SlideShare a Scribd company logo

Generic attack detection engine

Vikrant Kansal
Vikrant Kansal

This paper covers a new technique that can help IDS/IPS solution developers to provide more protection against web attacks. The approach is very generic and can be “adopted” by any IDS/IPS solution provider. Presently the approach is just an Idea and it requires more research and experiment to convert it into a working solution. This approach helps in enhancing quality of “signature based IDS/IPS solution” and provides good coverage with respect to the evasion techniques.

Technology
1 of 7
Download to read offline
Abstract This paper covers a new technique that can help IDS/IPS solution developers to provide more protection against web attacks. The approach is very generic and can be “adopted” by any IDS/IPS solution provider. Presently the approach is just an Idea and it requires more research and experiment to convert it into a working solution. This approach helps in enhancing quality of “signature based IDS/IPS solution” and provides good coverage with respect to the evasion techniques. Introduction There are some web attacks that can be performed against different applications, let us name them as “Generic Attacks”. Also these attacks involve evasion techniques to bypass the IDS/IPS signature based protection mechanism. Generic Attacks Name:- 1. Cross Site Scripting 2. SQL Injection 3. Shell Code Execution 4. Directory Traversal 5. Buffer overflow 6. Remote File Inclusion Presently, most of the signature based IDS/IPS solution providers provides one signature per vulnerability or they may write some more signatures for same vulnerability to cover the evasion techniques but most of the IDS/IPS solutions are following this approach. This approach allows the attacker to bypass the IDS/IPS detection using evasion techniques. There are some other limitations of current approach which are covered below under “Problem” heading. Problem To explain the problem more clearly let me start with an example:- Threat Information: - Cross-Site Scripting (XSS) vulnerability in the com_search module for Joomla! 1.0.x through 1.0.15 allows remote attackers to inject arbitrary web script or HTML via the ordering parameter to index.php. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0005 In above vulnerability we can see that “Joomla” application is vulnerable to XSS attack via “ordering” parameter. Sample POC/Exploit for above vulnerability http://attacker.in/joomla1015/index.php?option=com_search&searchword=xss&searchphrase=any&o rdering=newest%22%20onmousemove=alert%28document.cookie%29%20style=position:fixed;top: 0;left:0;width:100%;height:100%;%22
Above mentioned POC is just one XSS type of case and there are many other evasion techniques that attacker can use to conduct the attack, but vulnerable parameter “ordering” remains the same in other XSS cases. To detect the above attack signature developer writes a single signature or multiple signatures to cover some XSS evasion techniques. But there are very high chances that developer may miss to cover some evasion techniques or in many cases he/she may not be able to write multiple signatures due to the performance issues of detection engine, as more number of signatures involves more processing time. A sample IDS signature (Snort Rule) that a developer can write to detect the above malicious URL is as below:- alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Joomla XSS Attack"; flow:established,to_server; content:"index.php"; nocase; http_uri; content:"ordering="; nocase; http_uri; pcre:"/ alertx28document.cookiex29x20style /smi"; metadata:policy security-ips alert, service http; classtype:web-application-attack; sid:15 ) Same approach is followed while developing the signatures for other attacks. Also one important point here is that the way XSS attack is conducted is mostly common across the applications, only thing that vary is parameter, argument or function, like in above mentioned vulnerability parameter is “ordering” and in case of XSS vulnerability in other application this parameter can be something else let’s say “userid”. Snort rules:- alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP phpBB mod tag board sql injection attempt"; flow:established,to_server; content:"tag_board.php"; fast_pattern; nocase; http_uri; content:"action=delete"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/tag_board.phpx3F[^rn]*action=delete[^rn]*id=[^rnx26]*(select|insert|delete)/ Usmi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert, service http; reference:bugtraq,32701; reference:cve,2008-6314; classtype:web-application-attack; sid:15425; rev:5;) In above snort rule, signature is only covering one evasion technique to detect the SQL injection. Although there are many other ways using which attacker can bypass this detection rule. For example: - Attacker can provide the select, insert and delete query via using comment /**/ within the keyword as S/**/E/**/L/**/ECT which gets normalize as SELECT later on database side. As we can see that this is not covered by above signature. This is just one way of performing SQL injection and there are many more ways that attacker can use to conduct the attack. For more details you can search for SQL injection Evasion Techniques. Like the above rule you can find some more signatures which are having same limitations. alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql with comments injection attempt - GET parameter"; flow:to_server,established; content:"/*"; http_uri; content:"*/"; http_uri; pcre:"/(update|exec|insert|union)[^/]*/*.**//Uis"; metadata:service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:16431; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql insert injection atttempt - POST parameter"; flow:established,to_server; content:"insert "; fast_pattern; nocase; http_client_body; pcre:"/inserts+intos+[^/]+/Pi"; metadata:policy security-ips drop, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:15875; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql update injection attempt - GET parameter"; flow:established,to_server; content:"update"; fast_pattern; nocase; http_uri; pcre:"/updates+[^/]+sets+[^/]+/Ui"; metadata:policy security-ips drop, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:13514; rev:11;) Weaknesses and Limitations found in current scenario:- 1. If some new evasion technique is discovered that conducts web attack (like SQL injection) then in that case a new IDS/IPS signature have to be released for all the applications which has SQL injection vulnerabilities. So, developer has to write one new signature for all the applications to provide the protection. There is no single point where we can patch the entire signatures against this new evasion technique. 2. False Negative chances are high in current scenario as IDS/IPS signature written for vulnerability can possibly miss to cover some evasion techniques during signature development phase or due to performance limitation of IDS/IPS detection engine. 3. In current approach it is difficult for IDS/IPS solution provider to provide quality assurance parameters per vulnerability like how many evasion techniques or which evasion techniques their signatures are covering for a particular vulnerability. Providing such information per vulnerability is difficult. Brief about signature development:- Before writing the signature for vulnerability we first find the parameter, argument or function which has the flaw. Now, while writing the signature we first match this parameter and then match the attack pattern using either content matching or using PCRE. Here, for above explained Joomla XSS attack I am writing a sample signature:- alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Joomla XSS Attack"; flow:established,to_server; content:"index.php"; nocase; http_uri; content:"ordering="; nocase; http_uri; pcre:"/ alertx28document.cookiex29x20style /smi"; metadata:policy security-ips alert, service http; classtype:web-application-attack; sid:15 ) Here I have match the parameter “ordering” and then match the attack pattern using PCRE. We match parameter first to reduce the PCRE matching on whole traffic to improve the performance and reduce false positive chances. Direct PCRE matching on real traffic is very performance intensive. My Idea Generic Detection Algorithm/Engine: - What I am suggesting is that, we can develop some generic detection algorithm/engine for each such generic attack and call them whenever they are required. Like in above case instead of matching the malicious pattern using a single PCRE we can call “XSS detection algorithm/engine” that covers all the possible XSS evasion techniques.
There are multiple advantages of developing and using such attack detection algorithm/engine:- 1. Reusability:-The advantage of developing such engine is that we can call it for any application which is vulnerable to such attack. 2. Signature Patching: - In case some new evasion technique is introduced to conduct the attack then it’s only needed to enhance the detection engine to cover this new evasion technique instead of what we do right now by developing a new signature for all the applications. At the same time, it will reduce false negative chances. Also, it helps in providing “Zero Day” protection. 3. Accountability: - With the help of such detection algorithm/engine we are sure about how many evasion techniques are covered per vulnerability. 4. Quality Assurance: - Using such detection algorithm/engine we are very sure and confident about the quality of our signature coverage. 5. Performance Enhancement: - We can optimize the algorithm and also use some special hardware to run, which can help in improving the performance of IDS/IPS detection solution. 6. Automation: - Signature development process can be automated once we have the stable detection engine for attack. Details:- Flow Diagram:- Packet Capture Malicious Pattern http://attacker.in/joomla1015/index.php?option=com_search&searchword=xss&searchphrase=a ny&ordering=newest%22%20onmousemove=alert%28document.cookie%29%20style=position:f ixed;top:0;left:0;width:100%;height:100%;%22 First Content/Pattern Match content:"ordering="; PCRE Match for XSS pcre:"/ alertx28document.cookiex29x20style /smi"; Generic XSS detection Algorithm/Engine covers all Evasion Techniques
Basic Architecture of Generic Detection Engine Following architecture diagram it to give you a little Idea about how the generic detection approach can work. Content or PCRE Match In above diagram we have two branches after Content/Pattern Match one is “Normal Detection” and another one is “Generic Detection Engine”. For generic attacks we are having six different attack detection engines which can be called as per the detection requirement. Each individual detection engine cover all the possible evasion techniques related to the respective attack. Like XSS engine is capable of detecting all type of XSS attack evasions. These detection engines are called during signature matching for the detection of malicious patterns and return the result. For all other type of attacks we have our normal detection engine that works like current detection logic that includes further Content/PCRE matches. XSS Detection SQL Injection Shell Code Directory Traversal Buffer Overflow Remote File Inclusion Content/Pattern Match Generic Detection EngineNormal Detection
Detection Levels:- We can define some detection levels in attack detection engine like low, medium and high. In case if we want to drop some evasion techniques at the cost of appliance performance then there has to be some possibility within engine using which we are able to drop some evasion techniques. Evasion Techniques Complexity Detection Engine Parameters: - Possible parameters that the detection engine can have are mentioned as below:- Engine ID Engine Name Detection Level Status Evasion Technique Count 1 XSS Low/Medium/High Enable/Disable Some Integer Value 2 SQL Injection Low/Medium/High Enable/Disable Some Integer Value 3 Shell Code Low/Medium/High Enable/Disable Some Integer Value 4 Buffer Over Flow Low/Medium/High Enable/Disable Some Integer Value 5 Directory Traversal Low/Medium/High Enable/Disable Some Integer Value 6 Remote File Inclusion Low/Medium/High Enable/Disable Some Integer Value XSS Attack HighLow Medium Evasion 1 Evasion 2 Evasion 3 Evasion 4 Evasion 5
New Construct For IDS/IPS Signature From signature development language/syntax point of view we can have some new constructs like as below “engineid” and “detectionlevel” that can support the new generic detection engine. This is just one way that I am thinking of but there can be some other ways also to integrated/implement the new approach. OLD RULE:- alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Joomla XSS Attack"; flow:established,to_server; content:"index.php"; nocase; http_uri; content:"ordering="; nocase; http_uri; pcre:"/ alertx28document.cookiex29x20style /smi"; metadata:policy security-ips alert, service http; classtype:web-application-attack; sid:15 ) NEW RULE:- alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Joomla XSS Attack"; flow:established,to_server; content:"index.php"; nocase; http_uri; content:"ordering="; nocase; http_uri; engineid:1;detectionlevel:high;metadata:policy security-ips alert, service http; classtype:web-application-attack; sid:15 ) Now as you can see that instead of “pcre” match I am using an “engineid” and “detectionlevel” which is the ID of XSS engine. First signature perform the content matching “index.php” and “ordering=” once it’s matched after then “XSS engine” is called to match for all the possibilities of XSS evasion techniques and return the result. If any match succeeds then signature is triggered. Here, using new approach there is no need to write the multiple signatures for different-2 evasion techniques. All of this is taken care by generic detection engine. Conclusion and Further Work I believe that this approach helps a lot in IDS/IPS solution development and improve the quality of signatures with respect to the evasion techniques. Using this new approach we can overcome the current approach flaws and limitations. Lot of work is required to actually make this approach as a working solution. Nothing has been tested and implemented yet. So we need to do some experiments to test how this approach works. Once we have some good results then we need to find a way to implement this approach into a working solution. Feedback and comments are most welcome. Best Regards Packet Computing Team

Recommended

Kali linux useful tools
Kali linux useful toolsKali linux useful tools
Kali linux useful toolsmilad mahdavi
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelinesTrupti Shiralkar, CISSP
 
Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injectionzakieh alizadeh
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modelingzakieh alizadeh
 
Protecting web apps
Protecting web appsProtecting web apps
Protecting web appsOmkar Parab
 
Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Greg Sohl
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 

Recommended

Kali linux useful tools
Kali linux useful toolsKali linux useful tools
Kali linux useful toolsmilad mahdavi
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelinesTrupti Shiralkar, CISSP
 
Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injectionzakieh alizadeh
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modelingzakieh alizadeh
 
Protecting web apps
Protecting web appsProtecting web apps
Protecting web appsOmkar Parab
 
Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Greg Sohl
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
S8-Session Managment
S8-Session ManagmentS8-Session Managment
S8-Session Managmentzakieh alizadeh
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageNetsparker
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Braindev Kyiv
 
Nii sample pt_report
Nii sample pt_reportNii sample pt_report
Nii sample pt_reportChandan Bagai, GWAPT, CEHv8, CCNA
 
20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASPchadtindel
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesMohammed A. Imran
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730chadtindel
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
Penetration and hacking training brief
Penetration and hacking training briefPenetration and hacking training brief
Penetration and hacking training briefBill Nelson
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareLeigh Honeywell
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
20160211 OWASP Charlotte RASP
20160211 OWASP Charlotte RASP20160211 OWASP Charlotte RASP
20160211 OWASP Charlotte RASPchadtindel
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample ReportOctogence
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Yuji Kosuga
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101Cybersecurity Education and Research Centre
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
Generic threats to mobile application
Generic threats to mobile applicationGeneric threats to mobile application
Generic threats to mobile applicationVikrant Kansal
 
Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9Ricardo L0gan
 

More Related Content

What's hot

Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageNetsparker
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Braindev Kyiv
 
20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASPchadtindel
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesMohammed A. Imran
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730chadtindel
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
Penetration and hacking training brief
Penetration and hacking training briefPenetration and hacking training brief
Penetration and hacking training briefBill Nelson
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareLeigh Honeywell
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
20160211 OWASP Charlotte RASP
20160211 OWASP Charlotte RASP20160211 OWASP Charlotte RASP
20160211 OWASP Charlotte RASPchadtindel
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample ReportOctogence
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Yuji Kosuga
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 

What's hot (20)

S8-Session Managment
S8-Session ManagmentS8-Session Managment
S8-Session Managment
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering Stage
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
 
Nii sample pt_report
Nii sample pt_reportNii sample pt_report
Nii sample pt_report
 
20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
Penetration and hacking training brief
Penetration and hacking training briefPenetration and hacking training brief
Penetration and hacking training brief
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure software
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with php
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
20160211 OWASP Charlotte RASP
20160211 OWASP Charlotte RASP20160211 OWASP Charlotte RASP
20160211 OWASP Charlotte RASP
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practices
 

Viewers also liked

Generic threats to mobile application
Generic threats to mobile applicationGeneric threats to mobile application
Generic threats to mobile applicationVikrant Kansal
 
Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9Ricardo L0gan
 
Applying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine CodeApplying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine CodeTeodoro Cipresso
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and preventionNicholas Davis
 
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...frank2
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur lsINSIGHT FORENSIC
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationBlueinfy Solutions
 
Obfuscation, Golfing and Secret Operators in Perl
Obfuscation, Golfing and Secret Operators in PerlObfuscation, Golfing and Secret Operators in Perl
Obfuscation, Golfing and Secret Operators in PerlJosé Castro
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawEC-Council
 
Endpoint Security Evasion
Endpoint Security EvasionEndpoint Security Evasion
Endpoint Security EvasionInvincea, Inc.
 
Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)ReCrypt
 
Top Tactics For Endpoint Security
Top Tactics For Endpoint SecurityTop Tactics For Endpoint Security
Top Tactics For Endpoint SecurityBen Rothke
 
Got database access? Own the network!
Got database access? Own the network!Got database access? Own the network!
Got database access? Own the network!Bernardo Damele A. G.
 
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackAn Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackTechSecIT
 
Roadsec 2016 Mach-o A New Threat
Roadsec 2016 Mach-o A New ThreatRoadsec 2016 Mach-o A New Threat
Roadsec 2016 Mach-o A New ThreatRicardo L0gan
 

Viewers also liked (20)

Generic threats to mobile application
Generic threats to mobile applicationGeneric threats to mobile application
Generic threats to mobile application
 
Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9
 
Applying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine CodeApplying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine Code
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and prevention
 
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
 
Spo2 t19 spo2-t19
Spo2 t19 spo2-t19Spo2 t19 spo2-t19
Spo2 t19 spo2-t19
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
 
Obfuscation, Golfing and Secret Operators in Perl
Obfuscation, Golfing and Secret Operators in PerlObfuscation, Golfing and Secret Operators in Perl
Obfuscation, Golfing and Secret Operators in Perl
 
EvasionTechniques
EvasionTechniquesEvasionTechniques
EvasionTechniques
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
CSIRT_16_Jun
CSIRT_16_JunCSIRT_16_Jun
CSIRT_16_Jun
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
 
Endpoint Security Evasion
Endpoint Security EvasionEndpoint Security Evasion
Endpoint Security Evasion
 
Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)
 
Top Tactics For Endpoint Security
Top Tactics For Endpoint SecurityTop Tactics For Endpoint Security
Top Tactics For Endpoint Security
 
Got database access? Own the network!
Got database access? Own the network!Got database access? Own the network!
Got database access? Own the network!
 
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackAn Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
 
Roadsec 2016 Mach-o A New Threat
Roadsec 2016 Mach-o A New ThreatRoadsec 2016 Mach-o A New Threat
Roadsec 2016 Mach-o A New Threat
 

Similar to Generic attack detection engine

DEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPDEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPAmr Thabet
 
OWASP Top 10 (2010 release candidate 1)
OWASP Top 10 (2010 release candidate 1)OWASP Top 10 (2010 release candidate 1)
OWASP Top 10 (2010 release candidate 1)Jeremiah Grossman
 
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...Andrey Karpov
 
How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )Katy Slemon
 
Seh based exploitation
Seh based exploitationSeh based exploitation
Seh based exploitationRaghunath G
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideAryan G
 
An Introduction to Secure Application Development
An Introduction to Secure Application DevelopmentAn Introduction to Secure Application Development
An Introduction to Secure Application DevelopmentChristopher Frenz
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerShivamSharma909
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxkarthikvcyber
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherWendy Knox Everette
 
website vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperwebsite vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperBhagyashri Chalakh
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesAmit Kumbhar
 
17726 bypassing-phpids-0.6.5
17726 bypassing-phpids-0.6.517726 bypassing-phpids-0.6.5
17726 bypassing-phpids-0.6.5Attaporn Ninsuwan
 

Similar to Generic attack detection engine (20)

DEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPDEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WP
 
OWASP Top 10 (2010 release candidate 1)
OWASP Top 10 (2010 release candidate 1)OWASP Top 10 (2010 release candidate 1)
OWASP Top 10 (2010 release candidate 1)
 
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
 
C01461422
C01461422C01461422
C01461422
 
How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )
 
Seh based exploitation
Seh based exploitationSeh based exploitation
Seh based exploitation
 
Top Application Security Threats
Top Application Security Threats Top Application Security Threats
Top Application Security Threats
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference Guide
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011
 
An Introduction to Secure Application Development
An Introduction to Secure Application DevelopmentAn Introduction to Secure Application Development
An Introduction to Secure Application Development
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answer
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work together
 
website vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperwebsite vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paper
 
2 . web app s canners
2 . web app s canners2 . web app s canners
2 . web app s canners
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows Vulnerabilities
 
Php security
Php securityPhp security
Php security
 
T04505103106
T04505103106T04505103106
T04505103106
 
17726 bypassing-phpids-0.6.5
17726 bypassing-phpids-0.6.517726 bypassing-phpids-0.6.5
17726 bypassing-phpids-0.6.5
 

Recently uploaded

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 

Recently uploaded (20)

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 

Generic attack detection engine

  • 1. Abstract This paper covers a new technique that can help IDS/IPS solution developers to provide more protection against web attacks. The approach is very generic and can be “adopted” by any IDS/IPS solution provider. Presently the approach is just an Idea and it requires more research and experiment to convert it into a working solution. This approach helps in enhancing quality of “signature based IDS/IPS solution” and provides good coverage with respect to the evasion techniques. Introduction There are some web attacks that can be performed against different applications, let us name them as “Generic Attacks”. Also these attacks involve evasion techniques to bypass the IDS/IPS signature based protection mechanism. Generic Attacks Name:- 1. Cross Site Scripting 2. SQL Injection 3. Shell Code Execution 4. Directory Traversal 5. Buffer overflow 6. Remote File Inclusion Presently, most of the signature based IDS/IPS solution providers provides one signature per vulnerability or they may write some more signatures for same vulnerability to cover the evasion techniques but most of the IDS/IPS solutions are following this approach. This approach allows the attacker to bypass the IDS/IPS detection using evasion techniques. There are some other limitations of current approach which are covered below under “Problem” heading. Problem To explain the problem more clearly let me start with an example:- Threat Information: - Cross-Site Scripting (XSS) vulnerability in the com_search module for Joomla! 1.0.x through 1.0.15 allows remote attackers to inject arbitrary web script or HTML via the ordering parameter to index.php. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0005 In above vulnerability we can see that “Joomla” application is vulnerable to XSS attack via “ordering” parameter. Sample POC/Exploit for above vulnerability http://attacker.in/joomla1015/index.php?option=com_search&searchword=xss&searchphrase=any&o rdering=newest%22%20onmousemove=alert%28document.cookie%29%20style=position:fixed;top: 0;left:0;width:100%;height:100%;%22
  • 2. Above mentioned POC is just one XSS type of case and there are many other evasion techniques that attacker can use to conduct the attack, but vulnerable parameter “ordering” remains the same in other XSS cases. To detect the above attack signature developer writes a single signature or multiple signatures to cover some XSS evasion techniques. But there are very high chances that developer may miss to cover some evasion techniques or in many cases he/she may not be able to write multiple signatures due to the performance issues of detection engine, as more number of signatures involves more processing time. A sample IDS signature (Snort Rule) that a developer can write to detect the above malicious URL is as below:- alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Joomla XSS Attack"; flow:established,to_server; content:"index.php"; nocase; http_uri; content:"ordering="; nocase; http_uri; pcre:"/ alertx28document.cookiex29x20style /smi"; metadata:policy security-ips alert, service http; classtype:web-application-attack; sid:15 ) Same approach is followed while developing the signatures for other attacks. Also one important point here is that the way XSS attack is conducted is mostly common across the applications, only thing that vary is parameter, argument or function, like in above mentioned vulnerability parameter is “ordering” and in case of XSS vulnerability in other application this parameter can be something else let’s say “userid”. Snort rules:- alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP phpBB mod tag board sql injection attempt"; flow:established,to_server; content:"tag_board.php"; fast_pattern; nocase; http_uri; content:"action=delete"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/tag_board.phpx3F[^rn]*action=delete[^rn]*id=[^rnx26]*(select|insert|delete)/ Usmi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert, service http; reference:bugtraq,32701; reference:cve,2008-6314; classtype:web-application-attack; sid:15425; rev:5;) In above snort rule, signature is only covering one evasion technique to detect the SQL injection. Although there are many other ways using which attacker can bypass this detection rule. For example: - Attacker can provide the select, insert and delete query via using comment /**/ within the keyword as S/**/E/**/L/**/ECT which gets normalize as SELECT later on database side. As we can see that this is not covered by above signature. This is just one way of performing SQL injection and there are many more ways that attacker can use to conduct the attack. For more details you can search for SQL injection Evasion Techniques. Like the above rule you can find some more signatures which are having same limitations. alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql with comments injection attempt - GET parameter"; flow:to_server,established; content:"/*"; http_uri; content:"*/"; http_uri; pcre:"/(update|exec|insert|union)[^/]*/*.**//Uis"; metadata:service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:16431; rev:2;)
  • 3. alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql insert injection atttempt - POST parameter"; flow:established,to_server; content:"insert "; fast_pattern; nocase; http_client_body; pcre:"/inserts+intos+[^/]+/Pi"; metadata:policy security-ips drop, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:15875; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql update injection attempt - GET parameter"; flow:established,to_server; content:"update"; fast_pattern; nocase; http_uri; pcre:"/updates+[^/]+sets+[^/]+/Ui"; metadata:policy security-ips drop, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:13514; rev:11;) Weaknesses and Limitations found in current scenario:- 1. If some new evasion technique is discovered that conducts web attack (like SQL injection) then in that case a new IDS/IPS signature have to be released for all the applications which has SQL injection vulnerabilities. So, developer has to write one new signature for all the applications to provide the protection. There is no single point where we can patch the entire signatures against this new evasion technique. 2. False Negative chances are high in current scenario as IDS/IPS signature written for vulnerability can possibly miss to cover some evasion techniques during signature development phase or due to performance limitation of IDS/IPS detection engine. 3. In current approach it is difficult for IDS/IPS solution provider to provide quality assurance parameters per vulnerability like how many evasion techniques or which evasion techniques their signatures are covering for a particular vulnerability. Providing such information per vulnerability is difficult. Brief about signature development:- Before writing the signature for vulnerability we first find the parameter, argument or function which has the flaw. Now, while writing the signature we first match this parameter and then match the attack pattern using either content matching or using PCRE. Here, for above explained Joomla XSS attack I am writing a sample signature:- alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Joomla XSS Attack"; flow:established,to_server; content:"index.php"; nocase; http_uri; content:"ordering="; nocase; http_uri; pcre:"/ alertx28document.cookiex29x20style /smi"; metadata:policy security-ips alert, service http; classtype:web-application-attack; sid:15 ) Here I have match the parameter “ordering” and then match the attack pattern using PCRE. We match parameter first to reduce the PCRE matching on whole traffic to improve the performance and reduce false positive chances. Direct PCRE matching on real traffic is very performance intensive. My Idea Generic Detection Algorithm/Engine: - What I am suggesting is that, we can develop some generic detection algorithm/engine for each such generic attack and call them whenever they are required. Like in above case instead of matching the malicious pattern using a single PCRE we can call “XSS detection algorithm/engine” that covers all the possible XSS evasion techniques.
  • 4. There are multiple advantages of developing and using such attack detection algorithm/engine:- 1. Reusability:-The advantage of developing such engine is that we can call it for any application which is vulnerable to such attack. 2. Signature Patching: - In case some new evasion technique is introduced to conduct the attack then it’s only needed to enhance the detection engine to cover this new evasion technique instead of what we do right now by developing a new signature for all the applications. At the same time, it will reduce false negative chances. Also, it helps in providing “Zero Day” protection. 3. Accountability: - With the help of such detection algorithm/engine we are sure about how many evasion techniques are covered per vulnerability. 4. Quality Assurance: - Using such detection algorithm/engine we are very sure and confident about the quality of our signature coverage. 5. Performance Enhancement: - We can optimize the algorithm and also use some special hardware to run, which can help in improving the performance of IDS/IPS detection solution. 6. Automation: - Signature development process can be automated once we have the stable detection engine for attack. Details:- Flow Diagram:- Packet Capture Malicious Pattern http://attacker.in/joomla1015/index.php?option=com_search&searchword=xss&searchphrase=a ny&ordering=newest%22%20onmousemove=alert%28document.cookie%29%20style=position:f ixed;top:0;left:0;width:100%;height:100%;%22 First Content/Pattern Match content:"ordering="; PCRE Match for XSS pcre:"/ alertx28document.cookiex29x20style /smi"; Generic XSS detection Algorithm/Engine covers all Evasion Techniques
  • 5. Basic Architecture of Generic Detection Engine Following architecture diagram it to give you a little Idea about how the generic detection approach can work. Content or PCRE Match In above diagram we have two branches after Content/Pattern Match one is “Normal Detection” and another one is “Generic Detection Engine”. For generic attacks we are having six different attack detection engines which can be called as per the detection requirement. Each individual detection engine cover all the possible evasion techniques related to the respective attack. Like XSS engine is capable of detecting all type of XSS attack evasions. These detection engines are called during signature matching for the detection of malicious patterns and return the result. For all other type of attacks we have our normal detection engine that works like current detection logic that includes further Content/PCRE matches. XSS Detection SQL Injection Shell Code Directory Traversal Buffer Overflow Remote File Inclusion Content/Pattern Match Generic Detection EngineNormal Detection
  • 6. Detection Levels:- We can define some detection levels in attack detection engine like low, medium and high. In case if we want to drop some evasion techniques at the cost of appliance performance then there has to be some possibility within engine using which we are able to drop some evasion techniques. Evasion Techniques Complexity Detection Engine Parameters: - Possible parameters that the detection engine can have are mentioned as below:- Engine ID Engine Name Detection Level Status Evasion Technique Count 1 XSS Low/Medium/High Enable/Disable Some Integer Value 2 SQL Injection Low/Medium/High Enable/Disable Some Integer Value 3 Shell Code Low/Medium/High Enable/Disable Some Integer Value 4 Buffer Over Flow Low/Medium/High Enable/Disable Some Integer Value 5 Directory Traversal Low/Medium/High Enable/Disable Some Integer Value 6 Remote File Inclusion Low/Medium/High Enable/Disable Some Integer Value XSS Attack HighLow Medium Evasion 1 Evasion 2 Evasion 3 Evasion 4 Evasion 5
  • 7. New Construct For IDS/IPS Signature From signature development language/syntax point of view we can have some new constructs like as below “engineid” and “detectionlevel” that can support the new generic detection engine. This is just one way that I am thinking of but there can be some other ways also to integrated/implement the new approach. OLD RULE:- alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Joomla XSS Attack"; flow:established,to_server; content:"index.php"; nocase; http_uri; content:"ordering="; nocase; http_uri; pcre:"/ alertx28document.cookiex29x20style /smi"; metadata:policy security-ips alert, service http; classtype:web-application-attack; sid:15 ) NEW RULE:- alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Joomla XSS Attack"; flow:established,to_server; content:"index.php"; nocase; http_uri; content:"ordering="; nocase; http_uri; engineid:1;detectionlevel:high;metadata:policy security-ips alert, service http; classtype:web-application-attack; sid:15 ) Now as you can see that instead of “pcre” match I am using an “engineid” and “detectionlevel” which is the ID of XSS engine. First signature perform the content matching “index.php” and “ordering=” once it’s matched after then “XSS engine” is called to match for all the possibilities of XSS evasion techniques and return the result. If any match succeeds then signature is triggered. Here, using new approach there is no need to write the multiple signatures for different-2 evasion techniques. All of this is taken care by generic detection engine. Conclusion and Further Work I believe that this approach helps a lot in IDS/IPS solution development and improve the quality of signatures with respect to the evasion techniques. Using this new approach we can overcome the current approach flaws and limitations. Lot of work is required to actually make this approach as a working solution. Nothing has been tested and implemented yet. So we need to do some experiments to test how this approach works. Once we have some good results then we need to find a way to implement this approach into a working solution. Feedback and comments are most welcome. Best Regards Packet Computing Team