Amélioration de la sécurité par la conception des logiciels web
Theodoor Scholte

To cite this version: Theodoor Scholte. Amélioration de la sécurité par la conception des logiciels web. Web. Télécom ParisTech, 2012. French.

HAL Id: tel-01225776
https://pastel.archives-ouvertes.fr/tel-01225776
Submitted on 6 Nov 2015

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

The HAL multidisciplinary open archive is intended for the deposit and dissemination of research-level scientific documents, published or not, originating from French or foreign teaching and research institutions and from public or private laboratories.

2012-ENST-024
EDITE - ED 130

ParisTech Doctorate
THESIS
to obtain the degree of Doctor awarded by TELECOM ParisTech
Speciality "Networks and Security"
presented and publicly defended by Theodoor SCHOLTE on 11/5/2012

Securing Web Applications by Design

Thesis advisor: Prof. Engin KIRDA

Jury:
Thorsten HOLZ, Professor, Ruhr-Universität Bochum, Germany, Reviewer
Martin JOHNS, Senior Researcher, SAP AG, Germany, Reviewer
Davide BALZAROTTI, Professor, Institut EURECOM, France, Examiner
Angelos KEROMYTIS, Professor, Columbia University, USA, Examiner
Thorsten STRUFE, Professor, Technische Universität Darmstadt, Germany, Examiner

TELECOM ParisTech, a school of the Institut Télécom and member of ParisTech

Acknowledgements

This dissertation would not have been possible without the support of many people. First, I would like to thank my parents. They have taught and are teaching me every day a lot. They have raised me with a good mixture of strictness and love. I believe that they play an important role in all the good things in my life. I am very grateful to prof. Engin Kirda. It is through his lectures that I have become interested in security. He has been an extraordinary advisor, always available to discuss. After he moved to the United States, he continued to be the person 'next door', always available to help me out. Furthermore, I would like to thank prof. Davide Balzarotti and prof. William Robertson. Completing this dissertation would not have been possible without their continuous support. Thanks to my good friends Jaap, Gerben, Roel, Inge, Luit, Ellen and others I probably forget to mention. Over the years, we have shared and discussed our experiences of the professional working life. More importantly, we had a lot of fun. Although we lived in different parts of Europe, we managed to keep in touch as good friends do. Thanks to my 'local' friends: Claude, Luc, Alessandro, Marco, Leyla, Simone, Gerald and Julia. You have lightened up the years of hard work with activities such as drinking or brewing beer, barbecuing, climbing and skiing. I would like to thank my friends in particular for the moral support as personal life has not always been easy. I would like to thank my colleagues at SAP, in particular Anderson, Gabriel, Henrik, Sylvine, Jean-Christophe, Volkmar and Agnès. Thank you all for your support and creating a good working environment. Thanks to the staff at EURECOM, in particular to Gwenaëlle for helping me and always being there when needed. Finally, thanks to prof. Davide Balzarotti, prof. Thorsten Holz, prof. Angelos Keromytis, prof. Thorsten Strufe and Martin Johns for agreeing to be reporters and examiners.

Contents

1 Introduction 1
  1.1 Motivation 2
  1.2 Research Problems 6
  1.3 Thesis Structure 7
2 Related Work 9
  2.1 Security Studies 9
    2.1.1 Large Scale Vulnerability Analysis 9
    2.1.2 Evolution of Software Vulnerabilities 10
  2.2 Web Application Security Studies 15
  2.3 Mitigating Web Application Vulnerabilities 16
    2.3.1 Attack Prevention 16
    2.3.2 Program Analysis 20
    2.3.3 Black-Box Testing 22
    2.3.4 Security by Construction 23
3 Overview of Web Applications and Vulnerabilities 25
  3.1 Web Applications 25
    3.1.1 Web Browser 26
    3.1.2 Web Server 27
    3.1.3 Communication 28
    3.1.4 Session Management 33
  3.2 Web Vulnerabilities 33
    3.2.1 Input Validation Vulnerabilities 33
    3.2.2 Broken Authentication and Session Management 39
    3.2.3 Broken Access Control and Insecure Direct Object References 42
    3.2.4 Cross-Site Request Forgery 43
4 The Evolution of Input Validation Vulnerabilities in Web Applications 45
  4.1 Methodology 45
    4.1.1 Data Gathering 46
    4.1.2 Vulnerability Classification 47
    4.1.3 The Exploit Data Set 47
  4.2 Analysis of the Vulnerabilities Trends 48
    4.2.1 Attack Sophistication 49
    4.2.2 Application Popularity 54
    4.2.3 Application and Vulnerability Lifetime 56
  4.3 Summary 60
5 Input Validation Mechanisms in Web Applications and Languages 63
  5.1 Data Collection and Methodology 64
    5.1.1 Vulnerability Reports 64
    5.1.2 Attack Vectors 65
  5.2 Analysis 65
    5.2.1 Language Popularity and Reported Vulnerabilities 66
    5.2.2 Language Choice and Input Validation 68
    5.2.3 Typecasting as an Implicit Defense 70
    5.2.4 Input Validation as an Explicit Defense ...
Licence and usage
Free for personal use, attribution required
- Published on Dec 30, 2022
- Category: Literature / Litté...
- Language: French
- File size: 1.6948 MB