
Attack Detection in Web Applications Firewall by Learning from Application’s Source Code

Alizadeh Nikoo, Amir Reza | 2018

  1. Type of Document: M.Sc. Thesis
  2. Language: Farsi
  3. Document No: 51164 (19)
  4. University: Sharif University of Technology
  5. Department: Computer Engineering
  6. Advisor(s): Amini, Morteza
  7. Abstract: Due to the increase in web-based attacks against web applications and the inefficiency of intrusion detection and prevention systems at detecting and preventing web attacks at the application layer, web application firewalls (WAFs) were developed to deal with this problem. The most common attacks affecting today’s web applications include SQL Injection (SQLi), Cross-Site Scripting (XSS) and Logical attacks. A Logical attack focuses on the abuse or exploitation of a web application’s logic flow and, unlike SQLi and XSS, depends on the web application’s functionality. There are many methods for designing a WAF, which fall into two categories: signature-based and anomaly-based detection. The former uses a blacklist of signatures and rules defined by experts in the system, while the latter monitors system activities and obtains normal behavior by learning from network traffic; it then detects anomalous behavior as an attack. These detection methods have two major disadvantages. The first is a high rate of false positives and false negatives, and the second is the need for human effort in the process of learning and extracting the normal behavior of a web application. In this thesis, in addition to reviewing and analysing related work, we propose a new method, which is a kind of anomaly-based detection. In the proposed approach, the normal behavior of a web application is learned by analysing the PHP source code of the application protected by the WAF. A proxy server and the ICAP protocol are the two main components of the approach. We develop a code analyser that extracts the logical relations between the pages of the application as well as a table of application features such as valid pages and their parameters. We then forward the code analyser’s results to the WAF for detecting Logical, SQLi and XSS attacks. The accuracy of the proposed approach on five open source web applications (with known vulnerabilities) is 99.6%. Moreover, the performance overhead of using this method is negligible.
  8. Keywords: Web Application; Firewall; Web Attack; Attack Detection; Internet Content Adaptation Protocol (ICAP)
