Detection of Logic Flaws in Web Applications

Size: px

Start display at page:

Download "Detection of Logic Flaws in Web Applications"

Joan Lindsey
6 years ago
Views:

1 Detection of Logic Flaws in Web Applications Davide Balzarotti Giancarlo Pellegrino

2 Distributed, Service-oriented, Web-based applications Seller Inc. Bank Inc. U S P Order item I Transfer value(i) to S Shipping in 2 days 2

3 Distributed, Service-oriented, Web-based applications Seller Inc. Bank Inc. U S P Order item I Transfer value(i) to S Shipping in 2 days 3

4 Distributed, Service-oriented, Web-based applications Buyer Inc. Seller Inc. Bank Inc. U IdP AS S P Order item I Log U in to S Grant U the access to S Transfer value(i) to S Log U in to P Grant U the access for paying I Shipping in 2 days 4

5 Distributed, Service-oriented, Web-based applications Buyer Inc. Seller Inc. Bank Inc. U IdP AS S P Order item I Log U in to S Grant U the access to S Transfer value(i) to S Log U in to P Grant U the access for paying I Shipping in 2 days 5

6 Security Risks Buyer Inc. Seller Inc. Bank Inc. U Log U in to S IdP AS S P Order item I Impersonate U Grant U the access to S Order Ferrari Transfer value(i) to S Transfer 0.00 Log U in to P Grant U the access for paying I Shipping in 2 days 6

7 Threats to Business Applications Increased attack surface: monolothic and centralized n-tier and distributed over the Web In 2012: 92% of the attacks from external attackers +33% of web-attacks from 2011 Web-attacks costed in avg >$1M per organization A large number of techniques exist to test web applications for the presence of several classes of vulnerabilities SQL injection Parameter pollution 7

8 Logic Vulnerabilities Still lack a formal definition Design flaws, business logic errors, Weaknesses [ ] that commonly allow attackers to manipulate the business logic of an application. CWE Database Mainly caused by insufficient validation of the workflow and/or data flow of the application Detecting logic vulnerabilities requires a model of the application logic Logic Vulnerabilities can exhibit patterns, e.g. Information disclosure Authentication bypass 8

9 The Rise of Logic Vulnerabilities Poorly studied Increasing Importance: Improper authentication overtook XSS in OWASP 2013 Top10 Logic flaws 2nd security risk in 2013 according to TrustWave Number of CVE entries associated to logic flaws over the years is increasing 9

10 State of the Art Yes Formal Model No Source code Yes No White-box testing [BalzarottiCCS07, FelmetsgerUSENIX10,...] Scalability issues Not applicable for business applications for which source code is not available 10

11 State of the Art Yes Formal Model No Source code Yes No White-box testing Design Verification via Model Checking [LoweTACAS96, MitchellUSENIX98, ArmandoCSF07,...] Attacks discovered by the model checker are only valid at model-level Attack interpretation and execution against implementations is done manually 11

12 State of the Art Yes Formal Model No Source code Yes No White-box testing Design Verification via Model Checking Black-box Security Testing [DoupèDIMVA10, WangS&P11, WangS&P12] Mostly based on crawlers and fuzzers Still unable to automatically detect logic flaws The entire testing is mainly done manually 12

13 State of the Art Yes Formal Model No Automated tools Source code Yes No Manual inspection 13

14 Bridging the Gap From the Model Checking side Requires abstract, simplified (but precise) models of the application/protocol Flaws in the model needs to be manually verified in the real system From the System Security Testing side Requires a real deployment of the application/protocol Without a model, it is hard to detect logic flaws 14

15 Bridging the Gap From the Model Checking side Requires abstract, simplified (but precise) models of the application/protocol Flaws in the model needs to be manually verified in the real system From the System Security Testing side Requires a real deployment of the application/protocol Without a model, it is hard to detect logic flaws 15

16 Manual Testing Understand the web application Intended workflow and data flow between pages Model how the application is supposed to work Design tests that try unconventional behaviors On the worflow plane (e.g., re-orded steps) On the data plane (e.g., replay tokens) Run tests Observe the results and identify vulnerabilities 16

17 Overview of the Approach [NDSS14] Extraction 17

18 Model Inference Navigation graph Extraction 18

19 Model Inference 19

20 Behavioral Patterns Extraction Extraction 20

21 Workflow Traces: Navigation Graph: 21

22 Workflow Traces: Navigation Graph: TrWP : Trace Waypoints St : Singleton Nodes : Multi-step Operations Rp : Repeatable Operations MWP : Model Waypoints 22

23 Data Flow Trace 1: <HTML> <a href= /view.php?tid=23 > [ ] Trace 2: <HTML> <a href= /add.php?tid=6 > [ ] <HTML> <a href= /add.php?tid=23 > [ ] <HTML> <a href= /checkout > [ ] <HTML> <a href= /checkout > [ ] 23

24 1 2 3 Data Flow Trace 1: <HTML> <a href= /view.php?tid=23 > [ ] Client Generated <HTML> <a href= /add.php?tid=23 > [ ] Server Generated <HTML> <a href= /checkout > [ ] 24

25 Data Flow Trace 1: <HTML> <a href= /view.php?tid=23 > [ ] Trace 2: <HTML> <a href= /add.php?tid=6 > [ ] <HTML> <a href= /add.php?tid=23 > [ ] <HTML> <a href= /checkout > [ ] <HTML> <a href= /checkout > [ ] 25

26 Data Propagation Chains 26

27 Test Case Generation Extraction 27

28 Attack Pattern-based Test Case Generation 28

29 Attack Pattern-based Test Case Generation 29

30 Test Case Execution and Oracle 30

31 Test Case Execution and Oracle LTL Security Property: 31 31

32 Oracle HTTP conversation Events extraction App. logic checker Verdict store/login <HTML> <a href= /view?id=23 > Login yes store/view?id=23 <HTML> <a href= /add?id=23 > View 23 π? = ϕ store.com/add?id=23 no <HTML> <a href= /checkout > Add 23

33 Case Study: Shopping Cart Web Applications Shopping Cart Web Apps y Bu Customers Cashier-as-a-Service Pa y (former Payment Gateways) 33

34 Excerpt of Results Applications CaaS # Test Cases # TC Exec. Violations # Bugs # Vulns AbanteCart Std Magento Exp Std OpenCart Exp Std oscommerce Exp Std PrestaShop Exp TomatoCart Exp Std CS-Cart Exp Std Total

35 Vulnerabilities Application Popularity Shop for free AbanteCart 21,200 x Magento 3,130,000 Pay less No agreement on price OpenCart 9,710,000 x x oscommerce 80,500 x x PrestaShop 650,000 Session Fixation TomatoCart 119,000 x x x x CS-Cart 260,000 x 35

36 oscommerce and AbanteCart: Shopping for Free 36

37 Security Testing Model Checking Passive model inference Extraction of workflow and data flow patterns Attack pattern-based test case generation Assessment of real-world web applications Detection of 10 critical vulnerabilities that affect millions of websites 37

38 Missing Pieces Replace attack patterns with Model Checking Our models are still too complex We need a good attacker model for the Web The oracle needs to be provided by the analyst Explore inference techniques to generate logic invariants Extend the technique to other: classes of vulnerabilities (e.g., improper authentication) classes of applications (e.g., online banking, travel booking, conference systems,...) 38

Toward Black-box Detection of Logic Flaws in Web Applications

Toward Black-box Detection of Logic laws in Web Applications Giancarlo Pellegrino gpellegrino@deeds.informatik.tu-darmstadt.de Davide Balzarotti davide.balzarotti@eurecom.fr San Diego, 25/02/2014 1 Agenda