ASU Electronic Theses and Dissertations
This collection includes most of the ASU Theses and Dissertations from 2011 to present. ASU Theses and Dissertations are available in downloadable PDF format; however, a small percentage of items are under embargo. Information about the dissertations/theses includes degree information, committee members, an abstract, supporting data or media.
In addition to the electronic theses found in the ASU Digital Repository, ASU Theses and Dissertations can be found in the ASU Library Catalog.
Dissertations and Theses granted by Arizona State University are archived and made available through a joint effort of the ASU Graduate College and the ASU Libraries. For more information or questions about this collection contact or visit the Digital Repository ETD Library Guide or contact the ASU Graduate College at gradformat@asu.edu.
Filtering by
- All Subjects: Black-Box
- Creators: Doupe, Adam
and developers use automated vulnerability analysis tools, also known as
scanners, to automatically find vulnerabilities in their web applications during development.
Scanners have traditionally fallen into two types of approaches: black-box
and white-box. In the black-box approaches, the scanner does not have access to the
source code of the web application whereas a white-box approach has access to the
source code. Today’s state-of-the-art black-box vulnerability scanners employ various
methods to fuzz and detect vulnerabilities in a web application. However, these
scanners attempt to fuzz the web application with a number of known payloads and
to try to trigger a vulnerability. This technique is simple but does not understand
the web application that it is testing. This thesis, presents a new approach to vulnerability
analysis. The vulnerability analysis module presented uses a novel approach
of Inductive Reverse Engineering (IRE) to understand and model the web application.
IRE first attempts to understand the behavior of the web application by giving
certain number of input/output pairs to the web application. Then, the IRE module
hypothesizes a set of programs (in a limited language specific to web applications,
called AWL) that satisfy the input/output pairs. These hypotheses takes the form of
a directed acyclic graph (DAG). AWL vulnerability analysis module can then attempt
to detect vulnerabilities in this DAG. Further, it generates the payload based on the
DAG, and therefore this payload will be a precise payload to trigger the potential vulnerability
(based on our understanding of the program). It then tests this potential
vulnerability using the generated payload on the actual web application, and creates
a verification procedure to see if the potential vulnerability is actually vulnerable,
based on the web application’s response.