
Cybersecurity Testing and Analysis for Web Applications

Cybersecurity Testing and Analysis for Web Applications. William GJ Halfond, Center for Systems and Software Engineering, University of Southern California. Research area: software engineering, quality assurance, security, testing, analysis. Importance of web applications.





Presentation Transcript


  1. Cybersecurity Testing and Analysis for Web Applications. William GJ Halfond, Center for Systems and Software Engineering, University of Southern California

  2. Research Area: Software Engineering, Quality Assurance • Security • Testing • Analysis

  3. Importance of Web Applications Bank of America services over 23 million visitors a month. Yahoo’s projected revenue in 2008 = $7.2 billion. Facebook has over 120 million active users.

  4. Problems in Web Applications • Amazon.com: 60 sec of downtime = $30,000 • Average data breach: $6.6 million • Downtime cost = $3.6 million • (chart: reported software vulnerabilities)

  5. Current Approaches • Web crawlers and scanners • Scenario-based testing

  6. Web Crawlers

  7. Problems with Web Crawling

  8. Scenario-Based Testing. General process: • Define use cases • Check each use case. Properties: • Realistic • Incomplete • Tests only known behaviors

  9. Research Overview. Goal: improve the quality of web applications by developing new techniques and adapting existing ones. Method: develop and apply program analysis techniques to web applications in order to analyze and understand their structure and runtime behavior. Benefits: • Accurate and complete • Automatable

  10. Key Differences • Observation: many software quality assurance techniques are not directly applicable to web applications. • Complications: interface definitions, control flow, generated object programs, data flow. • Problem: traditional abstractions look very different in web applications.

  11. Developed Techniques • Accepted Interface Analysis: improve test coverage, discover vulnerabilities • Component Output Identification: static verification of correctness • Control-Flow Analysis: verify runtime behaviors

  12. Traditional Interface: public void write(File outfile, String buffer, int length). The declaration gives 1) parameter names, 2) grouping of parameters, 3) domain information.

  13. Web Application Interfaces. The servlet below has no declared interface: its parameter names, their grouping and their domains are implicit in the calls to req.getParameter and in how the values are used. The query is built by string concatenation on purpose; the slides use it as an example of an interface that a tester has to discover.
      void service(Request req) {
          String dbQuery = "select * from db where ";
          String search = req.getParameter("search");              // parameter name
          dbQuery += "name like '" + search + "' and ";
          String searchType = req.getParameter("sPref");
          if (searchType.equals("zip")) {                           // grouping: sPref selects the next parameter
              int zip = Integer.parseInt(req.getParameter("zip"));  // domain information: zip must be an int
              dbQuery += "zip=" + zip;
          } else if (searchType.equals("type")) {
              String type = req.getParameter("business");
              dbQuery += "type=" + type;
          } else {
              String state = req.getParameter("state");
              dbQuery += "state=" + state;
          }
          ResultSet results = execute(dbQuery);
          print(results);
      }
      Annotations on the slide: parameter names, grouping of parameters, domain information.

  14. Interface Information

  15. Testing Improvements (charts comparing Spider and WAMDF) • % statement coverage: increase of 30% • % branch coverage: increase of 48% • # command forms: increase of 94%

  16. Penetration Testing (diagram: a white hat tester sends malformed input, "!@#$", through the HTML front end to the web application's servlets, which talk to the DB and other systems; the response leaks "Secret Data!")

  17. Penetration Testing Results (charts comparing Spider and WAMDF) • # SQL injection vulnerabilities: detection increase of 365% • # XSS vulnerabilities: detection increase of 282%

  18. Traditional Invocation Verification. Given the declaration public void write(File outfile, String buffer, int length), the invocation write(file, string, int) matches the interface, while write(file, string, string) does not and is flagged as a mismatch.

  19. Web Application Invocations

  20. Component Output Analysis (diagram): the analysis examines the HTML output of the web application's servlets to identify the invocations it generates; each invocation is then compared against the accepted interface of the target servlet.

  21. Invocation Verification (diagram): within the web application, the invocation from searchpage.jsp to dosearch.jsp is checked against dosearch.jsp's accepted interface; the X marks a mismatch.
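The check on slides 18 and 21, applied to the search servlet on slide 13, as an added example (not code from the slides or from WAMDF): the interface table, the URL-based invocation format and the helper names are my assumptions about how such a check could be written.

```python
# Added example, not from the slides or from WAMDF: a hand-written model of the
# accepted interface of the search servlet (slide 13) and a checker that
# verifies invocations such as the links/forms in searchpage.jsp against it.
from urllib.parse import parse_qs, urlsplit

# Interface read off the servlet source: 'search' and 'sPref' are always read;
# the value of 'sPref' selects which further parameter is read (grouping), and
# 'zip' is parsed with Integer.parseInt, so its domain is int.
SEARCH_INTERFACE = {
    "common": {"search": "string", "sPref": "string"},
    "groups": {                     # sPref value -> extra parameter and its domain
        "zip":  {"zip": "int"},
        "type": {"business": "string"},
        None:   {"state": "string"},   # the fall-through 'else' branch
    },
}

def _in_domain(value, domain):
    """Does a string value fit the domain the servlet expects?"""
    if domain == "int":
        try:
            int(value)
            return True
        except ValueError:
            return False
    return True  # string parameters accept any value

def verify_invocation(url, interface=SEARCH_INTERFACE):
    """Return a list of problems for one invocation; [] means it matches."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    problems = []
    for name in interface["common"]:
        if name not in params:
            problems.append(f"missing parameter '{name}'")
    pref = params.get("sPref")
    # An unknown or absent sPref takes the servlet's 'else' branch.
    group = interface["groups"].get(pref, interface["groups"][None])
    for name, domain in group.items():
        if name not in params:
            problems.append(f"missing parameter '{name}' for sPref={pref!r}")
        elif not _in_domain(params[name], domain):
            problems.append(f"'{name}'={params[name]!r} is not of type {domain}")
    expected = set(interface["common"]) | set(group)
    for name in params:
        if name not in expected:
            problems.append(f"unexpected parameter '{name}' (ignored by servlet)")
    return problems
```

A mismatch such as a string in the zip parameter would raise NumberFormatException in the servlet at runtime; the checker reports it statically instead.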

  22. Verification Results

  23. High-level Analysis (diagram: end users and an attacker interact with the web application's components shoppingCart.jsp, login.jsp and memberInfo.jsp)

  24. Areas of Future Work in Analysis • Control Flow • Data Flow (definitions and uses that span servlet, SQL and HTML code) • Object Programs (JavaScript, SQL, HTML): protocol analysis, object program semantics

  25. Summary • Research focused on quality assurance for web applications • Promising results in basic areas • Future work in higher-level analysis
