Presentation of the work by P. Arikhin.
Prepared at the Department of Information Security, Faculty of Information Systems and Technologies, SyktSU.
http://www.kzissu.ru/paper/doklady/539
Base Paper Abstract:
Most web applications have critical bugs (faults) affecting their security, which makes them vulnerable to attacks by hackers and organized crime. To prevent these security problems from occurring it is of utmost importance to understand the typical software faults. This paper contributes to this body of knowledge by presenting a field study on two of the most widely spread and critical web application vulnerabilities: SQL Injection and XSS. It analyzes the source code of security patches of widely used web applications written in weakly and strongly typed languages. Results show that only a small subset of software fault types, affecting a restricted collection of statements, is related to security. To understand how these vulnerabilities are really exploited by hackers, this paper also presents an analysis of the source code of the scripts used to attack them. The outcomes of this study can be used to train software developers and code inspectors in the detection of such faults and are also the foundation for the research of realistic vulnerability and attack injectors that can be used to assess security mechanisms, such as intrusion detection systems, vulnerability scanners, and static code analyzers.
Identifying Cross Site Scripting Vulnerabilities in Web Applications (Porfirio Tramontana)
This document discusses identifying cross-site scripting (XSS) vulnerabilities in web applications. It presents static and dynamic analysis methods to detect XSS vulnerabilities. Static analysis detects potentially vulnerable pages by analyzing code flow graphs, while dynamic analysis tests vulnerabilities by executing attack strings. The approaches are demonstrated on an open-source forum application, finding a second-order XSS vulnerability later fixed in an update.
C Overflows Vulnerabilities Exploit Taxonomy And Evaluation on Static Analysi... (Nurul Haszeli Ahmad)
This is a presentation slide presented during a mock viva, a requirement from IPSIS, UiTM for postgraduate students before submitting the complete thesis for viva.
A Study on Dynamic Detection of Web Application Vulnerabilities (Yuji Kosuga)
This dissertation presents techniques for the dynamic detection of web application vulnerabilities. It describes Sania, a tool that detects SQL injection vulnerabilities by dynamically generating effective attacks based on analyzing the syntax of where attacks are injected. It also describes Detoxss, a tool that detects cross-site scripting (XSS) vulnerabilities using a similar dynamic analysis approach. An evaluation found that these techniques discovered more vulnerabilities than popular vulnerability scanners. Additionally, the dissertation presents Amberate, an extensible framework for developing web application vulnerability scanners that supports plugin architectures and common functions to facilitate implementing new detection techniques.
2012 04 Analysis Techniques for Mobile OS Security (Raleigh ISSA)
The document discusses security analysis techniques for mobile operating systems. It covers how smartphones differ from traditional computing in their usage model and risk profile. It also discusses rethinking host security for smartphones by defining permissions that applications can access and focusing on what permissions applications ask for and how they use those permissions. The document uses Kirin, a modified Android application installer, as an example to evaluate application policies and permissions at install time to determine if they pose security risks.
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis... (Andrew Petukhov)
This talk was given at OWASP AppSec Europe 2008.
Full paper can be downloaded from here:
http://www.owasp.org/images/3/3e/OWASP-AppSecEU08-Petukhov.pdf
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE (Ajith Kp)
A slide show on the subject of web application vulnerabilities. It covers how the vulnerabilities evolve, how to detect them, how to exploit them and how to defend against them, with examples.
No locked doors, no windows barred: hacking OpenAM infrastructure (Andrew Petukhov)
One of the main functional components of enterprise applications and Internet portals is an authentication and access control system (AuthC/Z). In this presentation, we describe a popular access control system called ForgeRock OpenAM from the external security point of view. We show the scenarios of full enterprise application compromise through complex attacks which employ both LFI and SSRF.
CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps (Isao Takaesu)
This document summarizes a presentation about using machine learning to detect web application vulnerabilities. The speaker discusses developing an AI called SAIVS that can automatically crawl web apps and detect vulnerabilities. SAIVS uses techniques like naive Bayes and multilayer perceptrons to recognize page types, detect crawling failures, and input correct form values through reinforcement learning. It is pre-trained on sample web apps to efficiently learn crawling before analyzing real client apps. The goal is to develop fully automated security assessment that does not rely on human skills.
Attribute-based encryption (ABE) is a public-key based one-to-many encryption that allows users to encrypt and decrypt data based on user attributes.
A promising application of ABE is flexible access control of encrypted data stored in the cloud, using access policies and ascribed attributes associated with private keys and ciphertexts. One of the main efficiency drawbacks of the existing ABE schemes is that decryption involves expensive pairing operations and the number of such operations grows with the complexity of the access policy. Recently, Green et al. proposed an ABE system with outsourced decryption that largely eliminates the decryption overhead for users.
In such a system, a user provides an untrusted server, say a cloud service provider, with a transformation key that allows the cloud to translate any ABE ciphertext satisfied by that user's attributes or access policy into a simple ciphertext, and it only incurs a small computational overhead for the user to recover the plaintext from the transformed ciphertext.
Security of an ABE system with outsourced decryption ensures that an adversary (including a malicious cloud) will not be able to learn anything about the encrypted message; however, it does not guarantee the correctness of the transformation done by the cloud.
In this paper, we consider a new requirement of ABE with outsourced decryption: verifiability. Informally, verifiability guarantees that a user can efficiently check if the transformation is done correctly.
We give the formal model of ABE with verifiable outsourced decryption and propose a concrete scheme. We prove that our new scheme is both secure and verifiable, without relying on random oracles.
Finally, we show an implementation of our scheme and the results of performance measurements, which indicate a significant reduction in the computing resources imposed on users.
The document discusses various ways that data mining can be applied for security applications such as intrusion detection, firewall policy management, worm detection, and counter-terrorism surveillance. It describes techniques like anomaly detection, link analysis, classification, and prediction that can help detect cyber attacks, trace malware authors, and predict future threats. It also addresses challenges of working with real-time streaming data from sensors for critical applications.
Technology buffet for new teachers march 2012 (Karen Brooks)
This document provides information about new teacher training opportunities and classroom technology resources. It discusses a technology proficiency self-assessment, effective habits of 21st century teachers including adapting, communicating, collaborating and leading, and emerging technology trends like smaller mobile devices, self-driving cars, and digital tattoos. Videos are recommended for educators to stay informed on technology integration and innovations impacting K-12 students.
Security of the Internet of Things is not a simple topic and has a great many problems, caused first of all by the large number of IoT applications and, as a consequence, the large number of standards (and draft standards), which are not always related to one another.
Cyberwar has long since stepped off the pages of science fiction novels into the real world. What awaits us today and tomorrow? By what scenarios will cyber wars develop? Cyberweapons: a storm in social networks, or a weapon of mass destruction? The combat potential of the cyber arsenals of various countries of the world. Us against them, or them against us?
Building an information security system for the automated technological control system (ASTU) of an electric grid company (DialogueScience)
Speaker: Dmitry Yarushevsky, head of the ICS cybersecurity department at JSC "DialogNauka"
The webinar is devoted to the work of building an information security system for the automated technological control system of one of the largest electric grid companies in Moscow. The speaker will describe the risks and threats handled within the system being built and the tasks faced by the designers and engineers. Most of the webinar will be devoted to the technical solutions of the system, among which are both well-known protection tools from world market leaders and solutions developed specifically for the customer that implement security measures directly at the PLC level.
A presentation from the Industrial IoT track at the "Internet of Things" forum, devoted to the cybersecurity of the industrial Internet of Things. Current state, trends and all that.
Webinar recording: https://www.youtube.com/watch?v=fIk9IU7FNEc&index=4&list=PLvxhSg-LXXAcKhaBFL6zrIBKVlMz2Pd1X
An information security audit of an ICS is the first and therefore extremely important step in securing industrial control and automation systems. During the webinar, UCSB specialists will share their practical experience of conducting audits and describe the nuances that deserve attention first of all.
You Can Be Anything You Want to Be: Breaking Through Certified Crypto in Bank... (Andrew Petukhov)
- The document discusses reversing the architecture of a banking application that uses certified cryptography to ensure security. It describes initial efforts looking at the client-side crypto, which proved difficult due to the closed-source Windows app.
- A more successful approach was to look at how the crypto server communicates validation status and metadata to the application server. The authors aimed to find differences in how HTTP is handled between the crypto server and app server to potentially bypass signature validation.
- Basic steps taken included fingerprinting the HTTP parsers, reversing client and server features, and surveying the integration protocol. This was done through techniques like parameter pollution and duplicate headers to profile inconsistencies.
Detecting application logic vulnerabilities using static analysis. Where ... (Andrew Petukhov)
Flaws affecting the quality (and security) of applications can be divided into two groups: typical flaws (overflows, format string vulnerabilities, SQLi, XSS, etc.) and application-specific flaws. The talk assesses how justified the claims of static analyzer vendors are regarding their ability to find application-specific security flaws. A methodology for finding such errors will be presented using the search for access control errors as an example: the task will be decomposed into steps, and for each step it will be stated what can be done automatically and how, and what can only be done manually.
Securing extensions in enterprise information systems (Andrew Petukhov)
Some of the most widespread platforms for enterprise information systems in Russia are SAP and 1C:Enterprise. In both, the main value lies in the so-called extensions that provide customers with the required functionality: for SAP these are modules in the ABAP language, for 1C:Enterprise they are configurations, created with the built-in programming language. From the information security point of view the situation is discouraging: in recent years, the task of detecting backdoors in custom extension code has been joined by the detection of classic web vulnerabilities from the OWASP Top 10. The talk will cover the security assessment of extensions in enterprise information systems, as well as approaches to this task for the SAP platform in foreign countries and for the 1C platform in Russia.
Detecting Insufficient Access Control in Web Applications (Andrew Petukhov)
Web applications have become a de facto standard for delivering services on the Internet. Often they contain sensitive data and provide functionality which should be protected from unauthorized access. Explicit access control policies can be leveraged for validating the access control, but, unfortunately, these policies are rarely defined in the case of web applications. Previous research shows that access control flaws in web applications may be revealed with black-box analysis, but the existing "differential analysis" approach has certain limitations. We believe that taking the state of the web application into account could help to overcome the limitations of the existing approach. In this paper we propose a novel approach to black-box web application testing, which utilizes a use-case graph. The graph contains classes of actions within the web application and their dependencies. By traversing the graph and applying differential analysis at each step of the traversal, we were able to improve the accuracy of the method. The proposed method was implemented in the proof-of-concept tool AcCoRuTe. Evaluation with several real-world web applications shows better results in comparison to simple differential analysis.
The talk is devoted to comparing the effectiveness of web application scanners at detecting SQL Injection vulnerabilities. It presents a methodology for building test coverage and describes the procedure for running the tests and analyzing the results. Test results for well-known scanners such as sqlMap, skipfish, wapiti and acunetix will be presented.
4. Examples from IoT
• Smart home
➡ alarms (burglar, fire, leak), lighting, climate control, controlling food defrosting, TV and media systems, IP cameras, toilet, iRobot, game consoles (including Kinect)
• Smart power grids
• Passive tags (RFID) in logistics, inventory, theft prevention, payments, the study of animal migration, access control systems (including passports)
• Networks of active elements for gathering data about the environment (smartdust)
5. IoT technologies in more detail
• Identification and reading means
➡ RFID, NFC, QR, barcodes, etc.
• Measurement means
➡ sensor networks
• Data transmission means
➡ IEEE 802.15.4 (PHY / MAC), ZigBee, WirelessHart, MiWi, 6LoWPAN, PLC
• Foundation for smart things
➡ ARM, Linux distributions for embedded systems
6. Nothing Ever Changes, or where vulnerabilities come from
• Why reinvent the wheel? Let's take existing distributions and tweak them to our needs!
- known vulnerabilities in standard software
- unneeded components that expose an interface to the outside
- "security hardening"? Oh, what is that?
• Let's invent our own protocol, our own OS, our own web server and write our own software!
- our own vulnerabilities in the code
• To manage the device, let's make a convenient interface over HTTP/Bluetooth, and we'll be sure to say something about passwords in the manual
- default passwords, default settings
• Captain Obvious: flaws appear in the areas of responsibility of those participants in the device life cycle who know little about information security
7. Summary
• Use of standard software with vulnerabilities
• Bugs in in-house code (usually web components)
- authorization errors, CSRF, OS command injection, etc.
• Insecure settings of the components used
- example: unauthenticated UPnP
• Weak protection against analysis and reverse engineering
- "service" accounts turn up
- a simple bypass of trusted OS boot is found
• Insecure operation
- default passwords
- dictionary passwords
- refusing updates
- direct connection to the Internet (for example, via PLC or 3G)
8. Let's look at this more strictly
• In the standard setup, smart devices are connected to the home network or controlled via Bluetooth/IR
➡ active influence on them from the Internet is impossible
• That leaves the attacker classes "person near the house" and "person past the perimeter"
• "Person near the house": is there a motive?
➡ research? not scary
➡ hooliganism? also not very, in terms of consequences
➡ targeted attack? possibly, for surveillance
• "Person past the perimeter": how did they get there, and what was the motive?
➡ IR and Bluetooth devices will not be affected
➡ a computer/phone has been compromised and the attack is targeted: logically, surveillance
➡ a computer/phone/router has been compromised and the attack is untargeted: extending the attack to the surroundings via autopwn; haven't seen it yet, but it doesn't look unrealistic!
9. Conclusions for the "housewife"
• If Mossad wants to carry out a targeted attack, it will carry it out in any case
• The router on the perimeter is the Minas Tirith of your free western world of smart things
• If your perimeter router can be compromised, you should fear first of all for your data (including credentials), not for your army of smart things