Presentation is loading. Please wait.

Presentation is loading. Please wait.

ARC: Protecting against HTTP Parameter Pollution Attacks Using Application Request Caches Elias Athanasopoulos, Vassileios P. Kemerlis, Michalis Polychronakis.

Similar presentations


Presentation on theme: "ARC: Protecting against HTTP Parameter Pollution Attacks Using Application Request Caches Elias Athanasopoulos, Vassileios P. Kemerlis, Michalis Polychronakis."— Presentation transcript:

1 ARC: Protecting against HTTP Parameter Pollution Attacks Using Application Request Caches Elias Athanasopoulos, Vassileios P. Kemerlis, Michalis Polychronakis Columbia University (US) Evangelos P. Markatos FORTH-ICS (GREECE) ACNS 2012

2 Web Applications ARC, ACNS 2012Elias Athanasopoulos, Columbia University2 Web Server Web Browser HTTP Request GET login?username=joe HTTP Request GET login?username=joe HTTP Response HTTP OK

3 URLs in HTTP  URL: login?username=joe  Action: login  Parameters: username ARC, ACNS 2012Elias Athanasopoulos, Columbia University3 HTTP Request GET login?username=joe HTTP Request GET login?username=joe

4 Example: Web ARC, ACNS 2012Elias Athanasopoulos, Columbia University4 Login Read Delete Delete mailbox Logout login?username=joe action?type=read&id=42 action?type=delete&id=42 action?type=del_box&id=inbox logout?username=joe

5 Are all URLs valid? ARC, ACNS 2012Elias Athanasopoulos, Columbia University5 login?username=joe&type=delete&id=42 action?type=read&id=42&id=2 action?type=delete&id=2&id=42 action?type=del_box logout?username=joe&type=del_mbox&id=inbox

6 HTTP Parameter Pollution (HPP)  How is this URL interpreted?  Parsing goes from left to right (6 wins)  Parsing goes from right to left (42 wins)  Parsing direction does not matter (6 and 42, or 42 and 6 are concatenated) ARC, ACNS 2012Elias Athanasopoulos, Columbia University6 action?type=read&id=6&id=42 action?type=read&id=6

7 ARC, ACNS 2012Elias Athanasopoulos, Columbia University7

8 URL Space ARC, ACNS 2012Elias Athanasopoulos, Columbia University8 All possible URLs URLs that define Web Application’s Logic Attacker URLs

9 HPP Impact About 1,499 of 5,000 highly ranked in Alexa.com web sites are considered vulnerable to HPP exploitation  Automated discovery of parameter pollution vulnerabilities in web applications. Balduzzi et al., NDSS ARC, ACNS 2012Elias Athanasopoulos, Columbia University9

10 ARC, ACNS 2012Elias Athanasopoulos, Columbia University10

11 Goal ARC, ACNS 2012Elias Athanasopoulos, Columbia University11 All possible URLs URLs that define Web Application’s Logic Attacker URLs We need to serve these We need to block these

12 URL Schema  A URL schema has the form of: action?par1=&par2=...&parN= ARC, ACNS 2012Elias Athanasopoulos, Columbia University12 login=?username=joelogin?username=

13 Architecture  Training phase  Deployment phase ARC, ACNS 2012Elias Athanasopoulos, Columbia University13 Web application Passive Monitoring Collection of Legitimate URL schemas Web application ARC Client HTTP Request

14 Training Phase  Large frameworks (such as phpBB) are developed and tested by a large community  Big applications (like Facebook) test new features in a close environment ARC, ACNS 2012Elias Athanasopoulos, Columbia University14

15 ARC at run-time ARC, ACNS 2012Elias Athanasopoulos, Columbia University15 Web application ARC URL Schemas action?par1=&par2=&…&parN= HTTP Request Valid Schema Exists No Schema Reject Request

16 Implementation  ARC is a web application proxy implemented in Google’s Go  ARC uses Go structures for hash tables and lists, Go channels for multithreading ARC, ACNS 2012Elias Athanasopoulos, Columbia University16

17 Data Structures ARC, ACNS 2012Elias Athanasopoulos, Columbia University17 action type=id= action?type=forward&id=42&to=mark to=

18 ARC, ACNS 2012Elias Athanasopoulos, Columbia University18

19 Synthetic Traces Web AppURLsMin Par.Max Par.Density Small1, Medium10, Heavy100, ARC, ACNS 2012Elias Athanasopoulos, Columbia University19 Density: ratio of unique actions over all possible URL schemas.

20 Trace Selection ARC, ACNS 2012Elias Athanasopoulos, Columbia University20

21 Multithreading  We have implemented two version of ARC  Single Channel  4-Channel ARC, ACNS 2012Elias Athanasopoulos, Columbia University21

22 Request Resolution ARC, ACNS 2012Elias Athanasopoulos, Columbia University22 Requests are resolved in less than 10 microseconds.

23 Throughput ARC, ACNS 2012Elias Athanasopoulos, Columbia University23 Requests can be processed in a rate of hundreds of thousand URLS per second

24 Takeaways  ARC can protect HPP vulnerable applications by keeping a white list of accepted URL schemas  ARC is fast and can be transparently applied to legacy web applications ARC, ACNS 2012Elias Athanasopoulos, Columbia University24

25 ARC, ACNS 2012Elias Athanasopoulos, Columbia University25

26 HTTP Parameter Pollution (HPP)  New attack targeting web applications  HTTP parameters injection  Manipulation of web application’s control flow  Drive a web application according to attacker’s needs ARC, ACNS 2012Elias Athanasopoulos, Columbia University26

27 HPP in a slide  Web applications are driven through HTTP requests and responses, which encapsulate resource descriptors: URLs  URLs are composed by an action and a list of parameters   The list of parameters can be polluted with extra parameters ARC, ACNS 2012Elias Athanasopoulos, Columbia University27

28 URL example  This URL is associated with a script purchase, which is called with input argument item_id which has the value 42 ARC, ACNS 2012Elias Athanasopoulos, Columbia University28 Action: purchase Parameter: item_id=42

29 Attack Scenario: e-store  Two families of URLs: (1) show?category=1 (2) purchase?category=1&item_id=1 ARC, ACNS 2012Elias Athanasopoulos, Columbia University29

30 Normal Operation ARC, ACNS 2012Elias Athanasopoulos, Columbia University30 show?category=1 purchase?item_id=1 purchase?item_id=2 … purchase?item_id=N purchase?item_id=1 purchase?item_id=2 … purchase?item_id=N category=1 + + purchase?item_id=1&category=1 purchase?item_id=2&category=1 … purchase?item_id=N&category=1 purchase?item_id=1&category=1 purchase?item_id=2&category=1 … purchase?item_id=N&category=1

31 Bob attacks  Bob lures Alice to click on links, like: show?category=1%26item_id=42  Channels: IM, fake web pages, , etc. ARC, ACNS 2012Elias Athanasopoulos, Columbia University31

32 HPP in Action ARC, ACNS 2012Elias Athanasopoulos, Columbia University32 show?category= 1%26item_id=42 purchase?item_id=1 purchase?item_id=2 … purchase?item_id=N purchase?item_id=1 purchase?item_id=2 … purchase?item_id=N category=1 %26item_id= purchase?item_id=1&category=1&item_id=42 purchase?item_id=2&category=1&item_id=42 … purchase?item_id=N&category=1&item_id=42 purchase?item_id=1&category=1&item_id=42 purchase?item_id=2&category=1&item_id=42 … purchase?item_id=N&category=1&item_id=42

33 Normal Operation vs HPP ARC, ACNS 2012Elias Athanasopoulos, Columbia University33 purchase?item_id=1&category=1&item_id=42 purchase?item_id=1&category=1

34 ARC, ACNS 2012Elias Athanasopoulos, Columbia University34


Download ppt "ARC: Protecting against HTTP Parameter Pollution Attacks Using Application Request Caches Elias Athanasopoulos, Vassileios P. Kemerlis, Michalis Polychronakis."

Similar presentations


Ads by Google