Cybersecurity Testing and Analysis for Web Applications William GJ Halfond Center for Systems and Software Engineering University of Southern California
Research Area Software Engineering Quality Assurance • Security • Testing • Analysis
Importance of Web Applications Bank of America services over 23 million visitors a month. Yahoo’s projected revenue in 2008 = $7.2 billion. Facebook has over 120 million active users.
Problems in Web Applications • Amazon.com: 60 sec = $30,000 • Average data breach: $6.6 million • Downtime cost = $3.6 million (chart: reported software vulnerabilities)
Current Approaches • Web crawlers and scanners • Scenario-based testing
Scenario-Based Testing General Process: • Define use cases • Check each use case • Realistic • Incomplete • Tests known behaviors
Research Overview. Goal: improve quality of web applications (develop new techniques; adapt existing techniques). Method: develop and apply program analysis techniques to web applications in order to analyze and understand their structure and runtime behavior. Benefits: • Accurate and complete • Automatable
Key Differences • Observation: • Many software quality assurance techniques are not directly applicable to web applications. • Complications: • Interface definitions • Control flow • Generated object programs • Data flow • Problem: • Traditional abstractions look very different in web applications.
Developed Techniques • Accepted Interface Analysis • Improve test coverage • Discover vulnerabilities • Component Output Identification • Static verification of correctness • Control-Flow Analysis • Verify runtime behaviors
Traditional Interface: public void write(File outfile, String buffer, int length). An interface carries 1) parameter names, 2) grouping of parameters, 3) domain information.
Web Application Interfaces

    // Slide example: Request, execute and print abbreviate the servlet and JDBC API.
    // Note that dbQuery is assembled by string concatenation from request parameters,
    // the pattern behind the SQL injection findings on the penetration testing slides.
    void service(Request req) {
        String dbQuery = "select * from db where ";
        String search = req.getParameter("search");
        dbQuery += "name like '" + search + "' and ";
        String searchType = req.getParameter("sPref");
        if (searchType.equals("zip")) {
            int zip = Integer.parseInt(req.getParameter("zip"));
            dbQuery += "zip=" + zip;
        } else if (searchType.equals("type")) {
            String type = req.getParameter("business");
            dbQuery += "type=" + type;
        } else {
            String state = req.getParameter("state");
            dbQuery += "state=" + state;
        }
        ResultSet results = execute(dbQuery);
        print(results);
    }

Annotations on the slide: parameter names (search, sPref, zip, business, state), grouping of parameters (which names are read together on each branch), and domain information (zip is parsed as an int; sPref is compared against "zip" and "type").
Testing Improvements (charts comparing Spider with WAMDF): % statement coverage, increase of 30%; % branch coverage, increase of 48%; # command forms, increase of 94%.
Penetration Testing (diagram: a white hat tester sends malformed input "!@#$" through the web application's HTML and servlet layers toward the DB and other systems, and "Secret Data!" comes back)
Penetration Testing Results (charts comparing Spider with WAMDF): # SQL injection vulnerabilities, detection increase of 365%; # XSS vulnerabilities, detection increase of 282%.
Traditional Invocation Verification: declared interface public void write(File outfile, String buffer, int length); candidate invocations write(file, string, int) and write(file, string, string) are checked against it.
Component Output Analysis: analysis to identify invocations (diagram: Web Application with HTML and Servlets; the interface invocations found in the generated HTML are matched to the servlet they target)
Invocation Verification (diagram: within the web application, the invocation from searchpage.jsp to dosearch.jsp is marked X)
High-level Analysis (diagram: End Users and an Attacker interacting with a Web Application made up of shoppingCart.jsp, login.jsp and memberInfo.jsp)
Areas of Future Work in Analysis: Control Flow (protocol analysis); Data Flow (def/use chains spanning Servlet, SQL, HTML and JavaScript); Object Programs (object program semantics)
Summary • Research focused on quality assurance for web applications • Promising results in basic areas • Future work in higher-level analysis