Detection & prevention of vulnerabilities in web applications
Date of Issue: 2016-02-22
School of Physical and Mathematical Sciences
Web applications allow users to receive and communicate content from remote servers through web browsers. They are becoming the dominant way for users to access online services. Meanwhile, web applications have raised a great many security concerns: coding weaknesses, vulnerabilities, and leakage of sensitive data, to name a few. All of these can be exploited by cyber criminals. In a 2014 report, McAfee estimated that the cost of cybercrime was more than $400 billion in 2013. Thus it is imperative to detect and prevent these crimes. It is for this purpose that security professionals develop tools to detect different web vulnerabilities and, at the same time, design new web architectures to minimize loopholes for web attacks.
The thesis introduces two detection tools that target Unvalidated Redirects and Forwards (URF) and Cross-site Scripting (XSS) vulnerabilities. They use heuristic methods and are rather flexible. Protocol-independent modules are used to send data to targeted web applications. The fact that the algorithms are written in simple scripting languages and yield a zero false-positive rate makes them highly practical and effective.
The thesis also presents a new attack model, Covert Redirect. The vulnerability often exists because of a website's overconfidence in its partners. To be more specific, a website generally does not perform sufficient validation of redirected URLs that belong to the domains of its partners. Covert Redirect can also be used to attack single sign-on (SSO) systems. This work was first covered in detail by CNET and subsequently reported by many others, such as Yahoo, FOX News and Tech Xplore.
In the third part, we list several other vulnerabilities that we found. Dozens of them have been assigned unique CVE numbers. They belong to various categories: SQL Injection, Denial of Service (DoS), Cross-site Request Forgery (CSRF), Remote File Inclusion (RFI), Information Leakage, HTTP Response Splitting (CRLF), Code Injection and Directory Traversal. The fact that many of the vulnerabilities have drawn the attention of popular security news media such as ZDNet, Tom's Guide, The Register and Computer World is evidence of their importance.
DOM-based XSS is one of the three types of XSS vulnerabilities. It works by modifying the DOM environment in the victims' browsers. There is a large body of extant literature on reflected XSS. However, very little research focuses on DOM-based XSS. In this thesis, we will introduce a project that is underway and related to the prevention of DOM-based XSS.