Gaoning Pan,Tianxiang Luo,Yiming Tao,Xiao Lei,Shuangxi Chen,Hui Liu,Chunming Wu

DOI: https://doi.org/10.1109/PST58708.2023.10319984

2023-01-01

Abstract:With the popularity of computers and mobile devices and the development of the Internet, browsers (applications used to retrieve and display information resources on the World Wide Web) are often included by default and have become an indispensable software. Therefore, research on browser security issues is essential for protecting information assets. Among many browsers in the industry, Chrome, as a cross-platform web browser developed by Google, occupies a large market share in desktop browsers, and its security risks are further amplified as its kernel is used by many other browsers. Therefore, the research on the security issues of Chrome browser is critical for browser security. This paper focuses on the vulnerability detection of the process communication interface in Chrome browser, and designs and implements a fuzzing framework, auto-mojo-fuzz (AMF). The fuzzing process mainly designs a sample optimization technique to ensure the effectiveness of input samples and improve the efficiency of fuzzing. After implementing the AMF solution, we evaluate the generated test samples to demonstrate the effectiveness of the sample optimization technique. We also prove the possibility of discovering more vulnerabilities with AMF, and tests it with the latest version of Chrome browser, finding five unique crashes, four of which are verified as security vulnerabilities, effectively proving the automatic and efficient ability of this framework to discover vulnerabilities in the process communication interfaces in browsers.

Enze Wang,Jianjun Chen,Wei Xie,Chuhan Wang,Yifei Gao,Zhenhua Wang,Haixin Duan,Yang Liu,Baosheng Wang

DOI: https://doi.org/10.1109/sp54263.2024.00198

2024-01-01

Abstract:Server-Side Request Forgery (SSRF) vulnerability poses significant security risks to web applications, enabling adversaries to exploit web applications as stepping stones for unauthorized access of internal-only services or even performing arbitrary commands. Despite its recent emergence as a distinct category in the 2021 OWASP Top 10 web security risks and its increasing prevalence in modern web applications, there remains a lack of effective approaches to detect SSRF vulnerabilities systematically.We present a novel methodology, SSRFuzz, to effectively identify SSRF vulnerability in PHP web applications. Our methodology consists of three phases. In the initial phase, we designed an SSRF oracle to examine functions in PHP manuals and identify sinks that provide server-side request capabilities. This process yielded a total of 86 sensitive PHP sinks out of 2101 PHP functions. The second stage involves dynamic taint inference and the utilization of the identified sinks to examine the source code of target web applications, pinpointing all feasible input points that could trigger these sinks. The final phase employs fuzzing techniques. We generate testing HTTP requests with SSRF payloads, send them to the previously identified input points within the target web applications, and detect if an SSRF vulnerability is triggered. We implemented a prototype of SSRFuzz and evaluated it on 27 real-world applications, including Joomla and WordPress. In total, we discovered 28 SSRF vulnerabilities, 25 of which were previously unreported. We reported all the vulnerabilities to the affected vendors, and 16 new CVE IDs were assigned.

Shun Wang,Chao Ni,Jianbo Wang,Changhai Nie

DOI: https://doi.org/10.1109/issrew55968.2022.00043

2022-01-01

Abstract:Cross-Site Request Forgery (CSRF) vulnerabilities are severe web vulnerabilities since their characteristics of extreme concealment and heavy harmfulness. However, they have received marginal attention from both the academic and the industry and the detection and protection of CSRF vulnerabilities are still performed predominantly manually. This paper proposes CSRFSolver for API-level CSRF detection and protection with two components: CSRF detector and CSRF defender. The former helps to identify and locate CSRF points where they need CSRF protection, and the latter provides CSRF protection by generating and verifying CSRFToken. We evaluate the effectiveness and efficiency of CSRFSolver on Cisco Webex public URL APIs with the state-of-the-art method. The results indicate that CSRFSolver can effectively and efficiently protect the system from CSRF attacks and have no side effects on systems' functionality. Meanwhile, the practical usefulness of CSRFSolver has also been verified through four years of deployment in Cisco Webex.

Xi Ling,Jiongchi Yu,Ziming Zhao,Zhihao Zhou,Haitao Xu,Binbin Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-031-54773-7_12

2024-01-01

Abstract:With the proliferation of Internet development, Distributed Denial of Service (DDoS) attacks are on the rise. As rule-based traffic analysis frameworks and Deep Packet Inspection (DPI) defense measures can effectively thwart many DDoS attacks, attackers keep exploring various attack surfaces and traffic amplification strategies to nullify the defense. In this paper, we propose DDoSMiner, an automated framework for DDoS attack characterization and vulnerability mining. DDoSMiner analyzes system call patterns of the TCP-based DDoS attack family, then generates Attack Call Flow Graph (ACFG) by discerning the differences between DDoS attack traffic and benign traffic. Furthermore, DDoSMiner identifies and extracts drop nodes and pivotal TCP states from the distinctive characteristics of attack traffic, then passes to the symbolic execution framework for exploring variants of the DDoS attack. We collectively analyze six types of TCP-based DDoS attacks, construct the corresponding ACFG, and identify a set of attack traffic variants. The attack traffic variants are evaluated on the widely used Network Intrusion Detection System (NIDS) Snort with three popular rule sets. The result shows that DDoSMiner indeed discovers the new DDoS attack trace, and the corresponding attack traffic can bypass all three defense toolkits.

Enrico Bazzoli,Claudio Criscione,Federico Maggi,Stefano Zanero

DOI: https://doi.org/10.48550/arXiv.1410.4207

2014-10-16

Abstract:Since the first publication of the "OWASP Top 10" (2004), cross-site scripting (XSS) vulnerabilities have always been among the top 5 web application security bugs. Black-box vulnerability scanners are widely used in the industry to reproduce (XSS) attacks automatically. In spite of the technical sophistication and advancement, previous work showed that black-box scanners miss a non-negligible portion of vulnerabilities, and report non-existing, non-exploitable or uninteresting vulnerabilities. Unfortunately, these results hold true even for XSS vulnerabilities, which are relatively simple to trigger if compared, for instance, to logic flaws. Black-box scanners have not been studied in depth on this vertical: knowing precisely how scanners try to detect XSS can provide useful insights to understand their limitations, to design better detection methods. In this paper, we present and discuss the results of a detailed and systematic study on 6 black-box web scanners (both proprietary and open source) that we conducted in coordination with the respective vendors. To this end, we developed an automated tool to (1) extract the payloads used by each scanner, (2) distill the "templates" that have originated each payload, (3) evaluate them according to quality indicators, and (4) perform a cross-scanner analysis. Unlike previous work, our testbed application, which contains a large set of XSS vulnerabilities, including DOM XSS, was gradually retrofitted to accomodate for the payloads that triggered no vulnerabilities. Our analysis reveals a highly fragmented scenario. Scanners exhibit a wide variety of distinct payloads, a non-uniform approach to fuzzing and mutating the payloads, and a very diverse detection effectiveness.

Cryptography and Security

Federico De Meo,Luca Viganò

DOI: https://doi.org/10.48550/arXiv.1705.03658

2017-05-10

Abstract:Web applications require access to the file-system for many different tasks. When analyzing the security of a web application, secu- rity analysts should thus consider the impact that file-system operations have on the security of the whole application. Moreover, the analysis should take into consideration how file-system vulnerabilities might in- teract with other vulnerabilities leading an attacker to breach into the web application. In this paper, we first propose a classification of file- system vulnerabilities, and then, based on this classification, we present a formal approach that allows one to exploit file-system vulnerabilities. We give a formal representation of web applications, databases and file- systems, and show how to reason about file-system vulnerabilities. We also show how to combine file-system vulnerabilities and SQL-Injection vulnerabilities for the identification of complex, multi-stage attacks. We have developed an automatic tool that implements our approach and we show its efficiency by discussing several real-world case studies, which are witness to the fact that our tool can generate, and exploit, complex attacks that, to the best of our knowledge, no other state-of-the-art-tool for the security of web applications can find.

Cryptography and Security

Simon Yusuf Enoch,Zhibin Huang,Chun Yong Moon,Donghwan Lee,Myung Kil Ahn,Dong Seong Kim

DOI: https://doi.org/10.1109/ACCESS.2020.3009748

2020-07-18

Abstract:With the increasing growth of cyber-attack incidences, it is important to develop innovative and effective techniques to assess and defend networked systems against cyber attacks. One of the well-known techniques for this is performing penetration testing which is carried by a group of security professionals (i.e, red team). Penetration testing is also known to be effective to find existing and new vulnerabilities, however, the quality of security assessment can be depending on the quality of the red team members and their time and devotion to the penetration testing. In this paper, we propose a novel automation framework for cyber-attacks generation named `HARMer' to address the challenges with respect to manual attack execution by the red team. Our novel proposed framework, design, and implementation is based on a scalable graphical security model called Hierarchical Attack Representation Model (HARM). (1) We propose the requirements and the key phases for the automation framework. (2) We propose security metrics-based attack planning strategies along with their algorithms. (3) We conduct experiments in a real enterprise network and Amazon Web Services. The results show how the different phases of the framework interact to model the attackers' operations. This framework will allow security administrators to automatically assess the impact of various threats and attacks in an automated manner.

Cryptography and Security

Michele Campobasso,Pavlo Burda,Luca Allodi

DOI: https://doi.org/10.48550/arXiv.2009.08148

2020-09-17

Cryptography and Security

Abstract:The monitoring of underground criminal activities is often automated to maximize the data collection and to train ML models to automatically adapt data collection tools to different communities. On the other hand, sophisticated adversaries may adopt crawling-detection capabilities that may significantly jeopardize researchers' opportunities to perform the data collection, for example by putting their accounts under the spotlight and being expelled from the community. This is particularly undesirable in prominent and high-profile criminal communities where entry costs are significant (either monetarily or for example for background checking or other trust-building mechanisms). This paper presents CARONTE, a tool to semi-automatically learn virtually any forum structure for parsing and data-extraction, while maintaining a low profile for the data collection and avoiding the requirement of collecting massive datasets to maintain tool scalability. We showcase the tool against four underground forums, and compare the network traffic it generates (as seen from the adversary's position, i.e. the underground community's server) against state-of-the-art tools for web-crawling as well as human users.

Frederico Araujo,Gbadebo Ayoade,Khaled Al-Naami,Yang Gao,Kevin W. Hamlen,Latifur Khan

DOI: https://doi.org/10.1016/j.jisa.2021.102880

IF: 4.96

2021-09-01

Journal of Information Security and Applications

Abstract:<p>Most conventional cyber defenses strive to reject detected attacks as quickly and decisively as possible; however, this instinctive approach has the disadvantage of depriving intrusion detection systems (IDSes) of learning experiences and threat data that might otherwise be gleaned from deeper interactions with adversaries. For IDS technology to improve, a next-generation cyber defense is proposed in which cyber attacks are unconventionally reimagined as free sources of live IDS training data. Rather than aborting attacks against legitimate services, adversarial interactions are selectively prolonged to maximize the defender's harvest of useful threat intelligence. Enhancing web services with deceptive attack-responses in this way is shown to be a powerful and practical strategy for improved detection, addressing several perennial challenges for machine learning-based IDS in the literature, including scarcity of training data, the high labeling burden for (semi-)supervised learning, encryption opacity, and concept differences between honeypot attacks and those against genuine services. By reconceptualizing software security patches as feature extraction engines, the approach conscripts attackers as free penetration testers, and coordinates multiple levels of the software stack to achieve fast, automatic, and accurate labeling of live web streams.</p><p>Prototype implementations are showcased for two feature set models to extract security-relevant network- and system-level features from cloud services hosting enterprise-grade web applications. The evaluation demonstrates that the extracted data can be fed back into a network-level IDS for exceptionally accurate, yet lightweight attack detection.</p>

computer science, information systems

Kaihua Qin,Zhe Ye,Zhun Wang,Weilin Li,Liyi Zhou,Chao Zhang,Dawn Song,Arthur Gervais

DOI: https://doi.org/10.48550/arxiv.2305.14046

2023-01-01

Abstract:Identifying and mitigating vulnerabilities in smart contracts is crucial, especially considering the rapid growth and increasing complexity of Decentralized Finance (DeFi) platforms. To address the challenges associated with securing these contracts, we introduce a versatile dynamic analysis framework specifically designed for the Ethereum Virtual Machine (EVM). This comprehensive framework focuses on tracking contract executions, capturing valuable runtime information, while introducing and employing the Execution Property Graph (EPG) to propose a unique graph traversal technique that swiftly detects potential smart contract attacks. Our approach showcases its efficacy with rapid average graph traversal time per transaction and high true positive rates. The successful identification of a zero-day vulnerability affecting Uniswap highlights the framework's potential to effectively uncover smart contract vulnerabilities in complex DeFi systems.

Naresh Kshetri,Dilip Kumar,James Hutson,Navneet Kaur,Omar Faruq Osama

2024-02-02

Abstract:The global rise of online users and online devices has ultimately given rise to the global internet population apart from several cybercrimes and cyberattacks. The combination of emerging new technology and powerful algorithms (of Artificial Intelligence, Deep Learning, and Machine Learning) is needed to counter defense web security including attacks on several search engines and websites. The unprecedented increase rate of cybercrime and website attacks urged for new technology consideration to protect data and information online. There have been recent and continuous cyberattacks on websites, web domains with ongoing data breaches including - GitHub account hack, data leaks on Twitter, malware in WordPress plugins, vulnerability in Tomcat server to name just a few. We have investigated with an in-depth study apart from the detection and analysis of two major cyberattacks (although there are many more types): cross-site request forgery (XSRF) and cross-site scripting (XSS) attacks. The easy identification of cyber trends and patterns with continuous improvement is possible within the edge of machine learning and AI algorithms. The use of machine learning algorithms would be extremely helpful to counter (apart from detection) the XSRF and XSS attacks. We have developed the algorithm and cyber defense framework - algoXSSF with machine learning algorithms embedded to combat malicious attacks (including Man-in-the-Middle attacks) on websites for detection and analysis.

Cryptography and Security

Daniel Reti,Karina Elzer,Hans Dieter Schotten

DOI: https://doi.org/10.48550/arXiv.2301.10502

2023-01-25

Abstract:Every attack begins with gathering information about the target. The entry point for network breaches are often vulnerabilities in internet facing websites, which often rely on an off-the-shelf Content Management System (CMS). Bot networks and human attackers alike rely on automated scanners to gather information about the CMS software installed and potential vulnerabilities. To increase the security of websites using a CMS, it is desirable to make the use of CMS scanners less reliable. The aim of this work is to extend the current knowledge about cyber deception in regard to CMS. To demonstrate this, a WordPress Plugin called 'SCANTRAP' was created, which uses simulation and dissimulation in regards to plugins, themes, versions, and users. We found that the resulting plugin is capable of obfuscating real information and to a certain extent inject false information to the output of one of the most popular WordPress scanners, WPScan, without limiting the legitimate functionality of the WordPress installation.

Cryptography and Security

Hongyi Pu,Liang He,Peng Cheng,Jiming Chen,Youxian Sun

DOI: https://doi.org/10.1016/j.eng.2023.01.013

IF: 12.834

2023-04-29

Engineering

Abstract:Industrial robots are becoming increasingly vulnerable to cyber incidents and attacks, particularly with the dawn of the Industrial Internet-of-Things (IIoT). To gain a comprehensive understanding of these cyber risks, vulnerabilities of industrial robots were analyzed empirically, using more than three million communication packets collected with testbeds of two ABB IRB120 robots and five other robots from various Original Equipment Manufacturers (OEMs). This analysis, guided by the confidentiality–integrity–availability (CIA) triad, uncovers robot vulnerabilities in three dimensions: confidentiality, integrity, and availability. These vulnerabilities were used to design Covering Robot Manipulation via Data Deception (CORMAND2), an automated cyber–physical attack against industrial robots. CORMAND2 manipulates robot operation while deceiving the Supervisory Control and Data Acquisition (SCADA) system that the robot is operating normally by modifying the robot's movement data and data deception. CORMAND2 and its capability of degrading the manufacturing was validated experimentally using the aforementioned seven robots from six different OEMs. CORMAND2 unveils the limitations of existing anomaly detection systems, more specifically the assumption of the authenticity of SCADA-received movement data, to which we propose mitigations for.

engineering, multidisciplinary

Qi Wang,Jianjun Chen,Zheyu Jiang,Run Guo,Ximeng Liu,Chao Zhang,Haixin Duan

DOI: https://doi.org/10.1109/sp54263.2024.00129

2024-01-01

Abstract:Web Application Firewalls (WAFs) are a crucial line of defense against web-based attacks. However, an emerging threat comes from protocol-level evasion vulnerabilities, in which adversaries exploit parsing discrepancies between the WAF HTTP parser and those of web applications to circumvent WAFs. Currently, uncovering these vulnerabilities still depends on manual, ad hoc methods. In this paper, we propose WAF Manis, a novel testing methodology to automatically discover protocol-level evasion vulnerabilities in WAFs. We evaluated WAF Manis against 14 popular WAFs including Cloudflare and ModSecurity and 20 popular web frameworks including Laravel and Spring. In total, we discovered 311 protocol-level evasion cases affecting all tested WAFs and applications. Due to the generic nature of protocol-level evasions, these evasion vulnerabilities do not hinge on specific payload patterns and can transmit any malicious payloads - for instance, SQL injection, XSS, or Log4jShell - to the target websites. We further analyzed these vulnerabilities and identified three primary reasons contributing to WAF evasions. We have reported those identified vulnerabilities to the affected providers and received acknowledgments and bug bounty rewards from Cloudflare WAF, Fortinet WAF, Alibaba Cloud WAF, Huawei Cloud WAF, ModSecurity, Go security Team, and the PHP security team.

Mahmoud Mohammadi,Bill Chu,Heather Richter Lipford,Emerson Murphy-Hill

DOI: https://doi.org/10.1145/2896921.2896929

2018-04-03

Abstract:Integrating security testing into the workflow of software developers not only can save resources for separate security testing but also reduce the cost of fixing security vulnerabilities by detecting them early in the development cycle. We present an automatic testing approach to detect a common type of Cross Site Scripting (XSS) vulnerability caused by improper encoding of untrusted data. We automatically extract encoding functions used in a web application to sanitize untrusted inputs and then evaluate their effectiveness by automatically generating XSS attack strings. Our evaluations show that this technique can detect 0-day XSS vulnerabilities that cannot be found by static analysis tools. We will also show that our approach can efficiently cover a common type of XSS vulnerability. This approach can be generalized to test for input validation against other types injections such as command line injection.

Cryptography and Security

Yossi Gilad,Amir Herzberg

DOI: https://doi.org/10.48550/arXiv.1204.6623

2012-04-30

Abstract:We show how an off-path (spoofing-only) attacker can perform cross-site scripting (XSS), cross-site request forgery (CSRF) and site spoofing/defacement attacks, without requiring vulnerabilities in either web-browser or server and circumventing known defenses. Attacker can also launch devastating denial of service (DoS) attacks, even when the connection between the client and the server is secured with SSL/TLS. The attacks are practical and require a puppet (malicious script in browser sandbox) running on a the victim client machine, and attacker capable of IP-spoofing on the Internet. Our attacks use a technique allowing an off-path attacker to learn the sequence numbers of both client and server in a TCP connection. The technique exploits the fact that many computers, in particular those running Windows, use a global IP-ID counter, which provides a side channel allowing efficient exposure of the connection sequence numbers. We present results of experiments evaluating the learning technique and the attacks that exploit it. Finally, we present practical defenses that can be deployed at the firewall level; no changes to existing TCP/IP stacks are required.

Cryptography and Security

Ankur Chowdhary,Kritshekhar Jha,Ming Zhao

DOI: https://doi.org/10.3390/s23188014

2023-09-21

Abstract:The web application market has shown rapid growth in recent years. The expansion of Wireless Sensor Networks (WSNs) and the Internet of Things (IoT) has created new web-based communication and sensing frameworks. Current security research utilizes source code analysis and manual exploitation of web applications, to identify security vulnerabilities, such as Cross-Site Scripting (XSS) and SQL Injection, in these emerging fields. The attack samples generated as part of web application penetration testing on sensor networks can be easily blocked, using Web Application Firewalls (WAFs). In this research work, we propose an autonomous penetration testing framework that utilizes Generative Adversarial Networks (GANs). We overcome the limitations of vanilla GANs by using conditional sequence generation. This technique helps in identifying key features for XSS attacks. We trained a generative model based on attack labels and attack features. The attack features were identified using semantic tokenization, and the attack payloads were generated using conditional sequence GAN. The generated attack samples can be used to target web applications protected by WAFs in an automated manner. This model scales well on a large-scale web application platform, and it saves the significant effort invested in manual penetration testing.

Muhammad Usman Rana,Munam Ali Shah,Mohammad Abdulaziz Al-Naeem,Carsten Maple

DOI: https://doi.org/10.1109/access.2024.3477631

IF: 3.9

2024-10-19

IEEE Access

Abstract:Ransomware has appeared to be the most damaging and devastating type of malware attack in any cyber physical system. The resilience of a web browser to deal with the malware attack is of significance importance, however, evaluating the performance of a browser to tackle these attacks is a challenging task. Due to various automation techniques, web applications can be tested without human intervention. Technologies such as Junit, Chakram, and Selenium are useful in automated testing but the problem is that the attacker uses harmful code and automated web approaches to distribute their malware. In this research,our contribution is twofold. Firstly, we examine a new attack vector that cyber adversaries can possibly use in the future to infect an operating system with a malware. Currently, attackers use various techniques to gain access to victims' personal computers. Secondly, we present a novel automated web defence to countermeasure these malware attacks. The proposed research aims to provide a better understanding of the new computer virus-spreading techniques that intruders can use in the future. We provide the insight of these attacks and present ways to countermeasure the attacks and to reduce the attack surface. Experiments and flow diagrams have been used to demonstrate the attack and defence approach. To offer malware lateral movement and to encrypt the date of users' device, we use Selenium automation tool on a social media platform. For our experimentation, we developed an application which has been tested on a variety of browsers including Google Chrome, Firefox, and Safari. Our research has revealed that we have an 85 percent success rate when testing in a head-on environment. We have expanded our experiments on headless applications and interestingly, the accuracy rate improved and the probability of success increased to 95 percent. Lastly, we have demonstrated a unique method for detecting and stopping web automation that is generally applicable.

computer science, information systems,telecommunications,engineering, electrical & electronic

Matteo Busi,Riccardo Focardi,Flaminia Luccio

2024-04-15

Abstract:Techniques for verifying or invalidating the security of computer systems have come a long way in recent years. Extremely sophisticated tools are available to specify and formally verify the behavior of a system and, at the same time, attack techniques have evolved to the point of questioning the possibility of obtaining adequate levels of security, especially in critical applications. In a recent paper, Bognar et al. have clearly highlighted this inconsistency between the two worlds: on one side, formal verification allows writing irrefutable proofs of the security of a system, on the other side concrete attacks make these proofs waver, exhibiting a gap between models and implementations which is very complex to bridge. In this paper, we propose a new method to reduce this gap in the Sancus embedded security architecture, by exploiting some peculiarities of both approaches. Our technique first extracts a behavioral model by directly interacting with the real Sancus system and then analyzes it to identify attacks and anomalies. Given a threat model, our method either finds attacks in the given threat model or gives probabilistic guarantees on the security of the system. We implement our method and use it to systematically rediscover known attacks and uncover new ones.

Cryptography and Security

Wanpeng Li,Chris J Mitchell,Thomas Chen

DOI: https://doi.org/10.48550/arXiv.1801.07983

2018-01-24

Abstract:Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0 and/or OpenID Connect-based single sign on. The security of OAuth 2.0 and OpenID Connect is therefore of critical importance, and it has been widely examined both in theory and in practice. Unfortunately, as these studies have shown, real-world implementations of both schemes are often vulnerable to attack, and in particular to cross-site request forgery (CSRF) attacks. In this paper we propose a new technique which can be used to mitigate CSRF attacks against both OAuth 2.0 and OpenID Connect.

Cryptography and Security