j k using dynamic analysis to crawl and test modern web
play

jk: Using Dynamic Analysis to Crawl and Test Modern Web Applications - PowerPoint PPT Presentation

Oct 25, 2023 •265 likes •732 views

jk: Using Dynamic Analysis to Crawl and Test Modern Web Applications Giancarlo Pellegrino (1) , Constantin Tschrtz (2) , Eric Bodden (2) , and Christian Rossow (1) 18th International Symposium on Research in Attacks, Intrusions and Defenses

  1. jÄk: Using Dynamic Analysis to Crawl and Test Modern Web Applications Giancarlo Pellegrino (1) , Constantin Tschürtz (2) , Eric Bodden (2) , and Christian Rossow (1) 18th International Symposium on Research in Attacks, Intrusions and Defenses November 3rd, Kyoto, Japan (1) CISPA, Saarland University, Germany (2) Fraunhofer SIT / TU Darmstadt, Germany

  2. Web Application Scanners  (Semi-)automated security testing tools  Follow a dynamic and black-box testing approach Nov. 3, 2016

  3. Web Application Scanners  (Semi-)automated security testing tools  Follow a dynamic and black-box testing approach Nov. 3, 2016

  4. Architecture Crawler Module Attacker Module Analysis Module Nov. 3, 2016

  5. Crawler Seed URL http://shop.foo http://shop.foo Nov. 3, 2016

  6. Crawler http://shop.foo <html> <head> <title>Online shopping</title> </head> <body> <a href=”/contacts”>Contacts</a> <form action=”/search”> <input type=”text” name=”q”/> <input type=”submit”/> </form> </body> </html> Nov. 3, 2016

  7. Crawler http://shop.foo <html> <head> <title>Online shopping</title> </head> <body> <a href=”/contacts”>Contacts</a> <form action=”/search”> <input type=”text” name=”q”/> <input type=”submit”/> </form> </body> </html> New URL Nov. 3, 2016

  8. Crawler http://shop.foo <html> <head> <title>Online shopping</title> </head> <body> <a href=”/contacts”>Contacts</a> <form action=”/search”> <input type=”text” name=”q”/> <input type=”submit”/> </form> </body> </html> New search HTML form Nov. 3, 2016

  9. Crawler Next? http://shop.foo/contacts Nov. 3, 2016

  10. Crawler http://shop.foo/contacts <html> <head> <title>Contact Page</title> </head> <body> <form action=”/comments”> <input type=”text” name=”msg”/> <input type=”submit”/> </form> </body> </html> New HTML form Nov. 3, 2016

  11. Security Testing XSS payload SQL payload XSS payload SQL payload <form action=”/search”> shop.foo Tests == Attacks <input type=”text” name=”q”/> <input type=”submit”/> </form> Responses ? Nov. 3, 2016

  12. Crawler Critical for Coverage  Crawler explores the Web application attack surface ● Missing parts → missing possible vulnerabilities  Existing crawlers based on: ● HTML parsing and pattern matching to extract URLs ● “clickable” areas to further explore the surface Nov. 3, 2016

  13. Crawler and Modern Web Applications  Complexity of client side has dramatically increased (i.e., stateful JS programs) Nov. 3, 2016

  14. Crawler and Modern Web Applications  Complexity of client side has dramatically increased (i.e., stateful JS programs)  Links and forms can be built and inserted in the webpage at run-time var url = scheme() + '://' + domain() + '/' + endpoint(); document.getElementByID('myLink').href = url; ➔ HTML parsing and pattern matching no longer sufficient Nov. 3, 2016

  15. Crawler and Modern Web Applications  Complexity of client side has dramatically increased (i.e., stateful JS programs)  Links and forms can be built and inserted in the webpage at run-time var url = scheme() + '://' + domain() + '/' + endpoint(); document.getElementByID('myLink').href = url; ➔ HTML parsing and pattern matching no longer sufficient  JS is an event-driven language click generate URLs/HTML form mouse movement register new events timeout Ajax requests Ajax response received ● Functions executed upon events ➔ Lack of support of event-based execution model Nov. 3, 2016

  16. Crawler and Modern Web Applications  Complexity of client side has dramatically increased (i.e., stateful JS programs)  Links and forms can be built and inserted in the webpage at run-time var url = scheme() + '://' + domain() + '/' + endpoint(); document.getElementByID('myLink').href = url; ➔ HTML parsing and pattern matching no longer sufficient  JS is an event-driven language click generate URLs/HTML form mouse movement register new events timeout Ajax requests Ajax response received ● Functions executed upon events ➔ Lack of support of event-based execution model Large part of web applications remain unexplored! Large part of web applications remain unexplored! Nov. 3, 2016

  17. Crawler and Modern Web Applications  Complexity of client side has dramatically increased (i.e., stateful JS programs)  Links and forms can be built and inserted in the webpage at run-time var url = scheme() + '://' + domain() + '/' + endpoint(); document.getElementByID('myLink').href = url;  We addressed the coverage problem with ➔ HTML parsing and pattern matching no longer sufficient ● JavaScript client side dynamic analysis  JS is an event-driven language ● Model-based Crawler click generate URLs/HTML form  Build a tool: jÄk mouse movement register new events timeout Ajax requests Ajax response received ● Functions executed upon events ➔ Lack of support of event-based execution model Large part of web applications remain unexplored! Large part of web applications remain unexplored! Nov. 3, 2016

  18. Our Approach Dynamic Analysis Model-based Crawler Action JS Engine Navigator I/O Probe Seed URL Handler reg. Model Inference/Update APIs Trace Trace Analysis  Combine dynamic analysis with model-based crawler ● Dynamic analysis monitors client side program execution ● Crawler builds, maintains, uses a model of the visited attack surface Nov. 3, 2016

  19. Dynamic Analysis Action JS Engine Environment Navigator I/O Probe Seed URL Handler reg. Model Inference/Update APIs Trace Trace Analysis  Different approaches: Nov. 3, 2016

  20. Dynamic Analysis Action JS Engine Environment Navigator I/O Probe Seed URL Handler reg. Model Inference/Update APIs Trace Trace Analysis  Different approaches: 1) JS engine instrumentation → laborious task, engine-dependent Nov. 3, 2016

  21. Dynamic Analysis Action JS Engine Environment Navigator I/O Probe Seed URL Handler reg. Model Inference/Update APIs Trace Trace Analysis  Different approaches: 1) JS engine instrumentation → laborious task, engine-dependent 2) JS program instrumentation → JS code is not entirely available Nov. 3, 2016

  22. Dynamic Analysis Action JS Engine Environment Navigator I/O Probe Seed URL Handler reg. Model Inference/Update APIs Trace Trace Analysis  Different approaches: 1) JS engine instrumentation → laborious task, engine-dependent 2) JS program instrumentation → JS code is not entirely available 3) Modification of execution environment Nov. 3, 2016

  23. Dynamic Analysis Action JS Engine Environment Navigator I/O Probe Seed URL Handler reg. Model Inference/Update APIs  Modify execution environment via function hooking : Intercept API calls (e.g., network I/O and event handler registration) ● Object manipulations (i.e., object properties) ● Schedule DOM inspections ●  Hooks installed by injecting own JS code: Function redefinition ● Set functions ● Nov. 3, 2016

  24. Function Redefinition function handler() { alert("hello world"); Application JS code } el = document.getElementByID('img') el.addEventListener("click", handler); Nov. 3, 2016

  25. Function Redefinition function handler() { alert("hello world"); } el = document.getElementByID('img') el.addEventListener("click", handler); Nov. 3, 2016

  26. Function Redefinition function handler() { alert("hello world"); } el = document.getElementByID('img') el.addEventListener("click", handler); Nov. 3, 2016

  27. Function Redefinition Element.prototype.addEventListener = function(e, h) { Element.prototype.addEventListener = function(e, h) { function handler() { […] API […] API alert("hello world"); listeners[e].append(h); listeners[e].append(h); } } } el = document.getElementByID('img') el.addEventListener("click", handler); Nov. 3, 2016

  28. Function Redefinition Element.prototype.addEventListener = function(e, h) { Element.prototype.addEventListener = function(e, h) { function handler() { […] API […] API alert("hello world"); listeners[e].append(h); listeners[e].append(h); } } } el = document.getElementByID('img') el.addEventListener("click", handler); Intercept! Intercept! Nov. 3, 2016

  29. Function Redefinition preamble function handler() { alert("hello world"); Application JS code } el = document.getElementByID('img') el.addEventListener("click", handler); var orig_f = Element.prototype.addEventListener; var orig_f = Element.prototype.addEventListener; PREAMBLE PREAMBLE Element.prototype.addEventListener = function(){ Element.prototype.addEventListener = function(){ console.log("new handler registration"); console.log("new handler registration"); return orig_f.apply(this, argument); return orig_f.apply(this, argument); }; }; Nov. 3, 2016

Recommend

Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu,

Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu,

Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu, Hong, Patrick A. V. Hall, and John H. R. May, &quot;Software Unit Test Coverage and Adequacy,&quot; ACM Computing Surveys, vol. 29, no.4, pp.

1.03k views • 58 slides
Rubber Test Application Highlights Versatile and Dynamic ElectroForce Instruments 1

Rubber Test Application Highlights Versatile and Dynamic ElectroForce Instruments 1

Rubber Test Application Highlights Versatile and Dynamic ElectroForce Instruments 1 TAINSTRUMENTS.COM TAINSTRUMENTS.COM TA Instruments Thermal Analysis Rheology Thermogravimetric Analysis Microcalorimetry Dynamic Mechanical Analysis

378 views • 8 slides
#VentureCrawl An Exploration of the urban Entrepreneurship Eco-system LONDON VENTURE CRAWL

#VentureCrawl An Exploration of the urban Entrepreneurship Eco-system LONDON VENTURE CRAWL

#VentureCrawl An Exploration of the urban Entrepreneurship Eco-system LONDON VENTURE CRAWL LONDON VENTURE CRAWL What is this thing? LONDON VENTURE CRAWL Venture Crawl through the ages.. 2017 2018 2019 LONDON VENTURE CRAWL

512 views • 22 slides
Distributed Web Crawling over DHTs Boon Thau Loo, Owen Cooper, Sailesh Krishnamurthy CS294-4

Distributed Web Crawling over DHTs Boon Thau Loo, Owen Cooper, Sailesh Krishnamurthy CS294-4

Distributed Web Crawling over DHTs Boon Thau Loo, Owen Cooper, Sailesh Krishnamurthy CS294-4 Search Today Search Index Crawl Crawl Whats Wrong? Users have a limited search interface Todays web is dynamic and growing: Timely

825 views • 21 slides
The Glimpse of Detectron : Dynamic Forwarding and Routing in Modern Detectors Ziwei Liu

The Glimpse of Detectron : Dynamic Forwarding and Routing in Modern Detectors Ziwei Liu

The Glimpse of Detectron : Dynamic Forwarding and Routing in Modern Detectors Ziwei Liu Multimedia Lab (MMLAB) The Chinese University of Hong Kong Dynamic Forwarding Content-Aware Resolution-Adaptive A neurobiological model of visual

1.19k views • 80 slides
Management Strategies and Dynamic Financial Analysis Dynamic Financial Analysis CAS Spring

Management Strategies and Dynamic Financial Analysis Dynamic Financial Analysis CAS Spring

Management Strategies and Dynamic Financial Analysis Dynamic Financial Analysis CAS Spring Meeting Martin Eling, University of Ulm Thomas Parnitzke, Baloise Holding San Diego, May 23-26, 2010 Hato Schmeiser, University of St. Gallen Hato

639 views • 30 slides
MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise

MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise

MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise and purify our thoughts like a strain picture, or a passage from the grander poets. It always does one good. 5 MODERN 6 MODERN 7 MODERN 8

524 views • 24 slides
System Test, Static Analysis Test SW V&amp;V, CTIP, (ANT, SVN, Mantis) 200611490

System Test, Static Analysis Test SW V&amp;V, CTIP, (ANT, SVN, Mantis) 200611490

System Test, Static Analysis Test SW V&amp;V, CTIP, (ANT, SVN, Mantis) 200611490 200913988 201011318 201011358 Contents Category partition &amp; Pairwise testing Clover Sonar Analysis

559 views • 36 slides
Augmenting Dynamic Typing with Static-Analysis Reid Draper @reiddraper Reid Draper @reiddraper

Augmenting Dynamic Typing with Static-Analysis Reid Draper @reiddraper Reid Draper @reiddraper

Augmenting Dynamic Typing with Static-Analysis Reid Draper @reiddraper Reid Draper @reiddraper takeaways tl;dr JUST USE HASKELL JUST USE IDRIS several modern functional languages have optional type systems they are mature enough to be

1.12k views • 76 slides
Today Amortized analysis Dynamic tables Amortized Analysis and Splay Trees Splay

Today Amortized analysis Dynamic tables Amortized Analysis and Splay Trees Splay

Today Amortized analysis Dynamic tables Amortized Analysis and Splay Trees Splay trees Inge Li Grtz CLRS Chapter 17 Je ff Erickson notes Dynamic tables Dynamic tables Problem. Have to assign size of table at initialization.

365 views • 11 slides
Supporting PHP Dynamic Analysis in PHP AiR Mark Hills 13th International Workshop on Dynamic

Supporting PHP Dynamic Analysis in PHP AiR Mark Hills 13th International Workshop on Dynamic

Supporting PHP Dynamic Analysis in PHP AiR Mark Hills 13th International Workshop on Dynamic Analysis (WODA 2015) October 26, 2015 Pittsburgh, Pennsylvania, USA http://www.rascal-mpl.org 1 PHP AiR: PHP Analysis in Rascal PHP AiR: a framework

528 views • 16 slides
Dyna Dynamic mic Analysis Analysis of the of the Co-evo Co evoluti lution on of Ex of

Dyna Dynamic mic Analysis Analysis of the of the Co-evo Co evoluti lution on of Ex of

Dyna Dynamic mic Analysis Analysis of the of the Co-evo Co evoluti lution on of Ex of Exac act t Cove Covers rs EVOLVE 2011, Luxembourg Jeffrey Horn GECCO June 28, 2005 IEEE SSCI FOCI 2007 Northern Nort hern Mi Michigan Univer

981 views • 46 slides
Modern MDL Meets Data Mining Insight, Theory, and Practice Part IV Dynamic Setting Kenji

Modern MDL Meets Data Mining Insight, Theory, and Practice Part IV Dynamic Setting Kenji

Modern MDL Meets Data Mining Insight, Theory, and Practice Part IV Dynamic Setting Kenji Yamanishi Graduate School of Information Science and Technology, the University of Tokyo August 4 th 2019 KDD Tutorial Part IV. Dynamic Setting

944 views • 60 slides
Shape Analysis for Redistricting modern geometry meets modern politics Zachary Schutzman

Shape Analysis for Redistricting modern geometry meets modern politics Zachary Schutzman

Shape Analysis for Redistricting modern geometry meets modern politics Zachary Schutzman University of Pennsylvania &amp; Metric Geometry and Gerrymandering Group Hyperbolic Lunch, U. of Toronto Mathematics February 21st, 2019

844 views • 46 slides
EPICREALM DYNAMIC WEBSITE PATENTS CLAIM CONSTRUCTION ANALYSIS Dan Ravicher What is a Dynamic

EPICREALM DYNAMIC WEBSITE PATENTS CLAIM CONSTRUCTION ANALYSIS Dan Ravicher What is a Dynamic

EPICREALM DYNAMIC WEBSITE PATENTS CLAIM CONSTRUCTION ANALYSIS Dan Ravicher What is a Dynamic Website? Produces a Customized Response to User Input Examples Google, Yahoo and other seach engines Online banking E-Tailors

437 views • 26 slides
AN SLP ONCE TRIED TO TEST ME Making use of dynamic assessment, counseling strategies, medical

AN SLP ONCE TRIED TO TEST ME Making use of dynamic assessment, counseling strategies, medical

AN SLP ONCE TRIED TO TEST ME Making use of dynamic assessment, counseling strategies, medical history, and the interdisciplinary team for effective patient advocacy and treatment Will Farnham, MS CCC - SLP FUTURE COLLEAGUE COLLAB MAY 6,

496 views • 27 slides
Combined Static and Dynamic Automated Test Generation Sai Zhang University of Washington Joint

Combined Static and Dynamic Automated Test Generation Sai Zhang University of Washington Joint

Combined Static and Dynamic Automated Test Generation Sai Zhang University of Washington Joint work with: David Saff, Yingyi Bu, Michael D. Ernst 1 Unit Testing for Object-oriented Programs Unit test = sequence of method calls + testing oracle

1.38k views • 43 slides
Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2

Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2

Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2 Frank Uijtewaal Collab: DongIT (dongit.nl) Initial project goal Find a new and interesting type of security analysis for web applications

480 views • 35 slides
MODERN LIFE IS RUBBISH? USING TIME USE ANALYSIS TO DISPEL MYTHS OF DECLINE Modern Life is Rubbish

MODERN LIFE IS RUBBISH? USING TIME USE ANALYSIS TO DISPEL MYTHS OF DECLINE Modern Life is Rubbish

MODERN LIFE IS RUBBISH? USING TIME USE ANALYSIS TO DISPEL MYTHS OF DECLINE Modern Life is Rubbish Importance of approach and consistency of output Changing rhythm of the day Blurring of work/life boundaries The rise of the (3D)

765 views • 28 slides
Engineering Best Practices Test, test, test, and test some more; test as you go Start from a

Engineering Best Practices Test, test, test, and test some more; test as you go Start from a

Engineering Best Practices Test, test, test, and test some more; test as you go Start from a known working state, take small steps Make things visible (gdb, printf, logic analyzer) Methodical, systematic approach. Form hypotheses and perform

755 views • 38 slides
A UAV Test and Development Environment Based on Dynamic System Reconfiguration Osamah A.

A UAV Test and Development Environment Based on Dynamic System Reconfiguration Osamah A.

A UAV Test and Development Environment Based on Dynamic System Reconfiguration Osamah A. Rawashdeh, Garrett D. Chandler, and James E. Lumpp, Jr. Department of Electrical and Computer Engineering University of Kentucky Lexington, KY Outline

300 views • 11 slides
Toward Continuous SAGE How to Interrupt and Migrate Dynamic Test Generation Mehdi

Toward Continuous SAGE How to Interrupt and Migrate Dynamic Test Generation Mehdi

Toward Continuous SAGE How to Interrupt and Migrate Dynamic Test Generation Mehdi Bouazizs End -of-Internship talk Joint work with Ella Bounimova (mentor), Patrice Godefroid (MSR), David Molnar (MSR) and Eric Jarvi (Office) Security is

428 views • 20 slides
EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last lecture. . . More Points-to Analysis Memory Errors 2 / 44 Challenges to Static Analysis Static analysis is far from solved Very active

574 views • 42 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides

More recommend