Events — Colloquia & Seminars

Detecting and Preventing Attacks Against Web Applications

Speaker: William Robertson, University of California, Santa Barbara

Date: Friday, April 17, 2009

Talk: 11:30 AM, 366 WVH

Abstract

During the last decade, web applications have become an extremely popular method of providing a diverse array of services to users. Unfortunately, web applications have been found to contain large numbers of vulnerabilities, most notably -- but in no way limited to -- cross-site scripting (XSS) and SQL injection. Consequently, web applications have also become a favored target of cyber-criminals, who leverage web application vulnerabilities to steal sensitive information or host malicious software. In the absence of mitigating improvements in security, this trend is expected to continue as web applications increase in complexity and, accordingly, in attack surface.

In this talk, I will approach the problem of securing web applications from two complementary angles. First, I will present my work on the anomaly-based detection of attacks against web applications, an effective black-box technique for protecting existing web applications. In this context, I will discuss webanomaly, a tool that incorporates online unsupervised machine learning techniques to automatically characterize the normal behavior of web applications in order to detect and prevent a variety of attacks against both web servers and clients. Then, I will present recent work on developing next-generation web application frameworks that are free of common classes of vulnerabilities by construction. In particular, I will discuss a language-based approach to statically preventing the introduction of cross-site scripting and SQL injection vulnerabilities in web applications.
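The first half of the abstract describes a black-box, unsupervised approach: learn what normal requests to each page look like and flag anything that deviates, without needing the application's source. The following is an added illustration of that idea written for this page; it is not webanomaly's code and does not claim to reproduce its models. The training traffic, the two per-parameter models (a length model scored with Chebyshev's inequality and a character-class distribution with Laplace smoothing), the class names and the 0.2 threshold are all assumptions chosen for the example.

```python
import math
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed benign traffic for training (assumption: a product-search page).
# Unsupervised: the detector never sees an attack, it only learns "normal".
BENIGN_REQUESTS = [
    "/search?q=laptop&page=1",
    "/search?q=usb+cable&page=2",
    "/search?q=monitor+27+inch&page=1",
    "/search?q=keyboard&page=3",
    "/search?q=wireless+mouse&page=1",
    "/search?q=headphones&page=2",
    "/search?q=ssd+1tb&page=1",
    "/search?q=hdmi&page=4",
]

CHAR_CLASSES = ("lower", "upper", "digit", "space", "other")


def char_class(c):
    """Map a character to a coarse class so the model generalizes across words."""
    if c.islower():
        return "lower"
    if c.isupper():
        return "upper"
    if c.isdigit():
        return "digit"
    if c.isspace():
        return "space"
    return "other"


class ParamModel:
    """Profile of one (path, parameter) pair learned from benign values only."""

    def __init__(self):
        self.lengths = []
        self.class_counts = Counter()

    def train(self, value):
        self.lengths.append(len(value))
        self.class_counts.update(char_class(c) for c in value)

    def length_score(self, value):
        # Chebyshev: P(|X - mean| >= d) <= var / d^2, so a value much longer than
        # anything in training gets a small score. Shorter is never suspicious here.
        n = len(self.lengths)
        mean = sum(self.lengths) / n
        var = sum((l - mean) ** 2 for l in self.lengths) / n
        d = len(value) - mean
        if d <= 0:
            return 1.0
        return min(1.0, var / (d * d)) if var > 0 else 0.0

    def class_score(self, value):
        # Geometric mean of per-character class probabilities. Laplace smoothing makes
        # a class never seen in training (quotes, angle brackets) rare, not impossible.
        if not value:
            return 1.0
        total = sum(self.class_counts.values()) + len(CHAR_CLASSES)
        log_p = sum(math.log((self.class_counts[char_class(c)] + 1) / total) for c in value)
        return math.exp(log_p / len(value))

    def score(self, value):
        return min(self.length_score(value), self.class_score(value))


class WebAnomalyDetector:
    """Black-box detector: trains on request URLs, needs no application source."""

    def __init__(self, threshold=0.2):
        self.threshold = threshold
        self.models = defaultdict(ParamModel)
        self.known_params = defaultdict(set)

    @staticmethod
    def _parse(request):
        parts = urlsplit(request)
        return parts.path, parse_qsl(parts.query, keep_blank_values=True)

    def train(self, requests):
        for request in requests:
            path, params = self._parse(request)
            for name, value in params:
                self.models[(path, name)].train(value)
                self.known_params[path].add(name)

    def score(self, request):
        """Return (score in [0, 1], reason); low scores are anomalous."""
        path, params = self._parse(request)
        if path not in self.known_params:
            return 0.0, "unknown path"
        worst, reason = 1.0, "normal"
        for name, value in params:
            if name not in self.known_params[path]:
                return 0.0, "unknown parameter %r" % name
            s = self.models[(path, name)].score(value)
            if s < worst:
                worst, reason = s, "parameter %r" % name
        return worst, reason

    def is_anomalous(self, request):
        return self.score(request)[0] < self.threshold


def build_detector():
    det = WebAnomalyDetector()
    det.train(BENIGN_REQUESTS)
    return det


if __name__ == "__main__":
    det = build_detector()
    for r in ("/search?q=tablet&page=2",
              "/search?q=laptop%27+OR+1%3D1--&page=1",
              "/search?q=%3Cscript%3Ealert(1)%3C/script%3E&page=1",
              "/search?q=laptop&debug=1",
              "/search?q=LED+TV+55%22&page=1"):
        print("%-55s anomalous=%s %s" % (r, det.is_anomalous(r), det.score(r)))
```

The SQL injection and XSS payloads score low on both models (unusual length, and quote, equals, angle-bracket and uppercase characters the training set never contained), and an undeclared parameter or path scores zero outright. The last request shows the caveat that matters in practice: a legitimate query in uppercase with a quote character is also flagged, because the constructed training set had no uppercase letters at all. Anomaly detectors are only as good as the coverage of the benign traffic they learn from, which is why real systems such as the one in the talk train on substantial production traffic and tune per-model thresholds rather than a single global one.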

Brief Biography

William Robertson is a Ph.D. Candidate at the University of California, Santa Barbara, and is co-advised by Dick Kemmerer and Giovanni Vigna. His research interests include web application security, intrusion detection, malware analysis, and electronic voting systems. He was a Red Team member in both the California TTBR and Ohio EVEREST reviews of electronic voting systems, and discovered critical vulnerabilities in the iVotronic and ES voting systems. He was also a co-founder of WebWise Security, Inc., a Santa Barbara-based security consulting firm that provides penetration testing and source code auditing services to clients worldwide.