The growing trend of web applications led to the increase of data exposed through the Internet. In turn, this resulted a growing concern by the software industry to protect sensitive data contained in web applications. This sensitive data can be accessed from unauthorized subjects exploiting some flaws present in the program, that are called vulnerabilities. In this thesis, we focus on one particular vulnerability: Insecure Deserialization. In particular, we apply static analysis to test the source code for the presence of Insecure Deserialization vulnerabilities. The aim of this thesis is to create a benchmark application that evaluates the effectiveness of static security scanners when testing for Insecure Deserialization vulnerabilities. In order to achieve this, we have made an experiment in which we have selected a sample of five static analysis tools and we have analyzed their behavior in relation to seven target web applications, vulnerable to Insecure Deserialization. Thanks to the results of this experiment, we have evaluated the performances of the tools and, learning from them, we have created our own web application vulnerable to Insecure Deserialization, called BenchStress, that deliberately blocks testing techniques. This will be a benchmark for testing the effectiveness of testing tools in detecting Insecure Deserialization Vulnerabilities.
La rapida diffusione delle applicazioni web ha portato all'aumento dei dati esposti via internet. A sua volta, questo ha provocato una crescente preoccupazione da parte dell'industria del software per proteggere i dati sensibili contenuti nelle applicazioni web. Questi dati sensibili possono essere accessibili da soggetti non autorizzati sfruttando alcuni difetti presenti nel programma, che sono chiamati vulnerabilità. In questa tesi, ci concentriamo su una particolare vulnerabilità: la Deserializzazione Insicura. In particolare, applichiamo l'analisi statica per testare la presenza nel codice sorgente della vulnerabilità di deserializzazione insicura. Lo scopo di questa tesi è quello di creare un'applicazione di benchmark che valuti l'efficacia degli scanner di sicurezza statica durante i test per le vulnerabilità di deserializzazione insicura. Per raggiungere questo obiettivo, abbiamo fatto un esperimento in cui abbiamo selezionato un campione di cinque tool di analisi statica e ne abbiamo analizzato il loro comportamento in relazione a sette diverse applicazioni web target vulnerabili alla deserializzazione insicura. Grazie ai risultati di questo esperimento, abbiamo valutato le prestazioni dei tool e, imparando da essi, abbiamo creato la nostra applicazione web vulnerabile alla deserializzazione insicura, chiamata BenchStress, che blocca deliberatamente le tecniche di testing. Questa applicazione sarà un benchmark per testare l'efficacia degli strumenti di test nel rilevare vulnerabilità di deserializzazione insicura.
Evaluating the testability of insecure deserialization vulnerabilities via static analysis
Sabatini, Alessandro
2020/2021
Abstract
The growing trend of web applications led to the increase of data exposed through the Internet. In turn, this resulted a growing concern by the software industry to protect sensitive data contained in web applications. This sensitive data can be accessed from unauthorized subjects exploiting some flaws present in the program, that are called vulnerabilities. In this thesis, we focus on one particular vulnerability: Insecure Deserialization. In particular, we apply static analysis to test the source code for the presence of Insecure Deserialization vulnerabilities. The aim of this thesis is to create a benchmark application that evaluates the effectiveness of static security scanners when testing for Insecure Deserialization vulnerabilities. In order to achieve this, we have made an experiment in which we have selected a sample of five static analysis tools and we have analyzed their behavior in relation to seven target web applications, vulnerable to Insecure Deserialization. Thanks to the results of this experiment, we have evaluated the performances of the tools and, learning from them, we have created our own web application vulnerable to Insecure Deserialization, called BenchStress, that deliberately blocks testing techniques. This will be a benchmark for testing the effectiveness of testing tools in detecting Insecure Deserialization Vulnerabilities.| File | Dimensione | Formato | |
|---|---|---|---|
|
Thesis Sabatini Alessandro.pdf
accessibile in internet per tutti
Descrizione: The growing trend of web applications led to the increase of data exposed through the Internet. In turn, this resulted a growing concern by the software industry to protect sensitive data contained in web applications. This sensitive data can be accessed from unauthorized subjects exploiting some flaws present in the program, that are called vulnerabilities. In this thesis, we focus on one particular vulnerability: Insecure Deserialization. In particular, we apply static analysis to test the source code for the presence of Insecure Deserialization vulnerabilities. The aim of this thesis is to create a benchmark application that evaluates the effectiveness of static security scanners when testing for Insecure Deserialization vulnerabilities. In order to achieve this, we have made an experiment in which we have selected a sample of five static analysis tools and we have analyzed their behavior in relation to seven target web applications, vulnerable to Insecure Deserialization. Thanks to the results of this experiment, we have evaluated the performances of the tools and, learning from them, we have created our own web application vulnerable to Insecure Deserialization, called BenchStress, that deliberately blocks testing techniques. This will be a benchmark for testing the effectiveness of testing tools in detecting Insecure Deserialization Vulnerabilities.
Dimensione
1.86 MB
Formato
Adobe PDF
|
1.86 MB | Adobe PDF | Visualizza/Apri |
I documenti in POLITesi sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
https://hdl.handle.net/10589/187947