AppSecUSA 2012 has ended
Thursday, October 25 • 4:00pm - 4:45pm
Static Analysis of Java Class Files for Quickly and Accurately Detecting Web-Language Encoding Methods

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Attacks such as Cross-Site Scripting, HTTP header injection, and SQL injection take advantage of weaknesses in the way some web applications handle incoming character strings. One technique for defending against injection vulnerabilities is to sanitize untrusted strings using encoding methods. These methods convert the reserved characters in a string to an inert representation which prevents unwanted side effects. However, encoding methods which are insufficiently thorough or improperly integrated into applications can pose a significant security risk. This paper will outline an algorithm for identifying encoding methods through automated analysis of Java bytecode. The approach combines an efficient heuristic search with selective rebuilding and execution of likely candidates. This combination provides a scalable and accurate technique for identifying and profiling code that could constitute a serious weakness in an application.

avatar for Alex Emsellem

Alex Emsellem

Intern Software Engineer, Aspect Security
Currently pursuing a bachelor's degree in Computer Science. I'm primarily focused on software reverse engineering and exploitation. Around ten years ago I found my first vulnerability in a web application, and remember it vividly. I live for innovative ideas and the cutting-edge... Read More →

Thursday October 25, 2012 4:00pm - 4:45pm CDT
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

Attendees (0)