SlideShare a Scribd company logo
CODE BLUE 2016
Presented by Isao Takaesu
Method of Detecting Vulnerability
in Web Apps
Using Machine Learning
About the speaker
• Occupation: Web security engineer
• Company: Mitsui Bussan Secure Directions
• Hobbies: Making scanners, Machine Learning
• Blog: http://www.mbsd.jp/blog/
• Presented in “Black Hat Asia 2016” Arsenal
• hosted “AISECjp”
Isao Takaesu
MBSD
(@bbr_bbq)
CODE BLUE 2016
Agenda
MBSD CODE BLUE 2016
1. Introduction
2. Objectives of research
3. Overview of SAIVS
4. Realized methods
5. Validation results
6. Demonstration
7. Future Prospects
Introduction
MBSD CODE BLUE 2016
In Japan, there is
a significant lack of security engineers.
MBSD CODE BLUE 2016
About 240,000 people short.
(according to a survey by IPA)
Introduction
MBSD CODE BLUE 2016
Are we facing the limit of
human-only resources?
Introduction
Objectives of research
MBSD CODE BLUE 2016
Fully automated information security.
MBSD CODE BLUE 2016
The first step is
Web application vulnerability assessment.
Objectives of research
What is web app vul assessment?
MBSD CODE BLUE 2016
Detect vulnerabilities on web apps.
MBSD
Security
engineer Web Server
Web Apps
Our company Client company
Pseudo-attack
Analyze response
CODE BLUE 2016
 Performs pseudo-attacks while crawling the pages of web apps.
 Analyzes the response and detects vulnerabilities.
What is web app vul assessment?
MBSD
Web Server
Web Apps
SQLi?
XSS?
CODE BLUE 2016
Our company Client company
Pseudo-attack
Analyze response
Security
engineer
 Performs pseudo-attacks while crawling the pages of web apps.
 Analyzes the response and detects vulnerabilities.
What is web app vul assessment?
Issues of web app vul assessment
MBSD CODE BLUE 2016
Depends on the skilled craftsmanship
of security engineers.
Our “GOAL”
Realize ALL MACHINE web app vulnerability assessment.
MBSD
The AI
Web Server
Web Apps
CODE BLUE 2016
Our company Client company
Pseudo-attack
Analyze response
SQLi?
XSS?
Overview of AI ”SAIVS”
MBSD
SAIVS
Spider Artificial Intelligence Vulnerability Scanner
CODE BLUE 2016
AI that performs web app vul assessment.
Abilities of SAIVS
MBSD
 Crawls web apps
 Detects vulnerabilities
CODE BLUE 2016
Abilities of SAIVS
MBSD
 Crawls web apps
 Detects vulnerabilities
CODE BLUE 2016
Importance of crawling
MBSD CODE BLUE 2016
Top Login
Register Confirm
Contact Us
My Page
Complete
vulnerability
Send
message
MBSD CODE BLUE 2016
Top Login
Register Confirm
Contact Us
My Page
Complete
It is necessary to log in correctly.
Importance of crawling
Send
message
MBSD CODE BLUE 2016
Top Login
Register Confirm
Contact Us
My Page
Complete
Importance of crawling.
It is necessary to register correctly.
Send
message
MBSD CODE BLUE 2016
Top Login
Register Confirm
Contact Us
My Page
Complete
It is important to exhaustively crawl pages.
Importance of crawling
Send
message
MBSD
Crawling web apps is difficult.
Why?
CODE BLUE 2016
What is the type of this page ?
MBSD CODE BLUE 2016
Humans : Easily recognize the page type.
Machine : Difficult. (Log in? Register?)
What has just happened?
MBSD
Humans : Recognize failed crawling attempts from the message.
Machine : Difficult to interpret the message.
CODE BLUE 2016
What are your input values to crawl to the next page ?
MBSD
crawl
Humans : Input correct values in the form.
Machine : Difficult to interpret the meaning of the form.
???
???
???
???
???
CODE BLUE 2016
MBSD
Crawling requires complex thinking.
CODE BLUE 2016
3 requirements for crawling
MBSD
 Recognize the page type
 Recognize the success/fail of crawling
 Input correct values in the forms
CODE BLUE 2016
MBSD CODE BLUE 2016
How do you achieve them?
Our approach
MBSD CODE BLUE 2016
Reverse engineering of the human brain.
MBSD CODE BLUE 2016
Each thinking pattern
implemented in machine learning.
Our approach
3 requirements for crawling
MBSD CODE BLUE 2016
 Recognize the page type
 Recognize the success/fail of crawling
 Input correct values in the forms
Page recognition by humans
MBSD CODE BLUE 2016
Page recognition by humans
MBSD CODE BLUE 2016
Recognize the keywords that characterize the page.
Page recognition by machines
MBSD CODE BLUE 2016
Using Naive Bayes.
What is Naive Bayes?
Naive Bayes is used for auto classification of texts.
Uses pre-defined categories & laws of probability.
MBSD
examples)
 Spam mail filter.
 Classify blog post genres.
 Improvement of defensive accuracy for WAF.
CODE BLUE 2016
MBSD
SPAM:0.672 ← Selected
HAM :0.03
limited
SPAM:40%
HAM :10%
Category
period
click
here
http://
wana.jp
SPAM:10%
HAM :30%
SPAM:70%
HAM :50%
SPAM:30%
HAM :40%
SPAM:80%
HAM :5%
Extracting a keyword from the mail text.
Example of the use of the spam e-mail filter.
CODE BLUE 2016
To calculate the probability of SPAM and HAM,
to select the probability is high category.
MBSD CODE BLUE 2016
Page recognition by Naive Bayes
Page recognition by Naive Bayes
MBSD
<h1>Sign in</h1>
<form action="/cyclone/sessions" method="post">
<label for="email">Email</label>
<input id="email" name="email" type="text" />
<label for="password">Password</label>
<input id="password" name="password" type="password" />
</form>
Extracts keywords that characterize the page.
Excludes “Stop words”.
CODE BLUE 2016
Category table for page recognition
MBSD
Categories Keywords
Log in Email, User ID, Password, Sign in …
Register user Email, Password, Confirm, Sign up …
Search Word, Text, String, Sort, Search …
Purchase goods Credit, Account, Expire, Purchase …
Change password Password, Old Password, Change …
CODE BLUE 2016
Selects the category that contain the many keywords.
Keywords : Sign in, Email, Password
MBSD
Categories Keywords
Log in Email, User ID, Password, Sign in …
Register user Email, Password, Confirm, Sign up …
Search Word, Text, String, Sort, Search …
Purchase goods Credit, Account, Expire, Purchase …
Change password Password, Old Password, Change …
CODE BLUE 2016
“Log in” category contains many of the keywords.
⇒ The highest probability of the category "Log in".
Category table for page recognition
MBSD CODE BLUE 2016
This page is
recognized as ”Log in”.
Page recognition by Naive Bayes
3 requirements for crawling
MBSD CODE BLUE 2016
 Recognize the page type (✔)
 Recognize the success/fail of crawling
 Input correct values in the forms
MBSD CODE BLUE 2016
Recognition of page crawling success/fail by humans
MBSD CODE BLUE 2016
Recognition of page crawling success/fail by humans
Recognizes the keywords that characterize failure.
MBSD CODE BLUE 2016
Using Naive Bayes.
Recognition of page crawling success/fail by machines
MBSD CODE BLUE 2016
Recognition of page crawling success/fail by machines
MBSD
<h2>2 errors prohibited this user from being saved </h2>
<p>There were problems with these fields:</p>
<ul>
<li> Password doesn't match confirmation </li>
<li> Email is invalid </li>
["Password doesn't match confirmation","Email is invalid
"]
</ul>
CODE BLUE 2016
Extracts keywords that characterize failure.
Excludes “Stop words”.
Recognition of page crawling success/fail by machines
Category table for page crawling success/fail
MBSD
Categories Keywords
Success
good, valid, success, normal, fine, clean, nice,
can, match, confirmation, ok, finish, thank …
Failure
bad, invalid, failure, error, problem, unmatch,
doesn’t match, can’t, too, wrong, ng, blank …
CODE BLUE 2016
Selects the category that contain the many keywords.
Keywords : errors, problem, doesn’t match, invalid
MBSD
Categories Keywords
Success
good, valid, success, normal, fine, clean, nice,
can, match, confirmation, ok, finish, thank …
Failure
bad, invalid, failure, error, problem, wrong,
doesn’t match, can’t, too, ng, blank …
CODE BLUE 2016
“Failure“ category contains many of the keywords.
⇒ The highest probability of the category "Failure".
Category table for page crawling success/fail
MBSD CODE BLUE 2016
This is recognized as a
page transition ”failure”.
Recognize the success/fail of crawling by machines
3 requirements for crawling
MBSD CODE BLUE 2016
 Recognize the page type (✔).
 Recognize the success/fail of crawling (✔).
 Input correct values in the forms.
MBSD CODE BLUE 2016
Interprets the meaning of the form and inputs correct values.
crawl
Isao Takaesu
isao123@mbsd.jp
mbsd1234
mbsd1234
Inputting correct values by humans
MBSD CODE BLUE 2016
Using multilayer perceptron &
Q-Learning.
Inputting correct values by machines
What is multilayer perceptron(MLP)?
MBSD
examples)
 Image recognition.
 Hand-written number recognition.
CODE BLUE 2016
MLP is used for image recognition.
The model simulates the neural structure and function.
・
・
・
・
・
・
・
・
・
Data Label
0
1
2
Training Data
Example of the use of the hand-written number recognition
CODE BLUE 2016MBSD
・
・
・
・
・
・
・
・
・
X₁
X₂
X784
X0
Y₁
Y₂
Y300
Y0
Z₁
Z₂
Z10
MLP
Learn
It can output the answer depending on the input data.
Learned MLP
014679 425970401967
CODE BLUE 2016MBSD
Example of the use of the hand-written number recognition
An algorithm that learns the best behavior of the agent.
Evaluates effectiveness of the behavior using the Q-value.
MBSD
examples)
 Locomotive learning in robots.
 Playing video games.
 Route search.
CODE BLUE 2016
What is Q-Learning?
Example of the use of the locomotive learning in robots
MBSD CODE BLUE 2016
Agent
Environment
a1 Forward
a2 Left turn
a3 Right turn
a4 Backward
Action
State s
・・・
Next state s’
Policy
( a | s )
Transition probability
( s’ | s, a )
hole in the front
of the eye …
Reward r = R( s, a, s’ )
Task : The goal to avoid obstacles.
Learn the policies that total of reward is the maximum.
Update Q( s, a )
Model to attain correct input values
MBSD
Learns correct input values while attempting to crawl.
CODE BLUE 2016
・
・
・
・
・
・
Current page
MLP
Input values
Q-Learning
Next page
p1=abc, xyz・・・
p1=123, 12a・・・
p1=abc@xxx・・・
observe
state
evaluate
update
weight
MBSD CODE BLUE 2016
Model to attain correct input values
・
・
・
・
・
・
Current page
MLP
Input values
Q-Learning
Next page
p1=abc, xyz・・・
p1=123, 12a・・・
p1=abc@xxx・・・
observe
state
evaluate
update
weight
Learns correct input values while attempting to crawl.
Patterns of input value
MBSD
Pattern Input value
Char abc, abcdef, aBc, aBcdEf, ABCDEF …
Num 123, 12345, 4111111111111111 …
Char,Num abc123, 123abc, aBc123, 1a2b3c …
Char,Symbol abc!, abc!#$, abcdef!, abcdef!#$ …
Num,Symbol 123!, 123!#$, 12345!, !#$12345 …
Char,Num,Symbol abc123!, 123abc!, abc!123, !#$%&a1 …
Mail address abc@hoge.com, abc123@hoge.com …
CODE BLUE 2016
Set a combination of input values to the parameter.
Target : INPUT TYPE = text, password
MBSD
Inputs ”current" and "next" page to MLP.
CODE BLUE 2016
Learning flow
・
・
・
・
・
・
Current page
MLP
Input values
Q-Learning
Next page
p1=abc, xyz・・・
p1=123, 12a・・・
p1=abc@xxx・・・
observe
state
evaluate
update
weight
MBSD
Selects any input pattern from the input of MLP.
CODE BLUE 2016
Learning flow
・
・
・
・
・
・
Current page
MLP
Input values
Q-Learning
Next page
p1=abc, xyz・・・
p1=123, 12a・・・
p1=abc@xxx・・・
observe
state
evaluate
update
weight
MBSD
Attempts to crawl using the selected input pattern of MLP.
CODE BLUE 2016
Learning flow
・
・
・
・
・
・
Current page
MLP
Input values
Q-Learning
Next page
p1=abc, xyz・・・
p1=123, 12a・・・
p1=abc@xxx・・・
observe
state
evaluate
update
weight
MBSD
Observe the result of crawling.
CODE BLUE 2016
Learning flow
・
・
・
・
・
・
Current page
MLP
Input values
Q-Learning
Next page
p1=abc, xyz・・・
p1=123, 12a・・・
p1=abc@xxx・・・
observe
state
evaluate
update
weight
MBSD
Gives a reward depending on the result of crawling.
CODE BLUE 2016
Learning flow
・
・
・
・
・
・
Current page
MLP
Input values
Q-Learning
Next page
p1=abc, xyz・・・
p1=123, 12a・・・
p1=abc@xxx・・・
observe
state
evaluate
update
weight
MBSD
Update the weight of MLP using backpropagation.
CODE BLUE 2016
Learning flow
・
・
・
・
・
・
Current page
MLP
Input values
Q-Learning
Next page
p1=abc, xyz・・・
p1=123, 12a・・・
p1=abc@xxx・・・
observe
state
evaluate
update
weight
MBSD
Learning can be completed at approx. 300 attempts.
CODE BLUE 2016
Learning flow
・
・
・
・
・
・
Current page
MLP
Input values
Q-Learning
Next page
p1=abc, xyz・・・
p1=123, 12a・・・
p1=abc@xxx・・・
observe
state
evaluate
update
weight
Problem
MBSD CODE BLUE 2016
300 attempts ⇒ Inefficient
MBSD CODE BLUE 2016
Pre-training.
Solution
Web apps for pre-training(one example).
MBSD
OWASP Broken Web Apps
CODE BLUE 2016
Training SAIVS
MBSD CODE BLUE 2016
BodgeIt peruggia WackoPicko Yazd
SAIVS
Web Apps
Attempts crawling & learning
⇒ Each 300 times
Achieves the correct input values for each form.
・・・
Achieved correct input values (one example).
MBSD
Input form Correct input value
ID abc, abcdef, aBc, aBcdEf, ABCDEF …
Password abc123!, 123abc!, abc!123, !#$%&a1 …
FirstName abc, abcdef, aBc, aBcdEf, ABCDEF …
LastName abc, abcdef, aBc, aBcdEf, ABCDEF …
Email address abc@hoge.com, abc123@hoge.com …
Username abc, abcdef, aBc, aBcdEf, ABCDEF …
Signature abc, abcdef, aBc, aBcdEf, ABCDEF …
CODE BLUE 2016
Problem:mismatch of form strings
MBSD CODE BLUE 2016
Used in Training Used in actual assessment
Mismatch!!
MBSD CODE BLUE 2016
Calculate the
similarity of form strings.
Solution
Calculate similarity
MBSD CODE BLUE 2016
Using word2vec.
What is word2vec?
Calculation method for similar words in NLP.
A word is represented by a vector.
MBSD CODE BLUE 2016
examples)
 Adding and subtracting words
word cos distance
email 0.956302
mail 0.927386
reply 0.920610
formula answer
Iraq - Violence Jordan
Human - Animal Ethics
Japan – Tokyo + France Paris
 Similarity between words
Input : e-mail
Example of the use of the similarity calculation
MBSD CODE BLUE 2016
Calculate similarity using words around the word of interest.
Training data)
interpretation further. However, if anyone wishes to discuss this, I‘m certainly willing
(either offline - e-mail - or Stephen In article bevans@carina.unm.edu (Mathemagician)
writes: Just what do gay people do that straight・・・
carries archives of old alt.atheism.moderated articles and assorted other files. For more
information, send mail to archive-server@mantis.co.uk saying help send atheism/index
and it will mail back a reply. mathew An・・・
send mail to archive-server@mantis.co.uk saying help send atheism/index and it will
mail back a reply. mathew An Introduction to Atheism by Mathew. This article attempts
to provide a general introduction・・・
The similarity of the "e-mail", "mail", "reply" is high.
Word2vec training data
MBSD CODE BLUE 2016
The 20 Newsgroups data set.
A collection of newsgroups : about 20,000 news.
examples of newsgroup)
 Computer(Graphics, MS-Windows, Hardware)
 Science(Cryptography, Electronics, Space)
 Hobby(Motorcycles, Baseball, Hockey)
MBSD CODE BLUE 2016
Windows Crypt Hardware Space
SAIVS
The 20 Newsgroups data set
Learns the similarity
Learns the similarity between the words.
word2vec
Training SAIVS
・・・
MBSD
candidate similarity
email 0.956302
mail 0.927386
E-mail 0.900249
address 0.893337
reply 0.865438
contact 0.846801
message 0.792930
chat 0.754903
newsgroup 0.747636
CODE BLUE 2016
candidate similarity
names 0.962508
username 0.939661
nickname 0.933694
naming 0.898254
surname 0.863966
initials 0.861093
firstname 0.849641
lastname 0.847604
title 0.782467
candidate similarity
homepage 0.794415
blog 0.752945
site 0.708534
webpage 0.701838
portal 0.701374
forum 0.692067
com 0.641086
archive 0.537914
org 0.531096
Extracts candidate words of Top 10.
Learned similarities in the training
Target :websiteTarget :nameTarget : e-mail
MBSD
candidate similarity
email 0.956302
mail 0.927386
E-mail 0.900249
address 0.893337
reply 0.865438
contact 0.846801
message 0.792930
chat 0.754903
newsgroup 0.747636
CODE BLUE 2016
candidate similarity
names 0.962508
username 0.939661
nickname 0.933694
naming 0.898254
surname 0.863966
initials 0.861093
firstname 0.849641
lastname 0.847604
title 0.782467
candidate similarity
homepage 0.794415
blog 0.752945
site 0.708534
webpage 0.701838
portal 0.701374
forum 0.692067
com 0.641086
archive 0.537914
org 0.531096
Selects a candidate word that matches the form string of training.
Learned similarities in the training
Target :websiteTarget :nameTarget : e-mail
MBSD
candidate similarity
email 0.956302
mail 0.927386
E-mail 0.900249
address 0.893337
reply 0.865438
contact 0.846801
message 0.792930
chat 0.754903
newsgroup 0.747636
CODE BLUE 2016
candidate similarity
names 0.962508
username 0.939661
nickname 0.933694
naming 0.898254
surname 0.863966
initials 0.861093
firstname 0.849641
lastname 0.847604
title 0.782467
candidate similarity
homepage 0.794415
blog 0.752945
site 0.708534
webpage 0.701838
portal 0.701374
forum 0.692067
com 0.641086
archive 0.537914
org 0.531096
Learned similarities in the training
Target :websiteTarget :nameTarget : e-mail
⇒ abc@hoge.com ⇒ aBcdEf ⇒ http://hoge.com
MBSD CODE BLUE 2016
3 requirements for crawling
 Recognize the page type (✔).
 Recognize the success/fail of crawling (✔).
 Input correct values in the forms (✔).
Demonstration of crawling
MBSD
Target:OWASP Broken Web Apps Cyclone
CODE BLUE 2016
MBSD CODE BLUE 2016
Top Login
Register Confirm
User Search
Complete
1.Create a login account in "register".
2.Log in.
3.Search users.
Demonstration of crawling
vulnerability
MBSD CODE BLUE 2016
Top Login
Register Confirm
User Search
Complete
1.Create a login account in "register".
2.Log in.
3.Search users.
Demonstration of crawling
MBSD CODE BLUE 2016
Top Login
Register Confirm
User Search
Complete
1.Create a login account in "register".
2.Log in.
3.Search users.
Demonstration of crawling
MBSD CODE BLUE 2016
Top Login
Register Confirm
User Search
Complete
Demonstration of crawling
1.Create a login account in "register".
2.Log in.
3.Search users.
MBSD CODE BLUE 2016
Top Login
Register Confirm
User Search
Complete
1.Create login account in "register".
2.Log in.
3.Search users.
Demonstration of crawling
MBSD CODE BLUE 2016
https://www.youtube.com/watch?v=aXw3vgXbl1U
Demonstration movie of crawling
Abilities of SAIVS
MBSD
 Crawls web apps. (✔)
 Detects vulnerabilities.
CODE BLUE 2016
MBSD CODE BLUE 2016
To detect vulnerabilities with less trouble.
Objective of this research
MBSD CODE BLUE 2016
There are many web application
vulnerabilities...
MBSD CODE BLUE 2016
Reflected Cross-Site Scripting
(RXSS)
Target vulnerability of this research
Example of RXSS Pattern 1:very vulnerable web app
MBSD
<html>
<head>
<meta http-equiv="Content-Type" content="text/html">
<title>Case 3 - RXSS</title>
</head>
<body>
<input type="text" value="testData">
</body>
</html>
http://xxx/case3/?input=testData
Input value is echoed in the "VALUE" attribute of the INPUT tag.
CODE BLUE 2016
MBSD
<html>
<head>
<meta http-equiv="Content-Type" content="text/html">
<title>Case 3 - RXSS</title>
</head>
<body>
<input type="text"
value=""/><script>alert('XSS');</script>">
</body>
</html>
http://xxx/case3/?input="/><script>alert(‘XSS');</script>
JavaScript is inserted in the HTML syntax.
CODE BLUE 2016
Example of RXSS Pattern 1:attacking a web app
Example of RXSS Pattern 2:a little more secure web app
MBSD
<html>
<head>
<meta http-equiv="Content-Type" content="text/html">
<title>Case 4 - RXSS</title>
</head>
<body>
<input type="text" value=""/> alert('XSS');">
</body>
</html>
SCRIPT tag is sanitized by the web app.
http://xxx/case4/?input="/><script>alert(‘XSS');</script>
CODE BLUE 2016
Example of RXSS Pattern 2:attacking web app
MBSD
<html>
<head>
<meta http-equiv="Content-Type" content="text/html">
<title>Case 4 - RXSS</title>
</head>
<body>
<input type="text" value=""onmouseout=alert('XSS')"">
</body>
</html>
JavaScript is inserted to avoid sanitization.
http://xxx/case4/?input=“onmouseout=alert(‘XSS')”
CODE BLUE 2016
MBSD
 Understanding HTML syntax.
 Understanding JavaScript syntax.
 Avoiding sanitization.
CODE BLUE 2016
3 requirements for detecting RXSS
MBSD CODE BLUE 2016
How do you achieve them?
Our approach
MBSD CODE BLUE 2016
Reverse engineering the human brain.
MBSD CODE BLUE 2016
Each thinking pattern
implemented in machine learning.
Our approach
MBSD
 Understanding HTML syntax.
 Understanding JavaScript syntax.
 Avoiding sanitization.
CODE BLUE 2016
3 requirements for detecting RXSS
MBSD
Understanding of HTML/JavaScript syntax by machines
Using LSTM
CODE BLUE 2016
What is LSTM(Long-Short Term Memory)?
It can learn chronological data.
It can learn dependencies in short & long term data.
MBSD
examples)
 Machine translation.
 Text generation. (novel, lyrics, source code)
 Sound generation. (music, human voice)
CODE BLUE 2016
What is LSTM(Long-Short Term Memory)?
It can learn chronological data.
It can learn dependencies in short & long term data.
MBSD
examples)
 Machine translation.
 Text generation. (novel, Lyrics, source code)
 Sound generation. (music, human voice)
CODE BLUE 2016
Example of the use of the text generation.
MBSD CODE BLUE 2016
Generation of source code.(from Andrej Karpathy blog)
static int indicate_policy(void)
{
int error;
if (fd == MARN_EPT) {
if (ss->segment < mem_total)
unblock_set_blocked();
else
ret = 1;
goto bail;
}
segaddr = in_SB(in.addr);
selector = seg / 16;
・・・
Training Data
static void settings(struct *tty)
{
if (tty == tty)
disable_single_st_p(dev);
pci_disable_spool(port);
return 0;
}
static void command(struct seq_file *m)
{
int column = 32 << (cmd[2] & 0x80);
if (state)
・・・
Generated source code by LSTM
It can generate a code from the starting point (seed).
Why LSTM?
MBSD
<!doctype html><html><head><title>Reflected XSS in
textarea (textarea1)</title></head><body>
<H2>Textarea injection test</H2>
<FORM>
<textarea name="in" rows="5" cols="60">xxx</textarea>
・・・
http://xxx/textarea1?in=xxx
CODE BLUE 2016
Input value is echoed in the TEXTAREA tag.
MBSD
<!doctype html><html><head><title>Reflected XSS in
textarea (textarea1)</title></head><body>
<H2>Textarea injection test</H2>
<FORM>
<textarea name="in" rows="5" cols="60">
<script>alert('XSS');</script></textarea>
・・・
http://xxx/textarea1?in=<script>alert(‘XSS’);</script>
JavaScript doesn’t run.
⇒ Simple script injection is not allowed.
CODE BLUE 2016
Why LSTM?
MBSD
<!doctype html><html><head><title>Reflected XSS in
textarea (textarea1)</title></head><body>
<H2>Textarea injection test</H2>
<FORM>
<textarea name="in" rows="5" cols="60">xxx</textarea>
・・・
http://xxx/textarea1?in=xxx
“Is JavaScript inserted after closing the TEXTAREA tag ?”
CODE BLUE 2016
Why LSTM?
MBSD
<!doctype html><html><head><title>Reflected XSS in
textarea (textarea1)</title></head><body>
<H2>Textarea injection test</H2>
<FORM>
<textarea name="in" rows="5"
cols="60"></textarea><script>alert('XSS');</script></t
extarea>
・・・
http://xxx/textarea1?in=</textarea><script>alert(‘XSS’);</script>
CODE BLUE 2016
Understands the context of HTML and inserts a script.
⇒ JavaScript run.
Why LSTM?
MBSD CODE BLUE 2016
How can LSTM be learned ?
Learning data for LSTM (HTML)
MBSD
<abbr class="" data-utime="" title=""></abbr>
<abbr class='' title=''></abbr>
<abbr data-utime='' title=''></abbr>
・・・
<input name="" type="" value=""/>
<input alt="" id="" onclick="" src="" type=""/>
<input alt='' id="" src='' type=''/>
<input alt='' name='' src='' type=''/>
・・・
<video autoplay="" loop="" muted=""></video>
<video class="" height="" id="" width=""></video>
<video src='' tabindex=''></video>
<video src=''></video>
20,000 pages of HTML syntax. (about 12,000 types)
CODE BLUE 2016
MBSD
_satellite.pageBottom();']
(function(window) {
var _gaq = _gaq || [];
var methods = ['log', 'dir', 'trace'];
if (typeof window.console === 'undefined') {
window.console = {};
}
for (var i in methods) {
if (!(methods[i] in window.console)) {
window.console[methods[i]] = function() {};
}
}
}(window));
CODE BLUE 2016
10,000 pages of JavaScript syntax.
Learning data for LSTM (JavaScript)
Generated syntax by learned LSTM (one example)
MBSD
Seed Generated syntax
<textarea cols="60">xxx </textarea>
<!– mbsdtest xxx -->
<input type="" value=“xxx ">
var hoge = ['log', ‘xxx red’];¥r¥n
/* mbsdtest xxx */
function(){ xxx }¥r¥n
CODE BLUE 2016
It can generate a syntax from the seeds.
MBSD
 Understanding HTML syntax (✔).
 Understanding JavaScript syntax (✔).
 Avoiding sanitization.
CODE BLUE 2016
3 requirements for detecting RXSS
Avoidance of sanitization by machines
MBSD CODE BLUE 2016
Using Multilayer perceptron &
Q-Learning.
MBSD
・
・
・
・
・
・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL
encode
Test pattern
Event
handler
・
・
・
Q-Learning
Model to avoid sanitization
・
・
・
“ ⇒ &quot;
< ⇒ &lt;
・・・
Sanitize
> ⇒ &gt;
Learns the pattern of avoiding sanitization while attempting to test.
CODE BLUE 2016
observe
state
evaluate
update
weight
MBSD
・
・
・
・
・
・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL
encode
Test pattern
Event
handler
・
・
・
Q-Learning
Model to avoid sanitization.
・
・
・
“ ⇒ &quot;
< ⇒ &lt;
・・・
Sanitize
> ⇒ &gt;
CODE BLUE 2016
observe
state
evaluate
update
weight
Patterns of Output point
MBSD
Output point Example
attribute value :「”」 <~value="xxx">
attribute value :「'」 <~value='xxx'>
attribute value : noquote <~value=xxx>
JavaScript <script>xxx</script>
outside of HTML tags <~>xxx</~>
CODE BLUE 2016
MBSD CODE BLUE 2016
Model to avoid sanitization
・
・
・
・
・
・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL
encode
Test pattern
Event
handler
・
・
・
Q-Learning
・
・
・
“ ⇒ &quot;
< ⇒ &lt;
・・・
Sanitize
> ⇒ &gt;
observe
state
evaluate
update
weight
Patterns of sanitization
MBSD
Sanitization Example
「“」: translate entity reference, exclude 「”」⇒「&quot;」
「‘」: translate entity reference, exclude 「’」⇒「&apos;」
「<」: translate entity reference, exclude 「<」⇒「&lt;」
「>」: translate entity reference, exclude 「>」⇒「&gt;」
「alert();」: exclude 「alert();」⇒「」
CODE BLUE 2016
MBSD CODE BLUE 2016
Model to avoid sanitization
・
・
・
・
・
・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL
encode
Test pattern
Event
handler
・
・
・
Q-Learning
・
・
・
“ ⇒ &quot;
< ⇒ &lt;
・・・
Sanitize
> ⇒ &gt;
observe
state
evaluate
update
weight
Test patterns(one example)
MBSD
Output point Test pattern
attribute value :「”」
attribute value :「'」
attribute value : noquote
outside of HTML tags
“event handler
"><sCriPt>xxx
"><img src=xxx
‘event handler
‘><sCriPt>xxx
<svg/onload=alert()>
<sCriPt>xxx</sCriPt>
JavaScript
";alert();//
[CR][LF]alert();
¥";alert();//
CODE BLUE 2016
MBSD
Inputs ”Output point" and "pattern of sanitization" to MLP.
CODE BLUE 2016
・
・
・
・
・
・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL
encode
Test pattern
Event
handler
・
・
・
Q-Learning
・
・
・
“ ⇒ &quot;
< ⇒ &lt;
・・・
Sanitize
> ⇒ &gt;
observe
state
evaluate
update
weight
Learning flow
MBSD CODE BLUE 2016
・
・
・
・
・
・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL
encode
Test pattern
Event
handler
・
・
・
Q-Learning
・
・
・
“ ⇒ &quot;
< ⇒ &lt;
・・・
Sanitize
> ⇒ &gt;
observe
state
evaluate
update
weight
Learning flow
Selects any test pattern from the input of MLP.
MBSD CODE BLUE 2016
・
・
・
・
・
・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL
encode
Test pattern
Event
handler
・
・
・
Q-Learning
・
・
・
“ ⇒ &quot;
< ⇒ &lt;
・・・
Sanitize
> ⇒ &gt;
observe
state
evaluate
update
weight
Learning flow
Attempts to test using the selected test pattern of MLP.
MBSD CODE BLUE 2016
・
・
・
・
・
・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL
encode
Test pattern
Event
handler
・
・
・
Q-Learning
・
・
・
“ ⇒ &quot;
< ⇒ &lt;
・・・
Sanitize
> ⇒ &gt;
observe
state
evaluate
update
weight
Learning flow
Observe the result of the test.
MBSD CODE BLUE 2016
・
・
・
・
・
・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL
encode
Test pattern
Event
handler
・
・
・
Q-Learning
・
・
・
“ ⇒ &quot;
< ⇒ &lt;
・・・
Sanitize
> ⇒ &gt;
observe
state
evaluate
update
weight
Learning flow
Gives a reward depending on the result of the test.
MBSD CODE BLUE 2016
・
・
・
・
・
・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL
encode
Test pattern
Event
handler
・
・
・
Q-Learning
・
・
・
“ ⇒ &quot;
< ⇒ &lt;
・・・
Sanitize
> ⇒ &gt;
observe
state
evaluate
update
weight
Learning flow
Update the weight of MLP using backpropagation.
MBSD CODE BLUE 2016
・
・
・
・
・
・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL
encode
Test pattern
Event
handler
・
・
・
Q-Learning
・
・
・
“ ⇒ &quot;
< ⇒ &lt;
・・・
Sanitize
> ⇒ &gt;
observe
state
evaluate
update
weight
Learning flow.
Learning is completed at approx. 100 attempts.
Problem
MBSD CODE BLUE 2016
100 attempts ⇒ Inefficient
MBSD CODE BLUE 2016
Pre-training.
Solution
MBSD
WAVSEP
CODE BLUE 2016
ReflectedXSS GET Input Vector
Case06 output :SRC attr value of IMG tag.
sanitize :< , > ⇒ &lt; , &gt;
testing value:"onmouseover=alert(3122);"
Case10 output :onClick value of SCRIPT tag.
sanitize :“ , < , > ⇒ &quot; , &lt; , &gt;
testing value:';alert(3122);//
Case27 output :single line comment of JavaScript
sanitize :comment out
testing value:[CR][LF]alert(3122);//
Web Apps for pre-training(one example).
MBSD CODE BLUE 2016
Case06 Case08 Case10 Case27
SAIVS
WAVSEP
Achieve the best test string to avoid each sanitize pattern.
Training SAIVS
Attempts testing & learning
⇒ Each 100 times.
・・・
MBSD
 Understanding HTML syntax (✔).
 Understanding JavaScript syntax (✔).
 Avoiding sanitization (✔).
CODE BLUE 2016
3 requirements for detecting RXSS
MBSD
Test flow of SAIVS
 Primary inspection.
 Secondary inspection.
CODE BLUE 2016
Sends normal request to examine the output point.
MBSD
Web Server
Web Apps
SAIVS
Sends normal request
CODE BLUE 2016
Primary inspection
Recognizes the output point of the input value.
MBSD
Web Server
Web Apps
SAIVS
Sends normal request
Analyzes response
CODE BLUE 2016
<~value="xxx">
Primary inspection.
Extracts the seed based on the output point.
MBSD
Web Server
Web Apps
SAIVS
CODE BLUE 2016
<~value="xxx">
Primary inspection
Sends normal request
Analyzes response
Generates HTML / JavaScript syntax
from the seed. (using learned LSTM)
MBSD
Web Server
Web Apps
SAIVS
CODE BLUE 2016
<~value=“”>
Primary inspection
Sends normal request
Analyzes response
Adds the script to the generated HTML syntax.
MBSD
Web Server
Web Apps
SAIVS
CODE BLUE 2016
<~value=“”><script>alert(3122);</script>
Primary inspection
Analyzes response
Sends normal request
Sends test request to detect RXSS.
MBSD
Web Server
Web Apps
SAIVS
Sends test request
CODE BLUE 2016
<~value=“”><script>alert(3122);</script>
Primary inspection
Determines the presence or absence of RXSS.
RXSS detected ⇒ Test finishes.
Not detected⇒ Secondary inspection.
MBSD
Web Server
Web Apps
SAIVS
CODE BLUE 2016
RXSS?
Analyzes response
Sends test request
Primary inspection
Recognizes the sanitizing pattern.
MBSD
Web Server
Web Apps
SAIVS
CODE BLUE 2016
<~value=“”&gt;&lt;script&gt;alert(3122);・・・
Secondary inspection
Analyzes response
Sends test request
Selects the test pattern to avoid sanitization.
(Using learned MLP)
MBSD
Web Server
Web Apps
SAIVS
CODE BLUE 2016
Event handler?
Secondary inspection
Analyzes response
Sends test request
Sends the test request to avoid sanitization.
MBSD
Web Server
Web Apps
SAIVS
CODE BLUE 2016
Event handler?
Secondary inspection
Resends test request
MBSD
Web Server
Web Apps
SAIVS
CODE BLUE 2016
Secondary inspection
Analyzes response
Sends test request
RXSS?
Determines presence or absence of RXSS.
RXSS detected ⇒ Test finishes.
Not detected ⇒ Repeat secondary inspection.
Demonstration of detecting RXSS
MBSD
Target:webseclab
CODE BLUE 2016
Case Overview
/reflect/full1
output : BODY tag
sanitize : none
/reflect/textarea1
output : TEXTAREA tag
sanitize : none
/reflect/onmouseover
output : attribute value of INPUT tag
sanitize : exclude “</script>”
/reflect/js4_dq
output : SCRIPT tag
sanitize : none
Demonstration of detecting RXSS
MBSD
Target:webseclab
CODE BLUE 2016
Case Overview
/reflect/full1
output : BODY tag
sanitize : none
/reflect/textarea1
output : TEXTAREA tag
sanitize : none
/reflect/onmouseover
output : attribute value of INPUT tag
sanitize : exclude “</script>”
/reflect/js4_dq
output : SCRIPT tag
sanitize : none
MBSD
<!doctype html><html><head><title>Full Javascript
Injection (full.1)</title></head><body>
Hello!<BR>
The value of cgi parameter &quot;in&quot;
is:saivs12345
</body></html>
http://xxx/reflect/full1?in=saivs12345
output :BODY tag
sanitize : None
Case1:Sending normal request
CODE BLUE 2016
MBSD
<!doctype html><html><head><title>Full Javascript
Injection (full.1)</title></head><body>
Hello!<BR>
The value of cgi parameter &quot;in&quot; is:
lasther=''></form>D0i7Q"VW53N'nT7t0<script>alert(3122)
;kc5i3</script>ueFj8
</body></html>
http://xxx/reflect/full1?in=lasther=''%3E%3C/form%3ED0i7Q%22VW
53N'nT7t0%3Cscript%3Ealert(3122);kc5i3%3C/script%3EueFj8
attempted times:1
Case1:Sending test request
CODE BLUE 2016
MBSD
Case1:Demo movie
CODE BLUE 2016
https://www.youtube.com/watch?v=3RkhSED5DQU
Demonstration of detecting RXSS
MBSD
Target:webseclab
CODE BLUE 2016
Case Overview
/reflect/full1
output : BODY tag
sanitize : none
/reflect/textarea1
output : TEXTAREA tag
sanitize : none
/reflect/onmouseover
output : attribute value of INPUT tag
sanitize : exclude “</script>”
/reflect/js4_dq
output : SCRIPT tag
sanitize : none
MBSD
<!doctype html><html><head><title>Reflected XSS in
textarea (textarea1)</title></head><body>
<H2>Textarea injection test</H2>
<p>
<FORM>
<textarea name="in" rows="5" cols="60">saivs12345
</textarea>
<p>
http://xxx/reflect/textarea1?in=saivs12345
CODE BLUE 2016
Case2:Sending normal request
output :TEXTAREA tag
sanitize : None
MBSD
<!doctype html><html><head><title>Reflected XSS in
textarea (textarea1)</title></head><body>
<H2>Textarea injection test</H2>
<p>
<FORM>
<textarea name="in" rows="5" cols="60"></textarea>7Q7p
N"MBPcc'PA6tz<script>alert(3122);WKr8J</script>fowCP</
textarea>
<p>
http://xxx/reflect/textarea1?in=%3C/textarea%3E7Q7pN%22MBPcc'
PA6tz%3Cscript%3Ealert(3122);WKr8J%3C/script%3EfowCP
CODE BLUE 2016
Case2:Sending test request
attempted times:1
MBSD
Case2:Demo movie
CODE BLUE 2016
https://www.youtube.com/watch?v=6UHbMGdqr_0
Demonstration of detecting RXSS
MBSD
Target:webseclab
CODE BLUE 2016
Case Overview
/reflect/full1
output : BODY tag
sanitize : none
/reflect/textarea1
output : TEXTAREA tag
sanitize : none
/reflect/onmouseover
output : attribute value of INPUT tag
sanitize : exclude “</script>”
/reflect/js4_dq
output : SCRIPT tag
sanitize : none
MBSD
<!doctype html><html>
<head><title>Reflected XSS - attribute injection in ta
gs (dq.2)</title></head><body>
<H2>Update Your Preferences</H2><p>
<FORM>
Homepage: <input value=""><script>alert()" name="in" s
ize="40"><BR>
http://xxx/xss/reflect/onmouseover?in=”><script>alert()</script>
CODE BLUE 2016
Case 3:Sending normal request
output :INPUT tag
sanitize : exclude “</script>”
MBSD
<!doctype html><html>
<head><title>Reflected XSS - attribute injection in
tags (dq.2)</title></head><body>
<H2>Update Your Preferences</H2><p>
<FORM>
Homepage: <input value=""> <option s onmouseover=alert
(3122);//" name="in" size="40"><BR>
http://xxx/xss/reflect/onmouseover?in=%22%3E%3C/option%3E%3
Coption%20s%20onmouseover=alert(3122);//
CODE BLUE 2016
Case 3:Sending test request.
attempted times:3
MBSD
Case 3:Demo movie
CODE BLUE 2016
https://www.youtube.com/watch?v=-r3C1moUVqU
Demonstration of detecting RXSS
MBSD
Target:webseclab
CODE BLUE 2016
Case Overview
/reflect/full1
output : BODY tag
sanitize : none
/reflect/textarea1
output : TEXTAREA tag
sanitize : none
/reflect/onmouseover
output : attribute value of INPUT tag
sanitize : exclude “</script>”
/reflect/js4_dq
output : SCRIPT tag
sanitize : none
MBSD
<!doctype html><html><head><title>JavaScript and
double-quote injection in JS block (js.4)</title>
</head><body>
<script language="javascript">
var f = {
date: "",
week: "1",
bad: "saivs12345",
phase: "2",
http://xxx/xss/reflect/js4_dq?in=saivs12345
CODE BLUE 2016
Case 4:Sending normal request
output :SCRIPT tag
sanitize : None
MBSD
<!doctype html><html><head><title>JavaScript and
double-quote injection in JS block (js.4)</title>
</head><body>
<script language="javascript">
var f = {
date: "",
week: "1",
bad: "6",
skuI;alert(3122);//1VU7k",
phase: "2",
http://xxx/xss/reflect/js4_dq?in=6%22,%0A%20%20%20%20%20%20
%20%20%20%20%20%20skuI;alert(3122);//1VU7k
CODE BLUE 2016
Case 4:Sending test request
attempted times:1
MBSD
Case 4:Demo movie
CODE BLUE 2016
https://www.youtube.com/watch?v=Pf2lSB25C3M
Abilities of SAIVS
MBSD
 Crawls web apps. (✔)
 Detects vulnerabilities. (✔)
CODE BLUE 2016
MBSD CODE BLUE 2016
“Detect RXSS while crawling web apps.”
Realized fully automatically.
Abilities of SAIVS
MBSD
Target:OWASP Broken Web Apps Google Gruyere
CODE BLUE 2016
Demonstration of SAIVS
MBSD CODE BLUE 2016
Top Sign up
Login New snippet
Sign up
complete
1.Create an account in “Sign up”.
2.Log in.
3.Register Snippet.
4.Update Profile.
Profile
New snippet
register
Profile
update
Demonstration of SAIVS
vulnerability
MBSD CODE BLUE 2016
Top Sign up
Login New snippet
Sign up
complete
Profile
New snippet
register
Profile
update
1.Create an account in “Sign up”.
2.Log in.
3.Register Snippet.
4.Update Profile.
Demonstration of SAIVS
MBSD CODE BLUE 2016
Top Sign up
Login New snippet
Sign up
complete
Profile
New snippet
register
Profile
update
Demonstration of SAIVS
1.Create an account in “Sign up”.
2.Log in.
3.Register Snippet.
4.Update Profile.
MBSD CODE BLUE 2016
Top Sign up
Login New snippet
Sign up
complete
Profile
New snippet
register
Profile
update
Demonstration of SAIVS
1.Create an account in “Sign up”.
2.Log in.
3.Register Snippet.
4.Update Profile.
MBSD CODE BLUE 2016
Top Sign up
Login
Sign up
complete
Profile Profile
update
New snippet
New snippet
register
Demonstration of SAIVS
1.Create an account in “Sign up”.
2.Log in.
3.Register Snippet.
4.Update Profile.
MBSD CODE BLUE 2016
Function name Overview
New snippet register
output : BODY tag
sanitize : exclude SCRIPT tag
Profile update
output : A tag
sanitize : < , > ⇒ &lt; , &gt;
Demonstration of SAIVS
MBSD CODE BLUE 2016
Demonstration of SAIVS
https://www.youtube.com/watch?v=N5d9oM0NcM0
MBSD
 Strengthening the page crawling capability.
 Responding to complex web apps.
 Responding to CAPTCHA.
CODE BLUE 2016
Future prospects
 Strengthening the detecting vulnerabilities capability.
 Responding to complex RXSS patterns.
 Responding to other vulnerabilities.
• Download “.PDF” version of this document:
≫ http://www.mbsd.jp
MBSD

More Related Content

What's hot

How to Evaluate, Rollout, and Operationalize Your SD-WAN Projects
How to Evaluate, Rollout, and Operationalize Your SD-WAN ProjectsHow to Evaluate, Rollout, and Operationalize Your SD-WAN Projects
How to Evaluate, Rollout, and Operationalize Your SD-WAN Projects
ThousandEyes
 
Email phishing and countermeasures
Email phishing and countermeasuresEmail phishing and countermeasures
Email phishing and countermeasures
Jorge Sebastiao
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Scott Hurrey
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
Mohammed A. Imran
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
Jerome Smith
 
Security Policy Checklist
Security Policy ChecklistSecurity Policy Checklist
Security Policy Checklist
backdoor
 
WEB ve MOBİL SIZMA TESTLERİ
WEB ve MOBİL SIZMA TESTLERİ WEB ve MOBİL SIZMA TESTLERİ
WEB ve MOBİL SIZMA TESTLERİ
BGA Cyber Security
 
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware Saldırıları
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware SaldırılarıBir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware Saldırıları
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware Saldırıları
BGA Cyber Security
 
Mitre ATT&CK Kullanarak Etkin Saldırı Tespiti
Mitre ATT&CK Kullanarak Etkin Saldırı TespitiMitre ATT&CK Kullanarak Etkin Saldırı Tespiti
Mitre ATT&CK Kullanarak Etkin Saldırı Tespiti
BGA Cyber Security
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITIS
Null Bhubaneswar
 
Spam & Phishing
Spam & PhishingSpam & Phishing
Spam & Phishing
GrittyCC
 
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
International Federation of Accountants
 
Cyber Resilience: managing 3rd Party Risks in Financial Services
Cyber Resilience: managing 3rd Party Risks in Financial ServicesCyber Resilience: managing 3rd Party Risks in Financial Services
Cyber Resilience: managing 3rd Party Risks in Financial Services
Kevin Duffey
 
Bug Bounty - Hackers Job
Bug Bounty - Hackers JobBug Bounty - Hackers Job
Bug Bounty - Hackers Job
Arbin Godar
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
kinish kumar
 
CSRF Basics
CSRF BasicsCSRF Basics
Kesif ve Zafiyet Tarama
Kesif ve Zafiyet TaramaKesif ve Zafiyet Tarama
Kesif ve Zafiyet Tarama
Ferhat Ozgur Catak
 
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScanHow to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
ControlScan, Inc.
 
Web Güvenlik Açıkları ve Kullanımı (Geniş Anlatım)
Web Güvenlik Açıkları ve Kullanımı (Geniş Anlatım)Web Güvenlik Açıkları ve Kullanımı (Geniş Anlatım)
Web Güvenlik Açıkları ve Kullanımı (Geniş Anlatım)
Mehmet Kelepçe
 

What's hot (20)

How to Evaluate, Rollout, and Operationalize Your SD-WAN Projects
How to Evaluate, Rollout, and Operationalize Your SD-WAN ProjectsHow to Evaluate, Rollout, and Operationalize Your SD-WAN Projects
How to Evaluate, Rollout, and Operationalize Your SD-WAN Projects
 
Email phishing and countermeasures
Email phishing and countermeasuresEmail phishing and countermeasures
Email phishing and countermeasures
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
 
Security Policy Checklist
Security Policy ChecklistSecurity Policy Checklist
Security Policy Checklist
 
WEB ve MOBİL SIZMA TESTLERİ
WEB ve MOBİL SIZMA TESTLERİ WEB ve MOBİL SIZMA TESTLERİ
WEB ve MOBİL SIZMA TESTLERİ
 
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware Saldırıları
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware SaldırılarıBir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware Saldırıları
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware Saldırıları
 
Mitre ATT&CK Kullanarak Etkin Saldırı Tespiti
Mitre ATT&CK Kullanarak Etkin Saldırı TespitiMitre ATT&CK Kullanarak Etkin Saldırı Tespiti
Mitre ATT&CK Kullanarak Etkin Saldırı Tespiti
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITIS
 
Spam & Phishing
Spam & PhishingSpam & Phishing
Spam & Phishing
 
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
 
Cyber Resilience: managing 3rd Party Risks in Financial Services
Cyber Resilience: managing 3rd Party Risks in Financial ServicesCyber Resilience: managing 3rd Party Risks in Financial Services
Cyber Resilience: managing 3rd Party Risks in Financial Services
 
Bug Bounty - Hackers Job
Bug Bounty - Hackers JobBug Bounty - Hackers Job
Bug Bounty - Hackers Job
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basics
 
Kesif ve Zafiyet Tarama
Kesif ve Zafiyet TaramaKesif ve Zafiyet Tarama
Kesif ve Zafiyet Tarama
 
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScanHow to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
 
Web Güvenlik Açıkları ve Kullanımı (Geniş Anlatım)
Web Güvenlik Açıkları ve Kullanımı (Geniş Anlatım)Web Güvenlik Açıkları ve Kullanımı (Geniş Anlatım)
Web Güvenlik Açıkları ve Kullanımı (Geniş Anlatım)
 

Viewers also liked

AISECjp SAIVS(Spider Artificial Intelligence Vulnerability Scanner)
AISECjp SAIVS(Spider Artificial Intelligence Vulnerability Scanner)AISECjp SAIVS(Spider Artificial Intelligence Vulnerability Scanner)
AISECjp SAIVS(Spider Artificial Intelligence Vulnerability Scanner)
Isao Takaesu
 
Meeting management (ppt)
Meeting management (ppt) Meeting management (ppt)
Meeting management (ppt)
ING
 
introduce "Stealing Machine Learning Models via Prediction APIs"
introduce "Stealing Machine Learning Models  via Prediction APIs"introduce "Stealing Machine Learning Models  via Prediction APIs"
introduce "Stealing Machine Learning Models via Prediction APIs"
Isao Takaesu
 
機械学習でWebアプリの脆弱性を見つける - Reflected XSS 編 -
機械学習でWebアプリの脆弱性を見つける - Reflected XSS 編 -機械学習でWebアプリの脆弱性を見つける - Reflected XSS 編 -
機械学習でWebアプリの脆弱性を見つける - Reflected XSS 編 -
Isao Takaesu
 
CODE BLUE 2016 - 機械学習でWebアプリケーションの脆弱性を見つける方法
CODE BLUE 2016 - 機械学習でWebアプリケーションの脆弱性を見つける方法CODE BLUE 2016 - 機械学習でWebアプリケーションの脆弱性を見つける方法
CODE BLUE 2016 - 機械学習でWebアプリケーションの脆弱性を見つける方法
Isao Takaesu
 
Discussion AIの脆弱性について
Discussion AIの脆弱性についてDiscussion AIの脆弱性について
Discussion AIの脆弱性について
Isao Takaesu
 
機械学習を使ったハッキング手法
機械学習を使ったハッキング手法機械学習を使ったハッキング手法
機械学習を使ったハッキング手法
Isao Takaesu
 
Армия освобождения домохозяек: структура, состав вооружений, методы коммуникации
Армия освобождения домохозяек: структура, состав вооружений, методы коммуникацииАрмия освобождения домохозяек: структура, состав вооружений, методы коммуникации
Армия освобождения домохозяек: структура, состав вооружений, методы коммуникации
Andrew Petukhov
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Porfirio Tramontana
 
C Overflows Vulnerabilities Exploit Taxonomy And Evaluation on Static Analysi...
C Overflows Vulnerabilities Exploit Taxonomy And Evaluation on Static Analysi...C Overflows Vulnerabilities Exploit Taxonomy And Evaluation on Static Analysi...
C Overflows Vulnerabilities Exploit Taxonomy And Evaluation on Static Analysi...
Nurul Haszeli Ahmad
 
Analysis of field data on web security vulnerabilities
Analysis of field data on web security vulnerabilities Analysis of field data on web security vulnerabilities
Analysis of field data on web security vulnerabilities
Papitha Velumani
 
Analysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security VulnerabilitiesAnalysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security Vulnerabilities
KaashivInfoTech Company
 
2012 04 Analysis Techniques for Mobile OS Security
2012 04 Analysis Techniques for Mobile OS Security2012 04 Analysis Techniques for Mobile OS Security
2012 04 Analysis Techniques for Mobile OS Security
Raleigh ISSA
 
A Study on Dynamic Detection of Web Application Vulnerabilities
A Study on Dynamic Detection of Web Application VulnerabilitiesA Study on Dynamic Detection of Web Application Vulnerabilities
A Study on Dynamic Detection of Web Application Vulnerabilities
Yuji Kosuga
 
ITエンジニアのための機械学習理論入門 第5章
ITエンジニアのための機械学習理論入門 第5章ITエンジニアのための機械学習理論入門 第5章
ITエンジニアのための機械学習理論入門 第5章
Isao Takaesu
 
Aiにwebアプリ診断をやらせてみる
Aiにwebアプリ診断をやらせてみるAiにwebアプリ診断をやらせてみる
Aiにwebアプリ診断をやらせてみる
Isao Takaesu
 
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
Andrew Petukhov
 
Codeblue
CodeblueCodeblue
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEWEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
Ajith Kp
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructure
Andrew Petukhov
 

Viewers also liked (20)

AISECjp SAIVS(Spider Artificial Intelligence Vulnerability Scanner)
AISECjp SAIVS(Spider Artificial Intelligence Vulnerability Scanner)AISECjp SAIVS(Spider Artificial Intelligence Vulnerability Scanner)
AISECjp SAIVS(Spider Artificial Intelligence Vulnerability Scanner)
 
Meeting management (ppt)
Meeting management (ppt) Meeting management (ppt)
Meeting management (ppt)
 
introduce "Stealing Machine Learning Models via Prediction APIs"
introduce "Stealing Machine Learning Models  via Prediction APIs"introduce "Stealing Machine Learning Models  via Prediction APIs"
introduce "Stealing Machine Learning Models via Prediction APIs"
 
機械学習でWebアプリの脆弱性を見つける - Reflected XSS 編 -
機械学習でWebアプリの脆弱性を見つける - Reflected XSS 編 -機械学習でWebアプリの脆弱性を見つける - Reflected XSS 編 -
機械学習でWebアプリの脆弱性を見つける - Reflected XSS 編 -
 
CODE BLUE 2016 - 機械学習でWebアプリケーションの脆弱性を見つける方法
CODE BLUE 2016 - 機械学習でWebアプリケーションの脆弱性を見つける方法CODE BLUE 2016 - 機械学習でWebアプリケーションの脆弱性を見つける方法
CODE BLUE 2016 - 機械学習でWebアプリケーションの脆弱性を見つける方法
 
Discussion AIの脆弱性について
Discussion AIの脆弱性についてDiscussion AIの脆弱性について
Discussion AIの脆弱性について
 
機械学習を使ったハッキング手法
機械学習を使ったハッキング手法機械学習を使ったハッキング手法
機械学習を使ったハッキング手法
 
Армия освобождения домохозяек: структура, состав вооружений, методы коммуникации
Армия освобождения домохозяек: структура, состав вооружений, методы коммуникацииАрмия освобождения домохозяек: структура, состав вооружений, методы коммуникации
Армия освобождения домохозяек: структура, состав вооружений, методы коммуникации
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web Applications
 
C Overflows Vulnerabilities Exploit Taxonomy And Evaluation on Static Analysi...
C Overflows Vulnerabilities Exploit Taxonomy And Evaluation on Static Analysi...C Overflows Vulnerabilities Exploit Taxonomy And Evaluation on Static Analysi...
C Overflows Vulnerabilities Exploit Taxonomy And Evaluation on Static Analysi...
 
Analysis of field data on web security vulnerabilities
Analysis of field data on web security vulnerabilities Analysis of field data on web security vulnerabilities
Analysis of field data on web security vulnerabilities
 
Analysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security VulnerabilitiesAnalysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security Vulnerabilities
 
2012 04 Analysis Techniques for Mobile OS Security
2012 04 Analysis Techniques for Mobile OS Security2012 04 Analysis Techniques for Mobile OS Security
2012 04 Analysis Techniques for Mobile OS Security
 
A Study on Dynamic Detection of Web Application Vulnerabilities
A Study on Dynamic Detection of Web Application VulnerabilitiesA Study on Dynamic Detection of Web Application Vulnerabilities
A Study on Dynamic Detection of Web Application Vulnerabilities
 
ITエンジニアのための機械学習理論入門 第5章
ITエンジニアのための機械学習理論入門 第5章ITエンジニアのための機械学習理論入門 第5章
ITエンジニアのための機械学習理論入門 第5章
 
Aiにwebアプリ診断をやらせてみる
Aiにwebアプリ診断をやらせてみるAiにwebアプリ診断をやらせてみる
Aiにwebアプリ診断をやらせてみる
 
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
 
Codeblue
CodeblueCodeblue
Codeblue
 
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEWEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructure
 

Similar to CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps

Using AEM in a customer global multi-channel program
Using AEM in a customer global multi-channel programUsing AEM in a customer global multi-channel program
Using AEM in a customer global multi-channel program
Meryll Blanchet
 
Mi0039 e-commerce
Mi0039  e-commerceMi0039  e-commerce
Mi0039 e-commerce
smumbahelp
 
CODE BLUE 2014 : Microsoft Vulnerability Research: How to be a Finder as a Ve...
CODE BLUE 2014 : Microsoft Vulnerability Research: How to be a Finder as a Ve...CODE BLUE 2014 : Microsoft Vulnerability Research: How to be a Finder as a Ve...
CODE BLUE 2014 : Microsoft Vulnerability Research: How to be a Finder as a Ve...
CODE BLUE
 
Introduction to-lead-management (force plus - march 2016)(en)
Introduction to-lead-management (force plus - march 2016)(en)Introduction to-lead-management (force plus - march 2016)(en)
Introduction to-lead-management (force plus - march 2016)(en)
Vincent Moreau
 
Introduction to-lead-management (force plus - march 2016)(en)
Introduction to-lead-management (force plus - march 2016)(en)Introduction to-lead-management (force plus - march 2016)(en)
Introduction to-lead-management (force plus - march 2016)(en)
Vincent Moreau
 
Qr code (quick response code)
Qr code (quick response code)Qr code (quick response code)
Qr code (quick response code)
Rohan Sawant
 
Becoming an Experience Business
Becoming an Experience BusinessBecoming an Experience Business
Becoming an Experience Business
Jamie Brighton
 
How to generate sequential, random and constant series barcodes?
How to generate sequential, random and constant series barcodes?How to generate sequential, random and constant series barcodes?
How to generate sequential, random and constant series barcodes?
Tarun Tyagi
 
La trasformazione digitale è una questione di customer experience e d’innovaz...
La trasformazione digitale è una questione di customer experience e d’innovaz...La trasformazione digitale è una questione di customer experience e d’innovaz...
La trasformazione digitale è una questione di customer experience e d’innovaz...
InSide Training
 
Business canva-nov-15
Business canva-nov-15Business canva-nov-15
Business canva-nov-15
hassanAli327774
 
Adobe Summit, Andy Betts @andybetts1 @PeterKrmpotic Content Optimization Fram...
Adobe Summit, Andy Betts @andybetts1 @PeterKrmpotic Content Optimization Fram...Adobe Summit, Andy Betts @andybetts1 @PeterKrmpotic Content Optimization Fram...
Adobe Summit, Andy Betts @andybetts1 @PeterKrmpotic Content Optimization Fram...
Andy Betts
 
Creating Epic Customer Experiences - Jamie Anderson - Adobe Summit 2019 - Mar...
Creating Epic Customer Experiences - Jamie Anderson - Adobe Summit 2019 - Mar...Creating Epic Customer Experiences - Jamie Anderson - Adobe Summit 2019 - Mar...
Creating Epic Customer Experiences - Jamie Anderson - Adobe Summit 2019 - Mar...
Marketo
 
Manual para el uso de Codigo Qr
Manual para el uso de Codigo QrManual para el uso de Codigo Qr
Manual para el uso de Codigo Qr
Silvia Cardona
 
Gateway to Agile: XP and BDD
Gateway to Agile: XP and BDD Gateway to Agile: XP and BDD
Gateway to Agile: XP and BDD
Gervais Johnson, Advisor
 
Smart Data with Google's Universal Analytics
Smart Data with Google's Universal AnalyticsSmart Data with Google's Universal Analytics
Smart Data with Google's Universal Analytics
Adrian Vender
 
Simmethod from software as a service to outcomes as a service, oracle, sap an...
Simmethod from software as a service to outcomes as a service, oracle, sap an...Simmethod from software as a service to outcomes as a service, oracle, sap an...
Simmethod from software as a service to outcomes as a service, oracle, sap an...
SIMMETHOD: Converting Information Into Assets
 
Talent Brand Trends: What's in store for 2016? [Webcast}
Talent Brand Trends: What's in store for 2016? [Webcast}Talent Brand Trends: What's in store for 2016? [Webcast}
Talent Brand Trends: What's in store for 2016? [Webcast}
LinkedIn Talent Solutions
 
Cyber Warrior - Business in Gulf 2017
Cyber Warrior - Business in Gulf  2017Cyber Warrior - Business in Gulf  2017
Cyber Warrior - Business in Gulf 2017
CTM360
 
Oli Gardner SMD Warsaw 2014 - Advanced Landing Page Optimization With Conve...
Oli Gardner  SMD Warsaw 2014  - Advanced Landing Page Optimization With Conve...Oli Gardner  SMD Warsaw 2014  - Advanced Landing Page Optimization With Conve...
Oli Gardner SMD Warsaw 2014 - Advanced Landing Page Optimization With Conve...
Joanna Gęsicka
 
Top Tips to Increase Website Organic Traffic in 2022 - Russ Macumber, Impress...
Top Tips to Increase Website Organic Traffic in 2022 - Russ Macumber, Impress...Top Tips to Increase Website Organic Traffic in 2022 - Russ Macumber, Impress...
Top Tips to Increase Website Organic Traffic in 2022 - Russ Macumber, Impress...
DigiMarCon - Digital Marketing, Media and Advertising Conferences & Exhibitions
 

Similar to CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps (20)

Using AEM in a customer global multi-channel program
Using AEM in a customer global multi-channel programUsing AEM in a customer global multi-channel program
Using AEM in a customer global multi-channel program
 
Mi0039 e-commerce
Mi0039  e-commerceMi0039  e-commerce
Mi0039 e-commerce
 
CODE BLUE 2014 : Microsoft Vulnerability Research: How to be a Finder as a Ve...
CODE BLUE 2014 : Microsoft Vulnerability Research: How to be a Finder as a Ve...CODE BLUE 2014 : Microsoft Vulnerability Research: How to be a Finder as a Ve...
CODE BLUE 2014 : Microsoft Vulnerability Research: How to be a Finder as a Ve...
 
Introduction to-lead-management (force plus - march 2016)(en)
Introduction to-lead-management (force plus - march 2016)(en)Introduction to-lead-management (force plus - march 2016)(en)
Introduction to-lead-management (force plus - march 2016)(en)
 
Introduction to-lead-management (force plus - march 2016)(en)
Introduction to-lead-management (force plus - march 2016)(en)Introduction to-lead-management (force plus - march 2016)(en)
Introduction to-lead-management (force plus - march 2016)(en)
 
Qr code (quick response code)
Qr code (quick response code)Qr code (quick response code)
Qr code (quick response code)
 
Becoming an Experience Business
Becoming an Experience BusinessBecoming an Experience Business
Becoming an Experience Business
 
How to generate sequential, random and constant series barcodes?
How to generate sequential, random and constant series barcodes?How to generate sequential, random and constant series barcodes?
How to generate sequential, random and constant series barcodes?
 
La trasformazione digitale è una questione di customer experience e d’innovaz...
La trasformazione digitale è una questione di customer experience e d’innovaz...La trasformazione digitale è una questione di customer experience e d’innovaz...
La trasformazione digitale è una questione di customer experience e d’innovaz...
 
Business canva-nov-15
Business canva-nov-15Business canva-nov-15
Business canva-nov-15
 
Adobe Summit, Andy Betts @andybetts1 @PeterKrmpotic Content Optimization Fram...
Adobe Summit, Andy Betts @andybetts1 @PeterKrmpotic Content Optimization Fram...Adobe Summit, Andy Betts @andybetts1 @PeterKrmpotic Content Optimization Fram...
Adobe Summit, Andy Betts @andybetts1 @PeterKrmpotic Content Optimization Fram...
 
Creating Epic Customer Experiences - Jamie Anderson - Adobe Summit 2019 - Mar...
Creating Epic Customer Experiences - Jamie Anderson - Adobe Summit 2019 - Mar...Creating Epic Customer Experiences - Jamie Anderson - Adobe Summit 2019 - Mar...
Creating Epic Customer Experiences - Jamie Anderson - Adobe Summit 2019 - Mar...
 
Manual para el uso de Codigo Qr
Manual para el uso de Codigo QrManual para el uso de Codigo Qr
Manual para el uso de Codigo Qr
 
Gateway to Agile: XP and BDD
Gateway to Agile: XP and BDD Gateway to Agile: XP and BDD
Gateway to Agile: XP and BDD
 
Smart Data with Google's Universal Analytics
Smart Data with Google's Universal AnalyticsSmart Data with Google's Universal Analytics
Smart Data with Google's Universal Analytics
 
Simmethod from software as a service to outcomes as a service, oracle, sap an...
Simmethod from software as a service to outcomes as a service, oracle, sap an...Simmethod from software as a service to outcomes as a service, oracle, sap an...
Simmethod from software as a service to outcomes as a service, oracle, sap an...
 
Talent Brand Trends: What's in store for 2016? [Webcast}
Talent Brand Trends: What's in store for 2016? [Webcast}Talent Brand Trends: What's in store for 2016? [Webcast}
Talent Brand Trends: What's in store for 2016? [Webcast}
 
Cyber Warrior - Business in Gulf 2017
Cyber Warrior - Business in Gulf  2017Cyber Warrior - Business in Gulf  2017
Cyber Warrior - Business in Gulf 2017
 
Oli Gardner SMD Warsaw 2014 - Advanced Landing Page Optimization With Conve...
Oli Gardner  SMD Warsaw 2014  - Advanced Landing Page Optimization With Conve...Oli Gardner  SMD Warsaw 2014  - Advanced Landing Page Optimization With Conve...
Oli Gardner SMD Warsaw 2014 - Advanced Landing Page Optimization With Conve...
 
Top Tips to Increase Website Organic Traffic in 2022 - Russ Macumber, Impress...
Top Tips to Increase Website Organic Traffic in 2022 - Russ Macumber, Impress...Top Tips to Increase Website Organic Traffic in 2022 - Russ Macumber, Impress...
Top Tips to Increase Website Organic Traffic in 2022 - Russ Macumber, Impress...
 

More from Isao Takaesu

Deep Exploit@Black Hat Europe 2018 Arsenal
Deep Exploit@Black Hat Europe 2018 ArsenalDeep Exploit@Black Hat Europe 2018 Arsenal
Deep Exploit@Black Hat Europe 2018 Arsenal
Isao Takaesu
 
OSSで作る機械学習を用いたペネトレーションテストツール
OSSで作る機械学習を用いたペネトレーションテストツールOSSで作る機械学習を用いたペネトレーションテストツール
OSSで作る機械学習を用いたペネトレーションテストツール
Isao Takaesu
 
サイバーセキュリティ錬金術 - ノイズから価値あるデータを生成する技術 -
サイバーセキュリティ錬金術 - ノイズから価値あるデータを生成する技術 -サイバーセキュリティ錬金術 - ノイズから価値あるデータを生成する技術 -
サイバーセキュリティ錬金術 - ノイズから価値あるデータを生成する技術 -
Isao Takaesu
 
ハニーポッター技術交流会
ハニーポッター技術交流会ハニーポッター技術交流会
ハニーポッター技術交流会
Isao Takaesu
 
サイバーセキュリティ錬金術
サイバーセキュリティ錬金術サイバーセキュリティ錬金術
サイバーセキュリティ錬金術
Isao Takaesu
 
GAとGANによる検査値の自動生成
GAとGANによる検査値の自動生成GAとGANによる検査値の自動生成
GAとGANによる検査値の自動生成
Isao Takaesu
 
Pythonと機械学習によるWebセキュリティの自動化
Pythonと機械学習によるWebセキュリティの自動化Pythonと機械学習によるWebセキュリティの自動化
Pythonと機械学習によるWebセキュリティの自動化
Isao Takaesu
 
脆弱性診断データの活用例 - Webアプリケーション診断編 -
脆弱性診断データの活用例 - Webアプリケーション診断編 -脆弱性診断データの活用例 - Webアプリケーション診断編 -
脆弱性診断データの活用例 - Webアプリケーション診断編 -
Isao Takaesu
 
RECOMMENDER for Web security engineers - 中級編 -
RECOMMENDER for Web security engineers - 中級編 -RECOMMENDER for Web security engineers - 中級編 -
RECOMMENDER for Web security engineers - 中級編 -
Isao Takaesu
 
RECOMMENDER for Web security engineers - 初級編 -
RECOMMENDER for Web security engineers - 初級編 -RECOMMENDER for Web security engineers - 初級編 -
RECOMMENDER for Web security engineers - 初級編 -
Isao Takaesu
 
Convolutional Neural Networkに対する攻撃手法
Convolutional Neural Networkに対する攻撃手法Convolutional Neural Networkに対する攻撃手法
Convolutional Neural Networkに対する攻撃手法
Isao Takaesu
 
機械学習関連情報の収集方法
機械学習関連情報の収集方法機械学習関連情報の収集方法
機械学習関連情報の収集方法
Isao Takaesu
 

More from Isao Takaesu (12)

Deep Exploit@Black Hat Europe 2018 Arsenal
Deep Exploit@Black Hat Europe 2018 ArsenalDeep Exploit@Black Hat Europe 2018 Arsenal
Deep Exploit@Black Hat Europe 2018 Arsenal
 
OSSで作る機械学習を用いたペネトレーションテストツール
OSSで作る機械学習を用いたペネトレーションテストツールOSSで作る機械学習を用いたペネトレーションテストツール
OSSで作る機械学習を用いたペネトレーションテストツール
 
サイバーセキュリティ錬金術 - ノイズから価値あるデータを生成する技術 -
サイバーセキュリティ錬金術 - ノイズから価値あるデータを生成する技術 -サイバーセキュリティ錬金術 - ノイズから価値あるデータを生成する技術 -
サイバーセキュリティ錬金術 - ノイズから価値あるデータを生成する技術 -
 
ハニーポッター技術交流会
ハニーポッター技術交流会ハニーポッター技術交流会
ハニーポッター技術交流会
 
サイバーセキュリティ錬金術
サイバーセキュリティ錬金術サイバーセキュリティ錬金術
サイバーセキュリティ錬金術
 
GAとGANによる検査値の自動生成
GAとGANによる検査値の自動生成GAとGANによる検査値の自動生成
GAとGANによる検査値の自動生成
 
Pythonと機械学習によるWebセキュリティの自動化
Pythonと機械学習によるWebセキュリティの自動化Pythonと機械学習によるWebセキュリティの自動化
Pythonと機械学習によるWebセキュリティの自動化
 
脆弱性診断データの活用例 - Webアプリケーション診断編 -
脆弱性診断データの活用例 - Webアプリケーション診断編 -脆弱性診断データの活用例 - Webアプリケーション診断編 -
脆弱性診断データの活用例 - Webアプリケーション診断編 -
 
RECOMMENDER for Web security engineers - 中級編 -
RECOMMENDER for Web security engineers - 中級編 -RECOMMENDER for Web security engineers - 中級編 -
RECOMMENDER for Web security engineers - 中級編 -
 
RECOMMENDER for Web security engineers - 初級編 -
RECOMMENDER for Web security engineers - 初級編 -RECOMMENDER for Web security engineers - 初級編 -
RECOMMENDER for Web security engineers - 初級編 -
 
Convolutional Neural Networkに対する攻撃手法
Convolutional Neural Networkに対する攻撃手法Convolutional Neural Networkに対する攻撃手法
Convolutional Neural Networkに対する攻撃手法
 
機械学習関連情報の収集方法
機械学習関連情報の収集方法機械学習関連情報の収集方法
機械学習関連情報の収集方法
 

Recently uploaded

find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
huseindihon
 
Pigging Unit Lubricant Oil Blending Plant
Pigging Unit Lubricant Oil Blending PlantPigging Unit Lubricant Oil Blending Plant
Pigging Unit Lubricant Oil Blending Plant
LINUS PROJECTS (INDIA)
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
Adam Dunkels
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
moinahousna
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
Tatiana Al-Chueyr
 
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
RaminGhanbari2
 
The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
Shiv Technolabs
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Networks
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
HackersList
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
Jimmy Lai
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
Priyanka Aash
 
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSECHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
kumarjarun2010
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
aslasdfmkhan4750
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
Anant Gupta
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
Kief Morris
 
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
digitalxplive
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 

Recently uploaded (20)

find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
 
Pigging Unit Lubricant Oil Blending Plant
Pigging Unit Lubricant Oil Blending PlantPigging Unit Lubricant Oil Blending Plant
Pigging Unit Lubricant Oil Blending Plant
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
 
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
 
The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
 
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSECHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
 
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 

CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps

  • 1. CODE BLUE 2016 Presented by Isao Takaesu Method of Detecting Vulnerability in Web Apps Using Machine Learning
  • 2. About the speaker • Occupation: Web security engineer • Company: Mitsui Bussan Secure Directions • Hobbies: Making scanners, Machine Learning • Blog: http://www.mbsd.jp/blog/ • Presented in “Black Hat Asia 2016” Arsenal • hosted “AISECjp” Isao Takaesu MBSD (@bbr_bbq) CODE BLUE 2016
  • 3. Agenda MBSD CODE BLUE 2016 1. Introduction 2. Objectives of research 3. Overview of SAIVS 4. Realized methods 5. Validation results 6. Demonstration 7. Future Prospects
  • 4. Introduction MBSD CODE BLUE 2016 In Japan, there is a significant lack of security engineers.
  • 5. MBSD CODE BLUE 2016 About 240,000 people short. (according to a survey by IPA) Introduction
  • 6. MBSD CODE BLUE 2016 Are we facing the limit of human-only resources? Introduction
  • 7. Objectives of research MBSD CODE BLUE 2016 Fully automated information security.
  • 8. MBSD CODE BLUE 2016 The first step is Web application vulnerability assessment. Objectives of research
  • 9. What is web app vul assessment? MBSD CODE BLUE 2016 Detect vulnerabilities on web apps.
  • 10. MBSD Security engineer Web Server Web Apps Our company Client company Pseudo-attack Analyze response CODE BLUE 2016  Performs pseudo-attacks while crawling the pages of web apps.  Analyzes the response and detects vulnerabilities. What is web app vul assessment?
  • 11. MBSD Web Server Web Apps SQLi? XSS? CODE BLUE 2016 Our company Client company Pseudo-attack Analyze response Security engineer  Performs pseudo-attacks while crawling the pages of web apps.  Analyzes the response and detects vulnerabilities. What is web app vul assessment?
  • 12. Issues of web app vul assessment MBSD CODE BLUE 2016 Depends on the skilled craftsmanship of security engineers.
  • 13. Our “GOAL” Realize ALL MACHINE web app vulnerability assessment. MBSD The AI Web Server Web Apps CODE BLUE 2016 Our company Client company Pseudo-attack Analyze response SQLi? XSS?
  • 14. Overview of AI ”SAIVS” MBSD SAIVS Spider Artificial Intelligence Vulnerability Scanner CODE BLUE 2016 AI that performs web app vul assessment.
  • 15. Abilities of SAIVS MBSD  Crawls web apps  Detects vulnerabilities CODE BLUE 2016
  • 16. Abilities of SAIVS MBSD  Crawls web apps  Detects vulnerabilities CODE BLUE 2016
  • 17. Importance of crawling MBSD CODE BLUE 2016 Top Login Register Confirm Contact Us My Page Complete vulnerability Send message
  • 18. MBSD CODE BLUE 2016 Top Login Register Confirm Contact Us My Page Complete It is necessary to log in correctly. Importance of crawling Send message
  • 19. MBSD CODE BLUE 2016 Top Login Register Confirm Contact Us My Page Complete Importance of crawling. It is necessary to register correctly. Send message
  • 20. MBSD CODE BLUE 2016 Top Login Register Confirm Contact Us My Page Complete It is important to exhaustively crawl pages. Importance of crawling Send message
  • 21. MBSD Crawling web apps is difficult. Why? CODE BLUE 2016
  • 22. What is the type of this page ? MBSD CODE BLUE 2016 Humans : Easily recognize the page type. Machine : Difficult. (Log in? Register?)
  • 23. What has just happened? MBSD Humans : Recognize failed crawling attempts from the message. Machine : Difficult to interpret the message. CODE BLUE 2016
  • 24. What are your input values to crawl to the next page ? MBSD crawl Humans : Input correct values in the form. Machine : Difficult to interpret the meaning of the form. ??? ??? ??? ??? ??? CODE BLUE 2016
  • 25. MBSD Crawling requires complex thinking. CODE BLUE 2016
  • 26. 3 requirements for crawling MBSD  Recognize the page type  Recognize the success/fail of crawling  Input correct values in the forms CODE BLUE 2016
  • 27. MBSD CODE BLUE 2016 How do you achieve them?
  • 28. Our approach MBSD CODE BLUE 2016 Reverse engineering of the human brain.
  • 29. MBSD CODE BLUE 2016 Each thinking pattern implemented in machine learning. Our approach
  • 30. 3 requirements for crawling MBSD CODE BLUE 2016  Recognize the page type  Recognize the success/fail of crawling  Input correct values in the forms
  • 31. Page recognition by humans MBSD CODE BLUE 2016
  • 32. Page recognition by humans MBSD CODE BLUE 2016 Recognize the keywords that characterize the page.
  • 33. Page recognition by machines MBSD CODE BLUE 2016 Using Naive Bayes.
  • 34. What is Naive Bayes? Naive Bayes is used for auto classification of texts. Uses pre-defined categories & laws of probability. MBSD examples)  Spam mail filter.  Classify blog post genres.  Improvement of defensive accuracy for WAF. CODE BLUE 2016
  • 35. MBSD SPAM:0.672 ← Selected HAM :0.03 limited SPAM:40% HAM :10% Category period click here http:// wana.jp SPAM:10% HAM :30% SPAM:70% HAM :50% SPAM:30% HAM :40% SPAM:80% HAM :5% Extracting a keyword from the mail text. Example of the use of the spam e-mail filter. CODE BLUE 2016 To calculate the probability of SPAM and HAM, to select the probability is high category.
  • 36. MBSD CODE BLUE 2016 Page recognition by Naive Bayes
  • 37. Page recognition by Naive Bayes MBSD <h1>Sign in</h1> <form action="/cyclone/sessions" method="post"> <label for="email">Email</label> <input id="email" name="email" type="text" /> <label for="password">Password</label> <input id="password" name="password" type="password" /> </form> Extracts keywords that characterize the page. Excludes “Stop words”. CODE BLUE 2016
  • 38. Category table for page recognition MBSD Categories Keywords Log in Email, User ID, Password, Sign in … Register user Email, Password, Confirm, Sign up … Search Word, Text, String, Sort, Search … Purchase goods Credit, Account, Expire, Purchase … Change password Password, Old Password, Change … CODE BLUE 2016 Selects the category that contain the many keywords. Keywords : Sign in, Email, Password
  • 39. MBSD Categories Keywords Log in Email, User ID, Password, Sign in … Register user Email, Password, Confirm, Sign up … Search Word, Text, String, Sort, Search … Purchase goods Credit, Account, Expire, Purchase … Change password Password, Old Password, Change … CODE BLUE 2016 “Log in” category contains many of the keywords. ⇒ The highest probability of the category "Log in". Category table for page recognition
  • 40. MBSD CODE BLUE 2016 This page is recognized as ”Log in”. Page recognition by Naive Bayes
  • 41. 3 requirements for crawling MBSD CODE BLUE 2016  Recognize the page type (✔)  Recognize the success/fail of crawling  Input correct values in the forms
  • 42. MBSD CODE BLUE 2016 Recognition of page crawling success/fail by humans
  • 43. MBSD CODE BLUE 2016 Recognition of page crawling success/fail by humans Recognizes the keywords that characterize failure.
  • 44. MBSD CODE BLUE 2016 Using Naive Bayes. Recognition of page crawling success/fail by machines
  • 45. MBSD CODE BLUE 2016 Recognition of page crawling success/fail by machines
  • 46. MBSD <h2>2 errors prohibited this user from being saved </h2> <p>There were problems with these fields:</p> <ul> <li> Password doesn't match confirmation </li> <li> Email is invalid </li> ["Password doesn't match confirmation","Email is invalid "] </ul> CODE BLUE 2016 Extracts keywords that characterize failure. Excludes “Stop words”. Recognition of page crawling success/fail by machines
  • 47. Category table for page crawling success/fail MBSD Categories Keywords Success good, valid, success, normal, fine, clean, nice, can, match, confirmation, ok, finish, thank … Failure bad, invalid, failure, error, problem, unmatch, doesn’t match, can’t, too, wrong, ng, blank … CODE BLUE 2016 Selects the category that contain the many keywords. Keywords : errors, problem, doesn’t match, invalid
  • 48. MBSD Categories Keywords Success good, valid, success, normal, fine, clean, nice, can, match, confirmation, ok, finish, thank … Failure bad, invalid, failure, error, problem, wrong, doesn’t match, can’t, too, ng, blank … CODE BLUE 2016 “Failure“ category contains many of the keywords. ⇒ The highest probability of the category "Failure". Category table for page crawling success/fail
  • 49. MBSD CODE BLUE 2016 This is recognized as a page transition ”failure”. Recognize the success/fail of crawling by machines
  • 50. 3 requirements for crawling MBSD CODE BLUE 2016  Recognize the page type (✔).  Recognize the success/fail of crawling (✔).  Input correct values in the forms.
  • 51. MBSD CODE BLUE 2016 Interprets the meaning of the form and inputs correct values. crawl Isao Takaesu isao123@mbsd.jp mbsd1234 mbsd1234 Inputting correct values by humans
  • 52. MBSD CODE BLUE 2016 Using multilayer perceptron & Q-Learning. Inputting correct values by machines
  • 53. What is multilayer perceptron(MLP)? MBSD examples)  Image recognition.  Hand-written number recognition. CODE BLUE 2016 MLP is used for image recognition. The model simulates the neural structure and function.
  • 54. ・ ・ ・ ・ ・ ・ ・ ・ ・ Data Label 0 1 2 Training Data Example of the use of the hand-written number recognition CODE BLUE 2016MBSD ・ ・ ・ ・ ・ ・ ・ ・ ・ X₁ X₂ X784 X0 Y₁ Y₂ Y300 Y0 Z₁ Z₂ Z10 MLP Learn It can output the answer depending on the input data.
  • 55. Learned MLP 014679 425970401967 CODE BLUE 2016MBSD Example of the use of the hand-written number recognition
  • 56. An algorithm that learns the best behavior of the agent. Evaluates effectiveness of the behavior using the Q-value. MBSD examples)  Locomotive learning in robots.  Playing video games.  Route search. CODE BLUE 2016 What is Q-Learning?
  • 57. Example of the use of the locomotive learning in robots MBSD CODE BLUE 2016 Agent Environment a1 Forward a2 Left turn a3 Right turn a4 Backward Action State s ・・・ Next state s’ Policy ( a | s ) Transition probability ( s’ | s, a ) hole in the front of the eye … Reward r = R( s, a, s’ ) Task : The goal to avoid obstacles. Learn the policies that total of reward is the maximum. Update Q( s, a )
  • 58. Model to attain correct input values MBSD Learns correct input values while attempting to crawl. CODE BLUE 2016 ・ ・ ・ ・ ・ ・ Current page MLP Input values Q-Learning Next page p1=abc, xyz・・・ p1=123, 12a・・・ p1=abc@xxx・・・ observe state evaluate update weight
  • 59. MBSD CODE BLUE 2016 Model to attain correct input values ・ ・ ・ ・ ・ ・ Current page MLP Input values Q-Learning Next page p1=abc, xyz・・・ p1=123, 12a・・・ p1=abc@xxx・・・ observe state evaluate update weight Learns correct input values while attempting to crawl.
  • 60. Patterns of input value MBSD Pattern Input value Char abc, abcdef, aBc, aBcdEf, ABCDEF … Num 123, 12345, 4111111111111111 … Char,Num abc123, 123abc, aBc123, 1a2b3c … Char,Symbol abc!, abc!#$, abcdef!, abcdef!#$ … Num,Symbol 123!, 123!#$, 12345!, !#$12345 … Char,Num,Symbol abc123!, 123abc!, abc!123, !#$%&a1 … Mail address abc@hoge.com, abc123@hoge.com … CODE BLUE 2016 Set a combination of input values to the parameter. Target : INPUT TYPE = text, password
  • 61. MBSD Inputs ”current" and "next" page to MLP. CODE BLUE 2016 Learning flow ・ ・ ・ ・ ・ ・ Current page MLP Input values Q-Learning Next page p1=abc, xyz・・・ p1=123, 12a・・・ p1=abc@xxx・・・ observe state evaluate update weight
  • 62. MBSD Selects any input pattern from the input of MLP. CODE BLUE 2016 Learning flow ・ ・ ・ ・ ・ ・ Current page MLP Input values Q-Learning Next page p1=abc, xyz・・・ p1=123, 12a・・・ p1=abc@xxx・・・ observe state evaluate update weight
  • 63. MBSD Attempts to crawl using the selected input pattern of MLP. CODE BLUE 2016 Learning flow ・ ・ ・ ・ ・ ・ Current page MLP Input values Q-Learning Next page p1=abc, xyz・・・ p1=123, 12a・・・ p1=abc@xxx・・・ observe state evaluate update weight
  • 64. MBSD Observe the result of crawling. CODE BLUE 2016 Learning flow ・ ・ ・ ・ ・ ・ Current page MLP Input values Q-Learning Next page p1=abc, xyz・・・ p1=123, 12a・・・ p1=abc@xxx・・・ observe state evaluate update weight
  • 65. MBSD Gives a reward depending on the result of crawling. CODE BLUE 2016 Learning flow ・ ・ ・ ・ ・ ・ Current page MLP Input values Q-Learning Next page p1=abc, xyz・・・ p1=123, 12a・・・ p1=abc@xxx・・・ observe state evaluate update weight
  • 66. MBSD Update the weight of MLP using backpropagation. CODE BLUE 2016 Learning flow ・ ・ ・ ・ ・ ・ Current page MLP Input values Q-Learning Next page p1=abc, xyz・・・ p1=123, 12a・・・ p1=abc@xxx・・・ observe state evaluate update weight
  • 67. MBSD Learning can be completed at approx. 300 attempts. CODE BLUE 2016 Learning flow ・ ・ ・ ・ ・ ・ Current page MLP Input values Q-Learning Next page p1=abc, xyz・・・ p1=123, 12a・・・ p1=abc@xxx・・・ observe state evaluate update weight
  • 68. Problem MBSD CODE BLUE 2016 300 attempts ⇒ Inefficient
  • 69. MBSD CODE BLUE 2016 Pre-training. Solution
  • 70. Web apps for pre-training(one example). MBSD OWASP Broken Web Apps CODE BLUE 2016
  • 71. Training SAIVS MBSD CODE BLUE 2016 BodgeIt peruggia WackoPicko Yazd SAIVS Web Apps Attempts crawling & learning ⇒ Each 300 times Achieves the correct input values for each form. ・・・
  • 72. Achieved correct input values (one example). MBSD Input form Correct input value ID abc, abcdef, aBc, aBcdEf, ABCDEF … Password abc123!, 123abc!, abc!123, !#$%&a1 … FirstName abc, abcdef, aBc, aBcdEf, ABCDEF … LastName abc, abcdef, aBc, aBcdEf, ABCDEF … Email address abc@hoge.com, abc123@hoge.com … Username abc, abcdef, aBc, aBcdEf, ABCDEF … Signature abc, abcdef, aBc, aBcdEf, ABCDEF … CODE BLUE 2016
  • 73. Problem:mismatch of form strings MBSD CODE BLUE 2016 Used in Training Used in actual assessment Mismatch!!
  • 74. MBSD CODE BLUE 2016 Calculate the similarity of form strings. Solution
  • 75. Calculate similarity MBSD CODE BLUE 2016 Using word2vec.
  • 76. What is word2vec? Calculation method for similar words in NLP. A word is represented by a vector. MBSD CODE BLUE 2016 examples)  Adding and subtracting words word cos distance email 0.956302 mail 0.927386 reply 0.920610 formula answer Iraq - Violence Jordan Human - Animal Ethics Japan – Tokyo + France Paris  Similarity between words Input : e-mail
  • 77. Example of the use of the similarity calculation MBSD CODE BLUE 2016 Calculate similarity using words around the word of interest. Training data) interpretation further. However, if anyone wishes to discuss this, I‘m certainly willing (either offline - e-mail - or Stephen In article bevans@carina.unm.edu (Mathemagician) writes: Just what do gay people do that straight・・・ carries archives of old alt.atheism.moderated articles and assorted other files. For more information, send mail to archive-server@mantis.co.uk saying help send atheism/index and it will mail back a reply. mathew An・・・ send mail to archive-server@mantis.co.uk saying help send atheism/index and it will mail back a reply. mathew An Introduction to Atheism by Mathew. This article attempts to provide a general introduction・・・ The similarity of the "e-mail", "mail", "reply" is high.
  • 78. Word2vec training data MBSD CODE BLUE 2016 The 20 Newsgroups data set. A collection of newsgroups : about 20,000 news. examples of newsgroup)  Computer(Graphics, MS-Windows, Hardware)  Science(Cryptography, Electronics, Space)  Hobby(Motorcycles, Baseball, Hockey)
  • 79. MBSD CODE BLUE 2016 Windows Crypt Hardware Space SAIVS The 20 Newsgroups data set Learns the similarity Learns the similarity between the words. word2vec Training SAIVS ・・・
  • 80. MBSD candidate similarity email 0.956302 mail 0.927386 E-mail 0.900249 address 0.893337 reply 0.865438 contact 0.846801 message 0.792930 chat 0.754903 newsgroup 0.747636 CODE BLUE 2016 candidate similarity names 0.962508 username 0.939661 nickname 0.933694 naming 0.898254 surname 0.863966 initials 0.861093 firstname 0.849641 lastname 0.847604 title 0.782467 candidate similarity homepage 0.794415 blog 0.752945 site 0.708534 webpage 0.701838 portal 0.701374 forum 0.692067 com 0.641086 archive 0.537914 org 0.531096 Extracts candidate words of Top 10. Learned similarities in the training Target :websiteTarget :nameTarget : e-mail
  • 81. MBSD candidate similarity email 0.956302 mail 0.927386 E-mail 0.900249 address 0.893337 reply 0.865438 contact 0.846801 message 0.792930 chat 0.754903 newsgroup 0.747636 CODE BLUE 2016 candidate similarity names 0.962508 username 0.939661 nickname 0.933694 naming 0.898254 surname 0.863966 initials 0.861093 firstname 0.849641 lastname 0.847604 title 0.782467 candidate similarity homepage 0.794415 blog 0.752945 site 0.708534 webpage 0.701838 portal 0.701374 forum 0.692067 com 0.641086 archive 0.537914 org 0.531096 Selects a candidate word that matches the form string of training. Learned similarities in the training Target :websiteTarget :nameTarget : e-mail
  • 82. MBSD candidate similarity email 0.956302 mail 0.927386 E-mail 0.900249 address 0.893337 reply 0.865438 contact 0.846801 message 0.792930 chat 0.754903 newsgroup 0.747636 CODE BLUE 2016 candidate similarity names 0.962508 username 0.939661 nickname 0.933694 naming 0.898254 surname 0.863966 initials 0.861093 firstname 0.849641 lastname 0.847604 title 0.782467 candidate similarity homepage 0.794415 blog 0.752945 site 0.708534 webpage 0.701838 portal 0.701374 forum 0.692067 com 0.641086 archive 0.537914 org 0.531096 Learned similarities in the training Target :websiteTarget :nameTarget : e-mail ⇒ abc@hoge.com ⇒ aBcdEf ⇒ http://hoge.com
  • 83. MBSD CODE BLUE 2016 3 requirements for crawling  Recognize the page type (✔).  Recognize the success/fail of crawling (✔).  Input correct values in the forms (✔).
  • 84. Demonstration of crawling MBSD Target:OWASP Broken Web Apps Cyclone CODE BLUE 2016
  • 85. MBSD CODE BLUE 2016 Top Login Register Confirm User Search Complete 1.Create a login account in "register". 2.Log in. 3.Search users. Demonstration of crawling vulnerability
  • 86. MBSD CODE BLUE 2016 Top Login Register Confirm User Search Complete 1.Create a login account in "register". 2.Log in. 3.Search users. Demonstration of crawling
  • 87. MBSD CODE BLUE 2016 Top Login Register Confirm User Search Complete 1.Create a login account in "register". 2.Log in. 3.Search users. Demonstration of crawling
  • 88. MBSD CODE BLUE 2016 Top Login Register Confirm User Search Complete Demonstration of crawling 1.Create a login account in "register". 2.Log in. 3.Search users.
  • 89. MBSD CODE BLUE 2016 Top Login Register Confirm User Search Complete 1.Create login account in "register". 2.Log in. 3.Search users. Demonstration of crawling
  • 90. MBSD CODE BLUE 2016 https://www.youtube.com/watch?v=aXw3vgXbl1U Demonstration movie of crawling
  • 91. Abilities of SAIVS MBSD  Crawls web apps. (✔)  Detects vulnerabilities. CODE BLUE 2016
  • 92. MBSD CODE BLUE 2016 To detect vulnerabilities with less trouble. Objective of this research
  • 93. MBSD CODE BLUE 2016 There are many web application vulnerabilities...
  • 94. MBSD CODE BLUE 2016 Reflected Cross-Site Scripting (RXSS) Target vulnerability of this research
  • 95. Example of RXSS Pattern 1:very vulnerable web app MBSD <html> <head> <meta http-equiv="Content-Type" content="text/html"> <title>Case 3 - RXSS</title> </head> <body> <input type="text" value="testData"> </body> </html> http://xxx/case3/?input=testData Input value is echoed in the "VALUE" attribute of the INPUT tag. CODE BLUE 2016
  • 96. MBSD <html> <head> <meta http-equiv="Content-Type" content="text/html"> <title>Case 3 - RXSS</title> </head> <body> <input type="text" value=""/><script>alert('XSS');</script>"> </body> </html> http://xxx/case3/?input="/><script>alert(‘XSS');</script> JavaScript is inserted in the HTML syntax. CODE BLUE 2016 Example of RXSS Pattern 1:attacking a web app
  • 97. Example of RXSS Pattern 2:a little more secure web app MBSD <html> <head> <meta http-equiv="Content-Type" content="text/html"> <title>Case 4 - RXSS</title> </head> <body> <input type="text" value=""/> alert('XSS');"> </body> </html> SCRIPT tag is sanitized by the web app. http://xxx/case4/?input="/><script>alert(‘XSS');</script> CODE BLUE 2016
  • 98. Example of RXSS Pattern 2:attacking web app MBSD <html> <head> <meta http-equiv="Content-Type" content="text/html"> <title>Case 4 - RXSS</title> </head> <body> <input type="text" value=""onmouseout=alert('XSS')""> </body> </html> JavaScript is inserted to avoid sanitization. http://xxx/case4/?input=“onmouseout=alert(‘XSS')” CODE BLUE 2016
  • 99. MBSD  Understanding HTML syntax.  Understanding JavaScript syntax.  Avoiding sanitization. CODE BLUE 2016 3 requirements for detecting RXSS
  • 100. MBSD CODE BLUE 2016 How do you achieve them?
  • 101. Our approach MBSD CODE BLUE 2016 Reverse engineering the human brain.
  • 102. MBSD CODE BLUE 2016 Each thinking pattern implemented in machine learning. Our approach
  • 103. MBSD  Understanding HTML syntax.  Understanding JavaScript syntax.  Avoiding sanitization. CODE BLUE 2016 3 requirements for detecting RXSS
  • 104. MBSD Understanding of HTML/JavaScript syntax by machines Using LSTM CODE BLUE 2016
  • 105. What is LSTM(Long-Short Term Memory)? It can learn chronological data. It can learn dependencies in short & long term data. MBSD examples)  Machine translation.  Text generation. (novel, lyrics, source code)  Sound generation. (music, human voice) CODE BLUE 2016
  • 106. What is LSTM(Long-Short Term Memory)? It can learn chronological data. It can learn dependencies in short & long term data. MBSD examples)  Machine translation.  Text generation. (novel, Lyrics, source code)  Sound generation. (music, human voice) CODE BLUE 2016
  • 107. Example of the use of the text generation. MBSD CODE BLUE 2016 Generation of source code.(from Andrej Karpathy blog) static int indicate_policy(void) { int error; if (fd == MARN_EPT) { if (ss->segment < mem_total) unblock_set_blocked(); else ret = 1; goto bail; } segaddr = in_SB(in.addr); selector = seg / 16; ・・・ Training Data static void settings(struct *tty) { if (tty == tty) disable_single_st_p(dev); pci_disable_spool(port); return 0; } static void command(struct seq_file *m) { int column = 32 << (cmd[2] & 0x80); if (state) ・・・ Generated source code by LSTM It can generate a code from the starting point (seed).
  • 108. Why LSTM? MBSD <!doctype html><html><head><title>Reflected XSS in textarea (textarea1)</title></head><body> <H2>Textarea injection test</H2> <FORM> <textarea name="in" rows="5" cols="60">xxx</textarea> ・・・ http://xxx/textarea1?in=xxx CODE BLUE 2016 Input value is echoed in the TEXTAREA tag.
  • 109. MBSD <!doctype html><html><head><title>Reflected XSS in textarea (textarea1)</title></head><body> <H2>Textarea injection test</H2> <FORM> <textarea name="in" rows="5" cols="60"> <script>alert('XSS');</script></textarea> ・・・ http://xxx/textarea1?in=<script>alert(‘XSS’);</script> JavaScript doesn’t run. ⇒ Simple script injection is not allowed. CODE BLUE 2016 Why LSTM?
  • 110. MBSD <!doctype html><html><head><title>Reflected XSS in textarea (textarea1)</title></head><body> <H2>Textarea injection test</H2> <FORM> <textarea name="in" rows="5" cols="60">xxx</textarea> ・・・ http://xxx/textarea1?in=xxx “Is JavaScript inserted after closing the TEXTAREA tag ?” CODE BLUE 2016 Why LSTM?
  • 111. MBSD <!doctype html><html><head><title>Reflected XSS in textarea (textarea1)</title></head><body> <H2>Textarea injection test</H2> <FORM> <textarea name="in" rows="5" cols="60"></textarea><script>alert('XSS');</script></t extarea> ・・・ http://xxx/textarea1?in=</textarea><script>alert(‘XSS’);</script> CODE BLUE 2016 Understands the context of HTML and inserts a script. ⇒ JavaScript run. Why LSTM?
  • 112. MBSD CODE BLUE 2016 How can LSTM be learned ?
  • 113. Learning data for LSTM (HTML) MBSD <abbr class="" data-utime="" title=""></abbr> <abbr class='' title=''></abbr> <abbr data-utime='' title=''></abbr> ・・・ <input name="" type="" value=""/> <input alt="" id="" onclick="" src="" type=""/> <input alt='' id="" src='' type=''/> <input alt='' name='' src='' type=''/> ・・・ <video autoplay="" loop="" muted=""></video> <video class="" height="" id="" width=""></video> <video src='' tabindex=''></video> <video src=''></video> 20,000 pages of HTML syntax. (about 12,000 types) CODE BLUE 2016
  • 114. MBSD _satellite.pageBottom();'] (function(window) { var _gaq = _gaq || []; var methods = ['log', 'dir', 'trace']; if (typeof window.console === 'undefined') { window.console = {}; } for (var i in methods) { if (!(methods[i] in window.console)) { window.console[methods[i]] = function() {}; } } }(window)); CODE BLUE 2016 10,000 pages of JavaScript syntax. Learning data for LSTM (JavaScript)
  • 115. Generated syntax by learned LSTM (one example) MBSD Seed Generated syntax <textarea cols="60">xxx </textarea> <!– mbsdtest xxx --> <input type="" value=“xxx "> var hoge = ['log', ‘xxx red’];¥r¥n /* mbsdtest xxx */ function(){ xxx }¥r¥n CODE BLUE 2016 It can generate a syntax from the seeds.
  • 116. MBSD  Understanding HTML syntax (✔).  Understanding JavaScript syntax (✔).  Avoiding sanitization. CODE BLUE 2016 3 requirements for detecting RXSS
  • 117. Avoidance of sanitization by machines MBSD CODE BLUE 2016 Using Multilayer perceptron & Q-Learning.
  • 118. MBSD ・ ・ ・ ・ ・ ・ attribute JS ・・・ Output point MLP Out of tag “sCriPt” Other tag URL encode Test pattern Event handler ・ ・ ・ Q-Learning Model to avoid sanitization ・ ・ ・ “ ⇒ &quot; < ⇒ &lt; ・・・ Sanitize > ⇒ &gt; Learns the pattern of avoiding sanitization while attempting to test. CODE BLUE 2016 observe state evaluate update weight
  • 119. MBSD ・ ・ ・ ・ ・ ・ attribute JS ・・・ Output point MLP Out of tag “sCriPt” Other tag URL encode Test pattern Event handler ・ ・ ・ Q-Learning Model to avoid sanitization. ・ ・ ・ “ ⇒ &quot; < ⇒ &lt; ・・・ Sanitize > ⇒ &gt; CODE BLUE 2016 observe state evaluate update weight
  • 120. Patterns of Output point MBSD Output point Example attribute value :「”」 <~value="xxx"> attribute value :「'」 <~value='xxx'> attribute value : noquote <~value=xxx> JavaScript <script>xxx</script> outside of HTML tags <~>xxx</~> CODE BLUE 2016
  • 121. MBSD CODE BLUE 2016 Model to avoid sanitization ・ ・ ・ ・ ・ ・ attribute JS ・・・ Output point MLP Out of tag “sCriPt” Other tag URL encode Test pattern Event handler ・ ・ ・ Q-Learning ・ ・ ・ “ ⇒ &quot; < ⇒ &lt; ・・・ Sanitize > ⇒ &gt; observe state evaluate update weight
  • 122. Patterns of sanitization MBSD Sanitization Example 「“」: translate entity reference, exclude 「”」⇒「&quot;」 「‘」: translate entity reference, exclude 「’」⇒「&apos;」 「<」: translate entity reference, exclude 「<」⇒「&lt;」 「>」: translate entity reference, exclude 「>」⇒「&gt;」 「alert();」: exclude 「alert();」⇒「」 CODE BLUE 2016
  • 123. MBSD CODE BLUE 2016 Model to avoid sanitization ・ ・ ・ ・ ・ ・ attribute JS ・・・ Output point MLP Out of tag “sCriPt” Other tag URL encode Test pattern Event handler ・ ・ ・ Q-Learning ・ ・ ・ “ ⇒ &quot; < ⇒ &lt; ・・・ Sanitize > ⇒ &gt; observe state evaluate update weight
  • 124. Test patterns(one example) MBSD Output point Test pattern attribute value :「”」 attribute value :「'」 attribute value : noquote outside of HTML tags “event handler "><sCriPt>xxx "><img src=xxx ‘event handler ‘><sCriPt>xxx <svg/onload=alert()> <sCriPt>xxx</sCriPt> JavaScript ";alert();// [CR][LF]alert(); ¥";alert();// CODE BLUE 2016
  • 125. MBSD Inputs ”Output point" and "pattern of sanitization" to MLP. CODE BLUE 2016 ・ ・ ・ ・ ・ ・ attribute JS ・・・ Output point MLP Out of tag “sCriPt” Other tag URL encode Test pattern Event handler ・ ・ ・ Q-Learning ・ ・ ・ “ ⇒ &quot; < ⇒ &lt; ・・・ Sanitize > ⇒ &gt; observe state evaluate update weight Learning flow
  • 126. MBSD CODE BLUE 2016 ・ ・ ・ ・ ・ ・ attribute JS ・・・ Output point MLP Out of tag “sCriPt” Other tag URL encode Test pattern Event handler ・ ・ ・ Q-Learning ・ ・ ・ “ ⇒ &quot; < ⇒ &lt; ・・・ Sanitize > ⇒ &gt; observe state evaluate update weight Learning flow Selects any test pattern from the input of MLP.
  • 127. MBSD CODE BLUE 2016 ・ ・ ・ ・ ・ ・ attribute JS ・・・ Output point MLP Out of tag “sCriPt” Other tag URL encode Test pattern Event handler ・ ・ ・ Q-Learning ・ ・ ・ “ ⇒ &quot; < ⇒ &lt; ・・・ Sanitize > ⇒ &gt; observe state evaluate update weight Learning flow Attempts to test using the selected test pattern of MLP.
  • 128. MBSD CODE BLUE 2016 ・ ・ ・ ・ ・ ・ attribute JS ・・・ Output point MLP Out of tag “sCriPt” Other tag URL encode Test pattern Event handler ・ ・ ・ Q-Learning ・ ・ ・ “ ⇒ &quot; < ⇒ &lt; ・・・ Sanitize > ⇒ &gt; observe state evaluate update weight Learning flow Observe the result of the test.
  • 129. MBSD CODE BLUE 2016 ・ ・ ・ ・ ・ ・ attribute JS ・・・ Output point MLP Out of tag “sCriPt” Other tag URL encode Test pattern Event handler ・ ・ ・ Q-Learning ・ ・ ・ “ ⇒ &quot; < ⇒ &lt; ・・・ Sanitize > ⇒ &gt; observe state evaluate update weight Learning flow Gives a reward depending on the result of the test.
  • 130. MBSD CODE BLUE 2016 ・ ・ ・ ・ ・ ・ attribute JS ・・・ Output point MLP Out of tag “sCriPt” Other tag URL encode Test pattern Event handler ・ ・ ・ Q-Learning ・ ・ ・ “ ⇒ &quot; < ⇒ &lt; ・・・ Sanitize > ⇒ &gt; observe state evaluate update weight Learning flow Update the weight of MLP using backpropagation.
  • 131. MBSD CODE BLUE 2016 ・ ・ ・ ・ ・ ・ attribute JS ・・・ Output point MLP Out of tag “sCriPt” Other tag URL encode Test pattern Event handler ・ ・ ・ Q-Learning ・ ・ ・ “ ⇒ &quot; < ⇒ &lt; ・・・ Sanitize > ⇒ &gt; observe state evaluate update weight Learning flow. Learning is completed at approx. 100 attempts.
  • 132. Problem MBSD CODE BLUE 2016 100 attempts ⇒ Inefficient
  • 133. MBSD CODE BLUE 2016 Pre-training. Solution
  • 134. MBSD WAVSEP CODE BLUE 2016 ReflectedXSS GET Input Vector Case06 output :SRC attr value of IMG tag. sanitize :< , > ⇒ &lt; , &gt; testing value:"onmouseover=alert(3122);" Case10 output :onClick value of SCRIPT tag. sanitize :“ , < , > ⇒ &quot; , &lt; , &gt; testing value:';alert(3122);// Case27 output :single line comment of JavaScript sanitize :comment out testing value:[CR][LF]alert(3122);// Web Apps for pre-training(one example).
  • 135. MBSD CODE BLUE 2016 Case06 Case08 Case10 Case27 SAIVS WAVSEP Achieve the best test string to avoid each sanitize pattern. Training SAIVS Attempts testing & learning ⇒ Each 100 times. ・・・
  • 136. MBSD  Understanding HTML syntax (✔).  Understanding JavaScript syntax (✔).  Avoiding sanitization (✔). CODE BLUE 2016 3 requirements for detecting RXSS
  • 137. MBSD Test flow of SAIVS  Primary inspection.  Secondary inspection. CODE BLUE 2016
  • 138. Sends normal request to examine the output point. MBSD Web Server Web Apps SAIVS Sends normal request CODE BLUE 2016 Primary inspection
  • 139. Recognizes the output point of the input value. MBSD Web Server Web Apps SAIVS Sends normal request Analyzes response CODE BLUE 2016 <~value="xxx"> Primary inspection.
  • 140. Extracts the seed based on the output point. MBSD Web Server Web Apps SAIVS CODE BLUE 2016 <~value="xxx"> Primary inspection Sends normal request Analyzes response
  • 141. Generates HTML / JavaScript syntax from the seed. (using learned LSTM) MBSD Web Server Web Apps SAIVS CODE BLUE 2016 <~value=“”> Primary inspection Sends normal request Analyzes response
  • 142. Adds the script to the generated HTML syntax. MBSD Web Server Web Apps SAIVS CODE BLUE 2016 <~value=“”><script>alert(3122);</script> Primary inspection Analyzes response Sends normal request
  • 143. Sends test request to detect RXSS. MBSD Web Server Web Apps SAIVS Sends test request CODE BLUE 2016 <~value=“”><script>alert(3122);</script> Primary inspection
  • 144. Determines the presence or absence of RXSS. RXSS detected ⇒ Test finishes. Not detected⇒ Secondary inspection. MBSD Web Server Web Apps SAIVS CODE BLUE 2016 RXSS? Analyzes response Sends test request Primary inspection
  • 145. Recognizes the sanitizing pattern. MBSD Web Server Web Apps SAIVS CODE BLUE 2016 <~value=“”&gt;&lt;script&gt;alert(3122);・・・ Secondary inspection Analyzes response Sends test request
  • 146. Selects the test pattern to avoid sanitization. (Using learned MLP) MBSD Web Server Web Apps SAIVS CODE BLUE 2016 Event handler? Secondary inspection Analyzes response Sends test request
  • 147. Sends the test request to avoid sanitization. MBSD Web Server Web Apps SAIVS CODE BLUE 2016 Event handler? Secondary inspection Resends test request
  • 148. MBSD Web Server Web Apps SAIVS CODE BLUE 2016 Secondary inspection Analyzes response Sends test request RXSS? Determines presence or absence of RXSS. RXSS detected ⇒ Test finishes. Not detected ⇒ Repeat secondary inspection.
  • 149. Demonstration of detecting RXSS MBSD Target:webseclab CODE BLUE 2016 Case Overview /reflect/full1 output : BODY tag sanitize : none /reflect/textarea1 output : TEXTAREA tag sanitize : none /reflect/onmouseover output : attribute value of INPUT tag sanitize : exclude “</script>” /reflect/js4_dq output : SCRIPT tag sanitize : none
  • 150. Demonstration of detecting RXSS MBSD Target:webseclab CODE BLUE 2016 Case Overview /reflect/full1 output : BODY tag sanitize : none /reflect/textarea1 output : TEXTAREA tag sanitize : none /reflect/onmouseover output : attribute value of INPUT tag sanitize : exclude “</script>” /reflect/js4_dq output : SCRIPT tag sanitize : none
  • 151. MBSD <!doctype html><html><head><title>Full Javascript Injection (full.1)</title></head><body> Hello!<BR> The value of cgi parameter &quot;in&quot; is:saivs12345 </body></html> http://xxx/reflect/full1?in=saivs12345 output :BODY tag sanitize : None Case1:Sending normal request CODE BLUE 2016
  • 152. MBSD <!doctype html><html><head><title>Full Javascript Injection (full.1)</title></head><body> Hello!<BR> The value of cgi parameter &quot;in&quot; is: lasther=''></form>D0i7Q"VW53N'nT7t0<script>alert(3122) ;kc5i3</script>ueFj8 </body></html> http://xxx/reflect/full1?in=lasther=''%3E%3C/form%3ED0i7Q%22VW 53N'nT7t0%3Cscript%3Ealert(3122);kc5i3%3C/script%3EueFj8 attempted times:1 Case1:Sending test request CODE BLUE 2016
  • 153. MBSD Case1:Demo movie CODE BLUE 2016 https://www.youtube.com/watch?v=3RkhSED5DQU
  • 154. Demonstration of detecting RXSS MBSD Target:webseclab CODE BLUE 2016 Case Overview /reflect/full1 output : BODY tag sanitize : none /reflect/textarea1 output : TEXTAREA tag sanitize : none /reflect/onmouseover output : attribute value of INPUT tag sanitize : exclude “</script>” /reflect/js4_dq output : SCRIPT tag sanitize : none
  • 155. MBSD <!doctype html><html><head><title>Reflected XSS in textarea (textarea1)</title></head><body> <H2>Textarea injection test</H2> <p> <FORM> <textarea name="in" rows="5" cols="60">saivs12345 </textarea> <p> http://xxx/reflect/textarea1?in=saivs12345 CODE BLUE 2016 Case2:Sending normal request output :TEXTAREA tag sanitize : None
  • 156. MBSD <!doctype html><html><head><title>Reflected XSS in textarea (textarea1)</title></head><body> <H2>Textarea injection test</H2> <p> <FORM> <textarea name="in" rows="5" cols="60"></textarea>7Q7p N"MBPcc'PA6tz<script>alert(3122);WKr8J</script>fowCP</ textarea> <p> http://xxx/reflect/textarea1?in=%3C/textarea%3E7Q7pN%22MBPcc' PA6tz%3Cscript%3Ealert(3122);WKr8J%3C/script%3EfowCP CODE BLUE 2016 Case2:Sending test request attempted times:1
  • 157. MBSD Case2:Demo movie CODE BLUE 2016 https://www.youtube.com/watch?v=6UHbMGdqr_0
  • 158. Demonstration of detecting RXSS MBSD Target:webseclab CODE BLUE 2016 Case Overview /reflect/full1 output : BODY tag sanitize : none /reflect/textarea1 output : TEXTAREA tag sanitize : none /reflect/onmouseover output : attribute value of INPUT tag sanitize : exclude “</script>” /reflect/js4_dq output : SCRIPT tag sanitize : none
  • 159. MBSD <!doctype html><html> <head><title>Reflected XSS - attribute injection in ta gs (dq.2)</title></head><body> <H2>Update Your Preferences</H2><p> <FORM> Homepage: <input value=""><script>alert()" name="in" s ize="40"><BR> http://xxx/xss/reflect/onmouseover?in=”><script>alert()</script> CODE BLUE 2016 Case 3:Sending normal request output :INPUT tag sanitize : exclude “</script>”
  • 160. MBSD <!doctype html><html> <head><title>Reflected XSS - attribute injection in tags (dq.2)</title></head><body> <H2>Update Your Preferences</H2><p> <FORM> Homepage: <input value=""> <option s onmouseover=alert (3122);//" name="in" size="40"><BR> http://xxx/xss/reflect/onmouseover?in=%22%3E%3C/option%3E%3 Coption%20s%20onmouseover=alert(3122);// CODE BLUE 2016 Case 3:Sending test request. attempted times:3
  • 161. MBSD Case 3:Demo movie CODE BLUE 2016 https://www.youtube.com/watch?v=-r3C1moUVqU
  • 162. Demonstration of detecting RXSS MBSD Target:webseclab CODE BLUE 2016 Case Overview /reflect/full1 output : BODY tag sanitize : none /reflect/textarea1 output : TEXTAREA tag sanitize : none /reflect/onmouseover output : attribute value of INPUT tag sanitize : exclude “</script>” /reflect/js4_dq output : SCRIPT tag sanitize : none
  • 163. MBSD <!doctype html><html><head><title>JavaScript and double-quote injection in JS block (js.4)</title> </head><body> <script language="javascript"> var f = { date: "", week: "1", bad: "saivs12345", phase: "2", http://xxx/xss/reflect/js4_dq?in=saivs12345 CODE BLUE 2016 Case 4:Sending normal request output :SCRIPT tag sanitize : None
  • 164. MBSD <!doctype html><html><head><title>JavaScript and double-quote injection in JS block (js.4)</title> </head><body> <script language="javascript"> var f = { date: "", week: "1", bad: "6", skuI;alert(3122);//1VU7k", phase: "2", http://xxx/xss/reflect/js4_dq?in=6%22,%0A%20%20%20%20%20%20 %20%20%20%20%20%20skuI;alert(3122);//1VU7k CODE BLUE 2016 Case 4:Sending test request attempted times:1
  • 165. MBSD Case 4:Demo movie CODE BLUE 2016 https://www.youtube.com/watch?v=Pf2lSB25C3M
  • 166. Abilities of SAIVS MBSD  Crawls web apps. (✔)  Detects vulnerabilities. (✔) CODE BLUE 2016
  • 167. MBSD CODE BLUE 2016 “Detect RXSS while crawling web apps.” Realized fully automatically. Abilities of SAIVS
  • 168. MBSD Target:OWASP Broken Web Apps Google Gruyere CODE BLUE 2016 Demonstration of SAIVS
  • 169. MBSD CODE BLUE 2016 Top Sign up Login New snippet Sign up complete 1.Create an account in “Sign up”. 2.Log in. 3.Register Snippet. 4.Update Profile. Profile New snippet register Profile update Demonstration of SAIVS vulnerability
  • 170. MBSD CODE BLUE 2016 Top Sign up Login New snippet Sign up complete Profile New snippet register Profile update 1.Create an account in “Sign up”. 2.Log in. 3.Register Snippet. 4.Update Profile. Demonstration of SAIVS
  • 171. MBSD CODE BLUE 2016 Top Sign up Login New snippet Sign up complete Profile New snippet register Profile update Demonstration of SAIVS 1.Create an account in “Sign up”. 2.Log in. 3.Register Snippet. 4.Update Profile.
  • 172. MBSD CODE BLUE 2016 Top Sign up Login New snippet Sign up complete Profile New snippet register Profile update Demonstration of SAIVS 1.Create an account in “Sign up”. 2.Log in. 3.Register Snippet. 4.Update Profile.
  • 173. MBSD CODE BLUE 2016 Top Sign up Login Sign up complete Profile Profile update New snippet New snippet register Demonstration of SAIVS 1.Create an account in “Sign up”. 2.Log in. 3.Register Snippet. 4.Update Profile.
  • 174. MBSD CODE BLUE 2016 Function name Overview New snippet register output : BODY tag sanitize : exclude SCRIPT tag Profile update output : A tag sanitize : < , > ⇒ &lt; , &gt; Demonstration of SAIVS
  • 175. MBSD CODE BLUE 2016 Demonstration of SAIVS https://www.youtube.com/watch?v=N5d9oM0NcM0
  • 176. MBSD  Strengthening the page crawling capability.  Responding to complex web apps.  Responding to CAPTCHA. CODE BLUE 2016 Future prospects  Strengthening the detecting vulnerabilities capability.  Responding to complex RXSS patterns.  Responding to other vulnerabilities.
  • 177. • Download “.PDF” version of this document: ≫ http://www.mbsd.jp MBSD