1 / 40

Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications

Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications. Marco Balduzzi , Carmen Torrano Gimenez , Davide Balzarotti , and Engin Kirda , NDSS (2011) . OUTLINE. Introduction HTTP Parameter Pollution Attacks Automated HPP Vulnerability Detection with PAPAS

camdyn
Download Presentation

Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications Marco Balduzzi, Carmen TorranoGimenez , DavideBalzarotti, and EnginKirda, NDSS (2011)

  2. OUTLINE • Introduction • HTTP Parameter Pollution Attacks • Automated HPP Vulnerability Detection with PAPAS • Evaluation • Conclusion

  3. Introduction • According to SANS, attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet • HTTP Parameter Pollution (HPP) • HPP was first presented in 2009 at the OWASP conference

  4. Introduction • HPP attacks consist of injecting encoded query string delimiters into otherexisting parameters • HPP attacks can potentially override existing hardcoded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access andpossibly exploit variables that may be out of direct reach

  5. Introduction • The mosteffective means of discovering HPP vulnerabilities in web-sites is via manual inspection • PArameter Pollution Analysis System (PAPAS), uses ablack-box scanning technique

  6. HTTP Parameter Pollution Attacks • Even though injecting a new parameter can sometimes be enough to exploit an application, the attacker is usually more interested in overriding the value of an already existing parameter • Achieved by masking the old parameter by introducing a new one with the same name • It’snecessary for the web application to misbehave in the presence of duplicated parameters

  7. Parameter Precedence in Web Applications • TheHTTP protocol allows the user’s browser to transferinformation inside the -URI itself (i.e., GET parameters) - HTTP headers (e.g., in the Cookie field - Request body (i.e., POST parameters)

  8. Parameter Precedence in Web Applications • The term Query String is commonly used to refer to the part between the “?” and the end ofthe URI • The querystring is passed unmodified to the application, and consistsof one or more field=value pairs, separated by either anampersand(&) or a semicolon(;) character http://host/path/somepage.pl?name=john&age=32

  9. Parameter Precedence in Web Applications

  10. Parameter Precedence in Web Applications • However, the problem arises when the developer expectsto receive a single item and, invokes methods(such as getParameter in JSP) that only return a single value

  11. Parameter Precedence in Web Applications

  12. Parameter Pollution

  13. HPP to bypass CSRF tokens • Use HPP attacks to bypass the protection mechanism used to prevent cross-site request forgery • Using a secret request token to protect web applications against CSRF attacks is a common technique • A HPP vulnerability can be used to inject parameters inside the existing links generated by the application (include a valid secret token)

  14. HPP to bypass CSRF tokens • A CSRF bypassing attack using HPP was demonstratedin 2009 against Yahoo Mail

  15. Automated HPP Vulnerability Detection with PAPAS Communicateswith the browser through a bidirectional channel Vulnerability Scanner Precedence Scanner Fetching the webpages Rendering the content Extracting all the links and form URLs

  16. Browser and Crawler Components • Extracts the content, the list of links, and the forms in the page • Instrumented browser in PAPAS uses a number of simple heuristics to automatically fill forms • When inputs fail occur, the crawler can be assisted by manually logging into the application using the browser

  17. P-Scan:Analysis of the ParameterPrecedence • For URLsthat contain several parameters, each one is analyzed untilthe page’s precedence has been determined or all availableparameters have been tested • Step 1 : taking the first parameter of the URL (in the form par1=val1), and generates a new parameter value val2 that is similar to the existing one • Step 2 : the scanner asks the browser to generate two new requests

  18. P-Scan:Analysis of the ParameterPrecedence

  19. P-Scan:Analysis of the ParameterPrecedence • P-Scan component resolves the dynamic contentproblem in two stages • Step 1 : pre-processes the page and eliminate all dynamic content that does not depend on the values of the application parameters • Step 2 : removing all the URLs that reference the page itself

  20. P-Scan:Analysis of the ParameterPrecedence • Identity Test • Checks whether the parameter has any impact on the content of the page • If P0’ == P1’ == P2’, the parameter isconsidered to be ineffective

  21. P-Scan:Analysis of the ParameterPrecedence • Base Test • Based on the assumption that the dynamic components is perfectly remove from the page that is under analysis • If P1’ == P2’ , the second (last) parameter has precedence over the first • If P2’ == P0’ , the first parameter has precedence over the second

  22. P-Scan:Analysis of the ParameterPrecedence • Join Test • Checks the pages for indications that show that the two values of the homonym parameters are somehow combined together by the application

  23. P-Scan:Analysis of the ParameterPrecedence • Fuzzy Test • Cope with pages whose dynamic components have not been perfectly sanitized • The similarity algorithm is based onthe Ratcliff/Obershelp pattern recognition algorithm

  24. P-Scan:Analysis of the ParameterPrecedence • Error Test • Checks if the application crashes, or returns an ”internal” error when an identical parameter is injected multiple times

  25. P-Scan:Analysis of the ParameterPrecedence • If none of these five tests succeed, the parameter is discarded from the analysis

  26. V-Scan: Testing for HPP vulnerabilities • For every page that V-Scan receives from the crawler,it tries to inject a URL-encoded version of an innocuousparameter into each existing parameter of the query string • Then, for each injection, verifies the presenceof the parameter in links, action fields and hidden fields offorms in the answer page.

  27. V-Scan: Testing for HPP vulnerabilities • PURL = [PU1 , PU2 , . . . PUn ] , means the parameters present in the page URL • PBody = [PB1 , PB2 , . . . PBm ] , means the parameters present in the links or forms contained in the page body • Then computes the PA , PB and PC sets

  28. V-Scan: Testing for HPP vulnerabilities • V-Scan starts by injecting the new parameter inthe PA set, then PB set, and finally PC set par1=var1&language=en%26foo%3Dbar

  29. Implementation • The browser component of PAPAS is implemented as a Firefox extension • The others is written in Python • Using a black-box approachto test for HPP vulnerabilities

  30. Limitation • PAPAS does not support the crawling of links embedded in active content such as Flash • PAPAS focuses only on HPP vulnerabilities that can be exploited via client-side attacks

  31. Evaluation–HPPPrevalence in Popular Websites • Collected 5,000 unique URLsfrom the public database of Alexa • Thecrawler to start from the homepage and visit the sub-pagesup to a distance of three • Limited the analysis to 5 instances per page

  32. Evaluation–HPPPrevalence in Popular Websites • Scanned5,016 websites, corresponding to a total of 149,806 uniquepagesin 13 days

  33. Evaluation–Parameter Precedence

  34. Evaluation-HPP Vulnerabilities • PAPAS discovered that 1499 web-sites (29.88%) contained at leastone page vulnerable to HTTP Parameter Injection. • Splitting the vulnerable set into two separate groups • In 872 websites (17.39%), the injection was ona link or a form’s action field. • Remaining 627 cases(12.5%), the injection was on a form’s hidden field.

  35. Evaluation-HPP Vulnerabilities • The final result was that at least 702 out of the 872 applications of the first group were exploitable • At least 702 out of the 1499 vulnerable websites (46.8%) would have been possible to exploit the HPP vulnerability to override one of the hard-coded parameters, or to inject another malicious parameter that would affect the behavior of the application

  36. Evaluation-HPP Vulnerabilities

  37. Evaluation-False Positives • False positives rate was 1.12% (10 applications) • Due to parameters that were usedby the application as an entire target for one of the links • 11% ofthe vulnerable pages were directly linked from the home-page, while the remaining 89% were equally distributed between the distance of 2 and 3

  38. Examples of Discovered Vulnerabilities • Facebook Share • Facebook, Twitter, Digg and other social networking sites offer a share component to easily share the content of a webpage over a user profile

  39. Examples of Discovered Vulnerabilities • Shopping Carts • Some online shopping websites that allow the attacker to tamper with the user interaction with the shopping cart component

  40. Conclusion • Present the first automated approach for the discovery of HPP vulnerabilities in web applications • PAPAS is able to crawl websites and discover HPP vulnerabilities by parameter injection • Results show that about 30% of the sites we analyzed contain vulnerable parameters and that at least 14% of them can be exploited using HPP

More Related