Locality-Sensitive hashing for efficientweb application security testing

Ilan Ben-Bassat; Erez Rokah

doi:10.5220/0007255301930204

Locality-Sensitive hashing for efficientweb application security testing

Ilan Ben-Bassat, Erez Rokah

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Web application security has become a major concern in recent years, as more and more content and services are available online. A useful method for identifying security vulnerabilities is black-box testing, which relies on an automated crawling of web applications. However, crawling Rich Internet Applications (RIAs) is a very challenging task. One of the key obstacles crawlers face is the state similarity problem: How to determine if two client-side states are equivalent. As current methods do not completely solve this problem, a successful scan of many real-world RIAs is still not possible. We present a novel approach to detect redundant content for security testing purposes. The algorithm applies locality-sensitive hashing using MinHash sketches in order to analyze the Document Object Model (DOM) structure of web pages, and to efficiently estimate similarity between them. Our experimental results show that this approach allows a successful scan of RIAs that cannot be crawled otherwise.

Original language	English
Title of host publication	ICISSP 2019 - Proceedings of the 5th International Conference on Information Systems Security and Privacy
Editors	Paolo Mori, Steven Furnell, Olivier Camp
Publisher	SciTePress
Pages	193-204
Number of pages	12
ISBN (Electronic)	9789897583599
DOIs	https://doi.org/10.5220/0007255301930204
State	Published - 2019
Event	5th International Conference on Information Systems Security and Privacy, ICISSP 2019 - Prague, Czech Republic Duration: 23 Feb 2019 → 25 Feb 2019

Publication series

Name	ICISSP 2019 - Proceedings of the 5th International Conference on Information Systems Security and Privacy

Conference

Conference	5th International Conference on Information Systems Security and Privacy, ICISSP 2019
Country/Territory	Czech Republic
City	Prague
Period	23/02/19 → 25/02/19

Keywords

Automated Crawling
DOM Similarity
Locality-Sensitive Hashing
MinHash
Rich Internet Applications
Security Testing

Access to Document

10.5220/0007255301930204

Cite this

Ben-Bassat, I., & Rokah, E. (2019). Locality-Sensitive hashing for efficientweb application security testing. In P. Mori, S. Furnell, & O. Camp (Eds.), ICISSP 2019 - Proceedings of the 5th International Conference on Information Systems Security and Privacy (pp. 193-204). (ICISSP 2019 - Proceedings of the 5th International Conference on Information Systems Security and Privacy). SciTePress. https://doi.org/10.5220/0007255301930204

Ben-Bassat, Ilan ; Rokah, Erez. / Locality-Sensitive hashing for efficientweb application security testing. ICISSP 2019 - Proceedings of the 5th International Conference on Information Systems Security and Privacy. editor / Paolo Mori ; Steven Furnell ; Olivier Camp. SciTePress, 2019. pp. 193-204 (ICISSP 2019 - Proceedings of the 5th International Conference on Information Systems Security and Privacy).

@inproceedings{37085605e89a49528b9646ecdcbc6a28,

title = "Locality-Sensitive hashing for efficientweb application security testing",

abstract = "Web application security has become a major concern in recent years, as more and more content and services are available online. A useful method for identifying security vulnerabilities is black-box testing, which relies on an automated crawling of web applications. However, crawling Rich Internet Applications (RIAs) is a very challenging task. One of the key obstacles crawlers face is the state similarity problem: How to determine if two client-side states are equivalent. As current methods do not completely solve this problem, a successful scan of many real-world RIAs is still not possible. We present a novel approach to detect redundant content for security testing purposes. The algorithm applies locality-sensitive hashing using MinHash sketches in order to analyze the Document Object Model (DOM) structure of web pages, and to efficiently estimate similarity between them. Our experimental results show that this approach allows a successful scan of RIAs that cannot be crawled otherwise.",

keywords = "Automated Crawling, DOM Similarity, Locality-Sensitive Hashing, MinHash, Rich Internet Applications, Security Testing",

author = "Ilan Ben-Bassat and Erez Rokah",

note = "Publisher Copyright: {\textcopyright} 2019 by SCITEPRESS - Science and Technology Publications, Lda.; null ; Conference date: 23-02-2019 Through 25-02-2019",

year = "2019",

doi = "10.5220/0007255301930204",

language = "אנגלית",

series = "ICISSP 2019 - Proceedings of the 5th International Conference on Information Systems Security and Privacy",

publisher = "SciTePress",

pages = "193--204",

editor = "Paolo Mori and Steven Furnell and Olivier Camp",

booktitle = "ICISSP 2019 - Proceedings of the 5th International Conference on Information Systems Security and Privacy",

}

Ben-Bassat, I & Rokah, E 2019, Locality-Sensitive hashing for efficientweb application security testing. in P Mori, S Furnell & O Camp (eds), ICISSP 2019 - Proceedings of the 5th International Conference on Information Systems Security and Privacy. ICISSP 2019 - Proceedings of the 5th International Conference on Information Systems Security and Privacy, SciTePress, pp. 193-204, 5th International Conference on Information Systems Security and Privacy, ICISSP 2019, Prague, Czech Republic, 23/02/19. https://doi.org/10.5220/0007255301930204

Locality-Sensitive hashing for efficientweb application security testing. / Ben-Bassat, Ilan; Rokah, Erez.

ICISSP 2019 - Proceedings of the 5th International Conference on Information Systems Security and Privacy. ed. / Paolo Mori; Steven Furnell; Olivier Camp. SciTePress, 2019. p. 193-204 (ICISSP 2019 - Proceedings of the 5th International Conference on Information Systems Security and Privacy).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Locality-Sensitive hashing for efficientweb application security testing

AU - Ben-Bassat, Ilan

AU - Rokah, Erez

PY - 2019

Y1 - 2019

N2 - Web application security has become a major concern in recent years, as more and more content and services are available online. A useful method for identifying security vulnerabilities is black-box testing, which relies on an automated crawling of web applications. However, crawling Rich Internet Applications (RIAs) is a very challenging task. One of the key obstacles crawlers face is the state similarity problem: How to determine if two client-side states are equivalent. As current methods do not completely solve this problem, a successful scan of many real-world RIAs is still not possible. We present a novel approach to detect redundant content for security testing purposes. The algorithm applies locality-sensitive hashing using MinHash sketches in order to analyze the Document Object Model (DOM) structure of web pages, and to efficiently estimate similarity between them. Our experimental results show that this approach allows a successful scan of RIAs that cannot be crawled otherwise.

AB - Web application security has become a major concern in recent years, as more and more content and services are available online. A useful method for identifying security vulnerabilities is black-box testing, which relies on an automated crawling of web applications. However, crawling Rich Internet Applications (RIAs) is a very challenging task. One of the key obstacles crawlers face is the state similarity problem: How to determine if two client-side states are equivalent. As current methods do not completely solve this problem, a successful scan of many real-world RIAs is still not possible. We present a novel approach to detect redundant content for security testing purposes. The algorithm applies locality-sensitive hashing using MinHash sketches in order to analyze the Document Object Model (DOM) structure of web pages, and to efficiently estimate similarity between them. Our experimental results show that this approach allows a successful scan of RIAs that cannot be crawled otherwise.

KW - Automated Crawling

KW - DOM Similarity

KW - Locality-Sensitive Hashing

KW - MinHash

KW - Rich Internet Applications

KW - Security Testing

UR - http://www.scopus.com/inward/record.url?scp=85064654682&partnerID=8YFLogxK

U2 - 10.5220/0007255301930204

DO - 10.5220/0007255301930204

M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???

AN - SCOPUS:85064654682

T3 - ICISSP 2019 - Proceedings of the 5th International Conference on Information Systems Security and Privacy

SP - 193

EP - 204

BT - ICISSP 2019 - Proceedings of the 5th International Conference on Information Systems Security and Privacy

A2 - Mori, Paolo

A2 - Furnell, Steven

A2 - Camp, Olivier

PB - SciTePress

Y2 - 23 February 2019 through 25 February 2019

ER -

Ben-Bassat I, Rokah E. Locality-Sensitive hashing for efficientweb application security testing. In Mori P, Furnell S, Camp O, editors, ICISSP 2019 - Proceedings of the 5th International Conference on Information Systems Security and Privacy. SciTePress. 2019. p. 193-204. (ICISSP 2019 - Proceedings of the 5th International Conference on Information Systems Security and Privacy). https://doi.org/10.5220/0007255301930204

Locality-Sensitive hashing for efficientweb application security testing

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this