ARC: Protecting against HTTP Parameter Pollution Attacks Using Application Request Caches Elias Athanasopoulos, Vassileios P. Kemerlis, Michalis Polychronakis.

ARC: Protecting against HTTP Parameter Pollution Attacks Using Application Request Caches
Elias Athanasopoulos, Vassileios P. Kemerlis, Michalis Polychronakis, Columbia University (US); Evangelos P. Markatos, FORTH-ICS (Greece)
ACNS 2012

Web Applications (ARC, ACNS 2012, Elias Athanasopoulos, Columbia University)
 Web Browser to Web Server: HTTP Request, GET login?username=joe
 Web Server to Web Browser: HTTP Response, HTTP OK

URLs in HTTP
 URL: login?username=joe
 Action: login
 Parameters: username

Example: Web
 Login: login?username=joe
 Read: action?type=read&id=42
 Delete: action?type=delete&id=42
 Delete mailbox: action?type=del_box&id=inbox
 Logout: logout?username=joe

Are all URLs valid?
 login?username=joe&type=delete&id=42
 action?type=read&id=42&id=2
 action?type=delete&id=2&id=42
 action?type=del_box
 logout?username=joe&type=del_mbox&id=inbox

HTTP Parameter Pollution (HPP)
 How is this URL interpreted? action?type=read&id=6&id=42
 Parsing goes from left to right (6 wins): action?type=read&id=6
 Parsing goes from right to left (42 wins)
 Parsing direction does not matter (6 and 42, or 42 and 6, are concatenated)
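The three interpretations on this slide, worked through as an added Go example (not the authors' code): a small query parser resolves a duplicated parameter under each policy and also reports how many times the name occurred, assuming a simple back end that splits the raw query on & and =.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Policy is how a back end resolves a parameter that appears more than once.
type Policy int

const (
	FirstWins Policy = iota // left-to-right parsing: the first occurrence is kept
	LastWins                // right-to-left parsing: the last occurrence is kept
	ConcatAll               // every occurrence is kept and joined in order
)

// resolve parses rawQuery like a simple back end and returns the value of key under
// policy p, plus how many times key occurred (more than once means the request is ambiguous).
func resolve(rawQuery, key string, p Policy) (value string, count int) {
	var all []string
	for _, pair := range strings.Split(rawQuery, "&") {
		name, val, _ := strings.Cut(pair, "=")
		if name != key {
			continue
		}
		if dec, err := url.QueryUnescape(val); err == nil {
			val = dec
		}
		all = append(all, val)
	}
	switch {
	case len(all) == 0:
		return "", 0
	case p == FirstWins:
		return all[0], len(all)
	case p == LastWins:
		return all[len(all)-1], len(all)
	default:
		return strings.Join(all, ","), len(all)
	}
}

func main() {
	q := "type=read&id=6&id=42" // the polluted query string from the slide
	for _, p := range []Policy{FirstWins, LastWins, ConcatAll} {
		v, n := resolve(q, "id", p)
		fmt.Printf("policy %d: id=%q (%d occurrences)\n", p, v, n)
	}
}
```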


URL Space
 All possible URLs
 URLs that define the Web Application’s Logic
 Attacker URLs

HPP Impact
 About 1,499 of the 5,000 highest-ranked web sites on Alexa.com are considered vulnerable to HPP exploitation
 Automated discovery of parameter pollution vulnerabilities in web applications. Balduzzi et al., NDSS


Goal
 All possible URLs
 URLs that define the Web Application’s Logic: we need to serve these
 Attacker URLs: we need to block these

URL Schema
 A URL schema has the form: action?par1=&par2=...&parN=
 Example: the URL login?username=joe has the schema login?username=

Architecture
 Training phase: passive monitoring of the web application, collection of legitimate URL schemas
 Deployment phase: the client’s HTTP request passes through ARC before it reaches the web application

Training Phase
 Large frameworks (such as phpBB) are developed and tested by a large community
 Big applications (like Facebook) test new features in a closed environment

ARC at run-time
 ARC matches each HTTP request for the web application against its stored URL schemas (action?par1=&par2=&…&parN=)
 Valid schema exists: the request is forwarded to the web application
 No schema: reject request

Implementation
 ARC is a web application proxy implemented in Google’s Go
 ARC uses Go structures for hash tables and lists, and Go channels for multithreading

Data Structures
 Example URL: action?type=forward&id=42&to=mark
 Stored as: action with the parameter names type=, id=, to=
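The schema extraction, training and run-time check described on the last four slides, as an added Go example that is not ARC's own code. It assumes that parameter names are sorted (so their order in a request is irrelevant) and that a repeated name is kept once per occurrence; the names Schema, Cache, Train and Accept are mine.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)
// Schema reduces a URL to the slides' form action?par1=&par2=...&parN=: the action
// plus its parameter names with values dropped. A repeated name is kept once per
// occurrence, so a polluted request never matches a legitimate schema.
func Schema(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	var names []string
	for _, pair := range strings.FieldsFunc(u.RawQuery, func(r rune) bool { return r == '&' }) {
		name, _, _ := strings.Cut(pair, "=")
		names = append(names, name+"=")
	}
	sort.Strings(names) // assumption, not from the paper: parameter order is irrelevant
	return u.Path + "?" + strings.Join(names, "&"), nil
}

// Cache is the application request cache: the whitelist of schemas learnt in training.
type Cache map[string]bool

// Train records the schema of each legitimate URL seen during passive monitoring.
func Train(urls []string) (Cache, error) {
	c := Cache{}
	for _, raw := range urls {
		s, err := Schema(raw)
		if err != nil {
			return nil, err
		}
		c[s] = true
	}
	return c, nil
}

// Accept is the run-time decision: serve the request only if its schema exists.
func (c Cache) Accept(rawURL string) bool {
	s, err := Schema(rawURL)
	return err == nil && c[s]
}

func main() {
	c, _ := Train([]string{"login?username=joe", "action?type=read&id=42"})
	fmt.Println(c.Accept("action?id=7&type=read"), c.Accept("action?type=read&id=6&id=42")) // true false
}
```

The training set in the test is the legitimate URL family from the mail example, and the rejected requests are the five candidates from the "Are all URLs valid?" slide.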


Synthetic Traces
Web App | URLs | Min Par. | Max Par. | Density
Small | 1, | | |
Medium | 10, | | |
Heavy | 100, | | |
Density: ratio of unique actions over all possible URL schemas.

Trace Selection

Multithreading
 We have implemented two versions of ARC
 Single Channel
 4-Channel

Request Resolution
Requests are resolved in less than 10 microseconds.

Throughput
Requests can be processed at a rate of hundreds of thousands of URLs per second.

Takeaways
 ARC can protect HPP-vulnerable applications by keeping a white list of accepted URL schemas
 ARC is fast and can be transparently applied to legacy web applications


HTTP Parameter Pollution (HPP)
 New attack targeting web applications
 HTTP parameter injection
 Manipulation of the web application’s control flow
 Drives a web application according to the attacker’s needs

HPP in a slide
 Web applications are driven through HTTP requests and responses, which encapsulate resource descriptors: URLs
 URLs are composed of an action and a list of parameters
 The list of parameters can be polluted with extra parameters

URL example
 URL: purchase?item_id=42
 Action: purchase
 Parameter: item_id=42
 This URL is associated with a script purchase, which is called with the input argument item_id, which has the value 42

Attack Scenario: e-store
 Two families of URLs:
 (1) show?category=1
 (2) purchase?category=1&item_id=1

Normal Operation
 show?category=1 is served with a list of purchase links: purchase?item_id=1, purchase?item_id=2, …, purchase?item_id=N
 The category of the request (category=1) is appended to each link: purchase?item_id=1&category=1, purchase?item_id=2&category=1, …, purchase?item_id=N&category=1

Bob attacks
 Bob lures Alice to click on links like: show?category=1%26item_id=42
 Channels: IM, fake web pages, etc.

HPP in Action
 show?category=1%26item_id=42 is served with the same list of purchase links: purchase?item_id=1, purchase?item_id=2, …, purchase?item_id=N
 The category value, decoded to category=1&item_id=42 (%26 is the URL encoding of &), is appended to each link: purchase?item_id=1&category=1&item_id=42, purchase?item_id=2&category=1&item_id=42, …, purchase?item_id=N&category=1&item_id=42

Normal Operation vs HPP
 Normal: purchase?item_id=1&category=1
 HPP: purchase?item_id=1&category=1&item_id=42
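The link construction behind the e-store scenario, as an added Go example that is not from the paper: the concatenating version reproduces the polluted purchase link on this slide, and a version built on Go's url.Values shows how re-encoding the category value stops the injected item_id from becoming a second parameter. The function names are mine.

```go
package main

import (
	"fmt"
	"net/url"
)

// categoryFromShow decodes the category parameter of a show request exactly as
// a back end would, so show?category=1%26item_id=42 yields "1&item_id=42".
func categoryFromShow(showURL string) (string, error) {
	u, err := url.Parse(showURL)
	if err != nil {
		return "", err
	}
	return u.Query().Get("category"), nil
}

// vulnerableLink rebuilds each purchase link by string concatenation, as the
// e-store on the slides does: the decoded category is copied verbatim, so the
// injected "&item_id=42" becomes a second item_id parameter.
func vulnerableLink(itemID, category string) string {
	return "purchase?item_id=" + itemID + "&category=" + category
}

// hardenedLink lets url.Values re-encode every value, so '&' and '=' inside the
// category are escaped and category stays one parameter with an odd-looking value.
func hardenedLink(itemID, category string) string {
	q := url.Values{}
	q.Set("item_id", itemID)
	q.Set("category", category)
	return "purchase?" + q.Encode() // Encode sorts keys and escapes values
}

// itemIDs returns every item_id value the purchase back end would see in link.
func itemIDs(link string) []string {
	u, err := url.Parse(link)
	if err != nil {
		return nil
	}
	return u.Query()["item_id"]
}

func main() {
	cat, _ := categoryFromShow("show?category=1%26item_id=42") // Bob's link from the slide
	fmt.Println(vulnerableLink("1", cat), itemIDs(vulnerableLink("1", cat)))
	fmt.Println(hardenedLink("1", cat), itemIDs(hardenedLink("1", cat)))
}
```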
