Static Analysis of Java Class Files for Quickly and Accurately Detecting Web-Language Encoding Methods

Presented at AppSec USA 2012, Oct. 25, 2012, 4 p.m. (45 minutes).

Attacks such as Cross-Site Scripting, HTTP header injection, and SQL injection take advantage of weaknesses in the way some web applications handle incoming character strings. One technique for defending against injection vulnerabilities is to sanitize untrusted strings using encoding methods. These methods convert the reserved characters in a string to an inert representation which prevents unwanted side effects. However, encoding methods which are insufficiently thorough or improperly integrated into applications can pose a significant security risk.

This paper will outline an algorithm for identifying encoding methods through automated analysis of Java bytecode. The approach combines an efficient heuristic search with selective rebuilding and execution of likely candidates. This combination provides a scalable and accurate technique for identifying and profiling code that could constitute a serious weakness in an application.


Presenters:

  • Alex Emsellem - Intern Software Engineer - Aspect Security
    Currently pursuing a bachelor's degree in Computer Science. I'm primarily focused on software reverse engineering and exploitation. Around ten years ago I found my first vulnerability in a web application, and remember it vividly. I live for innovative ideas and the cutting-edge.
  • Matthew Paisner
  • Arshan Dabirsiaghi

Links:

Similar Presentations: