Team seminar
Exploiting vulnerabilities in Web applications thanks to secure models.
Johan Oudinet

29 March 2013, 14:00
Room/Building: 465/PCRI-N
Contact:

Research activities:

Abstract:
Web applications are a major target of attackers. The increasing
complexity of such applications and the subtlety of today's attacks make
it very hard for developers to secure their Web applications by hand.
Penetration testing is considered an art: whether a penetration tester
detects a vulnerability depends mainly on the tester's skills.
Recently, model checkers dedicated to security analysis have proved
their ability to identify complex attacks on Web-based security
protocols. However, bridging the gap between an abstract attack trace
output by a model checker and a penetration test on the real Web
application is still an open issue.
In this talk, I present a methodology, developed within the EU project
spacios.eu, for testing Web applications starting from a secure model.
First, we mutate the model to introduce well-known Web application
vulnerabilities. Then, model-checking techniques find abstract attack
traces (AATs) that exploit those vulnerabilities. Next, the AATs are
translated into concrete test cases by a two-step mapping. Finally, the
tests are executed on the real system by an automatic procedure that may
request the help of a test expert from time to time.
A prototype has been implemented and evaluated on WebGoat, an insecure
Web application maintained by OWASP. It successfully reproduced
Role-Based Access Control (RBAC) and Cross-Site Scripting (XSS) attacks.
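The pipeline sketched in the abstract (secure model, mutation, model checking for an abstract attack trace, two-step mapping to a concrete test, execution on the system under test) can be illustrated end to end on a toy RBAC model. The following is an added example, not code from the talk, the SPaCIoS project or WebGoat: the roles, the abstract actions, the URL templates, the test data and the `FakeApp` stand-in for the real system are all constructed for this illustration. A bounded breadth-first search plays the role of the model checker, and the secure model itself is the oracle that decides whether a trace violates the security goal.

```python
"""Model-based access-control testing in miniature (constructed example)."""
from collections import deque
from dataclasses import dataclass

ROLE_RANK = {"guest": 0, "user": 1, "admin": 2}

# Secure model: each abstract action and the minimum role it requires.
SECURE_MODEL = {
    "login_user": "guest",   # anyone may log in as a normal user
    "view_profile": "user",
    "list_users": "admin",   # admin-only: the security goal protects this action
}
GRANTS = {"login_user": "user"}  # role a session holds after the action succeeds
PROTECTED = {a for a, r in SECURE_MODEL.items() if r == "admin"}


@dataclass(frozen=True)
class State:
    role: str
    done: tuple  # abstract actions performed so far, in order


def step(model, state, action):
    """Successor state if `action` is permitted by `model` in `state`, else None."""
    if ROLE_RANK[state.role] < ROLE_RANK[model[action]]:
        return None
    return State(GRANTS.get(action, state.role), state.done + (action,))


def weaken_check(model, action, new_role):
    """Mutation operator: lower the role an action requires (missing-access-control fault)."""
    mutant = dict(model)
    mutant[action] = new_role
    return mutant


def find_attack_trace(model, max_depth=4):
    """Bounded model checking: return the shortest sequence of actions under `model`
    in which a session below 'admin' performs a protected action, or None."""
    init = State("guest", ())
    queue, seen = deque([init]), {init}
    while queue:
        s = queue.popleft()
        if len(s.done) >= max_depth:
            continue
        for a in model:
            nxt = step(model, s, a)
            if nxt is None:
                continue
            if a in PROTECTED and ROLE_RANK[s.role] < ROLE_RANK["admin"]:
                return list(s.done) + [a]  # abstract attack trace (AAT)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return None


# Two-step mapping. Step 1: abstract action -> request skeleton with abstract parameters.
TEMPLATES = {
    "login_user": ("POST", "/login", {"username": "$USER", "password": "$PASS"}),
    "view_profile": ("GET", "/profile", {}),
    "list_users": ("GET", "/admin/users", {}),
}
# Step 2: abstract parameters -> concrete values (the part a test expert may supply).
TEST_DATA = {"$USER": "alice", "$PASS": "alice-password"}
PROTECTED_PATHS = {TEMPLATES[a][1] for a in PROTECTED}


def concretize(trace):
    """Translate an AAT into a list of concrete (method, path, params) requests."""
    out = []
    for a in trace:
        method, path, params = TEMPLATES[a]
        out.append((method, path, {k: TEST_DATA.get(v, v) for k, v in params.items()}))
    return out


class FakeApp:
    """Stand-in for the system under test (constructed). `policy` maps each path to
    the role the app actually enforces; the real system would be driven over HTTP."""
    def __init__(self, policy):
        self.policy, self.role = policy, "guest"

    def handle(self, method, path, params):
        if method == "POST" and path == "/login":
            if params.get("username") == "alice" and params.get("password") == "alice-password":
                self.role = "user"
                return 200
            return 401
        return 403 if ROLE_RANK[self.role] < ROLE_RANK[self.policy[path]] else 200


def run_test(app, requests):
    """Execute the concrete test; True if a protected path was served to a non-admin session."""
    for method, path, params in requests:
        role_before = app.role
        if app.handle(method, path, params) == 200 and path in PROTECTED_PATHS \
                and ROLE_RANK[role_before] < ROLE_RANK["admin"]:
            return True
    return False


VULNERABLE_POLICY = {"/profile": "user", "/admin/users": "user"}   # admin check missing
FIXED_POLICY = {"/profile": "user", "/admin/users": "admin"}


def demo():
    """Mutate, model-check, concretize, execute against a vulnerable and a fixed app."""
    mutant = weaken_check(SECURE_MODEL, "list_users", "user")
    aat = find_attack_trace(mutant)
    tests = concretize(aat)
    return aat, run_test(FakeApp(VULNERABLE_POLICY), tests), run_test(FakeApp(FIXED_POLICY), tests)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the division of labour the abstract describes: the secure model yields no trace, the mutant yields the AAT `['login_user', 'list_users']`, the mapping turns it into a login followed by a request to the protected path, and the same concrete test reproduces the attack on the vulnerable stand-in while failing (HTTP 403) on the fixed one.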
