WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction - PowerPoint PPT Presentation

slide1 n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction PowerPoint Presentation
Download Presentation
WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction

play fullscreen
1 / 35
WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction
178 Views
Download Presentation
esben
Download Presentation

WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction Prithvi Bisht (http://cs.uic.edu/~pbisht) + Timothy Hinrichs*+, Nazari Skrupsky+, V.N. Venkatakrishnan+ +: University of Illinois, Chicago * : University of Chicago, Chicago

  2. Background: User Input Validation • Web applications need to • Validate user supplied input • Reject invalid input • Examples: • “Credit card number is exactly16 digits” • “Expiration date of Jan 2009 is not valid” • Validation traditionally done at server: round-trip, load • Popular trend: Client-side validation through JavaScript

  3. Client Side Validation using JavaScript onSubmit= validateCard(); validateQuantities(); Validation Pass? Yes No send inputs to server reject inputs

  4. Problem: Client is Untrusted Environment • Validation can be bypassed • Previously rejected values, sent to server • Invalid quantity: -4 • Ideally: Re-validate at server-side and reject • If not, Parameter Tampering Attacks

  5. Threat is Real! • Prior work: CCS’10 • 9 /13 applications vulnerable to parameter tampering • Online banking: Unauthorized money transfers • Online shopping: Unlimited shopping discounts • Identify parameter tampering opportunities • server-side code blackbox • Manually construct exploits Question: If server side code is available, automatically construct parameter tampering exploits?

  6. Whitebox Parameter Tampering Detection • Results Summary: 45 exploits in 6 applications • First analysis that combines JavaScript/HTML, PHP, MySQL WAPTEC Client-side code (JavaScript/HTML) Server-side code (PHP, MySQL) exploits

  7. Intuition U • Fclient : inputs accepted by client • ┐ Fclient : inputs rejected by client • Fserver : inputs accepted by server inputs that client would have rejected but server accepted!! Venn diagram ┐Fclient ∩ Fserver Parameter Tampering Exploits

  8. Intuition (contd…) Input valid? Client-side code (JavaScript/HTML) error Input valid? Accepted inputs reach here error fclient=Program condition (logical formula) send to server Control Flow Graph Server-side code (PHP/MySQL) Input valid? error Input valid? Accepted inputs reach here fserver=satisfied conditions (logical formula) error Sensitive operation

  9. Intuition (contd…) Input valid? Client-side code (JavaScript/HTML) 2 1 generate benign inputs that reach a sensitive operation error Input valid? fclient∩ fserver error send to server ┐fclient fclient Control Flow Graph fserver fserver Server-side code (PHP/MySQL) Input valid? Check if rejected (hostiles) Inputs can reach the SAME sensitive operation error Input valid? error ┐fclient∩ fserver Sensitive operation

  10. Intuition: quantity example quantity ≥ 0 Client-side code (JavaScript/HTML) 1 2 error fclient = quantity ≥ 0 quantity = 1 send to server Control Flow Graph Server-side code (PHP/MySQL) fserver = true cost = quantity * price ┐fclient∩ fserver = (quantity < 0) Parameter tampering exploits quantity = -1, -2, …. mysql_query( insert … cost )

  11. WAPTEC Architecture

  12. WAPTEC Architecture

  13. WAPTEC Architecture

  14. WAPTEC Architecture

  15. WAPTEC Architecture

  16. WAPTEC Architecture

  17. WAPTEC Architecture

  18. Outline • Intuition • Computing fserver • 3. Evaluation • 4. Summary

  19. Fserver: Inputs that reach sensitive ops n = user_input ( ‘name’ ); a = user_input ( ‘age’ ); if ( n == null ) exit ( “please specify user name” ); if ( a < 0 ) exit ( “please specify age ” ); f = mysql_query ( “insert … name = ” . n . “ … age = ” . d ) ; n == null exit a < 0 exit mysql_query Control Flow Graph ( all conditions on user inputs that must be satisfied to reach sensitive operations ) fserver =

  20. Computing fserver Computed dynamically: execute server-side code concretely with benign inputs name = bob age = 55 Server-side code Execution trace n = user_input ( ‘name’ ); a = user_input ( ‘age’ ); if ( n == null ) exit ( “please specify user name” ); if ( a < 0 ) exit ( “please specify age ” ); f = mysql_query ( “insert …) ; n = user_input ( ‘name’ ); a = user_input ( ‘age’ ); ( n != null ) ( a ≥ 0 ) f = mysql_query ( “insert…”) ( name != “”) ∩ ( age ≥ 0 ) fserver =

  21. Challenges in computing execution traces function f1(){ x = 10 f2(); y = x; } function f2 () { x = 20 } f1_x = 10; f2_x = 20; f1_y = f1_x; x = 10; x = 20; y = x; incorrect !! Use context information Execution trace PHP 5 Object-oriented Programs Uniquely identify objects class C { function m(){ x = 10; } } o1 -> m () o2 -> m () id1_m_x = 10; id2_m_x = 10; m_x = 10; m_x = 10;

  22. Computing fserver (contd…) Inputs reaching sensitive operations may still be rejected!! Server-side code name = bob n = user_input ( ‘name’ ); d = user_input ( ‘address’ ); if ( n == null ) exit ( “please specify user name” ); f = mysql_query ( “insert …) ; if ( f == null ) exit ( “please specify an address” ); Reaches SQL sink, but rejected because address is null Extract constraints imposed by database schema

  23. Computing fserver (contd…) Database schema: Set of SQL statements for creating tables / views. Column definitions specify constraints. Example: Profile table create table profiles { … addrDB … NOT NULL, } addrDB != null constraints on column names but fserver is in terms of inputs How to map?

  24. Computing fserver (contd…) Generate symbolic query from the trace insert into profile … set addrDB = _POST[‘address’] inserted in column addrDB user input address constraint on table column Bridging namespaces for database, PHP addrDB != null constraint on user input address != null

  25. Summary: Computing fserver n = user_input ( ‘name’ ); d = user_input ( ‘address’ ); if ( u == “”) exit ( “please specify user name” ); f = mysql_query ( “insert … naDB = ” . u . “…addrDB = ” . a ) ; if ( f == null ) exit ( “please specify address” ); 1 Conditions checked encode restrictions on inputs 2 Database may also encode restrictions on inputs 1 2 fserver = fcode + fdb

  26. Outline • Intuition • Computing Fserver • Evaluation • Summary

  27. Evaluation: Results 45 parameter tampering exploits 23 false positives 24 false negatives

  28. DcpPortal: Create Imposter Accounts • Vulnerability: duplicate check does not enforce length restriction • Exploit: Create imposter account • name = • Imposter account name “alice” • Client-side constraints: • length ( name ) ≤ 32 ) • Server-side code: • a. Check DB for duplicate name • (does not restrict length) • b. Insert name in DB • (truncates name to 32 char) alice a 32 characters 33rd character

  29. DcpPortal: Create Admin Account • Server-side code: • privilege = non-admin; • if ( _COOKIE[‘make_install_prn’] == 1 ) • privilege = admin; • Create account with privilege; • Vulnerability: attacker can set cookie make_install_prn • Exploit: Negative tampering - create admin account • No mention of make_install_prn in Fclient • Fserver contains (make_install_prn != 1)

  30. Some related work • Multi-tier analysis of web application • Legacy code: MiMosa: Balzarotti et al. CCS 2007, Chong et al. SIGMOD 2007 • Principled development of applications: Links, Google Web Toolkit, Corcoran et al. SIGMOD 2009 • Specification inference • AutoISES Tan et al. Security 2008, Engler et al. SOSP 2001, Felmetsger et al. Security 2010, Srivastava et al. PLDI 2011 • Test input generation • Saxena et al. SP 2010, Halfond et al. ISSTA 2009, Kiezun et al. ICSE 2009, Emmi et al. ISSTA 2007, Godefroid et al. NDSS 2008…. • Input validation • Su et al. POPL 2006, Balduzzi et al. NDSS 2011, Jayaraman et al. DBSec 2010 • Sanitization • Balzarotti et al. SP 2008…

  31. Summary • Parameter tampering vulnerabilities: widespread • First analysis that combined analysis of HTML/JavaScript, PHP, database imposed constraints. • Possible to infer specification of intended behavior from source code and use it in vulnerability detection. Thanks and Questions

  32. Backup

  33. WAPTEC Architecture

  34. Refining Search for a Success Sink Fclient = (i > 0) Server requires (i > 0 ∩ i < 11) First attempt benign: i = 11 Sink not reached Fserver = NOT (i > 0 ∩ i < 11) Refine client-side spec: Fclient ∩ NOT Fserver Intuition: Fserver for failed runs  contains condition that was not satisfied Second attempt: (i > 0) ∩ NOT ( NOT ( i > 0 ∩ i < 11)) i = 1 .. 10 (accepted by the server-side code)

  35. WAPTEC Architecture