You shall not pass: Mitigating SQL Injection Attacks on Legacy Web Applications
SQL injection (SQLi) attacks pose a significant threat to the security of web applications. Existing approaches do not support object-oriented programming, which renders them unable to protect real-world web apps such as WordPress, Joomla, or Drupal against SQLi attacks. We propose a novel hybrid static-dynamic analysis for PHP web applications that limits the database access of each PHP function. Our tool, SQLBlock, reduces the attack surface of the vulnerable PHP functions in a web application to a set of query descriptors that capture the benign functionality of each PHP function. We implement SQLBlock as a plugin for MySQL and PHP. Our approach does not require any modification to the web app. We evaluate SQLBlock on 11 SQLi vulnerabilities in WordPress, Joomla, Drupal, Magento, and their plugins. We demonstrate that SQLBlock successfully prevents all 11 SQLi exploits with negligible performance overhead (i.e., a maximum of 3% on a heavily-loaded web server).
Comment: Accepted in ASIACCS 202
Security Testing: A Survey
Identifying vulnerabilities and ensuring security functionality by security testing is a widely applied measure to evaluate and improve the security of software. Due to the openness of modern software-based systems, applying appropriate security testing techniques is of growing importance and essential to perform effective and efficient security testing. Therefore, an overview of current security testing techniques is of high value both for researchers, to evaluate and refine the techniques, and for practitioners, to apply and disseminate them. This chapter fulfills this need and provides an overview of recent security testing techniques. For this purpose, it first summarizes the required background of testing and security engineering. Then, the basics and recent developments of security testing techniques applied during the secure software development lifecycle, i.e., model-based security testing, code-based testing and static analysis, penetration testing and dynamic analysis, as well as security regression testing, are discussed. Finally, the security testing techniques are illustrated by adopting them for an example three-tiered web-based business application.
Automated repair of internationalization presentation failures in web pages using style similarity clustering and search-based techniques
Internationalization enables companies to reach a global audience by adapting their websites to locale-specific language and content. However, such translations can often introduce Internationalization Presentation Failures (IPFs): distortions in the intended appearance of a website. It is challenging for developers to design websites that can inherently adapt to varying lengths of text from different languages. Debugging and repairing IPFs is complicated by the large number of HTML elements and CSS properties that define a web page's appearance. Tool support is also limited, as existing techniques can only detect IPFs, with the repair remaining a labor-intensive manual task. To address this problem, we propose a search-based technique for automatically repairing IPFs in web applications. Our empirical evaluation showed that our approach was able to successfully resolve 98% of the reported IPFs for 23 real-world web pages. In a user study, participants rated the visual quality of our fixes significantly higher than the unfixed versions.
Negotiating episcopal support in the Merovingian kingdom of Reims (AD 561-75)
Understanding the Role of Wnt Signaling in Schwann Cell Tumors
Faculty Advisor: David Largaespada
Malignant Peripheral Nerve Sheath Tumors (MPNSTs) originate in the Schwann cell and often occur in patients with Neurofibromatosis Type 1 (NF1), but can also form spontaneously (3). NF1 is a genetic disease that occurs in 1 in 3,000 live births and predisposes patients to benign neurofibromas. 10% of NF1 patients will have one of their benign neurofibromas undergo malignant transformation into an MPNST, the leading cause of death in NF1 patients (3). The average survival time of patients with MPNSTs is 21 months, and because the genetic basis of MPNST development is not completely understood, the common treatments for these MPNSTs are surgery and non-specific chemotherapy (3). A current goal in the field is to understand which signaling pathways drive MPNST development and progression, with the hope of discovering novel targeted therapies to improve the treatment of these patients.
This research was supported by the Undergraduate Research Opportunities Program (UROP).
