
1 WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction
Prithvi Bisht (http://cs.uic.edu/~pbisht)+, Timothy Hinrichs*, Nazari Skrupsky+, V.N. Venkatakrishnan+
+: University of Illinois, Chicago
*: University of Chicago, Chicago

2 Background: User Input Validation
Web applications need to validate user-supplied input and reject invalid input.
Examples: “Credit card number is exactly 16 digits”; “Expiration date of Jan 2009 is not valid”
Validation traditionally done at the server: costs a round trip and server load.
Popular trend: client-side validation through JavaScript.

3 Client Side Validation using JavaScript
onSubmit = validateCard(); validateQuantities();
Validation pass? Yes: send inputs to server. No: reject inputs.

4 Problem: Client is an Untrusted Environment
Validation can be bypassed: previously rejected values are sent to the server anyway (e.g. invalid quantity: -4).
Ideally the server re-validates and rejects. If it does not: parameter tampering attacks.

5 Prior work: CCS’10
Threat is Real!
- 9/13 applications vulnerable to parameter tampering
- Online banking: unauthorized money transfers
- Online shopping: unlimited shopping discounts
- Identified parameter tampering opportunities with the server-side code treated as a blackbox; exploits constructed manually
Question: if the server-side code is available, can parameter tampering exploits be constructed automatically?

6 Results Summary: 45 exploits in 6 applications
First analysis that combines JavaScript/HTML, PHP, MySQL.
WAPTEC takes client-side code (JavaScript/HTML) and server-side code (PHP, MySQL) and produces exploits: whitebox parameter tampering detection.

7 Intuition
F_client: inputs accepted by client
¬F_client: inputs rejected by client
F_server: inputs accepted by server
Parameter tampering exploits = ¬F_client ∩ F_server: inputs that the client would have rejected but the server accepted!! (Venn diagram over the universe U of inputs.)

8 Intuition (contd…)
Client-side code (JavaScript/HTML), as a control flow graph: a chain of “input valid?” checks, each failing to an error; accepted inputs reach “send to server”. f_client = program condition (logical formula) for the path that reaches the send.
Server-side code (PHP/MySQL), as a control flow graph: a chain of “input valid?” checks, each failing to an error; accepted inputs reach the sensitive operation. f_server = satisfied conditions (logical formula) along that path.

9 Intuition (contd…)
Same two control flow graphs (client-side code, server-side code).
1. Generate benign inputs (f_client) that reach a sensitive operation on the server: f_client ∩ f_server.
2. Check whether inputs rejected by the client (hostiles, ¬f_client) can reach the SAME sensitive operation: ¬f_client ∩ f_server.

10 Intuition: quantity example
Client-side code (JavaScript/HTML): if quantity ≥ 0 send to server, else error. f_client = quantity ≥ 0
Server-side code (PHP/MySQL): cost = quantity * price; mysql_query( insert … cost ). f_server = true
1. Benign input: quantity = 1
2. ¬f_client ∩ f_server = (quantity < 0)
Parameter tampering exploits: quantity = -1, -2, ….

11 WAPTEC Architecture


18 Outline
1. Intuition
2. Computing f_server
3. Evaluation
4. Summary

19 F_server: Inputs that reach sensitive ops
Server-side code:
  n = user_input('name');
  a = user_input('age');
  if (n == null) exit("please specify user name");
  if (a < 0) exit("please specify age");
  f = mysql_query("insert … name = " . n . " … age = " . a);
Control flow graph: n == null → exit; a < 0 → exit; otherwise mysql_query.
f_server = (all conditions on user inputs that must be satisfied to reach sensitive operations)

20 Computing f_server
Computed dynamically: execute the server-side code concretely with benign inputs (name = bob, age = 55).
Server-side code:
  n = user_input('name');
  a = user_input('age');
  if (n == null) exit("please specify user name");
  if (a < 0) exit("please specify age");
  f = mysql_query("insert …");
Execution trace:
  n = user_input('name');
  a = user_input('age');
  (n != null)
  (a ≥ 0)
  f = mysql_query("insert…");
f_server = (name != "") ∩ (age ≥ 0)

21 Challenges in computing execution traces
PHP 5 programs: functions and object-oriented code.
Functions:
  function f1() { x = 10; f2(); y = x; }
  function f2() { x = 20; }
Naive execution trace: x = 10; x = 20; y = x;  (incorrect!! f2's x is a different variable from f1's x)
Use context information: f1_x = 10; f2_x = 20; f1_y = f1_x;
Object-oriented programs:
  class C { function m() { x = 10; } }
  o1->m(); o2->m();
Naive trace: m_x = 10; (both calls collapse onto one variable)
Uniquely identify objects: id1_m_x = 10; id2_m_x = 10;

22 Computing f_server (contd…)
Inputs reaching sensitive operations may still be rejected!!
Server-side code:
  n = user_input('name');
  d = user_input('address');
  if (n == null) exit("please specify user name");
  f = mysql_query("insert …");
  if (f == null) exit("please specify an address");
Benign input name = bob (no address) reaches the SQL sink, but is rejected because address is null.
Extract the constraints imposed by the database schema.

23 Computing f_server (contd…)
Database schema: set of SQL statements for creating tables / views. Column definitions specify constraints.
Example: profiles table
  create table profiles { … addrDB … NOT NULL, }   →   addrDB != null
Column definition → constraint:
  enum (a, b, c)   →   column IN {a, b, c}
  NOT NULL         →   column != null
  VARCHAR (n)      →   length (column) ≤ n
These are constraints on column names, but f_server is in terms of inputs. How to map?

24 Computing f_server (contd…): Bridging namespaces for database, PHP
Generate a symbolic query from the trace:
  insert into profile … set addrDB = _POST['address']
Constraint on table column: addrDB != null
User input address is inserted in column addrDB
Constraint on user input: address != null

25 Summary: Computing f_server
  n = user_input('name');
  d = user_input('address');
  if (n == "") exit("please specify user name");
  f = mysql_query("insert … naDB = " . n . " … addrDB = " . d);
  if (f == null) exit("please specify address");
1. Conditions checked in the code encode restrictions on inputs: f_code
2. The database may also encode restrictions on inputs: f_db
f_server = f_code + f_db
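As an added illustration of slides 23 to 25 (not code from the WAPTEC paper or tool), the following Python assembles f_server = f_code + f_db: column constraints are read from a constructed schema, the symbolic INSERT recorded from the trace bridges column names to _POST inputs, and the code conditions are conjoined with the schema constraints. SCHEMA, SYMBOLIC_QUERY and CODE_CONDITIONS are constructed for this example.

```python
import re

# Constructed schema fragment modelled on the slides' profiles table (not DcpPortal's real schema).
SCHEMA = """
create table profiles (
  naDB   VARCHAR(32) NOT NULL,
  addrDB VARCHAR(64) NOT NULL,
  role   ENUM('a','b','c')
)
"""

# Constructed symbolic query, as recorded from the execution trace: each column
# is bound to the user input whose value flows into it (slide 24).
SYMBOLIC_QUERY = ("insert into profiles set naDB = _POST['name'], "
                  "addrDB = _POST['address'], role = _POST['role']")

# f_code: conditions the PHP code checks before the SQL sink (slide 25: name must not be empty).
CODE_CONDITIONS = [lambda inp: inp.get("name") not in (None, "")]

def schema_constraints(schema):
    """Turn each column definition into predicates over the column's value (slide 23 table)."""
    cons = {}
    for line in schema.splitlines():
        m = re.match(r"\s*(\w+)\s+(VARCHAR|ENUM)\s*\(([^)]*)\)\s*(.*?),?\s*$", line, re.I)
        if not m:
            continue                      # not a column definition
        col, typ, arg, rest = m.groups()
        preds = []
        if typ.upper() == "VARCHAR":      # VARCHAR(n)   ->  length(column) <= n
            preds.append(lambda v, n=int(arg): v is None or len(v) <= n)
        else:                             # ENUM(a,b,c)  ->  column IN {a, b, c}
            allowed = {a.strip().strip("'") for a in arg.split(",")}
            preds.append(lambda v, s=allowed: v is None or v in s)
        if re.search(r"NOT\s+NULL", rest, re.I):  # NOT NULL  ->  column != null
            preds.append(lambda v: v is not None)
        cons[col] = preds
    return cons

def bridge(symbolic_query):
    """Map table columns to the user inputs that populate them (bridging DB and PHP namespaces)."""
    return dict(re.findall(r"(\w+)\s*=\s*_POST\['(\w+)'\]", symbolic_query))

def f_server(inputs, code_conditions=CODE_CONDITIONS, schema=SCHEMA, query=SYMBOLIC_QUERY):
    """f_server = f_code AND f_db: every checked code condition holds and every schema
    constraint holds for the input that flows into the corresponding column."""
    if not all(cond(inputs) for cond in code_conditions):
        return False
    cons = schema_constraints(schema)
    return all(p(inputs.get(inp)) for col, inp in bridge(query).items() for p in cons.get(col, []))
```

The slide 22 case (name = bob, no address) passes f_code but fails f_db on addrDB's NOT NULL, so f_server returns False for it.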

26 Outline
1. Intuition
2. Computing F_server
3. Evaluation
4. Summary

27 Evaluation: Results
Application   | Size (LOC) | WAPTEC confirmed exploits | CCS’2010 confirmed exploits
DcpPortal     | 145K       | 32                        | 13
SPHPBlog      | 27K        | 1                         | 1
Lanshop       | 15K        | 3                         | 3
MyBloggie     | 9K         | 6                         | 1
SnipeGallery  | 9K         | 2                         | 2
PHPNews       | 6K         | 1                         | 1
Total: 45 parameter tampering exploits.
Compared with CCS’2010 (blackbox): 23 false positives, 24 false negatives.

28 DcpPortal: Create Imposter Accounts
Vulnerability: the duplicate check does not enforce the length restriction.
Client-side constraints: 1. length(name) ≤ 32
Server-side code: a. check DB for duplicate name (does not restrict length); b. insert name in DB (truncates name to 32 chars).
Exploit: create an imposter account with name = “alice” extended to 32 characters plus a 33rd character “a”. The duplicate check sees a new name, the insert truncates it, and the stored imposter account name is “alice”.

29 DcpPortal: Create Admin Account
Vulnerability: attacker can set the cookie make_install_prn.
Exploit: negative tampering, create an admin account.
- No mention of make_install_prn in F_client
- F_server contains (make_install_prn != 1)
Server-side code:
  privilege = non-admin;
  if (_COOKIE['make_install_prn'] == 1) privilege = admin;
  Create account with privilege;

30 Some related work
Multi-tier analysis of web applications
- Legacy code: MiMosa: Balzarotti et al. CCS 2007; Chong et al. SIGMOD 2007
- Principled development of applications: Links, Google Web Toolkit, Corcoran et al. SIGMOD 2009
Specification inference
- AutoISES: Tan et al. Security 2008; Engler et al. SOSP 2001; Felmetsger et al. Security 2010; Srivastava et al. PLDI 2011
Test input generation
- Saxena et al. SP 2010; Halfond et al. ISSTA 2009; Kiezun et al. ICSE 2009; Emmi et al. ISSTA 2007; Godefroid et al. NDSS 2008….
Input validation
- Su et al. POPL 2006; Balduzzi et al. NDSS 2011; Jayaraman et al. DBSec 2010
Sanitization
- Balzarotti et al. SP 2008…

31 Summary
Parameter tampering vulnerabilities are widespread.
First analysis that combined analysis of HTML/JavaScript, PHP, and database-imposed constraints.
It is possible to infer a specification of intended behavior from source code and use it in vulnerability detection.
Thanks and Questions

32 Backup

33 WAPTEC Architecture

34 Refining Search for a Success Sink
F_client = (i > 0). Server requires (i > 0 ∩ i < 11).
First attempt, benign i = 11: sink not reached. F_server = NOT (i > 0 ∩ i < 11)
Refine the client-side spec: F_client ∩ NOT F_server. Intuition: F_server for a failed run contains the condition that was not satisfied.
Second attempt: (i > 0) ∩ NOT (NOT (i > 0 ∩ i < 11)), i.e. i = 1..10 (accepted by the server-side code).
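An added example, not from the original slides or the WAPTEC implementation, that runs this slide's refinement loop over a small integer domain and then computes the hostiles ¬f_client ∩ f_server of slides 9 and 10 for the success run; bounded_server and quantity_server are constructed stand-ins for the server-side code, and the domain range(-5, 12) is chosen so the first benign pick is i = 11 as on the slide.

```python
# Each constructed server returns (sink_reached, F_server), where F_server is the
# conjunction of branch conditions the concrete run satisfied, as a predicate.

def bounded_server(i):
    """Slide 34: the server reaches the sink only for 0 < i < 11."""
    ok = 0 < i < 11
    return ok, ((lambda j: 0 < j < 11) if ok else (lambda j: not (0 < j < 11)))

def quantity_server(q):
    """Slide 10: the server never checks the quantity, so f_server = true."""
    return True, (lambda j: True)

def tampering_analysis(f_client, server, domain, max_rounds=5):
    """Search for a benign input that reaches the sink, refining the client-side
    spec with NOT F_server after each failed run; then return (benign, hostiles)
    where hostiles = NOT f_client AND f_server of the successful run."""
    spec = f_client
    for _ in range(max_rounds):
        candidates = [i for i in domain if spec(i)]
        if not candidates:
            return None, []
        benign = max(candidates)          # deterministic pick; slide's first try is i = 11
        reached, f_srv = server(benign)
        if reached:
            hostiles = [i for i in domain if not f_client(i) and f_srv(i)]
            return benign, hostiles
        # Failed run: F_server holds the unsatisfied condition; keep spec AND NOT F_server.
        spec = lambda i, s=spec, f=f_srv: s(i) and not f(i)
    return None, []

if __name__ == "__main__":
    # Slide 34: refinement finds i = 10; server is stricter than client, so no hostiles.
    print(tampering_analysis(lambda i: i > 0, bounded_server, range(-5, 12)))    # (10, [])
    # Slide 10: server accepts everything, so every negative quantity is a hostile.
    print(tampering_analysis(lambda q: q >= 0, quantity_server, range(-5, 12)))  # (11, [-5, -4, -3, -2, -1])
```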

35 WAPTEC Architecture

