Return to search

Next Generation Black-Box Web Application Vulnerability Analysis Framework

abstract: Web applications are an incredibly important aspect of our modern lives. Organizations

and developers use automated vulnerability analysis tools, also known as

scanners, to automatically find vulnerabilities in their web applications during development.

Scanners have traditionally fallen into two types of approaches: black-box

and white-box. In the black-box approaches, the scanner does not have access to the

source code of the web application whereas a white-box approach has access to the

source code. Today’s state-of-the-art black-box vulnerability scanners employ various

methods to fuzz and detect vulnerabilities in a web application. However, these

scanners attempt to fuzz the web application with a number of known payloads and

to try to trigger a vulnerability. This technique is simple but does not understand

the web application that it is testing. This thesis, presents a new approach to vulnerability

analysis. The vulnerability analysis module presented uses a novel approach

of Inductive Reverse Engineering (IRE) to understand and model the web application.

IRE first attempts to understand the behavior of the web application by giving

certain number of input/output pairs to the web application. Then, the IRE module

hypothesizes a set of programs (in a limited language specific to web applications,

called AWL) that satisfy the input/output pairs. These hypotheses takes the form of

a directed acyclic graph (DAG). AWL vulnerability analysis module can then attempt

to detect vulnerabilities in this DAG. Further, it generates the payload based on the

DAG, and therefore this payload will be a precise payload to trigger the potential vulnerability

(based on our understanding of the program). It then tests this potential

vulnerability using the generated payload on the actual web application, and creates

a verification procedure to see if the potential vulnerability is actually vulnerable,

based on the web application’s response. / Dissertation/Thesis / Masters Thesis Computer Science 2017

Identiferoai:union.ndltd.org:asu.edu/item:44256
Date January 2017
ContributorsKhairnar, Tejas (Author), Doupé, Adam (Advisor), Ahn, Gail-Joon (Committee member), Zhao, Ziming (Committee member), Arizona State University (Publisher)
Source SetsArizona State University
LanguageEnglish
Detected LanguageEnglish
TypeMasters Thesis
Format47 pages
Rightshttp://rightsstatements.org/vocab/InC/1.0/, All Rights Reserved

Page generated in 0.0018 seconds