Catch me if you can: detection of injection exploitation by validating query and API integrity

Thursday 3 October 11:00 - 11:30, Red room

Abhishek Singh (Prismo Systems)
Ramesh Mani (Prismo Systems)

Injection flaws remain one of the top risks in the OWASP Top 10 web application security risks and have ranked as the number one web application vulnerability for a decade. Injection flaws include SQL, NoSQL, OS command and LDAP injection. Threat actor groups such as Axiom and Magic Hound have been observed using SQL injection to gain access to systems. The research community has extensively discussed the exploitation details of SQL, NoSQL, OS command and LDAP injection. In this presentation, we do not plan to spend time explaining once again what these exploits are. Instead, the talk will dive into the technical details of novel detection algorithms for SQL, NoSQL, LDAP and OS command injection exploits.

Our algorithms for detecting SQL, NoSQL, OS command and LDAP injection exploitation leverage code flow analysis. An injection exploit adds attacker-supplied code to the statement the application issues, so the code the application executes no longer matches the legitimate code the developer wrote. The algorithm uses the abstract syntax tree (AST), the program dependency graph (PDG) and the SQL parse tree to compute the changes that an injection exploit introduces into the original code. In the presentation, we will take an example each of SQL, NoSQL, OS command and LDAP injection and show the changes in the AST, PDG and SQL parse tree that the exploits cause. These changes in the code are the fundamental principle behind the detection algorithms for SQL, NoSQL, OS command and LDAP injection, which will be discussed in the subsequent part of the presentation.

The detection algorithm discussed in the presentation has an inherent advantage: it not only detects SQL, NoSQL, OS command and LDAP injection exploitation by a threat actor but also automatically identifies the vulnerable section of the application code. This automatic identification of the vulnerable code aids application developers in patching it, preventing further exploitation.

Abhishek Singh

Abhishek is currently Chief Researcher at Prismo Systems. Prior to joining Prismo Systems, he led threat research and detection R&D at FireEye, Microsoft and Acalvio. He has authored or co-authored 24 patents (issued and pending), 15 research papers and six technical white papers on the architecture of technologies such as the virtual machine-based approach to real-time threat analysis, IPS, and technologies to detect threats over the web, in email and at the endpoint. The patents, papers and technical reports also detail novel approaches to detecting malware, vulnerabilities, lateral movement and exploitation techniques, as well as behavioural algorithms, machine learning algorithms, emulators, code similarity and algorithms leveraging deception.

Ramesh Mani

Ramesh Mani is a senior principal architect at Prismo Systems. Prior to joining Prismo Systems, he worked at CA, where he led the design and building of APM agents in multiple languages using bytecode instrumentation. He has extensive experience in Java, J2EE and .NET, and has led the development of APM, CRM, B2B portal, e-commerce, workflow automation, financial and business systems. His work has resulted in more than 10 patents.
