Interaktyvios saugos sistemos prototipas apsaugai nuo injekcinių atakų / Interactive security system prototype to protect against injections attacks

Žukas, Mantas

05 November 2013

Darbas apie apsisaugojimo metodiką nuo injekcinių atakų naudojant Bekaus ir Nauro formą. Pasirinkta įvesties patikros strategija (blacklist), realizuotas reguliarių išraiškų transformacijos algoritmas. Sukurtas pradinis injekcinių atakų aprašas. Transformuojant aprašo sematiką į reguliarių išraiškų masyvus yra suformuojamos tikrinimo taisyklės. Pagal suformuotas taisyklės yra nustatoma, ar sistemos įvesties parametrai atitinka injekcinių atakų aprašą. Sukurtas saugos sistemos prototipas apsaugai nuo injekcinių atakų. / In this research the injection attack prevention method is introduced. Also the interactive security system prototype to protect against injections attacks is proposed. Security system prototype is using blacklist input validation strategy for checking input parameters. Each list item consists of a single type of injection attack description. Descriptions are written in Backus–Naur form.

Informatics Engineering

SQL injekcijos

Xpath injekcijos

Įvesties patikra

SQL injections

Xpath injections

Input validation

Fuzz Testing for Quality Control in Systems with Complex Input Data

Bodin, Josefin

January 2023

Fuzz testing is a testing technique used to generate a large amount of random or semi-random input data. This data is then fed to a target system which is then run with said data and monitored for anomalous behaviour. But as systems become increasingly complex, and as such, their input, fuzz testing becomes less efficient as pure randomisation no longer yields many useful results, and the long execution chains that may arise from complex systems create a demand for configurability in order to generate useful test data and make the testing efficient long-term. This thesis applies high-level configurability to a fuzz testing tool and tests this on a proprietary hard real-time operating system. The results show that this approach might not work all that well on the target system used during this thesis, but it is still believed that it is an approach to fuzz testing which may be useful in other regards.

fuzz testing

quality control

complex input

input validation

software testing

fuzzing

Computer Sciences

Datavetenskap (datalogi)

Validation DSL for client-server applications

Fedorenko, Vitalii M.

10 1900

<p>Given the nature of client-server applications, most use some freeform interface, like web forms, to collect user input. The main difficulty with this approach is that all parameters obtained in this fashion need to be validated and normalized to protect the application from invalid entries. This is the problem addressed here: how to take client input and preprocess it before passing the data to a back-end, which concentrates on business logic. The method of implementation is a rule engine that uses Groovy internal domain-specific language (DSL) for specifying input requirements. We will justify why the DSL is a good fit for a validation rule engine, describe existing techniques used in this area and comprehensively address the related issues of accidental complexity, security, and user experience.</p> / Master of Science (MSc)

domain-specific language

input validation

input preprocessing

internal DSL

embedded DSL

groovy DSL

Programming Languages and Compilers

Programming Languages and Compilers