76 research outputs found

    A Formal Approach to Exploiting Multi-Stage Attacks based on File-System Vulnerabilities of Web Applications (Extended Version)

    Web applications require access to the file-system for many different tasks. When analyzing the security of a web application, security analysts should thus consider the impact that file-system operations have on the security of the whole application. Moreover, the analysis should take into consideration how file-system vulnerabilities might interact with other vulnerabilities, leading an attacker to breach into the web application. In this paper, we first propose a classification of file-system vulnerabilities, and then, based on this classification, we present a formal approach that allows one to exploit file-system vulnerabilities. We give a formal representation of web applications, databases and file-systems, and show how to reason about file-system vulnerabilities. We also show how to combine file-system vulnerabilities and SQL-Injection vulnerabilities for the identification of complex, multi-stage attacks. We have developed an automatic tool that implements our approach and we show its efficiency by discussing several real-world case studies, which are witness to the fact that our tool can generate, and exploit, complex attacks that, to the best of our knowledge, no other state-of-the-art tool for the security of web applications can find.

    Assessing the Impact of Script Gadgets on CSP at Scale

    The Web, as one of the core technologies of modern society, has profoundly changed the way we interact with people and data through social networks or full-fledged office Web applications. One of the worst attacks on the Web is Cross-Site Scripting (XSS), in which an attacker is able to inject their malicious JavaScript code into a Web application, giving this code full access to the victimized site. To mitigate the impact of markup injection flaws that cause XSS, support for the Content Security Policy (CSP) is nowadays shipped in all browsers. Deploying such a policy enables a Web developer to whitelist from where script code can be loaded, essentially constraining the capabilities of the attacker to only be able to execute injected code from said whitelist. As recently shown by Lekies et al., injecting script markup is not a necessary prerequisite for a successful attack in the presence of so-called script gadgets. These small snippets of benign JavaScript code transform non-script markup contained in a page into executable JavaScript, opening the door for bypasses of a deployed CSP. Especially in combination with CSP’s logic in handling redirected resources, script gadgets enable attackers to bypass an otherwise secure policy. In this paper, we therefore ask the question: is deploying CSP in a secure fashion even possible without a priori knowledge of all files hosted on even a partially trusted origin? To answer this question, we investigate the severity of the findings of Lekies et al., showing real-world Web sites on which, even in the presence of CSP and without code containing such gadgets being added by the developer, an attacker can sideload libraries with known script gadgets, as long as the hosting site is whitelisted in the CSP. In combination with the aforementioned redirect logic, this enables us to bypass 10% of otherwise secure CSPs in the wild. To further answer our main research question, we conduct a hypothetical what-if analysis. Doing so, we automatically generate sensible CSPs for all of the Top 10,000 sites and show that around one-third of all sites would still be susceptible to a bypass through script gadget sideloading due to heavy reliance on third parties which also host such libraries.

    Identification of Lineage-Uncommitted, Long-Lived, Label-Retaining Cells in Healthy Human Esophagus and Stomach, and in Metaplastic Esophagus

    Background & Aims: The existence of slowly cycling, adult stem cells has been challenged by the identification of actively cycling cells. We investigated the existence of uncommitted, slowly cycling cells by tracking 5-iodo-2'-deoxyuridine (IdU) label-retaining cells (LRCs) in normal esophagus, Barrett's esophagus (BE), esophageal dysplasia, adenocarcinoma, and healthy stomach tissues from patients. Methods: Four patients (3 undergoing esophagectomy, 1 undergoing esophageal endoscopic mucosal resection for dysplasia and an esophagectomy for esophageal adenocarcinoma) received intravenous infusion of IdU (200 mg/m2 body surface area; maximum dose, 400 mg) over a 30-minute period; the IdU had a circulation half-life of 8 hours. Tissues were collected at 7, 11, 29, and 67 days after infusion, from regions of healthy esophagus, BE, dysplasia, adenocarcinoma, and healthy stomach; they were analyzed by in situ hybridization, flow cytometry, and immunohistochemical analyses. Results: No LRCs were found in dysplasias or adenocarcinomas, but there were significant numbers of LRCs in the base of glands from BE tissue, in the papillae of the basal layer of the esophageal squamous epithelium, and in the neck/isthmus region of healthy stomach. These cells cycled slowly because IdU was retained for at least 67 days and co-labeling with Ki-67 was infrequent. In glands from BE tissues, most cells did not express defensin-5, Muc-2, or chromogranin A, indicating that they were not lineage committed. Some cells labeled for endocrine markers and IdU at 67 days; these cells represented a small population (<0.1%) of epithelial cells at this time point. The epithelial turnover time of the healthy esophageal mucosa was approximately 11 days (twice that of the intestine). Conclusions: LRCs of human esophagus and stomach have many features of stem cells (long lived, slow cycling, uncommitted, and multipotent), and can be found in a recognized stem cell niche. Further analyses of these cells, in healthy and metaplastic epithelia, are required.

    Movements of Diadromous Fish in Large Unregulated Tropical Rivers Inferred from Geochemical Tracers

    Patterns of migration and habitat use in diadromous fishes can be highly variable among individuals. Most investigations into diadromous movement patterns have been restricted to populations in regulated rivers, and little information exists for those in unregulated catchments. We quantified movements of migratory barramundi Lates calcarifer (Bloch) in two large unregulated rivers in northern Australia using both elemental (Sr/Ba) and isotope (87Sr/86Sr) ratios in aragonitic ear stones, or otoliths. Chemical life history profiles indicated significant individual variation in habitat use, particularly among chemically distinct freshwater habitats within a catchment. A global zoning algorithm was used to quantify distinct changes in chemical signatures across profiles. This algorithm identified between 2 and 6 distinct chemical habitats in individual profiles, indicating variable movement among habitats. Profiles of 87Sr/86Sr ratios were notably distinct among individuals, with highly radiogenic values recorded in some otoliths. This variation suggested that fish made full use of habitats across the entire catchment basin. Our results show that unrestricted movement among freshwater habitats is an important component of diadromous life histories for populations in unregulated systems.

    Genomic evidence of widespread admixture from polar bears into brown bears during the last ice age

    Recent genomic analyses have provided substantial evidence for past periods of gene flow from polar bears (Ursus maritimus) into Alaskan brown bears (Ursus arctos), with some analyses suggesting a link between climate change and genomic introgression. However, because it has mainly been possible to sample bears from the present day, the timing, frequency, and evolutionary significance of this admixture remains unknown. Here, we analyze genomic DNA from three additional and geographically distinct brown bear populations, including two that lived temporally close to the peak of the last ice age. We find evidence of admixture in all three populations, suggesting that admixture between these species has been common in their recent evolutionary history. In addition, analyses of ten fossil bears from the now-extinct Irish population indicate that admixture peaked during the last ice age, when brown bear and polar bear ranges overlapped. Following this peak, the proportion of polar bear ancestry in Irish brown bears declined rapidly until their extinction. Our results support a model in which ice age climate change created geographically widespread conditions conducive to admixture between polar bears and brown bears, as is again occurring today. We postulate that this model will be informative for many admixing species pairs impacted by climate change. Our results highlight the power of paleogenomics to reveal patterns of evolutionary change that are otherwise masked in contemporary data.

    Assessing the Impact of Firewalls and Database Proxies on SQL Injection Testing

    Model-Based Detection of CSRF

    Cross-Site Request Forgery (CSRF) is listed in the top ten list of the Open Web Application Security Project (OWASP) as one of the most critical threats to web security. A number of protection mechanisms against CSRF exist, but an attacker can often exploit the complexity of modern web applications to bypass these protections by abusing other flaws. We present a formal model-based technique for automatic detection of CSRF. We describe how a web application should be specified in order to facilitate the exposition of CSRF-related vulnerabilities. We use an intruder model, à la Dolev-Yao, and discuss how CSRF attacks may result from the interactions between the intruder and the cryptographic protocols underlying the web application. We demonstrate the effectiveness and usability of our technique with three real-world case studies.

    Recording and Replaying Navigations on AJAX Web Sites

    Recording and replaying user navigations greatly simplifies the testing process of web applications and, consequently, greatly contributes to improving usability, robustness and assurance of these applications. Implementing such replaying functionalities with modern web technologies such as AJAX is very hard: the GUI may change dynamically as a result of a myriad of different events beyond the control of the replaying machinery, and even locating a given GUI element across different executions may be impossible. In this work we propose a tool that overcomes these problems and is able to handle real-world web sites based on AJAX technology. Recording occurs automatically, i.e., the user navigates with a normal browser and need not take any specific action. Replaying a previously recorded trace occurs programmatically, based on several heuristics that make the tool robust with respect to DOM variance while at the same time maintaining the ability to detect whether replaying has become impossible, perhaps because the target web site has changed too much since the recording. The entire procedure is fully transparent to the target web site. We also describe the use of our tool on several web applications including Facebook, Amazon and others.

    Efficacy of a subsurface-flow wetland using the estuarine sedge to treat effluent from inland saline aquaculture

    The major environmental issue facing the inland saline aquaculture industry of Western Australia is the treatment of nutrient and salt-enriched aquaculture effluent. Constructed wetland treatment systems could provide a simple and low-cost mechanism to remove these pollutants. Replicate plots of a pilot-scale, subsurface-flow wetland treatment system incorporating the estuarine sedge Juncus kraussii were constructed to test the relative efficacy of total nitrogen (TN), total phosphorus (TP) and sodium chloride (NaCl) removal. After 38 days, the wetland plots removed up to 69% of the TN load and 88.5% of the TP load, with active uptake by the soil-plant ecosystem being greatest at high nutrient levels. TN removal increased markedly over time, whereas TP removal remained relatively constant. Salinity did not affect TN removal, but did reduce TP removal. Although up to 54.8% of NaCl load was removed by the wetland plots, this appeared to be a passive consequence of water uptake. NaCl removal increased over time, but was not affected by either nutrient or salinity concentration. Growth traits of J. kraussii were adversely affected by salinity concentration but not by nutrient level.