{"id":17355,"date":"2020-01-06T10:52:18","date_gmt":"2020-01-06T18:52:18","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/01\/06\/news-11091\/"},"modified":"2020-01-06T10:52:18","modified_gmt":"2020-01-06T18:52:18","slug":"news-11091","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/01\/06\/news-11091\/","title":{"rendered":"VB2019 paper: Catch me if you can: detection of injection exploitation by validating query and API integrity"},"content":{"rendered":"<p>Any web app that relies on some kind of user input is potentially vulnerable to some kind of command injection, be it MySQL, NoSQL or OS command injection. Indeed, OWASP lists this as one of the topmost security risks.<\/p>\n<p>In a paper presented at VB2019 in London, <em>Prismo Systems<\/em> researchers Abhishek Singh and Ramesh Mani discussed code injection vulnerabilities and presented a tool that could detect this vulnerability class.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" style=\"display: block; margin-left: auto; margin-right: auto;\" src=\"https:\/\/www.virusbulletin.com\/files\/cache\/2140f35805ea39639659f0b79e4f43fd_f3962.png\" alt=\"Figure3.0.png\" width=\"500\" height=\"329\" \/><span class=\"centered-caption\">Dynamic call graph with OS command injection exploit.<\/span><\/p>\n<p>Today we publish Abhishek and Ramesh&#8217;s paper in both <a title=\"VB2019 paper: Catch me if you can: detection of injection exploitation by validating query and API integrity\" href=\"https:\/\/www.virusbulletin.com\/virusbulletin\/2020\/01\/vb2019-paper-catch-me-if-you-can-detection-injection-exploitation-validating-query-and-api-integrity\/\">HTML<\/a> and <a href=\"https:\/\/www.virusbulletin.com\/uploads\/pdf\/magazine\/2019\/VB2019-Singh-Mani.pdf\" target=\"_blank\">PDF <\/a>format. 
We have also uploaded the recording of their presentation at VB2019 in London to our <em>YouTube<\/em> channel.<\/p>\n<p style=\"text-align: center;\" width=\"100%\" height=\"420\"><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/sx6NnzN35cE\" frameborder=\"0\" width=\"100%\" height=\"420\" style=\"\"> <\/iframe><\/p>\n<p><em>Did you see we have opened the <a title=\"VB2020 call for papers - now open!\" href=\"https:\/\/www.virusbulletin.com\/blog\/2019\/12\/vb2020-call-papers-now-open\/\">Call for Papers<\/a> for VB2020 in Dublin? Submit your abstract before 15 March for a chance to make it onto the programme of one of the most international threat intelligence conferences!<\/em><\/p>\n<p><a href=\"https:\/\/www.virusbulletin.com\/blog\/2020\/01\/vb2019-paper-catch-me-if-you-can-detection-injection-exploitation-validating-query-and-api-integrity\/\" target=\"bwo\" >https:\/\/www.virusbulletin.com\/rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.virusbulletin.com\/files\/cache\/2140f35805ea39639659f0b79e4f43fd_f3962.png\"\/><br \/>In a paper presented at VB2019 in London, Prismo Systems researchers Abhishek Singh and Ramesh Mani discussed code injection vulnerabilities and presented a tool that could detect this vulnerability class. Today we publish their paper and the recording of their presentation.
<\/p>\n<p>                 <a href=\"https:\/\/www.virusbulletin.com\/blog\/2020\/01\/vb2019-paper-catch-me-if-you-can-detection-injection-exploitation-validating-query-and-api-integrity\/\">Read more<\/a>                                <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[23177,10378,23176],"tags":[],"class_list":["post-17355","post","type-post","status-publish","format-standard","hentry","category-magazine","category-security","category-virusbulletin"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17355","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17355"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17355\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17355"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17355"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17355"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}