3,432 research outputs found
Escrow: A large-scale web vulnerability assessment tool
The reliance on Web applications has increased rapidly over the years. At the same time, the quantity and impact of application security vulnerabilities have grown as well. Amongst these vulnerabilities, SQL Injection has been classified as the most common, dangerous and prevalent web application flaw. In this paper, we propose Escrow, a large-scale SQL Injection detection tool with an exploitation module that is light-weight, fast and platform-independent. Escrow uses a custom search implementation together with a static code analysis module to find potential target web applications. Additionally, it provides a simple to use graphical user interface (GUI) to navigate through a vulnerable remote database. Escrow is implementation-agnostic, i.e. It can perform analysis on any web application regardless of the server-side implementation (PHP, ASP, etc.). Using our tool, we discovered that it is indeed possible to identify and exploit at least 100 databases per 100 minutes, without prior knowledge of their underlying implementation. We observed that for each query sent, we can scan and detect dozens of vulnerable web applications in a short space of time, while providing a means for exploitation. Finally, we provide recommendations for developers to defend against SQL injection and emphasise the need for proactive assessment and defensive coding practices
The Transitivity of Trust Problem in the Interaction of Android Applications
Mobile phones have developed into complex platforms with large numbers of
installed applications and a wide range of sensitive data. Application security
policies limit the permissions of each installed application. As applications
may interact, restricting single applications may create a false sense of
security for the end users while data may still leave the mobile phone through
other applications. Instead, the information flow needs to be policed for the
composite system of applications in a transparent and usable manner. In this
paper, we propose to employ static analysis based on the software architecture
and focused data flow analysis to scalably detect information flows between
components. Specifically, we aim to reveal transitivity of trust problems in
multi-component mobile platforms. We demonstrate the feasibility of our
approach with Android applications, although the generalization of the analysis
to similar composition-based architectures, such as Service-oriented
Architecture, can also be explored in the future
The Construction of a Static Source Code Scanner Focused on SQL Injection Vulnerabilties in Java
SQL injection attacks are a significant threat to web application security, allowing attackers to execute arbitrary SQL commands and gain unauthorized access to sensitive data. Static source code analysis is a widely used technique to identify security vulnerabilities in software, including SQL injection attacks. However, existing static source code scanners often produce false positives and require a high level of expertise to use effectively. This thesis presents the design and implementation of a static source code scanner for SQL injection vulnerabilities in Java queries. The scanner uses a combination of pattern matching and data flow analysis to detect SQL injection vulnerabilities in code. The scanner identifies vulnerable code by analyzing method calls, expressions, and variable declarations to detect potential vulnerabilities.
To evaluate the scanner, malicious SQL code is manually injected in queries to test the scanner\u27s ability to detect vulnerabilities. The results showed that the scanner could identify a high percentage of SQL injection vulnerabilities.
The limitations of the scanner include the inability to detect runtime user input validation and the reliance on predefined patterns and heuristics to identify vulnerabilities. Despite these limitations, the scanner provides a useful tool for junior developers to identify and address SQL injection vulnerabilities in their code.
This thesis presents a static source code scanner that can effectively detect SQL injection vulnerabilities in Java web applications. The scanner\u27s design and implementation provide a useful contribution to the field of software security, and future work could focus on improving the scanner\u27s precision and addressing its limitations
ODDFUZZ: Discovering Java Deserialization Vulnerabilities via Structure-Aware Directed Greybox Fuzzing
Java deserialization vulnerability is a severe threat in practice.
Researchers have proposed static analysis solutions to locate candidate
vulnerabilities and fuzzing solutions to generate proof-of-concept (PoC)
serialized objects to trigger them. However, existing solutions have limited
effectiveness and efficiency. In this paper, we propose a novel hybrid solution
ODDFUZZ to efficiently discover Java deserialization vulnerabilities. First,
ODDFUZZ performs lightweight static taint analysis to identify candidate gadget
chains that may cause deserialization vulner-abilities. In this step, ODDFUZZ
tries to locate all candidates and avoid false negatives. Then, ODDFUZZ
performs directed greybox fuzzing (DGF) to explore those candidates and
generate PoC testcases to mitigate false positives. Specifically, ODDFUZZ
applies a structure-aware seed generation method to guarantee the validity of
the testcases, and adopts a novel hybrid feedback and a step-forward strategy
to guide the directed fuzzing. We implemented a prototype of ODDFUZZ and
evaluated it on the popular Java deserialization repository ysoserial. Results
show that, ODDFUZZ could discover 16 out of 34 known gadget chains, while two
state-of-the-art baselines only identify three of them. In addition, we
evaluated ODDFUZZ on real-world applications including Oracle WebLogic Server,
Apache Dubbo, Sonatype Nexus, and protostuff, and found six previously
unreported exploitable gadget chains with five CVEs assigned.Comment: To appear in the Main Track of IEEE S&P 202
Cross-Programming Language Taint Analysis for the IoT Ecosystem
The Internet of Things (IoT) is a key component for the next disruptive technologies. However, IoT merges together several diverse software layers: embedded, enterprise, and cloud programs interact with each other. In addition, security and privacy vulnerabilities of IoT software might be particularly dangerous due to the pervasiveness and physical nature of these systems. During the last decades, static analysis, and in particular taint analysis, has been widely applied to detect software vulnerabilities. Unfortunately, these analyses assume that software is entirely written in a single programming language, and they are not immediately suitable to detect IoT vulnerabilities where many different software components, written in different programming languages, interact. This paper discusses how to leverage existing static taint analyses to a cross-programming language scenario
- âŠ