
Securing web applications through vulnerability detection and runtime defenses

Social networks, eCommerce, and online news attract billions of daily users. The PHP interpreter powers a host of web applications, including messaging, development environments, news, and video games. The abundance of personal, financial, and other sensitive information held by these applications makes them prime targets for cyber attacks. Given the importance of safeguarding online platforms against cyber attacks, researchers have investigated different approaches to protect web applications. However, despite the community's achievements in improving the security of web applications, new vulnerabilities and cyber attacks occur on a daily basis (CISA, 2021; Bekerman and Yerushalmi, 2020). In general, cyber security threat mitigation techniques are divided into two categories: prevention and detection. In this thesis, I focus on tackling challenges in both prevention and detection scenarios and propose novel contributions to improve the security of PHP applications. Specifically, I propose methods for holistic analyses of both the web applications and the PHP interpreter to prevent cyber attacks and detect security vulnerabilities in PHP web applications. For prevention techniques, I propose three approaches called Saphire, SQLBlock, and Minimalist. I first present Saphire, an integrated analysis of both the PHP interpreter and web applications to defend against remote code execution (RCE) attacks by creating a system call sandbox. The evaluation of Saphire shows that, unlike prior work, Saphire protects web applications against RCE attacks in our dataset. Next, I present SQLBlock, which generates SQL profiles for PHP web applications through a hybrid static-dynamic analysis to prevent SQL injection attacks. My third contribution is Minimalist, which removes unnecessary code from PHP web applications according to prior user interaction. My results demonstrate that, on average, Minimalist debloats 17.78% of the source code in PHP web applications while removing up to 38% of security vulnerabilities. Finally, as a contribution to vulnerability detection, I present Argus, a hybrid static-dynamic analysis over the PHP interpreter, to identify a comprehensive set of PHP built-in functions that an attacker can use to inject malicious input into web applications (i.e., injection-sink APIs). I discovered more than 300 injection-sink APIs in PHP 7.2 using Argus, an order of magnitude more than the most exhaustive list used in prior work. Furthermore, I integrated Argus' results with existing program analysis tools, which identified 13 previously unknown XSS and insecure deserialization vulnerabilities in PHP web applications. In summary, I improve the security of PHP web applications through a holistic analysis of both the PHP interpreter and the web applications. I further apply hybrid static-dynamic analysis techniques to the PHP interpreter as well as PHP web applications to provide prevention mechanisms against cyber attacks or to detect previously unknown security vulnerabilities. These achievements are only possible due to the holistic analysis of the web stack put forth in my research.

Bioassay-guided isolation in Salvia abrotanoides Karel. stem based on its anti-fungal and anti-trichomonas activity

Background and purpose: Salvia abrotanoides is considered a medicinal plant and has a broad distribution in Iran. In Iran's traditional medicine, it is also used to treat leishmaniasis, malaria, atherosclerosis, and cardiovascular disease, and as a disinfectant. This research aimed to determine the anti-Candida component from S. abrotanoides and anti-Trichomonas natural compounds from the stems of this plant. Experimental approach: The plant shoots were collected, dried, and, after removing the leaves, ground. Dried plant material was extracted in a maceration tank, concentrated by a Rotavap, degreased, and fractionated by normal column chromatography. Based on anti-fungal screening against Candida species, Fr. 4, with more anti-fungal activity, was selected for phytochemical analysis by different chromatographic methods on the silica gel column and Sephadex LH-20. Isolated compounds were elucidated by NMR analysis, mass spectrum, and ultraviolet spectroscopy. Anti-fungal effects were investigated using the fungal suspension, incubation, and parasite-counting methods on purified compounds. Antibacterial effects were assessed using the broth dilution test and reported according to the MIC parameter. Findings/Results: Two diterpenoid compounds, carnosol (compound 1) and 11-hydroxy-12-methoxy-20-norabiata-8,11,13-trien (compound 2), and a flavonoid, 6,7-dimethoxy-5,4′-dihydroxyflavone (compound 3), were isolated and identified. Compound 1 had selective anti-fungal effects against C. albicans, C. glabrata, and C. parapsilosis, but weak toxicity against Trichomonas vaginalis with an IC50 of 675.8 μg/mL, less than metronidazole with an IC50 of 13.2 μg/mL. Conclusion and implications: Carnosol, as the main component, was assayed against Candida, Aspergillus, Rhizopus, and Trichomonas species. The results confirmed its effect on Candida compared to standard drugs.