
Published on December 5th, 2012 | 3644 Views


Static Analysis of Java Class Files for Quickly and Accurately Detecting Web-Language Encoding Methods


Abstract

Attacks such as Cross-Site Scripting, HTTP header injection, and SQL injection take advantage of weaknesses in the way some web applications handle incoming character strings. One technique for defending against injection vulnerabilities is to sanitize untrusted strings using encoding methods. These methods convert the reserved characters in a string to an inert representation which prevents unwanted side effects. However, encoding methods which are insufficiently thorough or improperly integrated into applications can pose a significant security risk. This paper will outline an algorithm for identifying encoding methods through automated analysis of Java bytecode. The approach combines an efficient heuristic search with selective rebuilding and execution of likely candidates. This combination provides a scalable and accurate technique for identifying and profiling code that could constitute a serious weakness in an application.
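The abstract separates a cheap heuristic search from the more expensive step of rebuilding and executing likely candidates to see what they actually encode. The script below is an added illustration of that second, behavioural half, written in Python rather than against Java bytecode: it is not the speakers' tool, and the candidate encoders, the probe string and the per-context reserved-character sets (`CONTEXT_RESERVED`, `looks_like_encoder`, `profile`, `scan`) are assumptions made for the example. The point it shows is that execution with a probe of reserved characters reveals which output contexts an encoder fully protects and which characters it lets through, exactly the property the abstract says an insufficiently thorough encoder lacks.

```python
"""Added example, not the talk's own code: profile candidate encoding methods
by executing them on reserved characters. Candidates are plain Python callables
standing in for rebuilt Java methods; the check itself is language-neutral."""
from typing import Callable, Dict, List

# Characters that must not survive unencoded for each output context.
# These sets are assumptions chosen for the example, not taken from the talk.
CONTEXT_RESERVED: Dict[str, str] = {
    "html": "<>&\"'",
    "http_header": "\r\n",
    "sql_literal": "'\\",
}

# Constructed probe: one of each reserved character plus safe letter filler.
PROBE = "a<b>c&d\"e'f\\g\r\nh"


def looks_like_encoder(fn: Callable[[str], str]) -> bool:
    """Cheap prefilter standing in for the heuristic search: a str -> str callable
    whose output on the probe differs from the input but keeps the safe letters."""
    try:
        out = fn(PROBE)
    except Exception:
        return False
    if not isinstance(out, str) or out == PROBE:
        return False
    return all(ch in out for ch in "abcdefgh")


def unencoded(fn: Callable[[str], str], reserved: str) -> List[str]:
    """Reserved characters the candidate passes through unchanged.
    Each character is encoded on its own so that an entity such as '&lt;'
    is not mistaken for a surviving '&'."""
    return [ch for ch in reserved if fn(ch) == ch]


def profile(fn: Callable[[str], str]) -> Dict[str, Dict[str, object]]:
    """For each context, report whether the candidate neutralises every reserved
    character and which ones it misses."""
    report: Dict[str, Dict[str, object]] = {}
    for ctx, reserved in CONTEXT_RESERVED.items():
        missed = unencoded(fn, reserved)
        report[ctx] = {"complete": not missed, "missed": missed}
    return report


def scan(candidates: Dict[str, Callable[[str], str]]) -> Dict[str, Dict[str, Dict[str, object]]]:
    """Heuristic pass first, then execute and profile only the survivors."""
    return {name: profile(fn) for name, fn in candidates.items() if looks_like_encoder(fn)}


# Constructed candidates: a thorough HTML encoder, an incomplete one, a header
# sanitiser, and a method that transforms strings but is not an encoder at all.
def html_encode(s: str) -> str:
    table = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}
    return "".join(table.get(c, c) for c in s)


def weak_html_encode(s: str) -> str:
    return s.replace("<", "&lt;").replace(">", "&gt;")


def strip_crlf(s: str) -> str:
    return s.replace("\r", "").replace("\n", "")


def not_an_encoder(s: str) -> str:
    return s.upper()


CANDIDATES: Dict[str, Callable[[str], str]] = {
    "html_encode": html_encode,
    "weak_html_encode": weak_html_encode,
    "strip_crlf": strip_crlf,
    "not_an_encoder": not_an_encoder,
}


if __name__ == "__main__":
    for name, report in scan(CANDIDATES).items():
        for ctx, verdict in report.items():
            status = "complete" if verdict["complete"] else f"misses {verdict['missed']!r}"
            print(f"{name:18s} {ctx:12s} {status}")
```

Reading the report, `weak_html_encode` is the kind of method the abstract warns about: it survives the heuristic filter because it clearly transforms markup characters, yet execution shows it leaves `&`, `"` and `'` untouched, so any HTML attribute built with it is still injectable. Swapping the probe and reserved sets for the encoding contexts an application actually uses is the only change needed to apply the same profiling to other candidates.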

*****

Speakers

Arshan Dabirsiaghi, Aspect Security

Matthew Paisner, Aspect Security

Alex Emsellem, Intern Software Engineer, Aspect Security

Currently pursuing a bachelor's degree in Computer Science. I'm primarily focused on software reverse engineering and exploitation. Around ten years ago I found my first vulnerability in a web application, and remember it vividly. I live for innovative ideas and the cutting edge.

*****
Date: Thursday, October 25, 2012, 4:00pm - 4:45pm
Location: AppSecUSA, Austin, TX. Hyatt Regency Hotel, Checkmarx Room
Track: Attack
