4 research outputs found

    Escrow: A large-scale web vulnerability assessment tool

    The reliance on Web applications has increased rapidly over the years. At the same time, the quantity and impact of application security vulnerabilities have grown as well. Amongst these vulnerabilities, SQL Injection has been classified as the most common, dangerous and prevalent web application flaw. In this paper, we propose Escrow, a large-scale SQL Injection detection tool with an exploitation module that is lightweight, fast and platform-independent. Escrow uses a custom search implementation together with a static code analysis module to find potential target web applications. Additionally, it provides a simple-to-use graphical user interface (GUI) to navigate through a vulnerable remote database. Escrow is implementation-agnostic, i.e. it can perform analysis on any web application regardless of the server-side implementation (PHP, ASP, etc.). Using our tool, we discovered that it is indeed possible to identify and exploit at least 100 databases per 100 minutes, without prior knowledge of their underlying implementation. We observed that for each query sent, we can scan and detect dozens of vulnerable web applications in a short space of time, while providing a means for exploitation. Finally, we provide recommendations for developers to defend against SQL injection and emphasise the need for proactive assessment and defensive coding practices.

    An Extensible Web Application Vulnerability Assessment and Testing Framework

    The process of identifying vulnerabilities in web services plays an integral role in reducing risk to an organisation that seeks to protect its intellectual property and data. The process itself generally involves an automated scan that looks for software misconfigurations, outdated services and exposures that may lead to defacement, data loss or system compromise. However, even with myriad open-source and commercial applications that provide automated vulnerability assessments, the frequency of large-scale data breaches and exploitation by adversaries continues to increase. This thesis presents a framework that not only enables the skilled security professional to accurately assess the risk of vulnerabilities in web servers, but also empowers non-technical users to scan their web servers and find out the implications of vulnerabilities in their systems. This is achieved by building a user-centric solution which addresses the gaps identified in previous work, and focuses on the most critical vulnerabilities outlined by two major security research organisations.

    Security as a service (SecaaS)—An overview

    With cloud computing facilitating the migration of platforms, infrastructure and software to the cloud, security services are now following suit. Security as a service (SecaaS) is inherently a business model in which organizations can purchase on-demand security solutions to protect their data, applications, and systems, while taking advantage of what cloud computing has on offer. This chapter explores the evolution from traditional on-premise and managed security solutions to the SecaaS model, and evaluates the supporting and opposing arguments for the adoption of cloud security services. Furthermore, an overview is given of cloud security service categories, with additional focus areas presented and critical gaps identified in the literature.

    A Global, Empirical Analysis of the Shellshock Vulnerability in Web Applications

    Large-scale Internet scanning has become increasingly common in the research community, shedding light on the state of security at a global level. However, scans in the past have typically focused on the adoption of services and the ubiquity of protocols, with few focusing on the extent of vulnerabilities and exposures on the Internet. This paper explores the Shellshock vulnerability in web applications by analysing the Alexa Top 1 Million public-facing websites in the world to ascertain the pervasiveness and severity of Shellshock. We achieved this by developing an algorithm that uses simple heuristics with multi-threading capabilities, empowering us to perform rapid large-scale web application scanning across various hosts over the HTTP protocol. The results of our global scan were interesting, and illustrated the pervasiveness of Shellshock and the potential impact it can have on an organisation - despite this being a known vulnerability at the time of our global scan. The results show that certain Web server configurations are particularly susceptible, and illustrate which popular top-level domains and countries were most affected. Our findings also showed that while Shellshock is easily detectable from an observational standpoint, there exist certain server configurations that allow the bug to be exploited even where CGI scripts are non-existent on the web server. We also discuss remediation guidelines and defensive security practices to protect hosts and organisations from such web-based attack vectors.