Detection of Web-based attacks
PhD Thesis - DIEE University of Cagliari, Italy
Igino Corona
March 4, 2010
Outline
1 Research outline
2 Current Internet Threats
  World Wide Web
  Common Gateway Interface
  Client-side web security
  Server-side web security
3 Our Contribution to Client-side Web Security
  Flux Buster
4 Our Contribution to Server-side Web Security
  Web Guardian
5 Research Contributions - summary
6 Limitations - summary
Research outline
Intrusion Detection and Adversarial Environment - critical review
I. Corona, G. Giacinto, F. Roli, Intrusion detection in computer systems as a pattern recognition task in adversarial environment: a critical review, Workshop on Neural Information Processing Systems (NIPS), Whistler, British Columbia, Canada, 08/12/2007
Detailed work in the PhD thesis (it is going to be submitted soon to an important journal)
Intrusion Detection and Multiple Classifier Systems
I. Corona, G. Giacinto, F. Roli, Intrusion Detection in Computer Systems using Multiple Classifier Systems, in Supervised and Unsupervised Ensemble Methods and Their Applications, O. Okun and G. Valentini (eds.), no. 126, Springer-Verlag, Berlin/Heidelberg, pp. 91-114, 2008
Intrusion Detection and Information Fusion
I. Corona, G. Giacinto, C. Mazzariello, F. Roli, C. Sansone, Information fusion for computer security: State of the art and open issues, Information Fusion, vol. 10, pp. 274-284, 2009
Intrusion Detection and Web Security
I. Corona, D. Ariu, G. Giacinto, HMM-Web: a framework for the detection of attacks against Web applications, IEEE ICC 2009, Dresden, Germany, 14/06/2009
HMM-Web → Web Guardian: detailed work in the PhD thesis (it is going to be submitted soon to a relevant conference)
R. Perdisci, I. Corona, D. Dagon, W. Lee, Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces, Annual Computer Security Applications Conference (ACSAC), Honolulu, Hawaii, USA, 07/12/2009
Current Internet Threats
World Wide Web
The weak point in the chain: World Wide Web
Nowadays, most Internet threats are due to Web-based vulnerabilities [SANS (2009), Cenzic (2009)]
[Diagram: factors surrounding the World Wide Web: easy information sharing; business opportunities; high exposition of services; complex applications; developers with little security training; strict development time constraints]
Common Gateway Interface
[Diagram, built up over five slides: web browser - Internet - web server. The browser's request crosses the Internet to the web server; the server passes the input query through the CGI to the web application; the application returns content to the server, which sends it back across the Internet as the response [content] to the browser.]
Client-side web security
[Diagram: web user (victim) - web browser - web server - attacker; the attacker delivers malicious content/scams through the web server]
Client-side problem: malicious (or infected) websites
Malicious websites routinely exploit vulnerabilities in browsers (e.g. Internet Explorer, Firefox) and their plugins (e.g. JavaScript, Adobe Reader, Flash Player) to execute arbitrary (unauthorized) instructions on the client side. Compromised computers may take part in a botnet. In addition, malicious websites may support a wide range of scams (e.g. phishing scams, fake job proposals, fake lotteries).
Malicious Fast Flux Networks
Malicious websites are increasingly hosted through malicious Fast Flux Service Networks. These networks are composed of malware-infected computers that can be remotely controlled by miscreants. Each computer typically acts as an HTTP proxy, i.e. it retrieves malicious content from a central node called the mothership. These illegal networks are very robust, pervasive and inherently difficult to block.
Server-side web security
[Diagram: attacker - web browser - malicious request - web server - legitimate web service]
Server-side problem: malicious web requests
Legitimate web services are routinely compromised by exploiting vulnerabilities in web servers and web applications. For example, miscreants may steal confidential information or inject malicious code into web pages, in order to attack users that later access those web services.
Example: Joomla Hotel Booking System Component
SQL Injection
http://www.vulnerablehotel.com/components/com_hbssearch/longDesc.php?h_id=1&id=-2%20union%20select%20concat%28username,0x3a,password%29%20from%20jos_users--
Cross-site scripting
http://www.vulnerablehotel.com/index.php?option=com_hbssearch&task=showhoteldetails&id=118&adult=2<script%20src=http://www.dbrgf.ru/script.js>
Our Contribution to Client-side Web Security
Flux Buster
Key observations
In large networks (i.e. serving millions of users), it is very likely that some users will (unfortunately) fall victim to malicious web content, and will therefore “click” on (and initiate DNS queries about) fast flux domain names.
Passive analysis of real users’ activities allows us to stealthily detect and collect information about “popular” malicious flux networks on the Internet, regardless of the method used by miscreants to advertise websites hosted through these networks.
Thousands of new domain names appear per day. Over time, many different (but equivalent) domain names may resolve to the same flux network. Thus, an IP-based clustering of domain names is useful to (a) identify the relationships between domain names, (b) accurately characterize different fast flux networks, (c) obtain a lower number of objects (domain clusters vs domains) that must be classified.
Passive RDNS data collection
Architecture
Very conservative (but effective) prefiltering rules
F1: stateless rules, e.g. TTL ≥ 3 hours
F2: stateful rules, e.g. for each domain name resolved at least 100 times: (a) it is associated with only 5 (or fewer) distinct IP addresses and (b) there is no DNS reply which returns more than 2 new IP addresses.
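The F1 and F2 rules above, applied to a constructed RDNS trace, as an added example that is not Flux Buster's own code. It assumes that F1 discards individual replies while F2 discards whole domains, and that a domain resolved fewer than 100 times, to which F2 does not apply, stays a candidate.

```python
"""Added example (not Flux Buster's code): F1/F2 prefiltering of RDNS replies."""
from collections import defaultdict

THREE_HOURS = 3 * 3600


def prefilter(replies, ttl_limit=THREE_HOURS, min_resolutions=100,
              max_distinct_ips=5, max_new_ips_per_reply=2):
    """Return the set of domains that survive prefiltering.

    replies: iterable of (domain, ttl_seconds, tuple_of_ips), one per DNS reply.
    F1 (stateless): a reply with TTL >= 3 hours is discarded on its own.
    F2 (stateful): a domain resolved at least 100 times is discarded when
      (a) it mapped to at most 5 distinct IPs overall and
      (b) no single reply introduced more than 2 previously unseen IPs.
    Domains F2 does not apply to (fewer than 100 resolutions) are kept as
    candidates; that choice is an assumption of this example.
    """
    resolutions = defaultdict(int)
    seen_ips = defaultdict(set)
    max_new = defaultdict(int)
    for domain, ttl, ips in replies:
        if ttl >= ttl_limit:                       # F1
            continue
        resolutions[domain] += 1
        new_ips = set(ips) - seen_ips[domain]
        max_new[domain] = max(max_new[domain], len(new_ips))
        seen_ips[domain].update(ips)
    candidates = set()
    for domain, n in resolutions.items():
        stable = (n >= min_resolutions
                  and len(seen_ips[domain]) <= max_distinct_ips
                  and max_new[domain] <= max_new_ips_per_reply)
        if not stable:                             # F2 keeps only the unstable ones
            candidates.add(domain)
    return candidates


def _replies(domain, ttl, n_replies, ips_per_reply, pool):
    """Constructed helper: n_replies replies for domain, each returning the
    next ips_per_reply addresses from pool (wrapping around)."""
    out = []
    for i in range(n_replies):
        chunk = tuple(pool[(i * ips_per_reply + k) % len(pool)]
                      for k in range(ips_per_reply))
        out.append((domain, ttl, chunk))
    return out


def build_sample():
    """Constructed RDNS trace (all addresses are made-up 10.x.x.x values)."""
    cdn_pool = ["10.0.0.%d" % k for k in range(1, 4)]                     # 3 IPs, reused
    flux_pool = ["10.1.%d.%d" % (k // 256, k % 256) for k in range(450)]  # 3 new IPs per reply
    rare_pool = ["10.3.0.1", "10.3.0.2"]
    return (_replies("cdn.example.com", 20, 120, 1, cdn_pool)                  # F2 drops it
            + _replies("intranet.example.org", 4 * 3600, 50, 1, ["10.4.0.1"])  # F1 drops it
            + _replies("fluxy.example.net", 300, 150, 3, flux_pool)            # candidate
            + _replies("rare.example.com", 60, 10, 1, rare_pool))              # candidate (< 100 resolutions)


if __name__ == "__main__":
    print(sorted(prefilter(build_sample())))   # ['fluxy.example.net', 'rare.example.com']
```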
Preprocessing phase
[Diagram: the collected RDNS data passes through the prefilters F1+F2 before clustering]
Hierarchical single linkage Clustering
$$\mathrm{sim}(\alpha, \beta) = \frac{|R(\alpha) \cap R(\beta)|}{|R(\alpha) \cup R(\beta)|} \cdot \frac{1}{1 + e^{\gamma - \min(|R(\alpha)|, |R(\beta)|)}} \in [0, 1]$$
where R(α) is the set of IP addresses that domain α resolved to.
Service Classifier
Cluster statistical features
Passive: φ1 Number of resolved IPs, φ2 Number of domains, φ3 Avg. TTL per domain, φ4 Network prefix diversity, φ5 Number of domains per network, φ6 IP Growth Ratio
Active: φ7 Autonomous System (AS) diversity, φ8 BGP prefix diversity, φ9 Organization diversity, φ10 Country Code diversity, φ11 Dynamic IP ratio, φ12 Average Uptime Index.
Cluster ID | Cluster Nickname | Use | Label
l1 | cdne.gearsofwar.xbox.com | CDN | Legitimate
l2 | fotf.cdnetworks.net | CDN | Legitimate
l3 | 3.europe.ntp.org | NTP pool | Legitimate
l4 | opendht.nyuld.net | OASIS | Legitimate
m1 | 50b0f40526956b85.saidthesestory.com | Adult Content/Malware | Malicious Flux
m2 | paypal.database-confirmation.com | Phishing | Malicious Flux
m3 | hqdvrp.flagacai.com | Pharmacy Scam | Malicious Flux

Feature | l1 | l2 | l3 | l4 | m1 | m2 | m3
IP Growth Ratio (φ6) | 0.028 | 0.016 | 0.039 | 0.021 | 0.932 | 0.374 | 0.56
Number of domains per network (φ5) | 488 | 165 | 57 | 54 | 42000 | 228 | 1632
Avg. TTL per domain (φ3) | 22 | 20 | 1402 | 7421 | 300 | 180 | 180
Labeled Dataset
Time interval | 1 March to 14 April 2009
Users | over 4 million
DNS queries | 2.5 · 10^9 per day
Candidate flux domains | ∼10^5 per day
Domain Clusters | ∼310 clusters per day [1]
Fast Flux Clusters | ∼23 clusters per day
Fast Flux domain names | 61,710
Flux Agents | 17,332
[1] We consider only clusters (networks) having at least 10 IP addresses
Service Classifier - accuracy
Decision tree accuracy - C4.5 algorithm - 5-fold cross validation: 60% training, 40% test
Features | AUC | DR | FP
All | 0.992 (0.003) | 99.7% (0.36) | 0.3% (0.36)
Passive | 0.993 (0.005) | 99.4% (0.53) | 0.6% (0.53)
φ6, φ3, φ5 | 0.989 (0.006) | 99.3% (0.49) | 0.7% (0.49)
Application - domain name Blacklisting
Examples of detected flux domain names, by category:
adult content
facebook phishing
myspace phishing
ebay phishing
Application - domain name Blacklisting
Time interval: November 3, 2009 to February 2, 2010. Flux agents: 21,108 IP addresses. Fast flux domain names: 16,375.
Analysis of flux domain names through Google Safe Browsing
[Bar chart: number of unique fast flux domain names (y-axis 0 to 18000) for Total, Visited and Malicious]
Interpretation
We speculate that most flux domain names are advertised by web pages not indexed by Google, or by means of non-web-based forms of advertisement. In fact, during our experiments we came across several compromised websites whose injected HTML code was of the form:
<META NAME="ROBOTS" CONTENT="NOFOLLOW">
<script src=http://fast-flux-domain-name1/script.js>
<script src=http://fast-flux-domain-name2/script.js>
...
<script src=http://fast-flux-domain-nameN/script.js> </META>
Application - real time detection and spam filtering
Real time detection of suspicious websites
We may detect suspicious domain names in real time, i.e. domain names whose resolved IPs are among the pool of known flux agents (detected through our system).
[ROC plot: Detection Rate % (0 to 100) against False Positive Rate % on Alexa TOP domains (0.0 to 0.0018), one curve per day of spam: 2009-03-04 (33697 spam domains), 2009-03-06 (105608 spam domains), 2009-03-10 (103554 spam domains), 2009-03-15 (168298 spam domains)]
Interpretation
We spot almost all domain names inside spam emails. It is worth noting that some of them do not have a “fluxy” behavior, but resolve to flux agents characterized by high uptime.
Our Contribution to Server-side Web Security
Web Guardian
Anomaly-based approach
Problem
We would like to detect both known and unknown attacks against web services. Also, we would like to provide automatic counteractions against such attacks, to protect web services in real time.
Our Approach
- Given a sample of requests on the web server, we model the normal (legitimate) web traffic profile
- We detect web traffic that does not reflect the legitimate profile (i.e. web attacks)
- We may provide well-suited real-time counteractions, depending on the detected anomalies
Architecture
Learning framework
Problem
We cannot assume an attack-free training set! Known outlier detection techniques may not be suitable for our task.
Automatic noise filtering
Each model is (re)trained excluding some samples from the training set.
General-purpose models
Feature | Model
Sequence of symbols | Hidden Markov Model (model-a) - Baum-Welch algorithm, number of states = average number of distinct symbols in a sequence, random initialization of the state transition and symbol emission matrices
Numeric value | $p[x \mid \text{model-b}] = \dfrac{\sigma^2}{(x-\mu)^2}$ if $x > \mu + \sigma$
Discrete value | $p[x \mid \text{model-c}] = \dfrac{\mathrm{count}(x)}{\text{total n. of samples}}$
Modeled features
model-a: sequence of: headers; web app. attributes; attribute inputs (generalization of numbers and letters);
model-b: ratio between rejected and successful requests, and frequency of requests on each web application, per source IP address; for each header, its input length;
model-c: method; HTTP version; for each header, the following flags: has-alphabetic-input, has-digit-input; for each header: list of non-alphanumeric input characters.
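The general-purpose models model-b and model-c, the generalized attribute inputs fed to model-a, and the automatic noise filtering of the learning framework, as an added example that is not Web Guardian's code. The "otherwise" branch of model-b (p = 1 at or below µ + σ), the letter/digit generalization encoding, the drop fraction, and the constructed Cookie lengths and request are all assumptions; the HMM of model-a is not implemented.

```python
"""Added example (not Web Guardian's own code): model-b and model-c scoring,
the generalized symbol sequences fed to model-a, and the learning
framework's automatic noise filtering."""
import re
import statistics
from collections import Counter
from urllib.parse import parse_qsl, urlsplit


def generalize(value):
    """model-a input generalization: runs of letters become 'A', runs of
    digits become 'N', any other character stays as its own symbol
    (assumed encoding; the slide only says numbers and letters are generalized)."""
    return re.sub(r"[0-9]+", "N", re.sub(r"[A-Za-z]+", "A", value))


def request_features(method, url, headers):
    """A subset of the per-request features on the 'Modeled features' slide."""
    attrs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {
        "method": method,                                       # model-c
        "attribute_seq": [k for k, _ in attrs],                 # model-a
        "input_seq": {k: generalize(v) for k, v in attrs},      # model-a
        "header_len": {h: len(v) for h, v in headers.items()},  # model-b
        "header_nonalnum": {h: sorted({c for c in v if not c.isalnum()})
                            for h, v in headers.items()},       # model-c
    }


class NumericModel:
    """model-b: p[x] = sigma^2 / (x - mu)^2 when x > mu + sigma (a Chebyshev
    bound).  Values at or below mu + sigma get p[x] = 1; that 'otherwise'
    branch is an assumption, the slide does not state it."""

    def fit(self, xs):
        self.mu = statistics.mean(xs)
        self.sigma = statistics.pstdev(xs)
        return self

    def prob(self, x):
        if x > self.mu + self.sigma:
            return self.sigma ** 2 / (x - self.mu) ** 2
        return 1.0


class DiscreteModel:
    """model-c: p[x] = count(x) / total number of training samples."""

    def fit(self, xs):
        self.counts = Counter(xs)
        self.total = len(xs)
        return self

    def prob(self, x):
        return self.counts[x] / self.total


def fit_with_noise_filtering(model, samples, drop_fraction=0.02):
    """Learning framework: train, then retrain excluding the samples that
    received the lowest probability, so that a few attacks hidden in the
    training set do not stretch the model's notion of 'normal'.
    drop_fraction is an assumed parameter."""
    model.fit(samples)
    ranked = sorted(samples, key=model.prob)      # lowest probability first
    return model.fit(ranked[int(len(samples) * drop_fraction):])


def build_sample_lengths():
    """Constructed Cookie header lengths: 198 legitimate requests of 30..50
    bytes plus 2 oversized requests standing in for attacks in the training set."""
    return [30 + i % 21 for i in range(198)] + [900, 900]


if __name__ == "__main__":
    lengths = build_sample_lengths()
    naive = NumericModel().fit(lengths)
    robust = fit_with_noise_filtering(NumericModel(), lengths)
    # The two oversized samples push mu + sigma past 120 bytes: a 120-byte Cookie
    # scores 1.0 under the naive model and below 0.01 after noise filtering.
    print(naive.prob(120), robust.prob(120), generalize("2<script>"))
```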
Experiments
Dataset Λ = Σ ∪ T
time interval | 27 November to 3 December, 2009
number of web requests | 447,178
distinct IP addresses | 1,703
bad requests | 5,507
web application queries | 98,900
number of web applications | 217
Datasets Σ and T
Σ contains the first 200,000 requests in Λ, and it is employed for training the system. T contains the remaining 247,178 requests, and it is used for performance evaluation.
Training phase
CPU Intel Core 2 Duo T8100 2.1 GHz, 2 GBytes of RAM, and Linux (Ubuntu 8.04) operating system. Training time: 2 hours and 53 minutes; max RAM 1.6 GBytes.
OK, but what about attacks inside dataset Λ?
We identify attacks inside Λ with the help of Web Guardian. For each model, we manually inspect the training samples receiving the lowest probability. This is justified since: (a) we may assume that attack samples are fewer than legitimate samples, (b) attacks are characterized by patterns significantly different from legitimate patterns. Furthermore, this process is not expensive, because we need to inspect only a small portion of the training samples for each model.
Attack dataset Φ
Target | Details | Attack Type | References | Attacks
web application queries | 90 distinct web applications and 372 attributes | cross-site scripting, sql injection, remote code execution, remote file inclusion, information gathering | [Spett (2002)], [Admin (2002)], [Mac Vittie (2007)], [Hansen (2009)], [Pastor (2009)], [Auger (2010)], [L0t3k] | 412
headers | Accept, Accept-Language, Referer, Content-Type, Accept-Encoding, User-Agent, Host, Content-Length, Connection, Cache-Control, Cookie, Via, X-Forwarded-For, If-Modified-Since | generic buffer overflow, cross-site scripting, sql injection, http request smuggling, CRLF injection | [Bellamy (2002)], [PSS (2002)], [Linhart et al. (2005)], [Symantec (2006)], [CAPEC (2007)], [Bajpai (2009)], [Mac Vittie (2010)] | 78
method | PROPFIND, OPTIONS, TRACE and bad strings | buffer overflow, cross-site scripting, information gathering | [Donaldson (2002)], [Juniper (2002)], [Manion (2003)], [Shah (2004)] | 12
http version | bad format string | buffer overflow, information gathering | [Donaldson (2002)], [Shah (2004)] | 5
Results
Parameter | Dataset | Value
detection rate | Λ = Σ ∪ T | 232/232, 100%, ∼39 alerts/day
detection rate | Φ | 505/507, 99.6%
false alarm rate | Λ | 1,252/447,178, 0.28%, ∼209 alerts/day
false alarm rate | Σ | 450/200,000, 0.22%, ∼150 alerts/day
false alarm rate | T | 802/247,178, 0.32%, ∼267 alerts/day
response time | Λ | 1.2 milliseconds
Observation
It is worth noting that a significantly lower false positive rate may be attained by manually verifying false alarms on our web interface. Using such an interface we may:
- group anomalies depending on their type, i.e. the model which raised the anomaly, common traits of the anomaly (e.g. a suspect non-alphanumeric character), source IP address, targeted web application/header
- adjust model thresholds, so that attacks are still reliably evidenced while false alarms are reduced
- (re)train models using some samples which have been erroneously discarded by the learning framework (e.g. because there were no attacks in the set of training samples)
Implementation
Research Contributions - summary
Flux Buster
- novel, passive approach for detecting and tracking malicious flux service networks
- we detect fast flux domain names, regardless of the way they are advertised
- the active probing proposed so far is expensive, requires a distributed architecture, and may be detected and blocked/influenced by miscreants. In contrast, we do not interact with the flux network ourselves, so our approach is stealthy
- we accurately characterize and detect flux networks. By means of Flux Buster we may substantially enhance the state-of-the-art protection of web users and spam filtering applications
Web Guardian
- unsupervised training which effectively handles the presence of attacks in the training set
- accurate detection of both known and unknown attacks against web services. This complements the rule-based approach of ModSecurity
- low false positive rate
- ability to counteract in real time, and thus protect web services
- multiple, specific anomaly detectors allow us to (a) infer the type of an attack, (b) further reduce false positives by grouping similar anomalies, (c) provide well-suited counteractions
- easy to extend with new models/features
- the host-based approach allows us to limit evasive attacks (e.g. desynchronization) and to monitor both HTTP and HTTPS traffic
Limitations - summary
Flux Buster
- the approach is effective only if applied in large computer networks
- some flux domain names may be erroneously prefiltered. To this end, a detailed evaluation is required. For example, we could select filtered domain names whose patterns are placed near the decision surface of our prefiltering stage, then analyze them using other fast flux detection tools (e.g. abuse.ch)
- due to the massive amount of data Flux Buster has to process, its responsiveness is slow. However, this limitation may be reduced by employing the detection approach proposed for spam filtering
- in principle, fast flux operators may deliberately inject some legitimate IP addresses into the pool of flux agents. However, they have to pay for this with a reduced effectiveness of the flux domain names. In order to cope with this issue, we may filter known-as-legitimate IP addresses from the pool of flux agents, e.g. by extracting all IP addresses used by the most popular websites according to legitimate organizations such as Alexa
Web Guardian
- it is fundamentally limited to the detection of input validation attacks. In order to detect web attacks exploiting logical vulnerabilities, we must add new features and models
- currently we do not produce a description of the attacks. We are working on the automatic inference of the attack class, given an anomaly
- false alarm injection: automatic counteractions may still prevent successful attacks. However, as a matter of fact, false alarm injection attacks are not currently addressed by Web Guardian. As future work we intend to research solutions to this issue
Thank you!
References
SANS Institute (2009). The Top Cyber Security Risks - September 2009 ⇒ web link (accessed January 2010)
Cenzic, Inc. (2009). Web Application Security Trends Report ⇒ web link (accessed January 2010)
Spett, K. (2002). SQL Injection: Are Your Web Applications Vulnerable?, A White Paper from SPI Dynamics ⇒ web link (accessed January 2010)
admin@cgisecurity.com (2002). The Cross Site Scripting FAQ, Packet Storm Security ⇒ web link (accessed February 2010)
Mac Vittie, L. (2007). SQL Injection Evasion Detection, F5 Whitepaper ⇒ web link (accessed January 2010)
Hansen, R. (2009). XSS (Cross Site Scripting) Cheat Sheet for filter evasion, ha.ckers.org ⇒ web link (accessed January 2010)
Pastor, A. (2009). CVE-2009-1151: phpMyAdmin Remote Code Execution Proof of Concept, GNUCitizen ⇒ web link (accessed February 2010)
Auger, R. (2010). Remote File Inclusion, The Web Application Security Consortium ⇒ web link (accessed February 2010)
L0t3k. SQL Injection: The Complete Documentation ⇒ web link (accessed January 2010)
Bellamy, W. (2002). HyperText Transfer Protocol (HTTP) Header Exploitation, Advanced Incident Handling and Hacker Exploits, SANS GIAC GCIH Practical Assignment v2.1 ⇒ web link (accessed January 2010)
Packet Storm Security (2002). Apache 2.0 Cross-Site Scripting Vulnerability ⇒ web link (accessed February 2010)
Linhart, C., Klein, A., Heled, R., Orrin, S. (2005). HTTP Request Smuggling, Watchfire ⇒ web link (accessed January 2010)
Symantec (2006). HTTP Smuggle Get Content Length, attack signature ⇒ web link (accessed January 2010)
MITRE Corporation. Common Attack Pattern Enumeration and Classification (CAPEC)-86: Embedding Script (XSS) in HTTP Headers ⇒ web link (accessed February 2010)
Bajpai, G. (2009). HP OpenView NNM HTTP Accept-Language header Buffer Overflow Vulnerability, iPolicy Networks Security Advisory ⇒ web link (accessed February 2010)
Mac Vittie, L. (2007). I am in your HTTP headers, attacking your application, F5 Whitepaper ⇒ web link (accessed January 2010)
Donaldson, M.E. (2002). Inside the Buffer Overflow Attack: Mechanism, Method, & Prevention, SANS Institute InfoSec Reading Room, SANS Whitepaper ⇒ web link (accessed January 2010)
Juniper Networks (2002). HTTP: Apache WebDav PROPFIND Directory Disclosure ⇒ web link (accessed January 2010)
Manion, A. (2003). Web servers enable HTTP TRACE method by default, Vulnerability Note VU#867593, US-CERT ⇒ web link (accessed January 2010)
Shah, S. (2004). An Introduction to HTTP fingerprinting, Net-Square ⇒ web link (accessed January 2010)