Expert System Approach on Web Vulnerability Analysis
20103272 / Jong Heon, PARK
20103616 / Hyun Woo, CHO
CS548 Advanced Information Security Term Project Presentation

Dec 23, 2015


Luke Doyle

Contents

• Motivation
• Problem we meet
• Existing System
• Our Expert System
• Comparison
• Conclusion


Motivation

• In recent years, web hacking has become more sophisticated and automated

• Spreading malicious code, taking personal information, and hacking and phishing for monetary profit

• Small businesses, which lack information security manpower, have become the main target of hackers

• Web vulnerabilities – SQL injection, XSS (file upload), packet modification


Motivation

Number of vulnerabilities detected over the recent 5 years (K-ISA)


Motivation

Homepage modification attacks over the recent 5 years (K-ISA)


Motivation

Chart categories: Worm/Virus, Spam relay, Phishing, Simple invasion, Homepage modification, Malignant code


Problem we meet

• Most of the web is still exposed to simple hacking techniques

Getting personal information by packet modification


Problem we meet

• Most of the web is still exposed to simple hacking techniques

Critical exploit of a payment module: use of a weak cryptographic algorithm


Problem we meet

• Most of the web is still exposed to simple hacking techniques

Critical exploit of a payment module
In some web hard servers
Ex) http://www.filecity.co.kr/


Problem we meet

• Most of the web is still exposed to simple hacking techniques
– Most web hacking starts with testing input values
  • Script code (XSS), SQL injection…
– Possibility of falsifying packet data
  • Whether the packet is encrypted or not
– Some web application vulnerabilities cannot be solved by an IDS or firewall

• Practical need: web application security
– Solution for web application vulnerabilities (SQL injection, XSS, …)
– Information security tool for web developers (not for security experts)
– Core function: modifying code in the development phase (bottom-up approach)
– Overcome the limitations of public IDS and firewall


Problem we meet

• Public IDS and Firewall

Diagram: Clients, Hacker – Firewall – Web Server (web applications)

* SQL Injection: ID: Admin, PWD: ‘or 1=1--

* Web Application Firewall (WAF)

• A WAF does not modify the web application

• Rule setup is difficult and requires considerable security experience

• Heavy load on the web server


Existing System

• Related research
– OWASP Top 10 // Web application standard
  • The OWASP Top Ten provides a powerful awareness document for web application security.
– WASC, NSS Group (firewall testing) 10 // Web application standard
– KrCERT/CC, Castle 2009 // Web application standard, audit tool
  • Korea Internet Security Center
  • Castle – Home page vulnerability solution, code modification (get/post, file upload, cookie)
– Fortify SCA (Source Code Analysis) // Audit tool
– Acunetix web vulnerability scanner // Web application scanner
  • Acunetix web vulnerability scanner is a tool designed to discover security holes in your web applications (SQL injection, cross site scripting, and weak passwords).
– SecuBat // Web application scanner
– AppScan // Web application scanner


Existing System

• Existing approach (Acunetix, SecuBat, …)

Existing web vulnerability analysis

Patching web application


Our Expert System

• Expert system
– Can perform like an expert in a specific field, especially a security expert
– The web developer submits code to the system, and the system detects ‘non-standard’ or ‘vulnerable’ code.
– A security expert collects vulnerability rules based on the OWASP Top 10 and stores them in a database.


Our Expert System

• Our approach

OWASP Rule Database & Expert system

Guarantee security in the development phase

Input web vulnerability rules into the database


Our Expert System

• System design and work flow

• End user (web developer): inserts web application code into the system.

• User interface: a simple interface in which the developer can choose the language and the vulnerability.

• Inference module:
  Step 1. Evaluate whether the code is safe against each vulnerability in the OWASP Top 10.
  Step 2. Based on the results of Step 1, give a list of vulnerable code and provide appropriate measures.


Our Expert System

• OWASP Top 10 1st Rank Issue: Injection
– Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.
– The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.


Our Expert System

• How do I prevent injection?
– VERIFY parameter input
– MINIMIZE authority to access other back-end systems
– DO NOT USE a dynamic query interface, like mysql_query() [in MySQL]
– DO NOT USE a simple escape function such as addslashes() [in PHP] or str_replace()


Our Expert System

• Injection analysis in the expert system

    AnalyzeInjection() {
        // Knowledge base (DB) connection
        ConnectionInfo = DBConnect(server, ID, password, database);
        // Load the injection vulnerability information into a list
        List rulebase = getInjection(ConnectionInfo);
        // Extract query
        QueryString = SearchExecuteQuery(InputText);
        // Extract parameters inside the query
        Parameters[] = SearchParametersInQuery(QueryString);
        // Is the parameter or query safe?
        foreach (rule in rulebase) {
            if (CompareRules(QueryString, Parameters, rule) != 1)
                AddErrorItem(QueryString, warningmessage, LineNo, QueryPosition);
        }
    }
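One way the rule check sketched in the AnalyzeInjection() pseudocode above could look, as an added Python example (not the authors' system): a line-based scan of PHP source that follows request data into mysql_query() and flags the addslashes()/str_replace() escapes the prevention slide rejects. The regex rule set, the function names and the sample PHP are constructed for illustration, and treating intval() or an (int) cast as verified input is an assumption.

```python
import re

# Patterns standing in for knowledge-base rows (constructed, not the project's rules).
SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")        # untrusted request data
VERIFIED = re.compile(r"\bintval\s*\(|\(int\)")                 # assumed to count as verification
WEAK_ESCAPES = re.compile(r"\b(addslashes|str_replace)\s*\(")   # escapes the slides reject
QUERY_CALL = re.compile(r"\bmysql_query\s*\((.*)\)\s*;")        # dynamic query interface
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);\s*$")             # simple one-line assignment
VAR = re.compile(r"\$\w+")
MESSAGES = {"raw": "untrusted input reaches mysql_query(); verify it and bind it as a parameter",
            "weak-escape": "addslashes()/str_replace() is not a safe escape; bind it as a parameter"}

def taint_of(expr, tainted):
    """Return None, 'raw' or 'weak-escape' for one PHP expression."""
    if VERIFIED.search(expr):
        return None
    states = {tainted.get(v) for v in VAR.findall(expr)}
    if SOURCES.search(expr) or "raw" in states:
        state = "raw"
    else:
        state = "weak-escape" if "weak-escape" in states else None
    if state and WEAK_ESCAPES.search(expr):
        state = "weak-escape"
    return state

def analyze_injection(php_source):
    """Return (line_no, state, message) for each query built from unsafe data."""
    tainted, findings = {}, []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        assign = ASSIGN.match(line)
        if assign:  # remember what each variable carries
            tainted[assign.group(1)] = taint_of(assign.group(2), tainted)
        query = QUERY_CALL.search(line)
        state = taint_of(query.group(1), tainted) if query else None
        if state:
            findings.append((line_no, state, MESSAGES[state]))
    return findings

# Constructed PHP input; line numbers in the findings refer to this text.
SAMPLE_PHP = """<?php
$id   = $_GET['id'];
$name = addslashes($_POST['name']);
$page = intval($_GET['page']);
$sql  = "SELECT * FROM users WHERE name = '$name'";
mysql_query("SELECT * FROM items WHERE id = " . $id);
mysql_query($sql);
mysql_query("SELECT * FROM items LIMIT 10 OFFSET " . $page);
"""
```

Calling analyze_injection(SAMPLE_PHP) reports lines 6 and 7 and leaves the intval()-checked query on line 8 alone. The scan works one line at a time, so statements split across lines are outside what it sees.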


Our Expert System

• Injection analysis in the expert system

Demonstration


Our Expert System

• OWASP Top 10 2nd Rank Issue: Cross Site Scripting (XSS)
– Attacker sends text-based attack scripts that exploit the interpreter in the browser.
– Attackers can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user’s browser using malware, etc.


Our Expert System

• How do I prevent XSS?
– VERIFY input text
– ENCRYPT output text strongly
– DO NOT APPLY a blacklist verification method like “DO NOT WRITE ‘<’ or ‘>’”
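Why a ‘<’/‘>’ blacklist is not enough, as an added Python example (not from the original slides): the constructed input below contains neither character, yet it closes an HTML attribute and adds a new one, while escaping the value on output with the standard library's html.escape keeps it inside the attribute. The function names and the harmless data-injected attribute are made up for the demonstration.

```python
import html
from html.parser import HTMLParser

class AttrCollector(HTMLParser):
    """Record the attribute names of every start tag in a fragment."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)

def attribute_names(markup):
    """Attribute names an HTML parser sees in the rendered markup."""
    collector = AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.names

def blacklist_filter(text):
    """The rejected check: remove '<' and '>' and accept everything else."""
    return text.replace("<", "").replace(">", "")

def render_field(value):
    """Put a value into a double-quoted attribute exactly as given."""
    return '<input name="q" value="%s">' % value

# Constructed input: no '<' or '>', yet it closes the attribute and adds one.
SAMPLE_INPUT = '" data-injected="1'

def compare(value):
    """Return the attribute names seen after the blacklist and after escaping."""
    filtered = render_field(blacklist_filter(value))
    escaped = render_field(html.escape(value, quote=True))
    return attribute_names(filtered), attribute_names(escaped)
```

For SAMPLE_INPUT, compare() returns three attribute names for the blacklist-filtered markup (the injected one included) and only name and value for the escaped markup.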


Our Expert System

• Problems with GET/POST, weak encryption
– GET method
  • User data is exposed in the address bar
  • Ex.) http://localhost/chs/book/Request.jsp?Name=Michael&Depy=Computer
  • A hacker can attack just by modifying the parameters in the address
– POST method
  • Data is decoded but can still be intercepted by a packet capture tool
  • Ex.) http://localhost/object_asp/post_meth_view.asp
– User authentication fields must be encrypted for both the GET and POST methods


Our Expert System

• Problems with GET/POST, weak encryption
– Encryption
  • Page encryption
    – Call “https” and apply it to the web page

Plaintext

Ciphertext


Our Expert System

• Use strong cipher
– Encryption Function (PHP)
  • CRC32 – MHASH_CRC32
  • MD5 – MHASH_MD5
  • DES – MCRYPT_DES
  • 3-WAY – MCRYPT_THREEWAY …
  • …
– Filtering weak algorithm
  • Ex) SHA-1, BASE64…
  • Modify to 128 bit encryption like AES


Comparison

Comparison table
Columns: SQL Injection, XSS, User data Encryption, Other OWASP top 10, Code Modification, Developer Guiding
Rows: Castle, Fortify SCA, Acunetix, SecuBat, AppScan, Our System
Legend: Support, Partially Support, Future work


Future Work

• Analyze the other issues
• More formal rules
– Still, the system runs these modules with different processes
– Developing a Rule Maker Module, instead of formal rules

• Open System
– Experts and users join this system free.


Conclusions

• Statistics for attack methods on websites & making successful attack scenarios

• Explore some issues of the OWASP Top 10
– Injection, XSS, Cryptographic…

• Devise an ‘Evolutionary System’
– The more people use the system, the bigger the system will be.

• Compare with other vulnerability checking tools
– In code modification & guidance for developers


Thank You