API Security Issues

  1. General Status Code Error
  2. Access Control
  3. Injection
  4. XSS

Brief Summary (updated on 10/09/2020)

  1. Papers on web penetration testing are interesting in that they propose several state-machine based tools that help to automate web penetration testing and identify state changes.

  2. Papers on injection are mostly about defense mechanisms that use machine learning or other techniques to filter out malicious traffic. As for attack algorithms, most discuss the algorithm structure rather than payload generation.

  3. Papers on XSS are more novel. Many discuss payload generation and intelligent fuzzing procedures.

  4. XML vulnerabilities are not well discussed in the research domain. One USENIX paper explains XML parser vulnerabilities.

  5. Most of the research papers focus on the black-box situation.

Possible Directions

  1. Survey on API vulnerabilities
  2. A complete tool that covers the identified vulnerabilities in API scanning (based on the stateful tool)
  3. Intelligent fuzzing algorithm (library based + some fuzzing algorithm)
  4. Test the proposed solution against other traditional tools.

Papers

General Web Penetration

  1. Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner: https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final225.pdf

    This is a state-machine based web vulnerability scanner that focuses on fuzzing. The authors used the w3af fuzzing plugin, so no novel fuzzing methods are provided.

  2. Vulnerability Assessment and Penetration Testing of Web Application: https://ieeexplore.ieee.org.remotexs.ntu.edu.sg/stamp/stamp.jsp?tp=&arnumber=8463920

    A summary of common checkpoints in web application vulnerability assessment and penetration testing. Similar to other survey papers, a brief summary is provided but no novel methods.

SQL Injection

  1. SQL Injection is Still Alive: A Study on SQL Injection Signature Evasion Techniques: https://ieeexplore.ieee.org.remotexs.ntu.edu.sg/stamp/stamp.jsp?tp=&arnumber=6702821

    Some encoding bypass techniques. Very common and basic techniques in the pentest domain. Reading this paper is a waste of time.

  2. Research on SQL Injection Attack and Prevention Technology Based on Web: https://ieeexplore.ieee.org.remotexs.ntu.edu.sg/stamp/stamp.jsp?tp=&arnumber=8912016

    A paper covering the common SQL injection types. These are already well implemented in all kinds of SQL injection toolsets.

  3. A taxonomy of SQL Injection Attacks: https://ieeexplore.ieee.org.remotexs.ntu.edu.sg/stamp/stamp.jsp?tp=&arnumber=6702822

    Another research paper introducing the common SQL injection techniques.

  4. Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications: https://link.springer.com.remotexs.ntu.edu.sg/content/pdf/10.1007/s10207-016-0359-4.pdf

    An interesting paper discussing the methodologies of XQuery injection in web apps. Unfortunately, no novel injection payload generation methods are described.

XSS

  1. L-WMxD: Lexical based Webmail XSS Discoverer: https://ieeexplore.ieee.org.remotexs.ntu.edu.sg/stamp/stamp.jsp?tp=&arnumber=5928954

    Black-box XSS detection with a payload generation algorithm.

  2. ETSSDetector: a tool to automatically detect CrossSite Scripting vulnerabilities: https://ieeexplore.ieee.org.remotexs.ntu.edu.sg/stamp/stamp.jsp?tp=&arnumber=6924244

    The experiment is not really clear or sound. No payload generation algorithms are mentioned.

XXE

  1. SoK: XML Parser Vulnerabilities: https://www.usenix.org/system/files/conference/woot16/woot16-paper-spath.pdf

    Explains the basics of XML External Entities (XXE).

Industrial Tools

w3af, skipfish

Top Security Conferences Paper Reading

Ideas:

Penetration testing = vulnerability discovery + consequence analysis + exploit development

Web vulnerability assessment = vulnerability discovery

  1. Pentesting Tool: example: CCS19_IoT_Penetration_Testing_Tool
  2. Vulnerability discovery / vulnerability assessment