String Analysis for the Detection of Web Application Flaws

Similar documents
Certified Secure Web Application Engineer

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Copyright

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

CSWAE Certified Secure Web Application Engineer

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Web Application Security GVSAGE Theater

CNIT 129S: Securing Web Applications. Ch 4: Mapping the Application

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

C1: Define Security Requirements

Application Security through a Hacker s Eyes James Walden Northern Kentucky University


SQL Injection. EECS Introduction to Database Management Systems

Notes From The field

Application vulnerabilities and defences

Practical Automated Web Application Attack Techniques Justin Clarke Gotham Digital Science Gotham Digital Science Ltd

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

SECURITY TESTING. Towards a safer web world

Secure coding practices

Web Application Vulnerabilities: OWASP Top 10 Revisited

Outline STRANGER. Background

OWASP Top 10 The Ten Most Critical Web Application Security Risks

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Malicious Code Analysis II

SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER CYBER

1. Oracle mod_plsql v in Oracle9i Application Server v1.0.2.x (Oracle9iAS v1.0.2.x)

EasyCrypt passes an independent security audit

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

TIBCO Cloud Integration Security Overview

Finding Vulnerabilities in Source Code

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

1 About Web Security. What is application security? So what can happen? see [?]

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Advanced Web Technology 10) XSS, CSRF and SQL Injection

OWASP 5/07/09. The OWASP Foundation OWASP Static Analysis (SA) Track Session 1: Intro to Static Analysis

Web Application Security. Philippe Bogaerts

Jacksonville Linux User Group Presenter: Travis Phillips Date: 02/20/2013

NET 311 INFORMATION SECURITY

CIS 4360 Secure Computer Systems XSS

John Coggeshall Copyright 2006, Zend Technologies Inc.

Enterprise Java Unit 1- Chapter 3 Prof. Sujata Rizal Introduction to Servlets

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

INJECTING SECURITY INTO WEB APPS WITH RUNTIME PATCHING AND CONTEXT LEARNING

Web Application Security

Web Penetration Testing

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

HPE Security Fortify Plugins for Eclipse Software Version: Installation and Usage Guide

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

P2_L12 Web Security Page 1

Securing ArcGIS Services

Web Application Penetration Testing

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Engineering Your Software For Attack

Solutions Business Manager Web Application Security Assessment

ClearPath Secure Java Overview For ClearPath Libra and Dorado Servers

HPE Security Fortify Plugins for Eclipse

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Web Security, Part 2

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013

RBS NetGain Enterprise Manager Web Interface Multiple Vulnerabilities of 9

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

JSP MOCK TEST JSP MOCK TEST III

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

IS 2150 / TEL 2810 Introduction to Security

Configuring User Defined Patterns

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

WebGoat& WebScarab. What is computer security for $1000 Alex?

GOING WHERE NO WAFS HAVE GONE BEFORE

Certified Network Security Open Source Software Developer VS-1145

INNOV-09 How to Keep Hackers Out of your Web Application

Hello? It s Me, Your Not So Smart Device. We Need to Talk.

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Exploiting and Defending: Common Web Application Vulnerabilities

Preventing Injection Vulnerabilities through Context-Sensitive String Evaluation (CSSE)

Web Application Firewall Subscription on Cyberoam UTM appliances

Vulnerabilities in web applications

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

sottotitolo System Security Introduction Milano, XX mese 20XX A.A. 2016/17 Federico Reghenzani

DreamFactory Security Guide

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

Penetration Testing with Kali Linux

WEB SECURITY: XSS & CSRF

CS 161 Computer Security

Vulnerability Signature Update

Vulnerability Management & Vulnerability Assessment. Nessus Attack Scripting Language (NASL). CVE databases, NVD database

A Data Driven Approach to Designing Adaptive Trustworthy Systems

Secure Web App. 제목 : Secure Web Application v1.0 ( 채수민책임 ) Copyright 2008 Samsung SDS Co., Ltd. All rights reserved - 1 -

Exam4Free. Free valid exam questions and answers for certification exam prep

Securing Your Company s Web Presence

6.858 Lecture 4 OKWS. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS.

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

Aguascalientes Local Chapter. Kickoff

Transcription:

String Analysis for the Detection of Web Application Flaws Luca Carettoni l.carettoni@securenetwork.it Claudio Merloni c.merloni@securenetwork.it CONFidence 2007 - May 12-13, Kraków, Poland 04/05/07 1

Web Applications Web Applications are everyday more pervasive Easy to implement, yet very powerful way to give access to services and content Can be made of a handful of simple scripts or a very complex architecture Today, web application development often doesn't take into consideration the specific risks coming from the exposure to the web itself 04/05/07 2

Web Application Security Giving access to web application means asking the world to send HTTP request Attackers more and more actively look for web application flaws as they are: surprisingly common often the key to subvert the victim's data and networks it is quite easy for an attacker to hide his identity using well known anonymizing techniques 04/05/07 3

Input Validation - 1 Every data handled by a web application should be considered unsafe HTTP request are the primary input feed Attackers can alter any part of an HTTP request: pieces of info coming from a client (also if subject to client side validation) should never be considered safe: GET and POST parameters request headers cookies, and so on. 04/05/07 4

Input Validation - 2 Tampering the input an attacker can perform a variety of attacks, for example: injection of SQL code, OS commands, and so on injection of client side scripts to compromise other users' session data and credentials or attack the local machine buffer overflows directory traversal to disclose server-side sensitive info Complete input filtering is often too complex to handle 04/05/07 5

Input Validation - 3 SQL injection example: $query = sprintf( SELECT * FROM %s WHERE owner= %s AND nickname= %s, $this- >table, $this->owner,$alias); $res = $this->dbh->query($query); What if $alias was UNION ALL SELECT * FROM address WHERE 1 = 1? Directory traversal example: <?php $template = 'blue.php'; if ( is_set( $_COOKIE['TEMPLATE'] ) ) $template = $_COOKIE['TEMPLATE']; include ( "/home/users/phpguru/templates/". $template );?> What if the attacker tampered the HTTP request the following way? GET /vulnerable.php HTTP/1.0 Cookie: TEMPLATE=../../../../../../../../../etc/passwd 04/05/07 6

Input Validation - 4 Path Based Access Control public class PathBasedAccessControl extends LessonAdapter { [...] String dir = s.getcontext().getrealpath( "/images" ); // A [...] String file = s.getparser().getrawparameter( FILE, "" ); // B [...] File f = new File( (dir + "\\" + file).replaceall("\\\\","/")); // C } A: we are in /images/ (Absolute Path on my Linux box: /var/lib/tomcat- 5.5/webapps/WebGoat/) B: from the HTML form, we take the FILE input parameter C: Creating a File object... 04/05/07 7

Input Validation - 5 We can request a file inside the allowed images folder: right.gif But we can also try to break out of the web root with a correctly crafted path: %2e%2e%2f%2e%2e%2f2e%2e%2f2e%2e%2f2e%2e% 2f2e%2e%2fetc/passwd 04/05/07 8

How to deal with that? The solution is the combination of secure desing and development, testing, training and review Directly filtering before they reach the application Interacting with the application or analyzing its source code: Source Code Analyzer Web Application Scanner Database Scanner Binary Analysis Tool Runtime Analysis Tool Configuration Scanner HTTP Proxy Source analysis: pattern matching or data flow analysis 04/05/07 9

Checking the input Input processing in web applications is mainly performed through the exchange of text strings between the client and the server. That's why we focus on methods working on strings. Validating the input: checkpoint Blacklist: defining what bad input is. Then escaping, substituting, and so on Whitelist: defining what good input is and filtering anything that doesn't match 04/05/07 10

Hotspot - 1 We use the term hotspot to identify the function calls that in a vulnerable application would be exploited as the result of unvalidated input Every hotspot is associated to a specific signature, composed by type of vulnerability, fully qualified method name, number and type of parameters We are interested in tracing the possible values that hotspots' String and StringBuffer parameters could take during the application execution 04/05/07 11

Hotspot - 2 Path traversal: methods accessing the filesystem. java.io.file(java.lang.string) java.io.filereader(java.lang.string),... SQL injection: database connectivity. java.sql.statement.executequery(java.lang.string) java.sql.connection.preparestatement(java.lang.string),... Command injection: command execution, class loading and so on. java.lang.runtime.exec(java.lang.string, ) java.lang.system.load(java.lang.string),... 04/05/07 12

Automaton definition In a single execution a variable will take, in a specific execution step, a well defined value Considering every possible execution we obtain the set of values that the variable could take Language: a finite-state automaton representing the set of those possible values The core of our analysis method relies on evaluating the language associated to every hotspots' string parameter. 04/05/07 13

Analysis method Phase 1: parsing the application source code looking for hotspots Phase 2: Building the language associated to every candidate parameter Phase 3: Comparing those languages with our knowledge base of safe languages 04/05/07 14

Language comparison Unvalidated input: using the input vectors (eg. par1) it is possible to modify hotspot parameters (eg. qry) The hotspot parameter could then take a value which isn't valid SQL In our knowledge base we defined the safe language for the hotspot as the common SQL language The complement of this language define the values that qry shouldn't be allowed to take If the intersection between language built by analyzing the application data flow and the complement of our safe language is not null then there is a potential flaw import java.servlet.*; public class Servlet extends HttpServlet{ public void doget( ){ String str1 = request.getparameter( par1 ); String qry = SELECT pass FROM table WHERE myrow= ; qry = qry.concat(str1); qry = qry.concat( ); Connection cn = ; Statement cmd = cn.createstatement(); ResultSet res = cmd.executequery(qry); }} 04/05/07 15

Building a tool - 1 Tightly integrated into the Eclipse IDE Code / Compile / Check / Fix No user intervention needed in the analysis phase Different level of severity in scanning and reporting Vulnerabilities defined as plugins that describe the automaton associated 04/05/07 16

Building a tool - 2 The analysis is performed using both bytecode (data-flow) and source code (reporting) Project resources scanning based both on Eclipse Framework and on raw filesystem analysis: The Eclipse Framework define source locations, classe locations and provide methods to quickly navigate the project structure Filesystem resources can be easily analyzed using both source and class Java reflection 04/05/07 17

Testing results Testing has been conducted on the OWASP WebGoat project (v3.7, 55 Java classes, 16160 lines) Our tool: Analysis time: 483 sec. Vulnerabilities found: 16 SQL Injection, 16 Path Traversal LAPSE: Analysis time: 32 sec. Vulnerabilities found: 2 Command Injection, 1 Cross-Site Scripting, 13 SQL Injection 04/05/07 18

Let's see it! DEMO 04/05/07 19

Summing up It is nowadays critical to enforce security policies on the whole web application lifecycle Source code static analysis cannot completely solve the web app security problem but it's definitely an important step in the right direction Our approach is more complex than others but gives more accurate results Tightly integrating the security analysis with the IDE can be the key to train the developers about the secure coding practices 04/05/07 20

Future work Build a detector knowledge base, able to effectively identify at least the most common vulnerabilities Automatically parse project resources contained inside j2ee archives. Automatically compile Jsp resources to servlets Implement the backward slice feature Rework the data flow analysis components to make the tool able to process more programming languages 04/05/07 21

Questions? Luca ikki Carettoni - l.carettoni@securenetwork.it Claudio paper Merloni - c.merloni@securenetwork.it SecureNetwork S.r.l.: www.securenetwork.it 04/05/07 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback