Monitoring web applications for vulnerability discovery and removal under attack

Tese de mestrado, Engenharia Informática (Arquitetura, Sistemas e Redes de Computadores) Universidade de Lisboa, Faculdade de Ciências, 2018Web applications are ubiquitous in our everyday lives, as they are deployed in the most diverse contexts and support a variety of services. The correctness of these applications, however, can be compromised by vulnerabilities left in their source code, often incurring in nefarious consequences, such as the theft of private data and the adulteration of information. This dissertation proposes a solution for the automatic detection and removal of vulnerabilities in web applications programmed in the PHP language. By monitoring the user interactions with the web applications with traditional attack discovery tools, it is possible to identify malicious inputs that are eventually provided by attackers. These in- puts are then explored by a directed static analysis approach, allowing for the discovery of potential security issues and the correction of bugs in the program. The solution was implemented and validated with a set of vulnerable web applications. The experimental results demonstrate that the tool is capable of detecting and correcting SQL Injection and XSS vulnerabilities. In total 174 vulnerabilities were found in 5 web applications, where 2 of these were previously unknown by the research community(i.e., they were ”zero-day” vulnerabilities)

Método para la detección y prevención de ataques web mediante la parametrización de un proxy reverso basado en software libre.

El Objetivo fue proponer un método para detectar y prevenir ataques web más comunes mediante la parametrización de directivas y reglas sobre un servidor web para que funcione como un proxy reverso basado en software libre. Las infraestructuras utilizadas como proxy reverso fueron; Apache+Mod_Security, Nginx+Naxsi y Hiawatha, estas poseen características de seguridad que fueron estudias, analizadas y validas mediantes pruebas de laboratorio en diferentes escenarios. Al comparar las tres infraestructuras protegidas se observó que la herramienta Apache+Mod_security es la que ofrece una mayor capacidad de detección y prevención a los tipos de ataques web efectuados como; SQLi, XSS, fuerza bruta, inyección de comandos, CSRF, entre otros, ya que detectó el 90% de los ataques y contrarrestó al 80% de los mismos. A diferencia de la herramienta Nginx+Naxsi que detecta y corrige el 60% de los ataques y del Hiawatha que lo hace en el 70% de los casos. Se concluyó que el proxy reverso basado en la infraestructura Apache+Mod_security brinda mayores prestaciones para la detección y prevención de los riesgos más críticos en aplicaciones web de acuerdo al Top 10 de OWASP, por lo tanto se creó un paquete instalador que contiene la parametrización de dicha herramienta basada en software libre, y así aportar al personal inmiscuido en el área de la seguridad informática un método que sirva para mejorar la defensa de sitios dinámicos ante ataques web. Así mismo se recomienda la utilización del proxy reverso como seguridad complementaria más no como seguridad principal ante una aplicación web, la seguridad principal se la debe abarcar en la fase de desarrollo de una aplicación web.The aim was to propose a method to detect and prevent the more common web attacks through parameterizing directives and rules on a web server to function as a reverse proxy based on free software. The infrastructures used as a reverse proxy were; Apache+Mod_Security, Nginx+Naxsi and Hiawatha, these have characteristics of security that were studied, analysed and validated through laboratory tests in different scenarios. When comparing the three protected infrastructures, it was observed that the Apache+Mood_security tool is the one that offers a greater capacity of detection and prevention to the types of web attacks carried out such as; SQLi, XSS, brute force, command injection, CSRF, among others, since it detected the 90% of the attacks and neutralized the 80% of them. Unlike the Nginx+Naxsi tool detects and corrects 60% of attacks and Hiawatha that does so in 70% of cases. It was concluded that the reverse proxy was based on infrastructure Apache+Mod_security provided greater benefits for the detection and prevention of the most critical risks in web applications according to the top 10 of the OWASP principle, therefore, it was created a package that contains the parameterization of the mentioned tool based on free software, and thus provide to the computer security immersed staff a method that serves to improve the defence of dynamic sites against web attacks. The use of the reverse proxy is recommended as complementary security, but not as a main security in front of a web application. The main security must be approached in the development phase of a web application

Anomaly detection of web-based attacks

Tese de mestrado em Segurança Informática, apresentada à Universidade de Lisboa, através da Faculdade de Ciências, 2010Para prevenir ataques com sucesso, é crucial que exista um sistema de detecção que seja preciso e completo. Os sistemas de detecção de intrusão (IDS) baseados em assinaturas são uma das abordagens mais conhecidas para o efeito, mas não são adequados para detectar ataques web ou ataques previamente desconhecidos. O objectivo deste projecto passa pelo estudo e desenho de um sistema de detecção de intrusão baseado em anomalias capaz de detectar esses tipos de ataques. Os IDS baseados em anomalias constroem um modelo de comportamento normal através de dados de treino, e em seguida utilizam-no para detectar novos ataques. Na maioria dos casos, este modelo é representativo de mais exemplos de comportamento normal do que os presentes nos dados de treino, característica esta a que chamamos generalização e que é fundamental para aumentar a precisão na detecção de anomalias. A precisão da detecção e, portanto, a utilidade destes sistemas, é consideravelmente influenciada pela fase de construção do modelo (muitas vezes chamada fase de treino), que depende da existência de um conjunto de dados sem ataques que se assemelhe ao comportamento normal da aplicação protegida. A construção de modelos correctos é particularmente importante, caso contrário, durante a fase de detecção, provavelmente serão geradas grandes quantidades de falsos positivos e falsos negativos pelo IDS. Esta dissertação detalha a nossa pesquisa acerca da utilização de métodos baseados em anomalias para detectar ataques contra servidores e aplicações web. As nossas contribuições incidem sobre três vertentes distintas: i) procedimentos avançados de treino que permitem aos sistemas de detecção baseados em anomalias um bom funcionamento, mesmo em presença de aplicações complexas e dinâmicas, ii) um sistema de detecção de intrusão que compreende diversas técnicas de detecção de anomalias capazes de reconhecer e identificar ataques contra servidores e aplicações web e iii) uma avaliação do sistema e das técnicas mais adequadas para a detecção de ataques, utilizando um elevado conjunto de dados reais de tráfego pertencentes a uma aplicação web de grandes dimensões alojada em servidores de produção num ISP Português.To successfully prevent attacks it is vital to have a complete and accurate detection system. Signature-based intrusion detection systems (IDS) are one of the most popular approaches, but they are not adequate for detection of web-based or novel attacks. The purpose of this project is to study and design an anomaly-based intrusion detection system capable of detecting those kinds of attacks. Anomaly-based IDS can create a model of normal behavior from a set of training data, and then use it to detect novel attacks. In most cases, this model represents more instances than those in the training data set, a characteristic that we designate as generalization and which is necessary for accurate anomaly detection. The accuracy of such systems, which determines their effectiveness, is considerably influenced by the model building phase (often called training), which depends on having data that is free from attacks resembling the normal operation of the protected application. Having good models is particularly important, or else significant amounts of false positives and false negatives will likely be generated by the IDS during the detection phase. This dissertation details our research on the use of anomaly-based methods to detect attacks against web servers and applications. Our contributions focus on three different strands: i) advanced training procedures that enable anomaly-based learning systems to perform well even in presence of complex and dynamic web applications; ii) a system comprising several anomaly detection techniques capable of recognizing and identifying attacks against web servers and applications and iii) an evaluation of the system and of the most suitable techniques for anomaly detection of web attacks, using a large data set of real-word traffic belonging to a web application of great dimensions hosted in production servers of a Portuguese ISP