Corona - Ph.D. Defense Slides

Detection of Web-based attacks

PhD Thesis - DIEE University of Cagliari, Italy

Igino Corona

March 4, 2010


1 Research outline
2 Current Internet Threats
World Wide Web
Common Gateway Interface
Client-side web security
Server-side web security
3 Our Contribution to Client-side Web Security
Flux Buster
4 Our Contribution to Server-side Web Security
Web Guardian
5 Research Contributions - summary
6 Limitations - summary

Research outline

Intrusion Detection and Adversarial Environment - critical
review
I. Corona, G. Giacinto, F. Roli, Intrusion detection in computer systems as a
pattern recognition task in adversarial environment: a critical review,
Workshop on Neural Information Processing Systems (NIPS), Whistler, British
Columbia, Canada, 08/12/2007
Detailed work on the PhD thesis (it is going to be submitted soon to an
important Journal)

Intrusion Detection and Multiple Classiﬁer Systems
I. Corona, G. Giacinto, F. Roli, Intrusion Detection in Computer Systems
using Multiple Classifer Systems, Supervised and Unsupervised Ensemble
Methods and Their Applications, O. Okun and G. Valentini, no. 126:
Springer-Verlag, Berlin/Heidelberg, pp. 91-114, 2008

Research outline

Intrusion Detection and Information Fusion
I. Corona, G. Giacinto, C. Mazzariello, F. Roli, C. Sansone, Information fusion
for computer security: State of the art and open issues, Information Fusion,
vol. 10, pp. 274-284, 2009

Intrusion Detection and Web Security
I. Corona, D. Ariu, G. Giacinto , HMM-Web: a framework for the detection of
attacks against Web applications, IEEE ICC 2009, Dresden, Germany,
14/06/2009
HMM-Web → Web Guardian Detailed work on the PhD Thesis (it is going to be
submitted soon to a relevant conference)
R. Perdisci, I. Corona, D. Dagon, W. Lee, Detecting Malicious Flux Service
Networks through Passive Analysis of Recursive DNS Traces, Annual
Computer Security Applications Conference (ACSAC), Honolulu, Hawaii, USA,
07/12/2009

Current Internet Threats
World Wide Web

The weak point in the chain: World Wide Web
Nowadays, most of Internet threats are due to Web-based
vulnerabilities [SANS (2009), Cenzic (2009)]

easy business
information oppor-
sharing tunities

high
complex
applications World Wide Web exposition
of services

developers
strict time with little
development security
constraints training


web browser Internet web server


request


request request

input query
CGI

web application


request request

input query content
CGI

web application


response [content] response [content]

request request

input query content
CGI

web application


web user (victim) attacker
[malicious content/scams]
web browser web server

Client-side problem: malicious (or infect) websites
Malicious websites routinely exploit vulnerabilities on browsers
(e.g. Internet Explorer, Firefox) and their plugins (e.g.
Javascript, Adobe Reader, Flash player) to execute arbitrary
(unauthorized) instructions at client-side. Compromised
computers may take part in a botnet. In addition, malicious
websites may support a wide range of scams (e.g. Phishing
scams, Fake Job proposals, Fake lotteries).


Malicious Fast Flux Networks
Malicious websites are increasingly hosted through malicious
Fast Flux Service Networks. These networks are composed by
malware infected computers that can be remotely controlled by
miscreants. Each computer typically acts as a HTTP proxy, i.e.
retrieve malicious content from a central node called
mothership. These illegal networks are very robust, pervasive
and inherently difﬁcult to block.


attacker legitimate web service
malicious request
web browser web server

Server-side problem: malicious web requests
Legitimate web services are routinely compromised by
exploiting vulnerabilities on web servers and web applications.
For example, miscreants may steal conﬁdential information or
inject malicious code on web pages, in order to attack users
that will further access to the web services.


Example: Joomla Hotel Booking System
Component

SQL Injection
http://www.vulnerablehotel.com/components/
com_hbssearch/longDesc.php?h_id=1&
id=-2%20union%20select%20concat%28username,
0x3a,password%29%20from%20jos_users--

Cross-site scripting
http://www.vulnerablehotel.com/index.php?
option=com_hbssearch&task=showhoteldetails&
id=118&adult=2<script%20src=http://www.dbrgf.ru
/script.js>

Our Contribution to Client-side Web Security


Flux Buster

Flux Buster

Key observations
In large networks (i.e. serving millions of users), it is very likely that some users
will (unfortunately) fall victims of malicious web content, and will therefore “click”
on (and initiate DNS queries about) fast flux domain names.
Passive analysis of real users’ activities allows us to stealthily detect and collect
information about “popular” malicious flux networks on the Internet, regardless of
the method used by miscreants to advertise websites hosted through these
networks.
Thousands of new domain names per day. In general, during the time, so many
different (but equivalent) domain names may resolve to the same flux network.
Thus, an IP-based clustering of domain names is really useful to (a) identify the
relationship between domain names, (b) accurately characterize different fast
flux networks, (c) obtain a lower number of objects (domain clusters vs domains)
that must be classified.

Flux Buster

Passive RDNS data collection

Flux Buster

Architecture

Flux Buster

Architecture

Very conservative (but effective) preﬁltering rules
F1: stateless rules, e.g. TTL ≥ 3 hours
F2: stateful rules, e.g. for each domain name resolved at least
100 times: (a) it is associated to only 5 (or less) distinct IP
addresses and (b) there is no DNS reply which returns more
than 2 new IP addresses.

Flux Buster

Preprocessing phase

Flux Buster

Preprocessing phase

↓ F1+F2

Flux Buster

Hierarchical single linkage Clustering

|R(α) ∩ R(β) | 1
sim(α, β) = ·
(α) ∪ R(β) | 1 + e γ−min(|R(α) |,|R(β)|)
∈ [0, 1]
|R

Flux Buster

Hierarchical single linkage Clustering

|R(α) ∩ R(β) | 1
sim(α, β) = ·
(α) ∪ R(β) | 1 + e γ−min(|R(α) |,|R(β)|)
∈ [0, 1]
|R
8000

7000
6000

5000
num. of clusters

num. of clusters
4000

3000
2000

0 1000
0

0.0 0.2 0.4 0.6 0.8 1.0 0.0 0.2 0.4 0.6 0.8 1.0

cut height (h) cut height (h)

Figure: Cluster Analysis, Figure: Cluster Analysis,
Sensor 1. Sensor 2.

Flux Buster

Service Classifier

Cluster statistical features
Passive: φ1 Number of resolved IPs, φ2 Number of do-
mains, φ3 Avg. TTL per domain, φ4 Network
prefix diversity, φ5 Number of domains per net-
work, φ6 IP Growth Ratio

Active: φ7 Autonomous System (AS) diversity, φ8 BGP
prefix diversity, φ9 Organization diversity, φ10
Country Code diversity, φ11 Dynamic IP ratio,
φ12 Average Uptime Index.

Flux Buster

Service Classiﬁer

Cluster ID Cluster Nickname Use Label
l1 cdne.gearsofwar.xbox.com CDN Legitimate
l2 fotf.cdnetworks.net CDN Legitimate
l3 3.europe.ntp.org NTP pool Legitimate
l4 opendht.nyuld.net OASIS Legitimate
m1 50b0f40526956b85.saidthesestory.com Adult Content/Malware Malicious Flux
m2 paypal.database-confirmation.com Phishing Malicious Flux
m3 hqdvrp.flagacai.com Pharmacy Scam Malicious Flux

l1 l2 l3 l4 m1 m2 m3
IP Growth Ratio (φ6 ) 0.028 0.016 0.039 0.021 0.932 0.374 0.56
Number of domains per network (φ5 ) 488 165 57 54 42000 228 1632
Avg. TTL per domain (φ3 ) 22 20 1402 7421 300 180 180

Flux Buster

Service Classiﬁer

Labeled Dataset
Time Interval 1march / 14april 2009
Users Over 4 millions
DNS queries 2.5 · 109 per day
Candidate ﬂux domains ∼ 105 per day
Domain Clusters ∼ 310 clusters per day1
Fast Flux Clusters ∼ 23 clusters per day
Fast Flux domain names 61,710
Flux Agents 17,332

1
We consider only clusters (networks) having at least 10 IP addresses

Flux Buster

Service Classiﬁer

Flux Buster

Service Classiﬁer - accuracy

Decision tree Accuracy - C4.5 algorithm -
5 fold cross validation: 60%training, 40%test
Features AUC DR FP
All 0.992 (0.003) 99.7% (0.36) 0.3% (0.36)
Passive 0.993 (0.005) 99.4% (0.53) 0.6% (0.53)
φ6 , φ3 , φ5 0.989 (0.006) 99.3% (0.49) 0.7% (0.49)

Flux Buster

Application - domain name Blacklisting

adult content
0711afafa7803d51.nugentcelticdonnell.com, 088683b12777d475.ghostsbarredrental.com,

08f15257a0ea7ee5.spreadnettingcleanly.com, 09ad518ad726e193.squadsvariousembryos.com,

09ae7f81efa7faa2.fraserlibraryshabby.com, 0a1a7c2792c461ed.nugentcelticdonnell.com,

0b53caa4e8a9edb5.fraserlibraryshabby.com, 0bc0dd7f7773c50c.nugentcelticdonnell.com,

0bfd3365dca2c45b.nugentcelticdonnell.com, 0c9328f675b1b931.ghostsbarredrental.com,

0d565d437fb5869d.ghostsbarredrental.com, 0d9d81f5e70761d2.squadsvariousembryos.com,

0dfde08e68ca8358.ghostsbarredrental.com, 0e294041c5d3d17c.developleftcity.com,

0e3fe6f42143105b.squadsvariousembryos.com, 0f255699977f3a81.ghostsbarredrental.com,

0fde9565dad27a33.nugentcelticdonnell.com, 100d83dcb74219a6.fraserlibraryshabby.com,

14cc04d937dd090f.fraserlibraryshabby.com, 163f3db2671f9703.fraserlibraryshabby.com,

189dda5b6c51569e.squadsvariousembryos.com, 18ad145ae37d4318.ghostsbarredrental.com,

191ab3abf627f482.nugentcelticdonnell.com, 1a3a25badc9819c5.nugentcelticdonnell.com

[· · · many more]

Flux Buster


facebook phishing
facebook.shared.accessservlet.personalid-fbhmod8j9.processlogon.344session.com,

facebook.shared.accessservlet.personalid-kd0vb3bjj.ceptservlet.8345server.com,

facebook.shared.accessservlet.personalid-mct6meeyi.alternative.8345server.com,

facebook.shared.accessservlet.personalid-xm4f9y8xa.emberuiweb.344session.com,

facebook.shared.accountholder.personalid-0ip00okut.mixed.5435core.com,

facebook.shared.accountholder.personalid-3vj54osat.accountholder.344session.com,

facebook.shared.accountverify.personalid-4z37tsrz9.usermanage.344session.com,

facebook.shared.accountverify.personalid-sa3vts29i.serveronline.8345server.com [· · ·

many more]

Flux Buster


myspace phishing
accounts.myspace.com.tteszk.org.uk, accounts.myspace.com.tteszk.me.uk,

accounts.myspace.com.tteszk.co.uk, accounts.myspace.com.tteszg.org.uk,

accounts.myspace.com.tteszg.me.uk, accounts.myspace.com.tteszg.co.uk,

accounts.myspace.com.tteszf.co.uk, accounts.myspace.com.ttesza.org.uk,

accounts.myspace.com.ttesza.me.uk, accounts.myspace.com.ttesza.co.uk,

accounts.myspace.com.terhhoq.org.uk, accounts.myspace.com.terhhoq.me.uk,

accounts.myspace.com.terhhoq.co.uk, accounts.myspace.com.terhhol.org.uk,

accounts.myspace.com.terhhol.me.uk, accounts.myspace.com.terhhol.eu,

accounts.myspace.com.terhhol.co.uk, accounts.myspace.com.terhhok.org.uk,

accounts.myspace.com.terhhok.me.uk, accounts.myspace.com.terhhok.eu,

accounts.myspace.com.iuuuujer.me.uk, accounts.myspace.com.iuuuujer.eu,

accounts.myspace.com.iuuuujer.co.uk, accounts.myspace.com.iuuuujek.org.uk,

accounts.myspace.com.iuuuujek.me.uk [· · · many more]

Flux Buster


ebay phishing
cgi.ebay.com.fvdssrt.com, cgi.ebay.com.idservertff.net, cgi.ebay.com.idsrvtttr.com,

cgi.ebay.com.modefst10.mobi, cgi.ebay.com.msdrvffg.net, cgi.ebay.com.msdrvt1.bz,

cgi.ebay.com.msfddre.com, cgi.ebay.com.mtdfggs.com, cgi.ebay.com.sdlserverts.com,

cgi.ebay.com.trffdsl.com, cgi.ebay.com.vfrres.com, cgi.ebay.com.vsdfggg.net,

cgi.ebay.com.vvssldr.com, cgi.ebay.com.vvssldr.net, cgi.ebay.com.vzdfff1.com,

cgi.ebay.com.dllmsdrv.net

Flux Buster


bank/irs.gov phishing
chaseonline.chase.com.omersw.com, chaseonline.chase.com.omersr.net,

chaseonline.chase.com.omersr.com, chaseonline.chase.com.omersf.net,

chaseonline.chase.com.omersf.com, chaseonline.chase.com.omersd.net,

chaseonline.chase.com.nyterdasq.net, chaseonline.chase.com.nyterdasq.com,

chaseonline.chase.com.omersx.net, chaseonline.chase.com.omersx.com, fwd.omersf.net,

chaseonline.chase.com.nyterdasp.net, 02fgu145501.cn,

chaseonline.chase.com.nyterdasp.com, chaseonline.chase.com.omersw.net, ger11zr.com,

c.omersx.com, www.irs.gov.ger11zh.net, www.irs.gov.yh1ferz.info,

www.irs.gov.yh1ferz.com, www.irs.gov.ger11zr.com, www.irs.gov.merfaslo.com,

www.irs.gov.ger11zh.com, www.irs.gov.ger11zx.eu, gshipagc.com, gshipagc.net,

www.ger11zf.net, grph.omersf.net [· · · many more]

Flux Buster


on-line pharmacy scam
fiweixg.cn, fshioiwg.cn, fsieoowf.cn, galn.sfoioiiw.cn, gba.sdigwpd.cn,

gdao.sfoioiiw.cn, gdap.sdigwpd.cn, gdou.sdigwpd.cn, gdq.sfoioiiw.cn, gff.fsieoowf.cn,

gfnt.fsieoowf.cn, ggq.fieooief.cn, ggq.sdigwpd.cn, gguf.ssmmmwp.cn, gh.dipmmeig.cn,

gib.fsieoowf.cn, gib.igemmpi.cn, giew.igemmpi.cn, gii.fsieoowf.cn, gjhn.dipmmeig.cn,

gkah.sdigwpd.cn, glhh.sfoioiiw.cn, glqu.sfoioiiw.cn, gmb.sdigwpd.cn, gnum.sdigwpd.cn,

gnvq.fshioiwg.cn, gpb.sdigwpd.cn, gpq.fieooief.cn, gpwc.sdigwpd.cn, gqk.sfoioiiw.cn,

grd.sfoioiiw.cn, grx.sfoioiiw.cn, gsew.fieooief.cn, gsvg.fsieoowf.cn,

gtf.dipmmeig.cn, gtr.dipmmeig.cn, gtse.fshioiwg.cn, gudl.sfoioiiw.cn,

guo.bssigrpi.cn, gvhd.sfoioiiw.cn, gvxl.fsieoowf.cn, gvy.fsieoowf.cn,

gwc.sfoioiiw.cn, gwgz.sdigwpd.cn, gwz.fshioiwg.cn [· · · many more]

Flux Buster

Time interval: November, 3, 2009 - February, 2, 2010. Flux
agents: 21,108 IP addresses. Fast ﬂux domain names: 16,375.
Analysis of flux domain names through Google safebrowsing
18000
16000
Number of unique fast flux domain names

14000
12000
10000
8000
6000
4000
2000
0 Total Visited Malicious

Flux Buster


Interpretation
We speculate that most of ﬂux domain names are advertized by
webpages not indexed by Google, or by means of
non-web-based forms of advertisement. In fact, during our
experiments we came accross several compromised websites
whose injected HTML code was in the form:
<META NAME="ROBOTS" CONTENT="NOFOLLOW">
<script src=http://fast-flux-domain-name1/script.js>
<script src=http://fast-flux-domain-name2/script.js>
...
<script src=http://fast-flux-domain-nameN/script.js> </META>

Flux Buster

Application - real time detection and spam ﬁltering

Real time detection of suspicious websites
We may detect in real time suspicious domain names, i.e.
domain names whose resolved IPs are among the pool of
known ﬂux agents (detected through our system).

Flux Buster

Application - real time detection and spam filtering

100
95
90
85
80
75
70
Detection Rate %

65
60
55
50
45
40
35
30
25
20 Day 2009-03-04, 33697 spam domains
15 Day 2009-03-06, 105608 spam domains
10 Day 2009-03-10, 103554 spam domains
5 Day 2009-03-15, 168298 spam domains
0
0.0 0.0002 0.0004 0.0006 0.0008 0.001 0.0012 0.0014 0.0016 0.0018
False Positive Rate % (Alexa TOP domains)

Interpretation
We spot almost all domain names inside spam emails. It is
worth noting that some of them do not have a “fluxy” behavior,
but resolve to flux agents characterized by high uptime.

Our Contribution to Server-side Web Security


Web Guardian

Web Guardian

Anomaly-based approach

Problem
We would like to detect either known or unknown attacks
against web services. Also, we’d like to provide for automatic
counteractions against such attacks, to protect web services in
real time.

Our Approach
Given a sample of requests on the web server, we model
the normal (legitimate) web traffic profile
We detect web traffic that does not reflect the legitimate
profile (i.e. web attacks)
We may provide for well-suited real-time counteractions,
depending on the detected anomalies

Web Guardian

Architecture

Web Guardian

Learning framework

Problem
We cannot assume an
attack-free training set! Known
outlier detection techniques may
be not suitable for our task.

Automatic noise ﬁltering
Each model is (re)trained
excluding some samples from
the training set.

Web Guardian

General models

General-purpose models
Feature Model
Sequence of symbols Hidden Markov Model (model-a) -
Baum Welch Algorithm, states=avg
n. of distinct symbols in a se-
quence, random init state transition
and symbol emission matrix
σ2
Numeric Value p[x|model-b] = (x−µ)2 if x > µ + σ
count(x)
Discrete Value p[x|model-c] =
total n. samples

Web Guardian

Modeled features

model-a sequence of: headers; web app. attributes;
attribute inputs (generalization of numbers and
letters);
model-b ratio between rejected and successful requests,
and frequency of requests on each web
application, per source IP address; for each
header, its input lenght;
model-c method; http version; for each header, the
following ﬂags: has-alphabetic-input,
has-digit-input; for each header: list of
non-alphanumeric input characters.

Web Guardian

Experiments

Dataset Λ = Σ ∪ T
time interval 27 November - 3
December, 2009
number of web requests 447,178
distinct IP addresses 1,703
bad requests 5,507
web application queries 98,900
number of web applications 217

Dataset Σ and T
Σ contains the ﬁrst 200,000 requests in Λ, and it is employed
for training the system. T contains the remaining 247,178
requests, and it is used for performance evaluation.

Web Guardian

Experiments

Training phase
CPU Intel CoreDuo2 T8100 2.1Ghz, 2GBytes of RAM, and
Linux (Ubuntu 8.04) Operating System. Training time: 2 hours
and 53 minutes RAM max 1.6GBytes.

OK, but what about attacks inside dataset Λ?
We identify attacks inside Λ with the help of Web Guardian. For each model, we
manually inspect the training samples receiving lower probability. This is justiﬁed since:
(a) we may assume that attack samples are in lower number w.r.t. legitimate samples,
(b) attacks are characterized by patterns signiﬁcantly different from legitimate patterns.
Furthermore, this process is not expensive, because we need to inspect only a small
protion of training samples for each model.

Web Guardian

Experiments

Attack dataset Φ

Target Details Attack Type References Attacks
web applica- 90 distinct web applications cross-site scripting, [Spett (2002)] 412
tion queries and 372 attributes sql injection, remote [Admin (2002)]
code execution, re- [Mac Vittie (2007)]
mote file inclusion, [Hansen (2009)]
information gathering [Pastor (2009)]
[Auger (2010)]
[L0t3k]
headers Accept, generic buffer over- [Bellamy (2002)] 78
Accept-Language, flow, cross-site [PSS (2002)]
Referer, Content-Type, scripting, sql injec- [Linhart et al. (2005)]
Accept-Encoding, tion, http request [Symantec (2006)]
User-Agent, Host, smuggling, CRLF [CAPEC (2007)]
Content-Length, injection [Bajpai (2009)]
Connection, [Mac Vittie (2010)]
Cache-Control, Cookie,
Via, X-Forwarded-For,
If-Modified-Since
method PROPFIND, OPTIONS, buffer overflow, [Donaldson (2002)] 12
TRACE and bad strings cross-site scripting, [Juniper (2002)]
information gathering [Manion (2003)]
[Shah (2004)]
http version bad format string buffer overflow, infor- [Donaldson (2002)] 5
mation gathering [Shah (2004)]

Web Guardian

Experiments

Results
Parameter Dataset Value
Λ = Σ∪T 232/232 100% ∼39alerts/day
detection rate
Φ 505/507 99.6%
Λ 1,252/447,178 0.28% ∼209alerts/day
false alarm rate Σ 450/200,000 0.22% ∼150alerts/day
T 802/247,178 0.32% ∼267alerts/day
response time Λ 1.2 milliseconds

Web Guardian

Experiments

Observation
It is worth to note that a signiﬁcantly lower false positive rate may be attained by
manually verifying false alarms on our web interface. Using such a interface we may:
group anomalies depending on their type: i.e. what is the model which raised the
anomaly, common traits of the anomaly (e.g. a suspect non-alphanumeric
character), source IP address, targeted web application/header
adjust model thresholds, so that attacks may be still reliably evidenced and false
alarms are reduced
(re)train models using some samples which have been erroneously discarded by
the learning framework (e.g. because there were no attacks in the set of training
samples)

Web Guardian

Implementation

Research Contributions - summary

Flux Buster
novel, passive approach for detecting and tracking malicious flux service
networks.
we detect fast flux domain names, regardless the way they are advertised
active probing proposed so far is expensive, requires a distributed architecture,
and may be detected and blocked/influenced by miscreants. Contrary, we do not
interact ourselves with the flux network and our approach is stealthy.
we accurately characterize and detect flux networks. By means of Flux Buster
we may substantially enhance the state-of-the-art protection of web users and
spam filtering applications.

Research Contributions - summary

Web Guardian
unsupervised training which effectively handles the presence of attacks in the
training set
accurate detection both known and unknown attacks against web services. This
complements the rule-based approach of modsecurity.
low false positive rate
ability to counteract in real time, and thus protect web services
multiple, speciﬁc anomaly detectors allow to (a) infer the typology of an attack,
(b) further reduce false positives by grouping similar anomalies, (c) provide for
well-suited counteractions
easy to extend with new models/features
the host-based approach allows us to limit evasive attacks (e.g.
desynchronization) and monitor both HTTP and HTTPS trafﬁc

Limitations - summary

Flux Buster
the approach is effective only if applied in large computer networks
some flux domain names may be erroneously prefiltered. To this end, a detailed
evaluation is required. For example, we could select filtered domain names
whose patterns are placed near the decision surface of our prefiltering stage.
Then, we may analyze them using other fast flux detection tools (e.g.
abuse.ch).
due to the massive amount of data Flux Buster has to process, the
responsiveness of Flux Buster is slow. However, this limitation may be reduced
by employing the detection approach proposed for spam filtering.
in principle, fast flux operators may deliberately inject some legitimate IP address
in the pool of flux agents. However, they have to pay a reduced effectiveness of
flux domain names. In order to cope with this issue, we may filter
known-as-legitimate IP addresses from the pool of flux agents, e.g. by extracting
all IP addresses used by most popular websites according to legitimate
organizations such as Alexa.

Limitations - summary

Web Guardian
it is fundamentally limited to the detection of input validation attacks. In order to
detect web attacks exploiting logical vulnerabilities, we must add new features
and models.
actually we do not have a description of attacks. We are working on the
automatic inference of the attack class, given an anomaly.
false alarm injection: automatic counteractions may still prevent successful
attacks. However, as matter of fact, the false alarm injection attacks are not
currently addressed by Web Guardian. As future work we intend to research
solutions to this issue.

Thank you!

Thank you for your attention!
Any question?

Thank you!

SANS Institute (2009). The Top Cyber Security Risks -
september 2009. ⇒ web link (accessed January 2010)
Cenzic, Inc. (2009). Web Application Security Trends
Report ⇒ web link (accessed January 2010)
Spett, K. (2002). SQL Injection: Are Your Web Applications
Vulnerable?, A White Paper from SPI Dynamics ⇒ web link
(accessed January 2010)
admin@cgisecurity.com (2002). The Cross Site Scripting
FAQ, Packet storm security ⇒ web link (accessed February
2010)
Mac Vittie, L. (2007). SQL Injection Evasion Detection, F5
Whitepaper ⇒ web link (accessed January 2010)
Hansen, R. (2009). XSS (Cross Site Scripting) Cheat Sheet
for ﬁlter evasion, ha.ckers.org ⇒ web link (accessed
January 2010)

Thank you!

Pastor, A. (2009). CVE-2009-1151: phpMyAdmin Remote
Code Execution Proof of Concept, GNUCitizen ⇒ web link
(accessed February 2010)
Auger, R. (2010). Remote File Inclusion, The Web
Application Security Consortium ⇒ web link (accessed
February 2010)
L0t3k, SQL Injection: The Complete Documentation ⇒
web link (accessed January 2010)
Bellamy, W. (2002). HyperText Transfer Protocol (HTTP)
Header Exploitation, Advanced Incident Handling and
Hacker Exploits, SANS GIAC GCIH Practical Assignment
v2.1 ⇒ web link (accessed January 2010)
Packet Storm Security (2002). Apache 2.0 Cross-Site
Scripting Vulnerability, ⇒ web link (accessed February
2010)

Thank you!

Linhart, C., Klein, A., Heled, R., Orrin, S. (2005). HTTP
Request Smuggling, Watchfire ⇒ web link (accessed
January 2010).
Symantec (2006). HTTP Smuggle Get Content Length,
attack signature ⇒ web link (accessed January 2010)
Common Attack Pattern Enumeration and Classification
(CAPEC)-86: Embedding Script (XSS) in HTTP Headers,
MITRE Corporation, ⇒ web link (accessed February 2010)
Bajpai, G. (2009). HP OpenView NNM HTTP
Accept-Language header Buffer Overflow Vulnerability,
iPolicy Networks Security Advisory ⇒ web link (accessed
February 2010)
Mac Vittie, L. (2007). I am in your HTTP headers, attacking
your application, F5 Whitepaper ⇒ web link (accessed
January 2010)

Thank you!

Donaldson, M.E. (2002). Inside the Buffer Overﬂow Attack:
Mechanism, Method, & Prevention, SANS Institute
InfoSec Reading Room, SANS Whitepaper ⇒ web link
(accessed January 2010)
Juniper Networks (2002). HTTP: Apache WebDav
PROPFIND Directory Disclosure ⇒ web link (accessed
January 2010)
Manion, A. (2003). Web servers enable HTTP TRACE
method by default, Vulnerability Note VU#867593,
US-CERT ⇒ web link (accessed January 2010)
Shah, S. (2004). An Introduction to HTTP ﬁngerprinting,
Net square ⇒ web link (accessed January 2010)

Corona - Ph.D. Defense Slides

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Corona - Ph.D. Defense Slides

Similar a Corona - Ph.D. Defense Slides (20)

Más de Pluribus One

Más de Pluribus One (20)

Último

Último (20)

Corona - Ph.D. Defense Slides