validated through laboratory tests in different scenarios. When comparing the three protected infrastructures, it was observed that the Apache+Mod_Security tool offers the greatest capacity for detecting and preventing the types of web attacks carried out, such as SQLi, XSS, brute force, command injection and CSRF, among others, since it detected 90% of the attacks and neutralized 80% of them. By contrast, the Nginx+Naxsi tool detects and corrects 60% of the attacks, and Hiawatha does so in 70% of cases. It was concluded that the reverse proxy based on the Apache+Mod_Security infrastructure provides greater benefits for the detection and prevention of the most critical risks in web applications according to the OWASP Top 10; therefore, an installer package was created that contains the parameterization of this free-software tool, so as to provide staff involved in the area of computer security with a method that serves to improve the defence of dynamic sites against web attacks. The use of the reverse proxy is likewise recommended as complementary security, not as the main security of a web application; the main security must be addressed in the development phase of the web application.
Anomaly detection of web-based attacks
Master's thesis in Information Security, submitted to Universidade de Lisboa through the Faculdade de Ciências, 2010
To successfully prevent attacks, it is vital to have a complete and accurate detection system. Signature-based intrusion detection systems (IDS) are one of the most popular approaches, but they are not adequate for detecting web-based or previously unknown attacks. The purpose of this project is to study and design an anomaly-based intrusion detection system capable of detecting those kinds of attacks. Anomaly-based IDS build a model of normal behavior from a set of training data and then use it to detect novel attacks. In most cases, this model represents more instances of normal behavior than those present in the training data set, a characteristic that we call generalization and which is essential for accurate anomaly detection. The accuracy of detection, and therefore the usefulness of such systems, is considerably influenced by the model-building phase (often called training), which depends on having attack-free data that resembles the normal operation of the protected application. Building correct models is particularly important; otherwise, significant numbers of false positives and false negatives will likely be generated by the IDS during the detection phase. This dissertation details our research on the use of anomaly-based methods to detect attacks against web servers and applications.
Our contributions focus on three different strands: i) advanced training procedures that enable anomaly-based detection systems to perform well even in the presence of complex and dynamic web applications; ii) an intrusion detection system comprising several anomaly detection techniques capable of recognizing and identifying attacks against web servers and applications; and iii) an evaluation of the system and of the most suitable techniques for detecting web attacks, using a large data set of real-world traffic belonging to a large web application hosted on production servers of a Portuguese ISP.
- …