NAVEX: Precise and scalable exploit generation for dynamic web applications

NAVEX: Precise and scalable exploit generation for dynamic web applications Alhuzali et al., USENIX Security 2018

NAVEX (https://github.com/aalhuz/navex) is a very powerful tool for finding executable exploits in dynamic web applications. It combines static and dynamic analysis (to cope with dynamically generated web content) to find vulnerable points in web applications, determine whether inputs to those are appropriately sanitised, and then builds a navigation graph for the application and uses it to construct a series of HTTP requests that trigger the vulnerability.

It also works at real-world scale: NAVEX was used on 26 PHP applications with a total of 3.2M SLOC and 22.7K PHP files. It generated 204 concrete exploits across these applications in a total of 6.5 hours. While the current implementation of NAVEX targets PHP applications, the approach could be generalised to other languages and frameworks.

In this paper, our main contribution is a precise approach for vulnerability analysis of multi-tier web applications with dynamic features… our approach combines dynamic analysis of web applications with static analysis to automatically identify vulnerabilities and generate concrete exploits as proof of those vulnerabilities.

Here’s a example of what NAVEX can do. From the 64K Continue reading

Bob Ross, Lorem Ipsum, Heroku and Cloudflare Workers

Bob Ross, Lorem Ipsum, Heroku and Cloudflare Workers

It may not be immediately obvious how these things are related, but bear with me... It was 4pm Friday and one of the engineers on the Cloudflare Tools team came to me with an emergency. "Steve! The Bob Ross Ipsum generator is down!".

If you've not heard of Lorem Ipsum, it's an extract from a latin poem that designers use as placeholder text when designing the layout of a document. There are generators all over the web that will spit out as much text as you need.

Bob Ross, Lorem Ipsum, Heroku and Cloudflare Workers
Source: Wikipedia

Of course, the web being the web that we all love, there are also endless parodies of Lorem Ipsum. You can generate Hodor Ipsum, Cat Ipsum and Hipster Ipsum. I have a new, undisputed favourite: Bob Ross Ipsum.

Not growing up in the U.S., I hadn't come across the lovable, calm, serene and beautiful human that is Bob Ross. If you haven't spent 30 mins watching him paint a landscape, you should do that now. He built a following as host of the TV show “The Joy of Painting” which ran on the U.S. PBS channel from 1983-1994. He became famous for Continue reading

Introducing Real World Serverless – Practical advice on how to use Cloudflare Workers

Introducing Real World Serverless - Practical advice on how to use Cloudflare Workers

We’re getting the best minds on serverless technology from Cloudflare together to lead a series of talks on practical use cases for Cloudflare Workers. Join any of these six global talks for stories of how companies and developers are using serverless in the real world.

San Francisco - London - Austin - Singapore - Sydney - Melbourne

Want a Real World Serverless event in your city? Interested in sharing your stories and experience deploying serverless apps in production? Email [email protected] and let’s put something together.

Check out the event details and register through the Eventbrite links below.

Real World Serverless - San Francisco

Introducing Real World Serverless - Practical advice on how to use Cloudflare Workers
Photo by Tim Foster / Unsplash

Sept 11th, 2018, 6:00pm-9:00pm
In partnership with Serverless Meetup
Location: Heavybit - 325 9th St, San Francisco, CA 94103

View Event Details & Register Here »

Real World Serverless - London

Introducing Real World Serverless - Practical advice on how to use Cloudflare Workers
Photo by Robert Tudor / Unsplash

Sept 18th, 2018, 6:00pm-9:00pm
Location: Cloudflare London - 25 Lavington St, Second floor SE1 0NZ London

View Event Details & Register Here »

Real World Serverless - Austin

Introducing Real World Serverless - Practical advice on how to use Cloudflare Workers
Photo by Cosmic Timetraveler / Unsplash

October 2nd, 2018, 6:00pm-9:00pm
In partnership with ATX Serverless Meetup
Location: Downtown Austin

View Event Details Continue reading

The Anna Key-Value Store Now Has 355x the Performance of DynamoDB for the Dollar

 

New databases used to be announced seemingly every week. While database neogenesis has slowed down considerably, it has not gone necrotic.

RISELabs, those wonderfully innovative folks over at Berkeley, have uplifted their Anna datatabase—a shared-nothing, thread-per-core architecture to achieve lightning-fast speeds by avoiding all coordination mechanisms—to become cloud-aware.

What's changed?

Anna is not only incredibly fast, it’s incredibly efficient and elastic too: an autoscaling, multi-tier, selectively-replicating cloud service. All that adaptivity means that Anna ramps down resource consumption for cold things, and ramps up consumption for hot things. You get all the multicore Anna performance you want, but you don’t pay for what you don’t need.
Just to throw out some numbers, we measured Anna providing 355x the performance of DynamoDB for the dollar. No, I don’t think that is because AWS is earning a 355x margin on DynamoDB! The issue is that Anna is now orders of magnitude more efficient than competing systems, in addition to being orders of magnitude faster.
They've posted about Anna's new superpowers in Going Fast and Cheap: How We Made Anna Autoscale:
Using Anna v0 as an in-memory storage engine, we set out to address the cloud storage problems described Continue reading

Website Security Myths

Website Security Myths
Photo by MILKOVÍ / Unsplash
Website Security Myths

Some conversations are easy; some are difficult. Some are harmonious and some are laborious. But when it comes to website security, the conversation is confusing.
Every organisation agrees, in theory, that their websites need to be secure. But in practice, there is resistance to investing enough time and budget. Reasons for neglecting security include misconceptions surrounding Web Application security.

Below I’ve outlined some of the most  common myths and misconceptions that can often put your website at serious security risks.

My website is not the target of an attack because it is small and I run a small business.

An average small business website is attacked 44 times per day. In addition,  a low profile website is a nice playground for hackers to try out new tools and techniques. Hackers often use automated tools to find various vulnerable websites and don't discriminate when it comes to the size of the target. Any web application, even if it is not itself a target, may be of interest to attackers. Web applications with lax security are easy pickings for hackers and can be subject to  a mass or targeted cyber attack.
The good news is that Continue reading

Even Better MANRS During August

We already discussed the MANRS activities during SANOG 32 where we organised a Network Security Workshop and signed an MoU with the ISP Association of Bangladesh (ISPAB), but the Internet Society was also involved with three other events during the month of August. This included the Symposium on Internet Routing Security and RPKI, VNIX-NOG 2018 and the inaugural INNOG 1.

Symposium on Internet Routing Security and RPKI

ZDNS along with CNCERT organised a symposium on 17th August at Crowne Plaza Beijing to discuss routing security issues and how RPKI can help address this problem. There were many prominent participants representing local, regional and international entities including Baidu, Tencent, Alibaba, Huawei, ZTE, the Chinese Academy of Sciences, APNIC, ICANN, along with the Internet Society.

Dr Stephen Kent (BBN) was the keynote speaker, having played an important role in the SIDR (Secure Internet Domain Routing) Working Group at the IETF (Internet Engineering Task Force) and also co-authored many RFCs (Request for Comments) on RPKI. He discussed the ideas behind RPKI and Route Origin Authorization/Validation.

George Michaelson (APNIC) who along with his colleague Geoff Huston co-authored RFC 6483 – Validation of Route Origination Using the Resource Certificate Public Key Infrastructure (PKI) and Route Origin Authorizations Continue reading

KVM Host High CPU Fix

I run my labs on an Ubuntu 1604 host using KVM for the hypervisor and some of the network VM images (Cisco CRS1000v, Juniper vMX, etc..) run with very high CPU. A recent thread on Twitter helped me to find a solution to this problem so I will outline it here as it may be helpful for others. ...

Newest OpenStack release comes with bare-metal installs in mind

The OpenStack Foundation has announced the general availability of the 18th iteration of its cloud platform, called OpenStack Rocky. The major new functionalities to the platform are faster upgrades and enhanced support for bare metal infrastructure.Bare-metal cloud is a term for cloud services that come with zero software. When you rent an instance on Amazon S3 or Microsoft Azure, you get a virtualized environment that is run on a hypervisor and shared with another, unknown user. This often causes performance issues, since you never know what kind of neighbor you will get each time.To read this article in full, please click here

Newest OpenStack release comes with bare-metal installs in mind

The OpenStack Foundation has announced the general availability of the 18th iteration of its cloud platform, called OpenStack Rocky. The major new functionalities to the platform are faster upgrades and enhanced support for bare metal infrastructure.Bare-metal cloud is a term for cloud services that come with zero software. When you rent an instance on Amazon S3 or Microsoft Azure, you get a virtualized environment that is run on a hypervisor and shared with another, unknown user. This often causes performance issues, since you never know what kind of neighbor you will get each time.To read this article in full, please click here

1 1,481 1,482 1,483 1,484 1,485 3,849