The world wide web is an essential part of our infrastructure and a
predominant means for people to interact, do business, and participate in
democratic processes.
Unfortunately, in recent years, the web has also become a more
dangerous place. In fact, web-based attacks are now a prevalent and serious
threat. These attacks target both web applications, which store sensitive
data (such as financial and personal records) and are trusted by large user
bases, and web clients, which, after a compromise, can be mined for private
data or used as drones of a botnet.
In this talk, we will present an overview of our techniques to detect,
analyze, and mitigate malicious activity on the web.
In particular, I will present a system, called Wepawet, which targets the
problem of detecting web pages that launch drive-by-download attacks
against their visitors. Wepawet visits web pages with an instrumented
browser and records events that occur during the interpretation of their
HTML and JavaScript code. This observed activity is analyzed using anomaly
detection techniques to classify web pages as benign or malicious. We made
our tool available as an online service, which is currently used by several
thousand users every month.
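The paragraph above describes the Wepawet pipeline in three steps: record events while an instrumented browser interprets a page, turn the recording into features, and classify by comparing against a profile of benign behaviour. The following is an added illustration of that idea, written for this page; it is not Wepawet's code, and the event traces, feature names and threshold are constructed for the example. A benign profile (mean and spread of each feature) is learned from benign traces, and a page is scored by how far its features lie above that profile; an unusually long `eval` argument, which is how heavily obfuscated scripts typically show up, dominates the score.

```python
"""Toy anomaly-detection classifier over instrumented-browser event traces.

Added illustration for this abstract, not Wepawet's own code. The traces below
are constructed samples, not captured data; the feature set and threshold are
assumptions made for the example.
"""
from statistics import mean, pstdev

# Per-page features derived from the recorded events (assumed feature set).
FEATURES = ("eval_calls", "max_eval_arg_len", "doc_write_calls", "iframes", "redirects")


def extract_features(trace):
    """Aggregate a list of recorded events into one numeric feature vector."""
    f = dict.fromkeys(FEATURES, 0)
    for ev in trace:
        kind = ev["type"]
        if kind == "eval":
            f["eval_calls"] += 1
            f["max_eval_arg_len"] = max(f["max_eval_arg_len"], ev.get("arg_len", 0))
        elif kind == "document.write":
            f["doc_write_calls"] += 1
        elif kind == "iframe":
            f["iframes"] += 1
        elif kind == "redirect":
            f["redirects"] += 1
    return f


def build_profile(benign_traces):
    """Learn (mean, spread) per feature from traces known to be benign.

    The spread is floored at 1.0 so a feature that is constant in the training
    set does not produce a division by zero or an infinite score.
    """
    vectors = [extract_features(t) for t in benign_traces]
    profile = {}
    for name in FEATURES:
        values = [v[name] for v in vectors]
        profile[name] = (mean(values), max(pstdev(values), 1.0))
    return profile


def anomaly_score(profile, trace):
    """Sum of positive z-scores: only activity *above* the benign norm counts."""
    f = extract_features(trace)
    score = 0.0
    for name, (mu, sigma) in profile.items():
        z = (f[name] - mu) / sigma
        if z > 0:
            score += z
    return score


def classify(profile, trace, threshold=6.0):
    """Label a page by thresholding its anomaly score (threshold is assumed)."""
    return "malicious" if anomaly_score(profile, trace) > threshold else "benign"


# Constructed benign traces: small evals, a few document.write calls, at most
# one frame or redirect per page.
BENIGN_TRACES = [
    [{"type": "eval", "arg_len": 30}, {"type": "eval", "arg_len": 50},
     {"type": "document.write"}],
    [{"type": "eval", "arg_len": 20}, {"type": "document.write"},
     {"type": "document.write"}, {"type": "iframe"}],
    [{"type": "document.write"}, {"type": "redirect"}],
    [{"type": "eval", "arg_len": 60}, {"type": "eval", "arg_len": 40},
     {"type": "eval", "arg_len": 10}],
]

# Constructed trace resembling a drive-by page: a very large eval argument
# (obfuscated payload), extra frames and a redirect chain.
SUSPICIOUS_TRACE = [
    {"type": "eval", "arg_len": 8000}, {"type": "eval", "arg_len": 200},
    {"type": "eval", "arg_len": 150}, {"type": "document.write"},
    {"type": "document.write"}, {"type": "document.write"},
    {"type": "iframe"}, {"type": "iframe"},
    {"type": "redirect"}, {"type": "redirect"},
]

# Constructed trace of an ordinary page used as a held-out benign check.
ORDINARY_TRACE = [{"type": "eval", "arg_len": 25}, {"type": "document.write"}]

PROFILE = build_profile(BENIGN_TRACES)

if __name__ == "__main__":
    for label, trace in (("ordinary", ORDINARY_TRACE), ("suspicious", SUSPICIOUS_TRACE)):
        print(label, round(anomaly_score(PROFILE, trace), 1), classify(PROFILE, trace))
```

Two design points carry over from the abstract's description: the profile is built only from benign pages, so no attack samples are needed and unseen attack variants still stand out; and the score is one-sided, because a page doing *less* than usual is not evidence of an attack. In a real deployment the feature set is much richer and the threshold is tuned against the false-positive rate on a benign corpus.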
We will also discuss techniques to automatically detect vulnerabilities and
attacks against web applications. In particular, we will focus on static
analysis techniques to identify ineffective sanitization routines and to
detect vulnerabilities stemming from the interaction of multiple modules of
a web application. These techniques found tens of vulnerabilities in
several real-world web applications.