Catch me if you can: detection of injection exploitation by validating query and API integrity

Presented at VB2019, Oct. 3, 2019, 11 a.m. (30 minutes).

Injection flaws remain one of the top risks in the OWASP Top 10 web application security risks, and have held the first position among web application vulnerabilities for a decade. Injection flaws include SQL, NoSQL, OS command and LDAP injection techniques. Threat actor groups such as Axiom and Magic Hound have been observed using SQL injection to gain access to systems. The research community has extensively discussed exploitation details for SQL, NoSQL, OS command and LDAP injection exploits, so in this presentation we do not plan to explain once again what these exploits are. Instead, the talk dives into the technical details of novel detection algorithms for SQL, NoSQL, LDAP and OS command injection exploits.

Our algorithms for detecting SQL, NoSQL, OS command and LDAP injection exploitation leverage code flow analysis. Injection attacks such as SQL, NoSQL, OS command and LDAP injection exploits add code to the application's input, which changes the legitimate code the application executes. The algorithm uses the abstract syntax tree (AST), the program dependency graph (PDG) and the SQL parse tree to compute the changes that an injection-based exploit introduces into the original code. In the presentation, we will take examples of SQL, NoSQL, OS command and LDAP injection exploits and show the changes in the AST, PDG and SQL parse tree caused by each. These code changes are the fundamental principle behind the detection algorithms for SQL, NoSQL, OS command and LDAP injection, which are discussed in the subsequent part of the presentation.
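As an added illustration of the principle (example code written for this page, not code from the talk or from Prismo Systems), the Python below uses a flat token "skeleton" as a stand-in for the SQL parse tree: string and numeric literals are abstracted away, so only the query's structure is compared. It assumes the application's legitimate query is known as a parameterised template (a hypothetical `LOGIN_TEMPLATE`) and that the query actually sent at runtime is visible; injected SQL then appears as extra or replaced structural tokens, and the index of the first divergence points at where the query was altered.

```python
import re

# Lexer for a SQL subset. Literals and "?" placeholders collapse into one
# token class so that only query structure is compared, never user data.
_TOKEN_RE = re.compile(r"""(?P<ws>\s+)
  |(?P<comment>--[^\n]*|/\*.*?\*/|\#[^\n]*)
  |(?P<lit>'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b|\?)
  |(?P<word>[A-Za-z_][A-Za-z0-9_.]*)
  |(?P<op><>|!=|<=|>=|\|\||[=<>+\-*/%])
  |(?P<punct>[(),;])""", re.VERBOSE | re.DOTALL)

def skeleton(sql):
    """Structural token list: literal values dropped, keywords upper-cased."""
    out, pos = [], 0
    while pos < len(sql):
        m = _TOKEN_RE.match(sql, pos)
        if not m:                       # stray character (e.g. unbalanced quote)
            out.append(("unknown", sql[pos]))
            pos += 1
            continue
        kind, pos = m.lastgroup, m.end()
        if kind == "ws":
            continue
        if kind == "lit":
            out.append(("lit", None))
        elif kind == "word":
            out.append(("word", m.group().upper()))
        else:
            out.append((kind, m.group()))
    return out

def detect_injection(template, runtime_sql):
    """Return (injected, index): index is the first runtime token whose
    structure diverges from the template, or -1 when the shapes match."""
    expected, actual = skeleton(template), skeleton(runtime_sql)
    for i, (e, a) in enumerate(zip(expected, actual)):
        if e != a:
            return True, i
    if len(expected) != len(actual):    # tokens appended, or tail swallowed by a comment
        return True, min(len(expected), len(actual))
    return False, -1

# Hypothetical vulnerable application code: query built by string concatenation.
LOGIN_TEMPLATE = "SELECT id FROM users WHERE name = ? AND pw = ?"
def build_login_query(name, pw):
    return f"SELECT id FROM users WHERE name = '{name}' AND pw = '{pw}'"

if __name__ == "__main__":
    for name, pw in [("alice", "s3cret"), ("alice", "' OR '1'='1"), ("admin'--", "x")]:
        print(detect_injection(LOGIN_TEMPLATE, build_login_query(name, pw)))
```

A benign login matches the template shape exactly, while the two classic injection inputs are flagged at token 12 (appended `OR` clause) and token 8 (the expected `AND` replaced by a comment), which is the position a developer would inspect.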

The detection algorithm discussed in the presentation provides an inherent advantage. It not only detects the SQL, NoSQL, OS command and LDAP injection exploitation by a threat actor but also automatically identifies the vulnerable section of the application code. This automatic identification of the vulnerable part of the code will aid the application developers in patching the code, preventing further exploitation.

Presenters:

  • Abhishek Singh - Prismo Systems
    Abhishek Singh is currently Chief Researcher at Prismo Systems. Prior to joining Prismo Systems, he led threat research and detection R&D at FireEye, Microsoft and Acalvio. He has authored or co-authored 24 patents (issued and pending), 15 research papers and six technical white papers on work covering the architecture of various technologies, such as the virtual machine-based approach to real-time threat analysis, IPS, and technologies to detect threats over the web, in email and at the endpoint. The patents, papers and technical reports also detail novel approaches to detecting malware, vulnerabilities, lateral movement and exploitation techniques, as well as behavioural algorithms, machine learning algorithms, emulators, code similarity and algorithms leveraging deception. @abhishek102938
  • Ramesh Mani - Prismo Systems
    Ramesh Mani is a senior principal architect at Prismo Systems. Prior to joining Prismo Systems, he worked at CA, where he led the design and building of APM agents in multiple languages using byte code instrumentation. He has extensive experience in Java, J2EE and .NET, and led the development of APM, CRM, B2B portal, e-commerce, workflow automation, financial and business systems. His work has resulted in more than 10 patents.
