OWASP Presentation Template

16 pages, PDF, 1020 KB

OWASP Presentation Template
Engineering better security

[Chart: security data & analytics and IT control & visibility plotted against attacker sophistication & reach over time, annotated "Vastly expanding attack surface" and "Weaponization of cyber attacks"]

Controlling security risk: the vulnerability management system
Know Your Network • Manage Risk Effectively • Simplify Your Compliance
Confidential and Proprietary

Understanding business requirements: RealContext™
• Automatic classification of assets
• Definition of each asset's importance
• Assignment of owners for remediation and for the assets themselves

Adaptive security: attack surface management
• Automatically discover new assets as they join the network (DHCP)
• Track changes in the risk of network and information assets (VMware)
• Know all external assets (mobile, AWS)
Sonar Labs integration

Adaptive security: emergent threats
• Automatically scan the whole network
• Automatically trigger scan tasks from configured search criteria, for example a CVSS score threshold
• No manual intervention required
Zero day

Automated workflow
  TRIGGER                    ACTION                          ACTION                         ACTION
  Discover asset via DHCP    Scan asset for vulnerabilities  Assign high criticality tag    Create ticket in ServiceNow
                             (when a new asset is            (if the asset's risk score     (if the asset is a
                             discovered)                     is > 500)                      Windows server)

New intuitive user interface

Vulnerability validation with Metasploit Pro (Validate with Metasploit)
• A safe vulnerability validation mechanism
• Focused on known security risks
• Closed-loop vulnerability management

Traditional vulnerability management: the vulnerability alert list, clear, intuitive and actionable

ID        Title                                                          Occurrences
MS05-43   Microsoft Windows DCOM RPCSS Service Vulnerabilities                 14352
MS04-61   Microsoft Windows DCOM RPC Interface Buffer Overrun Vuln             11253
MS05-72   Microsoft Windows ASN.1 Library Integer Handling                      2456
MS03-32   Windows TCP/IP Remote Code Execution                                   522
AP04-32   Apache Tomcat Directory Traversal                                      414
AW01-34   APR-util Library Integer Overflow                                      255
AP04-16   Apache 1.3 and 2.0 Web Server                                          116
FT01      ProFTPD 1.3 2xc2 and Prior_mod SQL Injection                            98
VZ02      OpenVZ Multiple Vulnerabilities                                         64
HPJ01     HP NonStop Servers and Java                                             55
HW08      Huawei Multiple Device Bypass                                           32
MS04-47   Microsoft Messenger Service Buffer Overrun Vulnerability                28
RHL013    Red Hat Linux Instance 1.3 Multiple Vulnerabilities                     28
PP32-1    Plug and Play Remote Access Vulnerability                               19
SMOSL1    SQL_mod remote Once Single Access                                       18

Compliance analysis and reporting: policy scanning & reporting
• Customize the reports you need (PCI, HIPAA, SOX, NERC)
• Internationally recognized compliance reports, for example the PCI compliance reports (per-requirement results shown as Pass / Pass / Fail / Pass / Pass)

Web risk control: innovative black-box testing (Gartner evaluation ranking)
"Rapid7's offering earned the highest rating for Web AST due to DAST features. These include its 'universal translator,' which enables testing of various types of exposed back-end interfaces, such as JSON, REST, SOAP, XML-RPC, Google Web Toolkit (GWT) RPC and Action Message Format (AMF). These features also include its enterprise capabilities — enterprise console, RBAC, one-click vulnerability verification, bug-tracking integration and extensive WAF integration."
Gartner, Critical Capabilities for Application Security Testing, Joseph Feiman and Neil MacDonald, August 17, 2015

Universal Translator: covers more technologies than any other DAST scanner
[Chart: coverage by technology layer, from static pages and CGI through JavaScript application frameworks and Web 2.0 (AJAX) up to Web 3.0 & mobile (JSON, REST, AMF, SOAP); other testing tools cover only the lower layers, and the layers above them are labelled the exposure gap]

Scan coverage: advanced crawling
• You cannot attack what you cannot crawl
• It is crucial to crawl the entire site
• Limit manual training time
• Sites are designed for human users, which creates challenges for crawling:
  ‒ JavaScript & AJAX: dynamic links and pages
  ‒ Form input validation: requires valid data
• Scan requirements have changed: applications stopped being "HTML based" long ago, and today's web applications carry more dynamic content and are more complex

Scanning through the Universal Translator
Start -> Parse HTML & JavaScript -> Find new links and inputs -> Modify the URO with attack payloads -> Attack requests sent -> Responses analyzed for vulnerability discovery
• Many formats (mobile and web services: JSON, REST, AMF, SOAP) are parsed into a common description, the URO (Universal Request Object)
• Example URO: Type: JSON; Inputs: http.cookie[0].session = 98734njfaius282, filters[0].item = Shirt, filters[1].color = Blue
• Example attack value substituted for one input: color=Blue" onmouseover="alert(123)

Covering web application workflows
• Must attack while respecting the workflow
  #1 Add item to cart -> #2 View cart -> #3 Checkout -> #4 Shipping info -> #5 Billing info -> #6 Confirm order -> #7 Receipt
  The 'Last name' input is attacked while every other step is sent with clean values; the response "Error mysql_error: You have an error in your SQL syntax; near 'Smith'' at line 10" is detected as a vulnerability
• Proper attacking must follow the expected workflow
• Only NTOSpider is able to automate this testing process

Reporting: detailed presentation of the crawl
• Do not just present content to the auditor
• Show developers more: this enables those with a better understanding of the application to assess the completeness of the scan

Reporting: correlation analysis
• Consolidates numerous vulnerabilities into "root causes"
• Facilitates prioritization, coordination and tracking of remediation

Reporting: presenting the attack
• Easy to communicate the source of the problem to developers
• Provides simple and usable data for all levels of the process, including reproducing attacks

WAF / IPS integration: Sourcefire, F5, DenyAll, Barracuda, ModSecurity, Imperva, NitroSecurity
Defect tracking integration: Jira, HP Quality Center, RSA Archer
DevOps / SDL integration: Selenium, Jenkins, Hudson, Bamboo, Burp, Fiddler, WebScarab, Paros, Swagger, Coverity, Checkmarx

Attack categories
• Passive attacks: Apache Struts Detection; Auto Complete Attribute Checks; Browser Cache directive (leaking sensitive information); Browser Cache directive (web application performance); Cookie Attributes; Credentials stored in clear text in cookies; E-Mail Disclosure; Information Disclosure in Comments; Information Disclosure in Response; Information Disclosure in Scripts; Information Leakage in Form Submission; Information Leakage in Responses; Privacy Disclosure; Profanity; Secure and Non-Secure Content Mix; Sensitive Data Exposure
• Active attacks: ASP.NET ViewState security; Apache Struts 2 Framework File Inclusion; Arbitrary File Upload; ASP.Net Misconfiguration; Blind SQL Injection; Brute Force (Form Auth); Brute Force (HTTP Auth); Business Logic Abuse Attacks; Cross-Origin Resource Sharing (CORS); Cross Site Scripting (DOM-Based); Cross-Site Request Forgery (CSRF); Cross Site Scripting (XSS, Reflected); Cross Site Scripting (XSS, Simple); Cross Site Tracing (XST); Custom Directory Module; Custom Parameter Module; Directory Indexing; Expression Language Injection; Forced Browsing; Form Session Strength; Heartbleed Check; HTTP Response Splitting; HTTPS Downgrade; Java Grinder (downloads jar files, extracts and decompiles class files and examines their content for security-related code); LDAP Injection; OS Commanding; Parameter Fuzzing; Predictable Resource Location; Reflection Analysis; Reverse Proxy; Server Configuration; Server Side Include Injection (SSI); Session Fixation; Session Strength; Source Code Disclosure; SQL Injection; SQL Injection Authentication Bypass; SSL Strength; Un-Validated Redirect; Web Beacon; Web Service Parameter Fuzzing; XML External Entity Attack; XPath Injection

Incident Detection and Response: shorten the window as much as possible
[Timeline: Day 1 the attacker gains entry, Day 2 the threat is detected, Day 3 the threat is contained, contrasted with malware detected on Day 206 and the threat contained on Day 234]
1. Detect the compromise the same day
2. Scope the complete incident fast
3. Quickly hand off to the remediation team

Endpoint data collection
• Active Directory • LDAP • DHCP • DNS • VPN • IDS / IPS • Web proxy • Firewall • E-mail servers • Security console • Enterprise cloud applications • Intruder traps
A single, integrated experience

InsightIDR solution architecture
[Diagram: remote endpoints, network events, endpoint events, applications, enterprise cloud apps, mobile devices and existing security solutions (alerts and events) feed on-premise collectors and intruder traps; data travels over SSL to the Insight Platform, whose InsightIDR attacker analytics (user behavior analytics, machine learning, a fully searchable data set) serve the security team in real time]

Event sources
Foundational event sources:
• LDAP: Microsoft Active Directory LDAP
• Active Directory: Microsoft Active Directory domain controllers
• DHCP: Cisco IOS, Infoblox Trinzic, ISC dhcpd, Microsoft DHCP
Value-add event sources:
• DNS: ISC BIND 9, Infoblox Trinzic, Microsoft DNS, MikroTik, PowerDNS
• VPN: Cisco ASA VPN, F5 Networks FirePass, Fortinet FortiGate, Juniper SA, Microsoft IAS (RADIUS), Microsoft Network Policy Server, Microsoft Remote Web Access, OpenVPN, SonicWALL Firewall & VPN
• IDS / IPS: Cisco Sourcefire, Dell iSensor, Dell SonicWall Advanced Malware, HP TippingPoint, FireEye NX, McAfee IDS, Palo Alto Networks WildFire, Metaflows IDS, Security Onion, FireEye Threat Analytics Platform, Snort
• Web proxy: Cisco IronPort, Fortinet FortiGate, Intel Security (fka McAfee) Web Reporter, Sophos Secure Web Gateway, Squid, Watchguard XTM, WebSense Web Security Gateway, Barracuda Web Filter, Blue Coat Proxy
• Firewall: Check Point Firewall, Cisco ASA Firewall & VPN, Cisco Meraki, Fortinet FortiGate, Juniper Netscreen, SonicWALL, Sophos Firewall, Stonesoft Firewall, Watchguard XTM, Palo Alto Networks Firewall
• E-mail: Microsoft ActiveSync (mobile devices), Microsoft Exchange, Outlook Web Access
• Security console (Rapid7): Windows Agentless Endpoint Monitor, Mac Agentless Endpoint Monitor, Honeypot & Honey Users, Metasploit, Nexpose
• Virus scanners: McAfee ePO, Sophos Enduser Protection, Symantec Endpoint Protection, Symantec Enduser Protection
• SIEMs / log aggregators: HP ArcSight, IBM QRadar, Intel Security (fka McAfee) NitroSecurity, LogRhythm, Splunk
• Data exporters: HP ArcSight & ArcSight Logger, Splunk
• Cloud services: Okta, Salesforce.com, AWS CloudTrail, Box.com, Duo Security, Google Apps, Office 365
• Application monitoring: Atlassian Confluence, Microsoft SQL Server

Attack chain
• Infiltration and persistence: phish users
• Reconnaissance: get user list, scout targets
• Lateral movement
• Mission target: access critical
• Maintain presence