1 / 28

An Analysis Framework for Security in Web Applications

An Analysis Framework for Security in Web Applications. Gary Wassermann and Zhendong Su University of California, Davis. Web Application Architecture. Application generates query based on user input. User input. Database query. Web page. Result set. Application. Database. Web browser.

michi
Download Presentation

An Analysis Framework for Security in Web Applications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. An Analysis Framework for Security in Web Applications Gary Wassermann and Zhendong Su University of California, Davis

  2. Web Application Architecture Application generates query based on user input User input Database query Web page Result set Application Database Web browser

  3. Command Injection Attacks String query = “SELECT * FROM users WHERE username = ‘” + strUName + “’ AND password = ‘” + strPasswd + “’;”; Expected input: SELECT * FROM users WHERE username = ‘John’ AND password = ‘JohnsPass’; Result: John logs in

  4. Command Injection Attacks String query = “SELECT * FROM users WHERE username = ‘” + strUName + “’ AND password = ‘” + strPasswd + “’;”; Malicious input: SELECT * FROM users WHERE username = ‘’ AND password = ‘’ OR ‘’ = ‘’; Result: Malicious user logs in as first user identified in the database. Frequently, the administrator!

  5. Motivation • ~60% of web applications are vulnerable • Found vulnerable sites easily in web search • Many ways to regulate user inputs • Limit length of input • Filter out “bad” strings • Escape quotes, etc. • Are the regulations sufficient? • Goal: Check whether any “dangerous” queries, not user inputs, exist

  6. Example: change admin password Attacker registers online: Username: admin’-- Password: password INSERT INTO users VALUES(‘admin’’--’, ‘password’)

  7. Example: change admin password Attacker changes password: Username: admin’-- OldPass: password NewPass: backdoor

  8. Example: change admin password Application checks correctness of old password: sql = “SELECT * FROM users WHERE username = ‘admin’’--’ AND password = ‘password’”; rso.open( sql, cn ); if (rso.EOF) {...}

  9. Example: change admin password Admin’s password gets changed: sql = “UPDATE users SET password = ‘” + newpass + “’ WHERE username = ‘” + rso(“username”) + “’”; UPDATE users SET password = ‘backdoor’ WHERE username = ‘admin’--’

  10. Overview of Analysis Framework • Abstract Model of Generated Programs • Structure Discovery • Access Control • Ex: “customer” deletes inventory data • Tautologies • Ex: malicious user bypasses authentication Select statement Application code query =… Table lists Conditional expressions

  11. Example with cycles String query = “SELECT * FROM stock WHERE ” + strID + “ = id”; for( int i = 0; i < dat.length(); i++) query = query + “ AND ” + dat[i] + “ = “ + inp[i]; String query = “SELECT * FROM stock WHERE ” + strID + “ = id”;

  12. Example with cycles String query = “SELECT * FROM stock WHERE ” + strID + “ = id”; for( int i = 0; i < dat.length(); i++) query = query + “AND” + dat[i] + “=“ + inp[i]; dat year min from dropdown menu

  13. Example with cycles String query = “SELECT * FROM stock WHERE ” + strID + “ = id”; for( int i = 0; i < dat.length(); i++) query = query + “AND” + dat[i] + “=“ + inp[i]; dat inp year min 2004 15 from dropdown menu from textbox

  14. Example with cycles String query = “SELECT * FROM stock WHERE ” + strID + “ = id”; for( int i = 0; i < dat.length(); i++) query = query + “ AND ” + dat[i] + “ = “ +inp[i]; dat inp Filtered with {“delete”, “xp\_”, “=”, “from”, “or”} year min 2004 15

  15. Example with cycles String query = “SELECT * FROM stock WHERE ” + strID + “ = id”; for( int i = 0; i < dat.length(); i++) query = query + “ AND ” + dat[i] + “ = “ + inp[i]; dat inp Filtered with {“delete”, “xp\_”, “=”, “from”, “or”} year min 2004 15 SELECT * FROM stock WHERE 982= id ANDyear=2004ANDmin=15

  16. Example with cycles String query = “SELECT * FROM stock WHERE ” + strID + “ = id”; for( int i = 0; i < dat.length(); i++) query = query + “ AND ” + dat[i] + “ = “ + inp[i]; dat inp Filtered with {“delete”, “xp\_”, “=”, “from”, “or”} min min 14 15) SELECT * FROM stock WHERE NOT(1= id ANDmin=14ANDmin=15)

  17. String Analysis (previous work) SELECT * FROM stock WHERE NOT(1= id ANDmin=14ANDmin=15) SELECT * FROM stock WHERE NOT ( x = id AND min = z ) y min ε =

  18. SELECT * FROM stock WHERE NOT ( x = id AND min = z ) y min ε = Structure Discovery (previous work) Boolean expression

  19. Tautology checking SELECT * FROM stock WHERE NOT ( x = id AND min = z ) y min ε = NOT ( x = id and min = y and min = z ) Theorem: We discover a tautology over linear arithmetic iff the FSA accepts one.

  20. Overview of Tautology Checking • Main idea: Generate finite number of validity queries from FSA • Challenges: Loops/cycles • Arithmetic • Boolean

  21. Tautology Checking: Arithmetic Loops +c W,X,Y,Z : 1 = W+XÆ X+W+Y = Y+ZÆ Z = 1 a,b,c W×(a) +X×(b) +Y×(c) ≥ Z×(b+c) a W Y ≥ b +c in = 1 b out = 1 Z X {W,Y,Z ← 1; X ← 0} b+c ≥ b+c

  22. b b b b b b b b a a a a Tautology Checking: Boolean Loops OR b b a OR OR OR n+2 = 4

  23. UPDATE users SET password = ‘ w ’ WHERE username = ‘ x ’ ’ -- Earlier Example Revisited UPDATE users SET password = ‘backdoor’ WHERE username = ‘admin’--’

  24. Earlier Example Revisited sql = “UPDATE users SET password = ‘” + newpass + “’ WHERE username = ‘” + rso(“username”) + “’”; This code may also generate a query with a tautology UPDATE users SET password = ‘backdoor’ WHERE username = ‘’OR‘a’=‘a’;

  25. UPDATE users SET password = ‘ w ’ WHERE username = ‘ x ’ OR ‘ y ’ = ‘ z ’ Earlier Example Revisited UPDATE users SET password = ‘backdoor’ WHERE username = ‘’OR‘a’=‘a’;

  26. Conclusions • Analysis Framework: Generate and analyze FSA model of all possible queries • Semantic analysis of generated programs • Not only types but values • Implementation in progress • Questions?

  27. Why n+2?

More Related