617 research outputs found

    Cal Poly Microgrid - Solar Panel Mounts


    jÄk: Using Dynamic Analysis to Crawl and Test Modern Web Applications

    Web application scanners are popular tools to perform black-box testing and are widely used to discover bugs in websites. For them to work effectively, they either rely on a set of URLs that they can test, or use their own implementation of a crawler that discovers new parts of a web application. Traditional crawlers extract new URLs by parsing HTML documents and applying static regular expressions. While this approach can extract URLs in classic web applications, it fails to explore large parts of modern JavaScript-based applications. In this paper, we present a novel technique to explore web applications based on the dynamic analysis of the client-side JavaScript program. We use dynamic analysis to hook JavaScript APIs, which enables us to detect the registration of events, the use of network communication APIs, and dynamically generated URLs or user forms. We then propose to use a navigation graph to perform further crawling. Based on this new crawling technique, we present jÄk, a web application scanner. We compare jÄk against four existing web-application scanners on 13 web applications. The experiments show that our approach can explore a surface of the web applications that is 86% larger than with existing approaches.

    Learning Deterministic Finite Automata from Infinite Alphabets

    We propose an algorithm to learn automata over infinite alphabets, or alphabets that are at least too large to enumerate. We apply it to define a generic model intended for regression, with transitions constrained by intervals over the alphabet. The algorithm is based on the Red & Blue framework for learning from an input sample. We show two small case studies where the alphabets are respectively the natural and the real numbers, and show how desirable properties of automata models, such as interpretability and graphical representation, transfer to regression, where typical models are hard to interpret.

    Who Controls the Internet? Analyzing Global Threats using Property Graph Traversals

    The Internet is built on top of intertwined network services, e.g., email, DNS, and content distribution networks, operated by private or governmental organizations. Recent events have shown that these organizations may, knowingly or unknowingly, be part of global-scale security incidents, including state-sponsored mass surveillance programs and large-scale DDoS attacks. For example, in March 2015 the Great Cannon attack showed that an Internet service provider can weaponize millions of Web browsers and turn them into DDoS bots by injecting malicious JavaScript code into transiting TCP connections. While attack techniques and root-cause vulnerabilities are routinely studied, we still lack models and algorithms to study the intricate dependencies between services and providers, reason about their abuse, and assess the attack impact. To close this gap, we present a technique that models services, providers, and dependencies as a property graph. Moreover, we present a taint-style, propagation-based technique to query the model, and present an evaluation of our framework on the top 100k Alexa domains.

    Uses and Abuses of Server-Side Requests

    More and more web applications rely on server-side requests (SSRs) to fetch resources (such as images or even entire webpages) from user-provided URLs. As with many other web-related technologies, developers were very quick to adopt SSRs, even before their consequences for security were fully understood. In fact, while SSRs are simple to add from an engineering point of view, in this paper we show that—if not properly implemented—this technology can have several subtle consequences for security, posing severe threats to service providers, their users, and the Internet community as a whole. To shed some light on the risks of this communication pattern, we present the first extensive study of the security implications of SSRs. We propose a classification and four new attack scenarios that describe different ways in which SSRs can be abused to perform malicious activities. We then present an automated scanner we developed to probe web applications and identify possible SSR misuses. Using our tool, we tested 68 popular web applications and found that the majority can be abused to perform malicious activities, ranging from server-side code execution to amplification DoS attacks. Finally, we distill our findings into eight pitfalls and mitigations to help developers implement SSRs in a more secure way.

    Diagnostic and therapeutic aspects of hemiplegic migraine

    Hemiplegic migraine (HM) is a clinically and genetically heterogeneous condition with attacks of headache and motor weakness, which may be associated with impaired consciousness, cerebellar ataxia and intellectual disability. Motor symptoms usually last <72 hours and are associated with visual or sensory manifestations, speech impairment or brainstem aura. HM can occur as sporadic HM or familial HM with an autosomal dominant mode of inheritance. Mutations in CACNA1A, ATP1A2 and SCN1A, encoding proteins involved in ion transport, are implicated. The pathophysiology of HM is close to the process of typical migraine with aura, but appears with a lower threshold and greater severity. We reviewed the epidemiology, clinical presentation, diagnostic assessment, differential diagnosis and treatment of HM to offer the best evidence on this rare condition. The differential diagnosis of HM is broad, including other types of migraine and any condition that can cause transitory neurological signs and symptoms. Neuroimaging, cerebrospinal fluid analysis and electroencephalography are useful, but the diagnosis is clinical, with genetic confirmation. Management relies on the control of triggering factors and even hospitalisation in case of long-lasting auras. As HM is a rare condition, there are no randomised controlled trials, and the evidence for treatment comes from small studies.

    Efficient Learning of Communication Profiles from IP Flow Records

    The task of network traffic monitoring has evolved drastically with the ever-increasing amount of data flowing in large-scale networks. The automated analysis of this tremendous source of information often means using simpler models on aggregated data (e.g. IP flow records) due to time and space constraints. Stream learning techniques are a step towards utilizing IP flow records more effectively. We propose a method to collect a limited yet relevant amount of data in order to learn a class of complex models, finite state machines, in real time. These machines are used as communication profiles to fingerprint, identify or classify hosts and services, and offer high detection rates while requiring less training data and thus being faster to compute than simple models.

    Occurrence and diversity of arbuscular mycorrhizal fungi colonising off-season and in-season weeds and their relationship with maize yield under conservation agriculture

    Weeds are responsible for major crop losses worldwide but can provide beneficial agroecosystem services. This study aimed to elucidate how arbuscular mycorrhizal fungi (AMF) in weeds respond to host identity and conservation agricultural practices. The study was carried out at two locations in Southern Africa during off-season and in-season maize cultivation. Off-season AMF root colonisation, diversity indices and community composition significantly differed among weed species at both locations. Glomus sp. VTX00280 explains most of the AMF community differences. In-season, implementation of conventional tillage with mulching alone (CT + M) or together with crop rotation (CT + M + R) resulted in a 20% increase in AMF colonisation of the constantly occurring weed species, Bidens pilosa (BIDPI) and Richardia scabra (RCHSC), compared with conventional tillage plus rotation (CT + R). The diversity of AMF was highest under no-tillage plus mulching (NT + M). Off-season and in-season AMF structures of both BIDPI and RCHSC were not related, but 39% of the taxa were shared. Structural equation modelling showed a significant effect of the cropping system on weed AMF diversity parameters and on weed and maize root colonisation, but no significant influence of weed root AMF traits or maize colonisation on maize yield was detected. This may be explained by an improvement in weed competitive ability, which may have offset the AMF-mediated benefits on yield. Our findings highlight that adding M and crop rotation (CR) to CT and NT positively affected weed AMF colonisation and diversity. The similarity between the off-season and in-season AMF composition of weeds supports the view that weeds functionally host AMF during the non-crop period.

    Didn’t You Hear Me? — Towards More Successful Web Vulnerability Notifications

    After treating the notification of affected parties as a mere side note in research, our community has recently put more focus on how vulnerability disclosure can be conducted at scale. The first works in this area have shown that while notifications are helpful to a significant fraction of operators, the vast majority of systems remain unpatched. In this paper, we build on these previous works, aiming to understand why the effects are not more significant. To that end, we report on a notification experiment targeting more than 24,000 domains, which allowed us to analyze which technical and human aspects are roadblocks to a successful campaign. As part of this experiment, we explored potential alternative notification channels beyond email, including social media and phone. In addition, we conducted an anonymous survey with the notified operators, investigating their perspectives on our notifications. We show the pitfalls of email-based communication, such as the impact of anti-spam filters, the lack of trust by recipients, and hesitation to fix vulnerabilities despite awareness. However, our exploration of alternative communication channels did not suggest a more promising medium. In light of these results, we pinpoint future directions for improving security notifications.

    Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification

    Large-scale discovery of thousands of vulnerable Web sites has become a frequent event, thanks to recent advances in security research and the rising maturity of Internet-wide scanning tools. The issues related to disclosing the vulnerability information to the affected parties, however, have only been treated as a side note in prior research. In this paper, we systematically examine the feasibility and efficacy of large-scale notification campaigns. For this, we comprehensively survey existing communication channels and evaluate their usability in an automated notification process. Using a data set of over 44,000 vulnerable Web sites, we measure success rates, both with respect to the total number of fixed vulnerabilities and to reaching responsible parties, with the following high-level results: although our campaign had a statistically significant impact compared to a control group, the increase in the fix rate of notified domains is marginal. If a notification report is read by the owner of the vulnerable application, the likelihood of a subsequent resolution of the issues is sufficiently high: about 40%. But out of 35,832 transmitted vulnerability reports, only 2,064 (5.8%) were actually received successfully, resulting in an unsatisfactory overall fix rate and leaving 74.5% of Web applications exploitable after our month-long experiment. Thus, we conclude that currently no reliable notification channels exist, which significantly inhibits the success and impact of large-scale notification.