
SecuBat: An Automated Web Vulnerability Detection Framework. Stefan Kals, Engin Kirda, Christopher Kruegel and Nenad Jovanovic, Secure Systems Lab, Vienna.

Presentation transcript:

Slide 1: SecuBat: An Automated Web Vulnerability Detection Framework
Stefan Kals, Engin Kirda, Christopher Kruegel and Nenad Jovanovic
Secure Systems Lab, Vienna University of Technology, Austria

2006/05/25 SecuBat: An Automated Web Vulnerability Detection Framework, © 2006 Stefan Kals

Slide 2: Outline
- Motivation
- Problem Definition
- Typical Vulnerabilities
- Automated Attack & Analysis Concepts
- SecuBat Implementation
- Related Tools
- Prototype Results
- Findings & Case Study

Slide 3: Motivation
- Rapidly increasing number of web applications
- Developers lack awareness of typical vulnerabilities
- The "Why me?" belief
- Manual vulnerability checking causes a lot of work
- An automated tool would solve these problems and raise the security level

Slide 4: Problem Definition
- Demonstrate how easily an attacker can find soft targets on the web if web vulnerabilities are not fixed
- Implement a crawling engine for collecting potential targets
- Find generic and automatically executable attack techniques for the chosen approaches (SQL Injection, Cross-Site Scripting)
- Find suitable analysis techniques
- Assemble these parts into a pluggable vulnerability analysis and detection framework

Slide 5: Typical Vulnerabilities 1/2 – SQL Injection
- Problem: no input validation before using values to query the database
- Dynamically built SQL query:
    q = "select * from user where mail='" + mail + "' and pw='" + pw + "'"
- Enter values using SQL syntax:
    mail: ' or 1=1--
    password: ' or 1=1--
- Query has changed its semantics:
    q = select * from user where mail='' or 1=1--' and pw='' or 1=1--'
- Resulting query (everything after -- is a comment, so the password check is gone):
    q = select * from user
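As an added example that is not from the SecuBat slides or the authors' code, the concatenated query from the slide is run against a constructed in-memory SQLite table beside the parameterized form that keeps the input as data. The table contents, the row values and the function names are assumptions made for this illustration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory user table (example data, not from the paper)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (mail text, pw text)")
    conn.executemany(
        "insert into user values (?, ?)",
        [("alice@example.test", "s3cret"), ("bob@example.test", "hunter2")],
    )
    return conn


def login_concatenated(conn, mail, pw):
    """The vulnerable pattern from the slide: the query text is built by string
    concatenation, so a quote in the input becomes SQL syntax."""
    q = "select * from user where mail='" + mail + "' and pw='" + pw + "'"
    return q, conn.execute(q).fetchall()


def login_parameterized(conn, mail, pw):
    """The fix: placeholders bind the input as data; the query text never changes."""
    q = "select * from user where mail=? and pw=?"
    return q, conn.execute(q, (mail, pw)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"  # the input from the slide, used for both fields
    q, rows = login_concatenated(db, payload, payload)
    print(q)          # the comment swallows the password check
    print(len(rows))  # every user row is returned
    q, rows = login_parameterized(db, payload, payload)
    print(q)
    print(len(rows))  # no row has that literal mail address
```

With the concatenated version the injected `--` turns the rest of the WHERE clause into a comment and the query degenerates to `select * from user`; the parameterized version compares the literal string `' or 1=1--` against the mail column and matches nothing.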

Slide 6: Typical Vulnerabilities 2/2 – Cross-Site Scripting
- Attacker injects HTML/JavaScript that is displayed and executed in the victim's browser
- Reflected vs. stored XSS
- Stealing of user data (cookies, credentials, ...)
- Example: redirecting a login form to the hacker's web server
- Create exploit URLs and use them for authentic-looking phishing e-mails

Slide 7: Attack & Analysis Concepts 1/4 – General
- Open framework for easily implementing and adding new attacks
- Attack & analysis modules (black box)
- Runtime-configurable plugins
- Common crawling and attacking APIs
- Analysis results stored in a database

Slide 8: Attack & Analysis Concepts 2/4 – SQL Injection
1. Attack module prepares a new attack and sends it to the server (e.g. a single quote as the input value)
2. Server sends back a response page
3. Analysis module parses the response for keywords and builds a summary confidence factor
   Query fragment shown on the slide: q = select * from user where mail=' (the injected single quote leaves the string literal unterminated, which is what makes the database complain)

Slide 9: Attack & Analysis Concepts 3/4 – XSS Attack
1. Attack module prepares a new attack and sends it to the server (e.g. JavaScript that shows a message box)
2. Server sends back a response page
3. Analysis module parses the response, checking for the occurrence of the injected string (and its executability)

Slide 10: Attack & Analysis Concepts 4/4 – Enhanced Attacks
- Enhanced XSS attack
  - Uses decimal HTML encoding to bypass input filters
  - Replaces characters, e.g. ' => &#39;
- Form-redirecting XSS scenario
  - Checks for potential assets (stealable credentials)
  - Uses an encoded injection string that redirects the found login form to the attacker's server
  - Simulates a real XSS attack; does not only check input validation
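The analysis side of slides 8 to 10, as an added example that is not the SecuBat implementation (which is C# and not shown on this page): a keyword-weighted confidence factor for the SQL injection probe, a presence-and-executability check for the XSS probe, and the decimal HTML encoding the enhanced attack uses. The keyword list and weights, the sample response pages and the function names are constructed assumptions; the real tool's keyword set and scoring are not given on the slides.

```python
import html

# Assumed keyword table: fragments that commonly appear in database error pages,
# each with an illustrative weight. Not the paper's list.
SQL_ERROR_KEYWORDS = {
    "sql syntax": 0.5,
    "unclosed quotation mark": 0.5,
    "mysql_fetch": 0.4,
    "odbc": 0.3,
    "syntax error": 0.3,
    "warning:": 0.2,
}


def sql_error_confidence(response_body: str) -> float:
    """Step 3 of slide 8: scan the response page for error keywords and sum
    their weights into a summary confidence factor, capped at 1.0."""
    body = response_body.lower()
    score = sum(w for kw, w in SQL_ERROR_KEYWORDS.items() if kw in body)
    return float(min(score, 1.0))


def decimal_html_encode(s: str) -> str:
    """Slide 10: replace every character by its decimal HTML entity, e.g. ' -> &#39;."""
    return "".join(f"&#{ord(c)};" for c in s)


def xss_reflected(response_body: str, injected: str) -> dict:
    """Step 3 of slide 9: does the injected string come back in the response,
    and does it come back in a form the browser would execute?

    'present'    - the string is there after undoing HTML entities, so the
                   input reached the page (a filter may still have escaped it).
    'executable' - the string is there verbatim, unescaped, so the browser
                   would interpret the markup."""
    verbatim = injected in response_body
    # html.unescape undoes both named (&lt;) and decimal (&#60;) entities,
    # so an escaped reflection counts as present but not executable.
    present = injected in html.unescape(response_body)
    return {"present": present, "executable": verbatim}


# Constructed sample responses standing in for pages a server might return.
RESPONSE_DB_ERROR = (
    "<html><body>Warning: mysql_fetch_array(): You have an error in your "
    "SQL syntax near ''''</body></html>"
)
RESPONSE_OK = "<html><body>Login failed. Please try again.</body></html>"
PROBE = "<script>alert('secubat')</script>"
RESPONSE_XSS_RAW = f"<html><body>Hello {PROBE}</body></html>"
RESPONSE_XSS_ESCAPED = f"<html><body>Hello {html.escape(PROBE)}</body></html>"


if __name__ == "__main__":
    print(sql_error_confidence(RESPONSE_DB_ERROR))   # 1.0
    print(sql_error_confidence(RESPONSE_OK))         # 0.0
    print(xss_reflected(RESPONSE_XSS_RAW, PROBE))    # present and executable
    print(xss_reflected(RESPONSE_XSS_ESCAPED, PROBE))  # present, not executable
    print(decimal_html_encode("'"))                  # &#39;
```

The two XSS outcomes are the distinction slide 9 draws: an escaped reflection shows the input reached the page but was neutralised, while a verbatim reflection is what the form-redirecting scenario on slide 10 would go on to exploit. The confidence factor is deliberately additive so that several weak hints (a PHP warning plus a driver name) can add up to the same verdict as one explicit syntax error.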

Slide 11: SecuBat Implementation 1/2
(no text captured for this slide)

Slide 12: SecuBat Implementation 2/2
- Implementation details
  - C#
  - Data store: MS SQL database
- Requirements
  - MS Windows 2000, XP, 2003
  - MS .NET Framework 2.0
  - MS SQL Server 2000/2005 or MSDE/SQL Express 2005

Slide 13: Related Tools
- Acunetix Web Vulnerability Scanner (commercial)
  + Web server technology detection
  + Application-level attacks: simple SQL injection, XSS
  - Closed source, no papers, no details available to the public
- Nessus, Nikto
  - Rely on repositories of known vulnerabilities
- NMap, Xprobe, ...
  - Port scanners only
  - Network/OS level, no application-level attacks

Slide 14: Prototype Results
- Evaluation run results (Google search for "login"):
  - crawled pages
  - web forms
  - 4 attack types
- Vulnerable forms per attack type:
  - SQL Injection: 6,63%
  - Simple XSS: 4,30%
  - Enhanced XSS: 5,60%
  - Form-Red. XSS: 5,52%

Slide 15: Findings
Critical XSS vulnerabilities (assets):
- eBay (auction access)
- Austrian Finance Ministry (e-government access)
- Geizhals (price management)
- Crit.org (security-associated content)
- Apple (developer access)
- ...

Slide 16: A Case Study – eBay.de Press
URL-encoded injection string (truncated on the slide):
%74%70%3A%2F%2F%70%72%65%73%73%65%2E%65%62%61%79%2E%64%65%2F%26%71%75%6F%74%3B%3E...

Slide 17: Notifications
- Query recipients using the WhoIs service
- 591 mails sent
- 306 recipients unknown
- 48 detail inquiries after 1 week

Slide 18: Conclusion
- Increasing use of web technology needs an increasing security effort
- Rather simple attacks (SQL injection, XSS) but many vulnerable web sites
- An automated detection approach can increase your site's security
- Implementation of an extensible (pluggable) analysis framework (SecuBat)
- First results of a prototype version show proof of concept

Slide 19: The End

