| Name | Description | Size | Format |
|---|---|---|---|
| | | 2.39 MB | Adobe PDF |
Authors
Advisor(s)
Abstract(s)
Nowadays, plenty of PHP applications are still affected by vulnerabilities such as SQL Injection
(SQLi) and Cross-Site Scripting (XSS), which can cause data loss and theft of user credentials
if successfully exploited. One way to minimize this issue is by hiding vulnerabilities with code
obfuscation. However, this technique is not ideal, since obfuscation is always reversible to an extent,
either by human analysis or by static analysis tools.

This dissertation presents a novel way to mitigate vulnerabilities in PHP applications by
obfuscating the source code using text steganography. To achieve this, we developed StegaObfuscator,
a new tool that uses the novel Steganographic Obfuscation algorithm, based on a text-to-text
steganographic technique. StegaObfuscator supports obfuscating code in two distinct ways, each
applying the algorithm differently: (1) modifying the original PHP file by
manipulating its Abstract Syntax Tree (AST) or (2) generating a cover text in the form of PHP code,
containing the original code, with the help of a grammar that generates AST nodes.

We evaluated the StegaObfuscator tool with a large dataset of PHP files. The results demonstrated
that the tool is effective, since it successfully hides vulnerabilities in the original source code, the
deobfuscation process is robust, the obfuscated code has a very low similarity with the original code,
and human deobfuscation is not trivial. As a disadvantage, the file size of the obfuscated code increases.
However, this increase can be minimized by packing (i.e., compressing) the code after obfuscation.
Description
Master's thesis, Informatics Engineering, 2024, Universidade de Lisboa, Faculdade de Ciências
Keywords
web application vulnerabilities; code obfuscation; text steganography; static code analysis; software privacy; Master's theses - 2024
