Next Generation Black-Box Web Application Vulnerability Analysis Framework

Next Generation Black-Box Web Application Vulnerability Analysis Framework

abstract: Web applications are an incredibly important aspect of our modern lives. Organizations and developers use automated vulnerability analysis tools, also known as scanners, to automatically find vulnerabilities in their web applications during development. Scanners have traditionally falle...

Full description

Bibliographic Details
Other Authors: Khairnar, Tejas (Author)
Format: Dissertation
Language:English
Published: 2017
Subjects:
Computer science
Black-Box
Cross Site Scripting
Inductive Reverse Engineering
Static Program Analysis
Vulnerability Scanner
XSS
Online Access:http://hdl.handle.net/2286/R.I.44256
id ndltd-asu.edu-item-44256
record_format oai_dc
spelling ndltd-asu.edu-item-442562018-06-22T03:08:33Z Next Generation Black-Box Web Application Vulnerability Analysis Framework abstract: Web applications are an incredibly important aspect of our modern lives. Organizations and developers use automated vulnerability analysis tools, also known as scanners, to automatically find vulnerabilities in their web applications during development. Scanners have traditionally fallen into two types of approaches: black-box and white-box. In the black-box approaches, the scanner does not have access to the source code of the web application whereas a white-box approach has access to the source code. Today’s state-of-the-art black-box vulnerability scanners employ various methods to fuzz and detect vulnerabilities in a web application. However, these scanners attempt to fuzz the web application with a number of known payloads and to try to trigger a vulnerability. This technique is simple but does not understand the web application that it is testing. This thesis, presents a new approach to vulnerability analysis. The vulnerability analysis module presented uses a novel approach of Inductive Reverse Engineering (IRE) to understand and model the web application. IRE first attempts to understand the behavior of the web application by giving certain number of input/output pairs to the web application. Then, the IRE module hypothesizes a set of programs (in a limited language specific to web applications, called AWL) that satisfy the input/output pairs. These hypotheses takes the form of a directed acyclic graph (DAG). AWL vulnerability analysis module can then attempt to detect vulnerabilities in this DAG. Further, it generates the payload based on the DAG, and therefore this payload will be a precise payload to trigger the potential vulnerability (based on our understanding of the program). It then tests this potential vulnerability using the generated payload on the actual web application, and creates a verification procedure to see if the potential vulnerability is actually vulnerable, based on the web application’s response. Dissertation/Thesis Khairnar, Tejas (Author) Doupé, Adam (Advisor) Ahn, Gail-Joon (Committee member) Zhao, Ziming (Committee member) Arizona State University (Publisher) Computer science Black-Box Cross Site Scripting Inductive Reverse Engineering Static Program Analysis Vulnerability Scanner XSS eng 47 pages Masters Thesis Computer Science 2017 Masters Thesis http://hdl.handle.net/2286/R.I.44256 http://rightsstatements.org/vocab/InC/1.0/ All Rights Reserved 2017
collection NDLTD
language English
format Dissertation
sources NDLTD
topic Computer science
Black-Box
Cross Site Scripting
Inductive Reverse Engineering
Static Program Analysis
Vulnerability Scanner
XSS
spellingShingle Computer science
Black-Box
Cross Site Scripting
Inductive Reverse Engineering
Static Program Analysis
Vulnerability Scanner
XSS
Next Generation Black-Box Web Application Vulnerability Analysis Framework
description abstract: Web applications are an incredibly important aspect of our modern lives. Organizations and developers use automated vulnerability analysis tools, also known as scanners, to automatically find vulnerabilities in their web applications during development. Scanners have traditionally fallen into two types of approaches: black-box and white-box. In the black-box approaches, the scanner does not have access to the source code of the web application whereas a white-box approach has access to the source code. Today’s state-of-the-art black-box vulnerability scanners employ various methods to fuzz and detect vulnerabilities in a web application. However, these scanners attempt to fuzz the web application with a number of known payloads and to try to trigger a vulnerability. This technique is simple but does not understand the web application that it is testing. This thesis, presents a new approach to vulnerability analysis. The vulnerability analysis module presented uses a novel approach of Inductive Reverse Engineering (IRE) to understand and model the web application. IRE first attempts to understand the behavior of the web application by giving certain number of input/output pairs to the web application. Then, the IRE module hypothesizes a set of programs (in a limited language specific to web applications, called AWL) that satisfy the input/output pairs. These hypotheses takes the form of a directed acyclic graph (DAG). AWL vulnerability analysis module can then attempt to detect vulnerabilities in this DAG. Further, it generates the payload based on the DAG, and therefore this payload will be a precise payload to trigger the potential vulnerability (based on our understanding of the program). It then tests this potential vulnerability using the generated payload on the actual web application, and creates a verification procedure to see if the potential vulnerability is actually vulnerable, based on the web application’s response. === Dissertation/Thesis === Masters Thesis Computer Science 2017
author2 Khairnar, Tejas (Author)
author_facet Khairnar, Tejas (Author)
title Next Generation Black-Box Web Application Vulnerability Analysis Framework
title_short Next Generation Black-Box Web Application Vulnerability Analysis Framework
title_full Next Generation Black-Box Web Application Vulnerability Analysis Framework
title_fullStr Next Generation Black-Box Web Application Vulnerability Analysis Framework
title_full_unstemmed Next Generation Black-Box Web Application Vulnerability Analysis Framework
title_sort next generation black-box web application vulnerability analysis framework
publishDate 2017
url http://hdl.handle.net/2286/R.I.44256
_version_ 1718701488701702144

Similar Items