![Page 1: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/1.jpg)
CODE BLUE 2016
Presented by Isao Takaesu
Method of Detecting Vulnerability
in Web Apps
Using Machine Learning
![Page 2: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/2.jpg)
About the speaker
• Occupation: Web security engineer
• Company: Mitsui Bussan Secure Directions
• Hobbies: Making scanners, Machine Learning
• Blog: http://www.mbsd.jp/blog/
• Presented in “Black Hat Asia 2016” Arsenal
• hosted “AISECjp”
Isao Takaesu
MBSD
(@bbr_bbq)
CODE BLUE 2016
![Page 3: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/3.jpg)
Agenda
MBSD CODE BLUE 2016
1. Introduction
2. Objectives of research
3. Overview of SAIVS
4. Realized methods
5. Validation results
6. Demonstration
7. Future Prospects
![Page 4: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/4.jpg)
Introduction
MBSD CODE BLUE 2016
In Japan, there is
a significant lack of security engineers.
![Page 5: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/5.jpg)
MBSD CODE BLUE 2016
About 240,000 people short.
(according to a survey by IPA)
Introduction
![Page 6: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/6.jpg)
MBSD CODE BLUE 2016
Are we facing the limit of
human-only resources?
Introduction
![Page 7: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/7.jpg)
Objectives of research
MBSD CODE BLUE 2016
Fully automated information security.
![Page 8: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/8.jpg)
MBSD CODE BLUE 2016
The first step is
Web application vulnerability assessment.
Objectives of research
![Page 9: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/9.jpg)
What is web app vul assessment?
MBSD CODE BLUE 2016
Detect vulnerabilities on web apps.
![Page 10: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/10.jpg)
MBSD
Security engineer Web Server
Web Apps
Our company Client company
Pseudo-attack
Analyze response
CODE BLUE 2016
Performs pseudo-attacks while crawling the pages of web apps.
Analyzes the response and detects vulnerabilities.
What is web app vul assessment?
![Page 11: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/11.jpg)
MBSD
Web Server
Web AppsSQLi?
XSS?
CODE BLUE 2016
Our company Client company
Pseudo-attack
Analyze responseSecurity engineer
Performs pseudo-attacks while crawling the pages of web apps.
Analyzes the response and detects vulnerabilities.
What is web app vul assessment?
![Page 12: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/12.jpg)
Issues of web app vul assessment
MBSD CODE BLUE 2016
Depends on the skilled craftsmanship
of security engineers.
![Page 13: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/13.jpg)
Our “GOAL”
Realize ALL MACHINE web app vulnerability assessment.
MBSD
The AIWeb Server
Web Apps
CODE BLUE 2016
Our company Client company
Pseudo-attack
Analyze response
SQLi?
XSS?
![Page 14: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/14.jpg)
Overview of AI ”SAIVS”
MBSD
SAIVS
Spider Artificial Intelligence Vulnerability Scanner
CODE BLUE 2016
AI that performs web app vul assessment.
![Page 15: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/15.jpg)
Abilities of SAIVS
MBSD
Crawls web apps
Detects vulnerabilities
CODE BLUE 2016
![Page 16: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/16.jpg)
Abilities of SAIVS
MBSD
Crawls web apps
Detects vulnerabilities
CODE BLUE 2016
![Page 17: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/17.jpg)
Importance of crawling
MBSD CODE BLUE 2016
Top Login
Register Confirm
Contact Us
My Page
Complete
vulnerability
Send
message
![Page 18: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/18.jpg)
MBSD CODE BLUE 2016
Top Login
Register Confirm
Contact Us
My Page
Complete
It is necessary to log in correctly.
Importance of crawling
Send
message
![Page 19: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/19.jpg)
MBSD CODE BLUE 2016
Top Login
Register Confirm
Contact Us
My Page
Complete
Importance of crawling.
It is necessary to register correctly.
Send
message
![Page 20: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/20.jpg)
MBSD CODE BLUE 2016
Top Login
Register Confirm
Contact Us
My Page
Complete
It is important to exhaustively crawl pages.
Importance of crawling
Send
message
![Page 21: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/21.jpg)
MBSD
Crawling web apps is difficult.
Why?
CODE BLUE 2016
![Page 22: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/22.jpg)
What is the type of this page ?
MBSD CODE BLUE 2016
Humans : Easily recognize the page type.
Machine : Difficult. (Log in? Register?)
![Page 23: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/23.jpg)
What has just happened?
MBSD
Humans : Recognize failed crawling attempts from the message.
Machine : Difficult to interpret the message.CODE BLUE 2016
![Page 24: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/24.jpg)
What are your input values to crawl to the next page ?
MBSD
crawl
Humans : Input correct values in the form.
Machine : Difficult to interpret the meaning of the form.
???
???
???
???
???
CODE BLUE 2016
![Page 25: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/25.jpg)
MBSD
Crawling requires complex thinking.
CODE BLUE 2016
![Page 26: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/26.jpg)
3 requirements for crawling
MBSD
Recognize the page type
Recognize the success/fail of crawling
Input correct values in the forms
CODE BLUE 2016
![Page 27: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/27.jpg)
MBSD CODE BLUE 2016
How do you achieve them?
![Page 28: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/28.jpg)
Our approach
MBSD CODE BLUE 2016
Reverse engineering of the human brain.
![Page 29: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/29.jpg)
MBSD CODE BLUE 2016
Each thinking pattern
implemented in machine learning.
Our approach
![Page 30: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/30.jpg)
3 requirements for crawling
MBSD CODE BLUE 2016
Recognize the page type
Recognize the success/fail of crawling
Input correct values in the forms
![Page 31: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/31.jpg)
Page recognition by humans
MBSD CODE BLUE 2016
![Page 32: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/32.jpg)
Page recognition by humans
MBSD CODE BLUE 2016
Recognize the keywords that characterize the page.
![Page 33: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/33.jpg)
Page recognition by machines
MBSD CODE BLUE 2016
Using Naive Bayes.
![Page 34: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/34.jpg)
What is Naive Bayes?
Naive Bayes is used for auto classification of texts.
Uses pre-defined categories & laws of probability.
MBSD
examples)
Spam mail filter.
Classify blog post genres.
Improvement of defensive accuracy for WAF.
CODE BLUE 2016
![Page 35: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/35.jpg)
MBSD
SPAM:0.672 ← SelectedHAM :0.03
limitedSPAM:40%HAM :10%
Category
period
click
here
http://
wana.jp
SPAM:10%HAM :30%
SPAM:70%HAM :50%
SPAM:30%HAM :40%
SPAM:80%HAM :5%
Extracting a keyword from the mail text.
Example of the use of the spam e-mail filter.
CODE BLUE 2016
To calculate the probability of SPAM and HAM,
to select the probability is high category.
![Page 36: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/36.jpg)
MBSD CODE BLUE 2016
Page recognition by Naive Bayes
![Page 37: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/37.jpg)
Page recognition by Naive Bayes
MBSD
<h1>Sign in</h1><form action="/cyclone/sessions" method="post"><label for="email">Email</label><input id="email" name="email" type="text" /><label for="password">Password</label><input id="password" name="password" type="password" /></form>
Extracts keywords that characterize the page.
Excludes “Stop words”.
CODE BLUE 2016
![Page 38: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/38.jpg)
Category table for page recognition
MBSD
Categories Keywords
Log in Email, User ID, Password, Sign in …
Register user Email, Password, Confirm, Sign up …
Search Word, Text, String, Sort, Search …
Purchase goods Credit, Account, Expire, Purchase …
Change password Password, Old Password, Change …
CODE BLUE 2016
Selects the category that contain the many keywords.
Keywords : Sign in, Email, Password
![Page 39: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/39.jpg)
MBSD
Categories Keywords
Log in Email, User ID, Password, Sign in …
Register user Email, Password, Confirm, Sign up …
Search Word, Text, String, Sort, Search …
Purchase goods Credit, Account, Expire, Purchase …
Change password Password, Old Password, Change …
CODE BLUE 2016
“Log in” category contains many of the keywords.
⇒ The highest probability of the category "Log in".
Category table for page recognition
![Page 40: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/40.jpg)
MBSD CODE BLUE 2016
This page is
recognized as ”Log in”.
Page recognition by Naive Bayes
![Page 41: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/41.jpg)
3 requirements for crawling
MBSD CODE BLUE 2016
Recognize the page type (✔)
Recognize the success/fail of crawling
Input correct values in the forms
![Page 42: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/42.jpg)
MBSD CODE BLUE 2016
Recognition of page crawling success/fail by humans
![Page 43: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/43.jpg)
MBSD CODE BLUE 2016
Recognition of page crawling success/fail by humans
Recognizes the keywords that characterize failure.
![Page 44: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/44.jpg)
MBSD CODE BLUE 2016
Using Naive Bayes.
Recognition of page crawling success/fail by machines
![Page 45: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/45.jpg)
MBSD CODE BLUE 2016
Recognition of page crawling success/fail by machines
![Page 46: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/46.jpg)
MBSD
<h2>2 errors prohibited this user from being saved </h2><p>There were problems with these fields:</p><ul><li> Password doesn't match confirmation </li><li> Email is invalid </li>["Password doesn't match confirmation","Email is invalid"]</ul>
CODE BLUE 2016
Extracts keywords that characterize failure.
Excludes “Stop words”.
Recognition of page crawling success/fail by machines
![Page 47: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/47.jpg)
Category table for page crawling success/fail
MBSD
Categories Keywords
Successgood, valid, success, normal, fine, clean, nice,
can, match, confirmation, ok, finish, thank …
Failurebad, invalid, failure, error, problem, unmatch,
doesn’t match, can’t, too, wrong, ng, blank …
CODE BLUE 2016
Selects the category that contain the many keywords.
Keywords : errors, problem, doesn’t match, invalid
![Page 48: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/48.jpg)
MBSD
Categories Keywords
Successgood, valid, success, normal, fine, clean, nice,
can, match, confirmation, ok, finish, thank …
Failurebad, invalid, failure, error, problem, wrong,
doesn’t match, can’t, too, ng, blank …
CODE BLUE 2016
“Failure“ category contains many of the keywords.
⇒ The highest probability of the category "Failure".
Category table for page crawling success/fail
![Page 49: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/49.jpg)
MBSD CODE BLUE 2016
This is recognized as a
page transition ”failure”.
Recognize the success/fail of crawling by machines
![Page 50: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/50.jpg)
3 requirements for crawling
MBSD CODE BLUE 2016
Recognize the page type (✔).
Recognize the success/fail of crawling (✔).
Input correct values in the forms.
![Page 51: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/51.jpg)
MBSD CODE BLUE 2016
Interprets the meaning of the form and inputs correct values.
crawl
Isao Takaesu
mbsd1234
mbsd1234
Inputting correct values by humans
![Page 52: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/52.jpg)
MBSD CODE BLUE 2016
Using multilayer perceptron &
Q-Learning.
Inputting correct values by machines
![Page 53: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/53.jpg)
What is multilayer perceptron(MLP)?
MBSD
examples)
Image recognition.
Hand-written number recognition.
CODE BLUE 2016
MLP is used for image recognition.
The model simulates the neural structure and function.
![Page 54: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/54.jpg)
・・・
・・・
・・・
Data Label
0
1
2
Training Data
Example of the use of the hand-written number recognition
CODE BLUE 2016MBSD
・・・
・・・
・・・
X₁
X₂
X784
X0
Y₁
Y₂
Y300
Y0
Z₁
Z₂
Z10
MLP
Learn
It can output the answer depending on the input data.
![Page 55: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/55.jpg)
Learned MLP
014679 425970401967CODE BLUE 2016MBSD
Example of the use of the hand-written number recognition
![Page 56: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/56.jpg)
An algorithm that learns the best behavior of the agent.
Evaluates effectiveness of the behavior using the Q-value.
MBSD
examples)
Locomotive learning in robots.
Playing video games.
Route search.
CODE BLUE 2016
What is Q-Learning?
![Page 57: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/57.jpg)
Example of the use of the locomotive learning in robots
MBSD CODE BLUE 2016
Agent
Environment
a1 Forward
a2 Left turn
a3 Right turn
a4 Backward
Action
State s
・・・
Next state s’
Policy
( a | s )
Transition probability
( s’ | s, a )
hole in the front
of the eye …
Reward r = R( s, a, s’ )
Task : The goal to avoid obstacles.
Learn the policies that total of reward is the maximum.
Update Q( s, a )
![Page 58: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/58.jpg)
Model to attain correct input values
MBSD
Learns correct input values while attempting to crawl.
CODE BLUE 2016
・・・
・・・
Current page
MLP
Input values
Q-Learning
Next page
p1=abc, xyz・・・
p1=123, 12a・・・
p1=abc@xxx・・・
observe
state
evaluate
update
weight
![Page 59: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/59.jpg)
MBSD CODE BLUE 2016
Model to attain correct input values
・・・
・・・
Current page
MLP
Input values
Q-Learning
Next page
p1=abc, xyz・・・
p1=123, 12a・・・
p1=abc@xxx・・・
observe
state
evaluate
update
weight
Learns correct input values while attempting to crawl.
![Page 60: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/60.jpg)
Patterns of input value
MBSD
Pattern Input value
Char abc, abcdef, aBc, aBcdEf, ABCDEF …
Num 123, 12345, 4111111111111111 …
Char,Num abc123, 123abc, aBc123, 1a2b3c …
Char,Symbol abc!, abc!#$, abcdef!, abcdef!#$ …
Num,Symbol 123!, 123!#$, 12345!, !#$12345 …
Char,Num,Symbol abc123!, 123abc!, abc!123, !#$%&a1 …
Mail address [email protected], [email protected] …
CODE BLUE 2016
Set a combination of input values to the parameter.
Target : INPUT TYPE = text, password
![Page 61: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/61.jpg)
MBSD
Inputs ”current" and "next" page to MLP.
CODE BLUE 2016
Learning flow
・・・
・・・
Current page
MLP
Input values
Q-Learning
Next page
p1=abc, xyz・・・
p1=123, 12a・・・
p1=abc@xxx・・・
observe
state
evaluate
update
weight
![Page 62: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/62.jpg)
MBSD
Selects any input pattern from the input of MLP.
CODE BLUE 2016
Learning flow
・・・
・・・
Current page
MLP
Input values
Q-Learning
Next page
p1=abc, xyz・・・
p1=123, 12a・・・
p1=abc@xxx・・・
observe
state
evaluate
update
weight
![Page 63: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/63.jpg)
MBSD
Attempts to crawl using the selected input pattern of MLP.
CODE BLUE 2016
Learning flow
・・・
・・・
Current page
MLP
Input values
Q-Learning
Next page
p1=abc, xyz・・・
p1=123, 12a・・・
p1=abc@xxx・・・
observe
state
evaluate
update
weight
![Page 64: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/64.jpg)
MBSD
Observe the result of crawling.
CODE BLUE 2016
Learning flow
・・・
・・・
Current page
MLP
Input values
Q-Learning
Next page
p1=abc, xyz・・・
p1=123, 12a・・・
p1=abc@xxx・・・
observe
state
evaluate
update
weight
![Page 65: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/65.jpg)
MBSD
Gives a reward depending on the result of crawling.
CODE BLUE 2016
Learning flow
・・・
・・・
Current page
MLP
Input values
Q-Learning
Next page
p1=abc, xyz・・・
p1=123, 12a・・・
p1=abc@xxx・・・
observe
state
evaluate
update
weight
![Page 66: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/66.jpg)
MBSD
Update the weight of MLP using backpropagation.
CODE BLUE 2016
Learning flow
・・・
・・・
Current page
MLP
Input values
Q-Learning
Next page
p1=abc, xyz・・・
p1=123, 12a・・・
p1=abc@xxx・・・
observe
state
evaluate
update
weight
![Page 67: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/67.jpg)
MBSD
Learning can be completed at approx. 300 attempts.
CODE BLUE 2016
Learning flow
・・・
・・・
Current page
MLP
Input values
Q-Learning
Next page
p1=abc, xyz・・・
p1=123, 12a・・・
p1=abc@xxx・・・
observe
state
evaluate
update
weight
![Page 68: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/68.jpg)
Problem
MBSD CODE BLUE 2016
300 attempts ⇒ Inefficient
![Page 69: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/69.jpg)
MBSD CODE BLUE 2016
Pre-training.
Solution
![Page 70: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/70.jpg)
Web apps for pre-training(one example).
MBSD
OWASP Broken Web Apps
CODE BLUE 2016
![Page 71: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/71.jpg)
Training SAIVS
MBSD CODE BLUE 2016
BodgeIt peruggia WackoPicko Yazd
SAIVS
Web Apps
Attempts crawling & learning
⇒ Each 300 times
Achieves the correct input values for each form.
・・・
![Page 72: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/72.jpg)
Achieved correct input values (one example).
MBSD
Input form Correct input value
ID abc, abcdef, aBc, aBcdEf, ABCDEF …
Password abc123!, 123abc!, abc!123, !#$%&a1 …
FirstName abc, abcdef, aBc, aBcdEf, ABCDEF …
LastName abc, abcdef, aBc, aBcdEf, ABCDEF …
Email address [email protected], [email protected] …
Username abc, abcdef, aBc, aBcdEf, ABCDEF …
Signature abc, abcdef, aBc, aBcdEf, ABCDEF …
CODE BLUE 2016
![Page 73: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/73.jpg)
Problem:mismatch of form strings
MBSD CODE BLUE 2016
Used in Training Used in actual assessment
Mismatch!!
![Page 74: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/74.jpg)
MBSD CODE BLUE 2016
Calculate the
similarity of form strings.
Solution
![Page 75: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/75.jpg)
Calculate similarity
MBSD CODE BLUE 2016
Using word2vec.
![Page 76: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/76.jpg)
What is word2vec?
Calculation method for similar words in NLP.
A word is represented by a vector.
MBSD CODE BLUE 2016
examples)
Adding and subtracting words
word cos distance
email 0.956302
mail 0.927386
reply 0.920610
formula answer
Iraq - Violence Jordan
Human - Animal Ethics
Japan – Tokyo + France Paris
Similarity between words
Input : e-mail
![Page 77: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/77.jpg)
Example of the use of the similarity calculation
MBSD CODE BLUE 2016
Calculate similarity using words around the word of interest.
Training data)
interpretation further. However, if anyone wishes to discuss this, I‘m certainly willing
(either offline - e-mail - or Stephen In article [email protected] (Mathemagician)
writes: Just what do gay people do that straight・・・
carries archives of old alt.atheism.moderated articles and assorted other files. For more
information, send mail to [email protected] saying help send atheism/index
and it will mail back a reply. mathew An・・・
send mail to [email protected] saying help send atheism/index and it will
mail back a reply. mathew An Introduction to Atheism by Mathew. This article attempts
to provide a general introduction・・・
The similarity of the "e-mail", "mail", "reply" is high.
![Page 78: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/78.jpg)
Word2vec training data
MBSD CODE BLUE 2016
The 20 Newsgroups data set.
A collection of newsgroups : about 20,000 news.
examples of newsgroup)
Computer(Graphics, MS-Windows, Hardware)
Science(Cryptography, Electronics, Space)
Hobby(Motorcycles, Baseball, Hockey)
![Page 79: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/79.jpg)
MBSD CODE BLUE 2016
Windows Crypt Hardware Space
SAIVS
The 20 Newsgroups data set
Learns the similarity
Learns the similarity between the words.
word2vec
Training SAIVS
・・・
![Page 80: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/80.jpg)
MBSD
candidate similarity
email 0.956302
mail 0.927386
E-mail 0.900249
address 0.893337
reply 0.865438
contact 0.846801
message 0.792930
chat 0.754903
newsgroup 0.747636
CODE BLUE 2016
candidate similarity
names 0.962508
username 0.939661
nickname 0.933694
naming 0.898254
surname 0.863966
initials 0.861093
firstname 0.849641
lastname 0.847604
title 0.782467
candidate similarity
homepage 0.794415
blog 0.752945
site 0.708534
webpage 0.701838
portal 0.701374
forum 0.692067
com 0.641086
archive 0.537914
org 0.531096
Extracts candidate words of Top 10.
Learned similarities in the training
Target :websiteTarget :nameTarget : e-mail
![Page 81: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/81.jpg)
MBSD
candidate similarity
email 0.956302
mail 0.927386
E-mail 0.900249
address 0.893337
reply 0.865438
contact 0.846801
message 0.792930
chat 0.754903
newsgroup 0.747636
CODE BLUE 2016
candidate similarity
names 0.962508
username 0.939661
nickname 0.933694
naming 0.898254
surname 0.863966
initials 0.861093
firstname 0.849641
lastname 0.847604
title 0.782467
candidate similarity
homepage 0.794415
blog 0.752945
site 0.708534
webpage 0.701838
portal 0.701374
forum 0.692067
com 0.641086
archive 0.537914
org 0.531096
Selects a candidate word that matches the form string of training.
Learned similarities in the training
Target :websiteTarget :nameTarget : e-mail
![Page 82: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/82.jpg)
MBSD
candidate similarity
email 0.956302
mail 0.927386
E-mail 0.900249
address 0.893337
reply 0.865438
contact 0.846801
message 0.792930
chat 0.754903
newsgroup 0.747636
CODE BLUE 2016
candidate similarity
names 0.962508
username 0.939661
nickname 0.933694
naming 0.898254
surname 0.863966
initials 0.861093
firstname 0.849641
lastname 0.847604
title 0.782467
candidate similarity
homepage 0.794415
blog 0.752945
site 0.708534
webpage 0.701838
portal 0.701374
forum 0.692067
com 0.641086
archive 0.537914
org 0.531096
Learned similarities in the training
Target :websiteTarget :nameTarget : e-mail
⇒ [email protected] ⇒ aBcdEf ⇒ http://hoge.com
![Page 83: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/83.jpg)
MBSD CODE BLUE 2016
3 requirements for crawling
Recognize the page type (✔).
Recognize the success/fail of crawling (✔).
Input correct values in the forms (✔).
![Page 84: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/84.jpg)
Demonstration of crawling
MBSD
Target:OWASP Broken Web Apps Cyclone
CODE BLUE 2016
![Page 85: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/85.jpg)
MBSD CODE BLUE 2016
Top Login
Register Confirm
User Search
Complete
1.Create a login account in "register".
2.Log in.
3.Search users.
Demonstration of crawling
vulnerability
![Page 86: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/86.jpg)
MBSD CODE BLUE 2016
Top Login
Register Confirm
User Search
Complete
1.Create a login account in "register".
2.Log in.
3.Search users.
Demonstration of crawling
![Page 87: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/87.jpg)
MBSD CODE BLUE 2016
Top Login
Register Confirm
User Search
Complete
1.Create a login account in "register".
2.Log in.
3.Search users.
Demonstration of crawling
![Page 88: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/88.jpg)
MBSD CODE BLUE 2016
Top Login
Register Confirm
User Search
Complete
Demonstration of crawling
1.Create a login account in "register".
2.Log in.
3.Search users.
![Page 89: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/89.jpg)
MBSD CODE BLUE 2016
Top Login
Register Confirm
User Search
Complete
1.Create login account in "register".
2.Log in.
3.Search users.
Demonstration of crawling
![Page 90: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/90.jpg)
MBSD CODE BLUE 2016
https://www.youtube.com/watch?v=aXw3vgXbl1U
Demonstration movie of crawling
![Page 91: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/91.jpg)
Abilities of SAIVS
MBSD
Crawls web apps. (✔)
Detects vulnerabilities.
CODE BLUE 2016
![Page 92: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/92.jpg)
MBSD CODE BLUE 2016
To detect vulnerabilities with less trouble.
Objective of this research
![Page 93: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/93.jpg)
MBSD CODE BLUE 2016
There are many web application
vulnerabilities...
![Page 94: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/94.jpg)
MBSD CODE BLUE 2016
Reflected Cross-Site Scripting
(RXSS)
Target vulnerability of this research
![Page 95: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/95.jpg)
Example of RXSS Pattern 1:very vulnerable web app
MBSD
<html><head><meta http-equiv="Content-Type" content="text/html"><title>Case 3 - RXSS</title></head><body><input type="text" value="testData"></body></html>
http://xxx/case3/?input=testData
Input value is echoed in the "VALUE" attribute of the INPUT tag.
CODE BLUE 2016
![Page 96: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/96.jpg)
MBSD
<html><head><meta http-equiv="Content-Type" content="text/html"><title>Case 3 - RXSS</title></head><body><input type="text" value=""/><script>alert('XSS');</script>"></body></html>
http://xxx/case3/?input="/><script>alert(‘XSS');</script>
JavaScript is inserted in the HTML syntax.
CODE BLUE 2016
Example of RXSS Pattern 1:attacking a web app
![Page 97: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/97.jpg)
Example of RXSS Pattern 2:a little more secure web app
MBSD
<html><head><meta http-equiv="Content-Type" content="text/html"><title>Case 4 - RXSS</title></head><body><input type="text" value=""/> alert('XSS');"></body></html>
SCRIPT tag is sanitized by the web app.
http://xxx/case4/?input="/><script>alert(‘XSS');</script>
CODE BLUE 2016
![Page 98: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/98.jpg)
Example of RXSS Pattern 2:attacking web app
MBSD
<html><head><meta http-equiv="Content-Type" content="text/html"><title>Case 4 - RXSS</title></head><body><input type="text" value=""onmouseout=alert('XSS')""></body></html>
JavaScript is inserted to avoid sanitization.
http://xxx/case4/?input=“onmouseout=alert(‘XSS')”
CODE BLUE 2016
![Page 99: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/99.jpg)
MBSD
Understanding HTML syntax.
Understanding JavaScript syntax.
Avoiding sanitization.
CODE BLUE 2016
3 requirements for detecting RXSS
![Page 100: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/100.jpg)
MBSD CODE BLUE 2016
How do you achieve them?
![Page 101: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/101.jpg)
Our approach
MBSD CODE BLUE 2016
Reverse engineering the human brain.
![Page 102: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/102.jpg)
MBSD CODE BLUE 2016
Each thinking pattern
implemented in machine learning.
Our approach
![Page 103: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/103.jpg)
MBSD
Understanding HTML syntax.
Understanding JavaScript syntax.
Avoiding sanitization.
CODE BLUE 2016
3 requirements for detecting RXSS
![Page 104: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/104.jpg)
MBSD
Understanding of HTML/JavaScript syntax by machines
Using LSTM
CODE BLUE 2016
![Page 105: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/105.jpg)
What is LSTM(Long-Short Term Memory)?
It can learn chronological data.
It can learn dependencies in short & long term data.
MBSD
examples)
Machine translation.
Text generation. (novel, lyrics, source code)
Sound generation. (music, human voice)
CODE BLUE 2016
![Page 106: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/106.jpg)
What is LSTM(Long-Short Term Memory)?
It can learn chronological data.
It can learn dependencies in short & long term data.
MBSD
examples)
Machine translation.
Text generation. (novel, Lyrics, source code)
Sound generation. (music, human voice)
CODE BLUE 2016
![Page 107: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/107.jpg)
Example of the use of the text generation.
MBSD CODE BLUE 2016
Generation of source code.(from Andrej Karpathy blog)
static int indicate_policy(void){int error;if (fd == MARN_EPT) {if (ss->segment < mem_total)
unblock_set_blocked();else
ret = 1;goto bail;
}segaddr = in_SB(in.addr);selector = seg / 16;
・・・
Training Data
static void settings(struct *tty){if (tty == tty)disable_single_st_p(dev);pci_disable_spool(port);return 0;
}
static void command(struct seq_file *m){int column = 32 << (cmd[2] & 0x80);if (state)
・・・
Generated source code by LSTM
It can generate a code from the starting point (seed).
![Page 108: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/108.jpg)
Why LSTM?
MBSD
<!doctype html><html><head><title>Reflected XSS in textarea (textarea1)</title></head><body><H2>Textarea injection test</H2><FORM><textarea name="in" rows="5" cols="60">xxx</textarea>・・・
http://xxx/textarea1?in=xxx
CODE BLUE 2016
Input value is echoed in the TEXTAREA tag.
![Page 109: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/109.jpg)
MBSD
<!doctype html><html><head><title>Reflected XSS in textarea (textarea1)</title></head><body><H2>Textarea injection test</H2><FORM><textarea name="in" rows="5" cols="60"> <script>alert('XSS');</script></textarea>・・・
http://xxx/textarea1?in=<script>alert(‘XSS’);</script>
JavaScript doesn’t run.
⇒ Simple script injection is not allowed.
CODE BLUE 2016
Why LSTM?
![Page 110: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/110.jpg)
MBSD
<!doctype html><html><head><title>Reflected XSS in textarea (textarea1)</title></head><body><H2>Textarea injection test</H2><FORM><textarea name="in" rows="5" cols="60">xxx</textarea>・・・
http://xxx/textarea1?in=xxx
“Is JavaScript inserted after closing the TEXTAREA tag ?”
CODE BLUE 2016
Why LSTM?
![Page 111: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/111.jpg)
MBSD
<!doctype html><html><head><title>Reflected XSS in textarea (textarea1)</title></head><body><H2>Textarea injection test</H2><FORM><textarea name="in" rows="5" cols="60"></textarea><script>alert('XSS');</script></textarea>・・・
http://xxx/textarea1?in=</textarea><script>alert(‘XSS’);</script>
CODE BLUE 2016
Understands the context of HTML and inserts a script.
⇒ JavaScript run.
Why LSTM?
![Page 112: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/112.jpg)
MBSD CODE BLUE 2016
How can LSTM be learned ?
![Page 113: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/113.jpg)
Learning data for LSTM (HTML)
MBSD
<abbr class="" data-utime="" title=""></abbr><abbr class='' title=''></abbr><abbr data-utime='' title=''></abbr>・・・
<input name="" type="" value=""/><input alt="" id="" onclick="" src="" type=""/><input alt='' id="" src='' type=''/><input alt='' name='' src='' type=''/>・・・
<video autoplay="" loop="" muted=""></video><video class="" height="" id="" width=""></video><video src='' tabindex=''></video><video src=''></video>
20,000 pages of HTML syntax. (about 12,000 types)
CODE BLUE 2016
![Page 114: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/114.jpg)
MBSD
_satellite.pageBottom();'](function(window) {
var _gaq = _gaq || [];var methods = ['log', 'dir', 'trace'];if (typeof window.console === 'undefined') {
window.console = {};} for (var i in methods) {
if (!(methods[i] in window.console)) { window.console[methods[i]] = function() {};
}}
}(window));
CODE BLUE 2016
10,000 pages of JavaScript syntax.
Learning data for LSTM (JavaScript)
![Page 115: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/115.jpg)
Generated syntax by learned LSTM (one example)
MBSD
Seed Generated syntax
<textarea cols="60">xxx </textarea>
<!– mbsdtest xxx -->
<input type="" value=“xxx ">
var hoge = ['log', ‘xxx red’];¥r¥n
/* mbsdtest xxx */
function(){ xxx }¥r¥n
CODE BLUE 2016
It can generate a syntax from the seeds.
![Page 116: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/116.jpg)
MBSD
Understanding HTML syntax (✔).
Understanding JavaScript syntax (✔).
Avoiding sanitization.
CODE BLUE 2016
3 requirements for detecting RXSS
![Page 117: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/117.jpg)
Avoidance of sanitization by machines
MBSD CODE BLUE 2016
Using Multilayer perceptron &
Q-Learning.
![Page 118: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/118.jpg)
MBSD
・・・
・・・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL encode
Test pattern
Event handler
・・・
Q-Learning
Model to avoid sanitization
・・・
“ ⇒ "
< ⇒ <
・・・
Sanitize
> ⇒ >
Learns the pattern of avoiding sanitization while attempting to test.
CODE BLUE 2016
observe
state
evaluate
update
weight
![Page 119: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/119.jpg)
MBSD
・・・
・・・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL encode
Test pattern
Event handler
・・・
Q-Learning
Model to avoid sanitization.
・・・
“ ⇒ "
< ⇒ <
・・・
Sanitize
> ⇒ >
CODE BLUE 2016
observe
state
evaluate
update
weight
![Page 120: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/120.jpg)
Patterns of Output point
MBSD
Output point Example
attribute value :「”」 <~value="xxx">
attribute value :「'」 <~value='xxx'>
attribute value : noquote <~value=xxx>
JavaScript <script>xxx</script>
outside of HTML tags <~>xxx</~>
CODE BLUE 2016
![Page 121: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/121.jpg)
MBSD CODE BLUE 2016
Model to avoid sanitization
・・・
・・・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL encode
Test pattern
Event handler
・・・
Q-Learning
・・・
“ ⇒ "
< ⇒ <
・・・
Sanitize
> ⇒ >
observe
state
evaluate
update
weight
![Page 122: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/122.jpg)
Patterns of sanitization
MBSD
Sanitization Example
「“」: translate entity reference, exclude 「”」⇒「"」
「‘」: translate entity reference, exclude 「’」⇒「'」
「<」: translate entity reference, exclude 「<」⇒「<」
「>」: translate entity reference, exclude 「>」⇒「>」
「alert();」: exclude 「alert();」⇒「」
CODE BLUE 2016
![Page 123: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/123.jpg)
MBSD CODE BLUE 2016
Model to avoid sanitization
・・・
・・・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL encode
Test pattern
Event handler
・・・
Q-Learning
・・・
“ ⇒ "
< ⇒ <
・・・
Sanitize
> ⇒ >
observe
state
evaluate
update
weight
![Page 124: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/124.jpg)
Test patterns(one example)
MBSD
Output point Test pattern
attribute value :「”」attribute value :「'」
attribute value : noquote
outside of HTML tags
“event handler
"><sCriPt>xxx
"><img src=xxx
‘event handler
‘><sCriPt>xxx
<svg/onload=alert()>
<sCriPt>xxx</sCriPt>
JavaScript
";alert();//
[CR][LF]alert();
¥";alert();//
CODE BLUE 2016
![Page 125: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/125.jpg)
MBSD
Inputs ”Output point" and "pattern of sanitization" to MLP.
CODE BLUE 2016
・・・
・・・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL encode
Test pattern
Event handler
・・・
Q-Learning
・・・
“ ⇒ "
< ⇒ <
・・・
Sanitize
> ⇒ >
observe
state
evaluate
update
weight
Learning flow
![Page 126: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/126.jpg)
MBSD CODE BLUE 2016
・・・
・・・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL encode
Test pattern
Event handler
・・・
Q-Learning
・・・
“ ⇒ "
< ⇒ <
・・・
Sanitize
> ⇒ >
observe
state
evaluate
update
weight
Learning flow
Selects any test pattern from the input of MLP.
![Page 127: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/127.jpg)
MBSD CODE BLUE 2016
・・・
・・・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL encode
Test pattern
Event handler
・・・
Q-Learning
・・・
“ ⇒ "
< ⇒ <
・・・
Sanitize
> ⇒ >
observe
state
evaluate
update
weight
Learning flow
Attempts to test using the selected test pattern of MLP.
![Page 128: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/128.jpg)
MBSD CODE BLUE 2016
・・・
・・・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL encode
Test pattern
Event handler
・・・
Q-Learning
・・・
“ ⇒ "
< ⇒ <
・・・
Sanitize
> ⇒ >
observe
state
evaluate
update
weight
Learning flow
Observe the result of the test.
![Page 129: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/129.jpg)
MBSD CODE BLUE 2016
・・・
・・・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL encode
Test pattern
Event handler
・・・
Q-Learning
・・・
“ ⇒ "
< ⇒ <
・・・
Sanitize
> ⇒ >
observe
state
evaluate
update
weight
Learning flow
Gives a reward depending on the result of the test.
![Page 130: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/130.jpg)
MBSD CODE BLUE 2016
・・・
・・・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL encode
Test pattern
Event handler
・・・
Q-Learning
・・・
“ ⇒ "
< ⇒ <
・・・
Sanitize
> ⇒ >
observe
state
evaluate
update
weight
Learning flow
Update the weight of MLP using backpropagation.
![Page 131: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/131.jpg)
MBSD CODE BLUE 2016
・・・
・・・
attribute
JS
・・・
Output point
MLP
Out of tag
“sCriPt”
Other tag
URL encode
Test pattern
Event handler
・・・
Q-Learning
・・・
“ ⇒ "
< ⇒ <
・・・
Sanitize
> ⇒ >
observe
state
evaluate
update
weight
Learning flow.
Learning is completed at approx. 100 attempts.
![Page 132: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/132.jpg)
Problem
MBSD CODE BLUE 2016
100 attempts ⇒ Inefficient
![Page 133: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/133.jpg)
MBSD CODE BLUE 2016
Pre-training.
Solution
![Page 134: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/134.jpg)
MBSD
WAVSEP
CODE BLUE 2016
ReflectedXSS GET Input Vector
Case06 output :SRC attr value of IMG tag.
sanitize :< , > ⇒ < , >
testing value:"onmouseover=alert(3122);"
Case10 output :onClick value of SCRIPT tag.
sanitize :“ , < , > ⇒ " , < , >
testing value:';alert(3122);//
Case27 output :single line comment of JavaScript
sanitize :comment out
testing value:[CR][LF]alert(3122);//
Web Apps for pre-training(one example).
![Page 135: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/135.jpg)
MBSD CODE BLUE 2016
Case06 Case08 Case10 Case27
SAIVS
WAVSEP
Achieve the best test string to avoid each sanitize pattern.
Training SAIVS
Attempts testing & learning
⇒ Each 100 times.
・・・
![Page 136: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/136.jpg)
MBSD
Understanding HTML syntax (✔).
Understanding JavaScript syntax (✔).
Avoiding sanitization (✔).
CODE BLUE 2016
3 requirements for detecting RXSS
![Page 137: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/137.jpg)
MBSD
Test flow of SAIVS
Primary inspection.
Secondary inspection.
CODE BLUE 2016
![Page 138: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/138.jpg)
Sends normal request to examine the output point.
MBSD
Web Server
Web AppsSAIVS
Sends normal request
CODE BLUE 2016
Primary inspection
![Page 139: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/139.jpg)
Recognizes the output point of the input value.
MBSD
Web Server
Web AppsSAIVS
Sends normal request
Analyzes response
CODE BLUE 2016
<~value="xxx">
Primary inspection.
![Page 140: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/140.jpg)
Extracts the seed based on the output point.
MBSD
Web Server
Web AppsSAIVS
CODE BLUE 2016
<~value="xxx">
Primary inspection
Sends normal request
Analyzes response
![Page 141: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/141.jpg)
Generates HTML / JavaScript syntax
from the seed. (using learned LSTM)
MBSD
Web Server
Web AppsSAIVS
CODE BLUE 2016
<~value=“”>
Primary inspection
Sends normal request
Analyzes response
![Page 142: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/142.jpg)
Adds the script to the generated HTML syntax.
MBSD
Web Server
Web AppsSAIVS
CODE BLUE 2016
<~value=“”><script>alert(3122);</script>
Primary inspection
Analyzes response
Sends normal request
![Page 143: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/143.jpg)
Sends test request to detect RXSS.
MBSD
Web Server
Web AppsSAIVS
Sends test request
CODE BLUE 2016
<~value=“”><script>alert(3122);</script>
Primary inspection
![Page 144: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/144.jpg)
Determines the presence or absence of RXSS.
RXSS detected ⇒ Test finishes.
Not detected⇒ Secondary inspection.
MBSD
Web Server
Web AppsSAIVS
CODE BLUE 2016
RXSS?
Analyzes response
Sends test request
Primary inspection
![Page 145: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/145.jpg)
Recognizes the sanitizing pattern.
MBSD
Web Server
Web AppsSAIVS
CODE BLUE 2016
<~value=“”><script>alert(3122);・・・
Secondary inspection
Analyzes response
Sends test request
![Page 146: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/146.jpg)
Selects the test pattern to avoid sanitization.
(Using learned MLP)
MBSD
Web Server
Web AppsSAIVS
CODE BLUE 2016
Event handler?
Secondary inspection
Analyzes response
Sends test request
![Page 147: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/147.jpg)
Sends the test request to avoid sanitization.
MBSD
Web Server
Web AppsSAIVS
CODE BLUE 2016
Event handler?
Secondary inspection
Resends test request
![Page 148: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/148.jpg)
MBSD
Web Server
Web AppsSAIVS
CODE BLUE 2016
Secondary inspection
Analyzes response
Sends test request
RXSS?
Determines presence or absence of RXSS.
RXSS detected ⇒ Test finishes.
Not detected ⇒ Repeat secondary inspection.
![Page 149: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/149.jpg)
Demonstration of detecting RXSS
MBSD
Target:webseclab
CODE BLUE 2016
Case Overview
/reflect/full1output : BODY tag
sanitize : none
/reflect/textarea1output : TEXTAREA tag
sanitize : none
/reflect/onmouseoveroutput : attribute value of INPUT tag
sanitize : exclude “</script>”
/reflect/js4_dqoutput : SCRIPT tag
sanitize : none
![Page 150: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/150.jpg)
Demonstration of detecting RXSS
MBSD
Target:webseclab
CODE BLUE 2016
Case Overview
/reflect/full1output : BODY tag
sanitize : none
/reflect/textarea1output : TEXTAREA tag
sanitize : none
/reflect/onmouseoveroutput : attribute value of INPUT tag
sanitize : exclude “</script>”
/reflect/js4_dqoutput : SCRIPT tag
sanitize : none
![Page 151: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/151.jpg)
MBSD
<!doctype html><html><head><title>Full JavascriptInjection (full.1)</title></head><body>Hello!<BR>The value of cgi parameter "in" is:saivs12345</body></html>
http://xxx/reflect/full1?in=saivs12345
output :BODY tag
sanitize : None
Case1:Sending normal request
CODE BLUE 2016
![Page 152: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/152.jpg)
MBSD
<!doctype html><html><head><title>Full JavascriptInjection (full.1)</title></head><body>Hello!<BR>The value of cgi parameter "in" is:lasther=''></form>D0i7Q"VW53N'nT7t0<script>alert(3122);kc5i3</script>ueFj8</body></html>
http://xxx/reflect/full1?in=lasther=''%3E%3C/form%3ED0i7Q%22VW
53N'nT7t0%3Cscript%3Ealert(3122);kc5i3%3C/script%3EueFj8
attempted times:1
Case1:Sending test request
CODE BLUE 2016
![Page 153: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/153.jpg)
MBSD
Case1:Demo movie
CODE BLUE 2016
https://www.youtube.com/watch?v=3RkhSED5DQU
![Page 154: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/154.jpg)
Demonstration of detecting RXSS
MBSD
Target:webseclab
CODE BLUE 2016
Case Overview
/reflect/full1output : BODY tag
sanitize : none
/reflect/textarea1output : TEXTAREA tag
sanitize : none
/reflect/onmouseoveroutput : attribute value of INPUT tag
sanitize : exclude “</script>”
/reflect/js4_dqoutput : SCRIPT tag
sanitize : none
![Page 155: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/155.jpg)
MBSD
<!doctype html><html><head><title>Reflected XSS in textarea (textarea1)</title></head><body><H2>Textarea injection test</H2><p><FORM><textarea name="in" rows="5" cols="60">saivs12345</textarea><p>
http://xxx/reflect/textarea1?in=saivs12345
CODE BLUE 2016
Case2:Sending normal request
output :TEXTAREA tag
sanitize : None
![Page 156: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/156.jpg)
MBSD
<!doctype html><html><head><title>Reflected XSS in textarea (textarea1)</title></head><body><H2>Textarea injection test</H2><p><FORM><textarea name="in" rows="5" cols="60"></textarea>7Q7pN"MBPcc'PA6tz<script>alert(3122);WKr8J</script>fowCP</textarea><p>
http://xxx/reflect/textarea1?in=%3C/textarea%3E7Q7pN%22MBPcc'
PA6tz%3Cscript%3Ealert(3122);WKr8J%3C/script%3EfowCP
CODE BLUE 2016
Case2:Sending test request
attempted times:1
![Page 157: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/157.jpg)
MBSD
Case2:Demo movie
CODE BLUE 2016
https://www.youtube.com/watch?v=6UHbMGdqr_0
![Page 158: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/158.jpg)
Demonstration of detecting RXSS
MBSD
Target:webseclab
CODE BLUE 2016
Case Overview
/reflect/full1output : BODY tag
sanitize : none
/reflect/textarea1output : TEXTAREA tag
sanitize : none
/reflect/onmouseoveroutput : attribute value of INPUT tag
sanitize : exclude “</script>”
/reflect/js4_dqoutput : SCRIPT tag
sanitize : none
![Page 159: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/159.jpg)
MBSD
<!doctype html><html><head><title>Reflected XSS - attribute injection in tags (dq.2)</title></head><body><H2>Update Your Preferences</H2><p><FORM>Homepage: <input value=""><script>alert()" name="in" size="40"><BR>
http://xxx/xss/reflect/onmouseover?in=”><script>alert()</script>
CODE BLUE 2016
Case 3:Sending normal request
output :INPUT tag
sanitize : exclude “</script>”
![Page 160: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/160.jpg)
MBSD
<!doctype html><html><head><title>Reflected XSS - attribute injection in tags (dq.2)</title></head><body><H2>Update Your Preferences</H2><p><FORM>Homepage: <input value=""> <option s onmouseover=alert(3122);//" name="in" size="40"><BR>
http://xxx/xss/reflect/onmouseover?in=%22%3E%3C/option%3E%3
Coption%20s%20onmouseover=alert(3122);//
CODE BLUE 2016
Case 3:Sending test request.
attempted times:3
![Page 161: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/161.jpg)
MBSD
Case 3:Demo movie
CODE BLUE 2016
https://www.youtube.com/watch?v=-r3C1moUVqU
![Page 162: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/162.jpg)
Demonstration of detecting RXSS
MBSD
Target:webseclab
CODE BLUE 2016
Case Overview
/reflect/full1output : BODY tag
sanitize : none
/reflect/textarea1output : TEXTAREA tag
sanitize : none
/reflect/onmouseoveroutput : attribute value of INPUT tag
sanitize : exclude “</script>”
/reflect/js4_dqoutput : SCRIPT tag
sanitize : none
![Page 163: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/163.jpg)
MBSD
<!doctype html><html><head><title>JavaScript anddouble-quote injection in JS block (js.4)</title></head><body><script language="javascript">var f = {date: "",week: "1",bad: "saivs12345",phase: "2",
http://xxx/xss/reflect/js4_dq?in=saivs12345
CODE BLUE 2016
Case 4:Sending normal request
output :SCRIPT tag
sanitize : None
![Page 164: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/164.jpg)
MBSD
<!doctype html><html><head><title>JavaScript anddouble-quote injection in JS block (js.4)</title></head><body><script language="javascript">var f = {date: "",week: "1",bad: "6",skuI;alert(3122);//1VU7k",phase: "2",
http://xxx/xss/reflect/js4_dq?in=6%22,%0A%20%20%20%20%20%20
%20%20%20%20%20%20skuI;alert(3122);//1VU7k
CODE BLUE 2016
Case 4:Sending test request
attempted times:1
![Page 165: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/165.jpg)
MBSD
Case 4:Demo movie
CODE BLUE 2016
https://www.youtube.com/watch?v=Pf2lSB25C3M
![Page 166: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/166.jpg)
Abilities of SAIVS
MBSD
Crawls web apps. (✔)
Detects vulnerabilities. (✔)
CODE BLUE 2016
![Page 167: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/167.jpg)
MBSD CODE BLUE 2016
“Detect RXSS while crawling web apps.”
Realized fully automatically.
Abilities of SAIVS
![Page 168: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/168.jpg)
MBSD
Target:OWASP Broken Web Apps Google Gruyere
CODE BLUE 2016
Demonstration of SAIVS
![Page 169: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/169.jpg)
MBSD CODE BLUE 2016
Top Sign up
Login New snippet
Sign up
complete
1.Create an account in “Sign up”.
2.Log in.
3.Register Snippet.
4.Update Profile.
Profile
New snippet
register
Profile
update
Demonstration of SAIVS
vulnerability
![Page 170: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/170.jpg)
MBSD CODE BLUE 2016
Top Sign up
Login New snippet
Sign up
complete
Profile
New snippet
register
Profile
update
1.Create an account in “Sign up”.
2.Log in.
3.Register Snippet.
4.Update Profile.
Demonstration of SAIVS
![Page 171: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/171.jpg)
MBSD CODE BLUE 2016
Top Sign up
Login New snippet
Sign up
complete
Profile
New snippet
register
Profile
update
Demonstration of SAIVS
1.Create an account in “Sign up”.
2.Log in.
3.Register Snippet.
4.Update Profile.
![Page 172: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/172.jpg)
MBSD CODE BLUE 2016
Top Sign up
Login New snippet
Sign up
complete
Profile
New snippet
register
Profile
update
Demonstration of SAIVS
1.Create an account in “Sign up”.
2.Log in.
3.Register Snippet.
4.Update Profile.
![Page 173: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/173.jpg)
MBSD CODE BLUE 2016
Top Sign up
Login
Sign up
complete
Profile Profile
update
New snippetNew snippet
register
Demonstration of SAIVS
1.Create an account in “Sign up”.
2.Log in.
3.Register Snippet.
4.Update Profile.
![Page 174: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/174.jpg)
MBSD CODE BLUE 2016
Function name Overview
New snippet registeroutput : BODY tag
sanitize : exclude SCRIPT tag
Profile updateoutput : A tag
sanitize : < , > ⇒ < , >
Demonstration of SAIVS
![Page 175: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/175.jpg)
MBSD CODE BLUE 2016
Demonstration of SAIVS
https://www.youtube.com/watch?v=N5d9oM0NcM0
![Page 176: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/176.jpg)
MBSD
Strengthening the page crawling capability.
Responding to complex web apps.
Responding to CAPTCHA.
CODE BLUE 2016
Future prospects
Strengthening the detecting vulnerabilities capability.
Responding to complex RXSS patterns.
Responding to other vulnerabilities.
![Page 177: CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps](https://reader036.vdocument.in/reader036/viewer/2022070516/5871524a1a28ab8e5b8b4747/html5/thumbnails/177.jpg)
• Download “.PDF” version of this document:
≫ http://www.mbsd.jp
MBSD