
ARC: Protecting against HTTP Parameter Pollution Attacks Using Application Request Caches

ARC: Protecting against HTTP Parameter Pollution Attacks Using Application Request Caches. Elias Athanasopoulos, Vassileios P. Kemerlis, Michalis Polychronakis (Columbia University, US); Evangelos P. Markatos (FORTH-ICS, Greece). ACNS 2012.

Presentation Transcript


  1. ARC: Protecting against HTTP Parameter Pollution Attacks Using Application Request Caches

    Elias Athanasopoulos, Vassileios P. Kemerlis, Michalis Polychronakis (Columbia University, US); Evangelos P. Markatos (FORTH-ICS, Greece). ACNS 2012
  2. Web Applications. The web browser sends an HTTP request (GET login?username=joe) to the web server, which answers with an HTTP response (HTTP OK). Elias Athanasopoulos, Columbia University
  3. URLs in HTTP. URL: login?username=joe. Action: login. Parameters: username. HTTP request: GET login?username=joe
  4. Example: Web e-mail. Login: login?username=joe. Read e-mail: action?type=read&id=42. Delete e-mail: action?type=delete&id=42. Delete mailbox: action?type=del_box&id=inbox. Logout: logout?username=joe
  5. Are all URLs valid? login?username=joe&type=delete&id=42; action?type=read&id=42&id=2; action?type=delete&id=2&id=42; action?type=del_box; logout?username=joe&type=del_mbox&id=inbox
  6. HTTP Parameter Pollution (HPP). How is the URL action?type=read&id=6&id=42 interpreted, compared with action?type=read&id=6? If parsing goes from left to right, 6 wins. If parsing goes from right to left, 42 wins. If parsing direction does not matter, the values are concatenated (6 and 42, or 42 and 6).
  7. HPP is yet another injection attack. Ambiguity in parsing parameters makes HPP possible.
  8. URL Space. All possible URLs; within them, the URLs that define the web application's logic; and the attacker's URLs.
  9. HPP Impact. About 1,499 of the 5,000 highly ranked Alexa.com web sites are considered vulnerable to HPP exploitation. (Automated discovery of parameter pollution vulnerabilities in web applications. Balduzzi et al., NDSS 2011.)
  10. Application Request Caches
  11. Goal. Of all possible URLs, we need to serve the URLs that define the web application's logic and block the attacker's URLs.
  12. URL Schema. A URL schema has the form action?par1=&par2=...&parN=. For example, the URL login?username=joe has the schema login?username=.
  13. Architecture. Training phase: passive monitoring of the web application produces a collection of legitimate URL schemas. Deployment phase: the client's HTTP request passes through ARC before reaching the web application.
  14. Training Phase. Large frameworks (such as phpBB) are developed and tested by a large community. Big applications (like Facebook) test new features in a closed environment.
  15. ARC at run-time. ARC matches each HTTP request against its URL schemas (action?par1=&par2=&…&parN=). If a valid schema exists, the request is forwarded to the web application; if no schema matches, the request is rejected.
  16. Implementation. ARC is a web application proxy implemented in Google's Go. ARC uses Go structures for hash tables and lists, and Go channels for multithreading.
  17. Data Structures. The request action?type=forward&id=42&to=mark is stored under the action "action" as the parameter list type=, id=, to=.
  18. Evaluation
  19. Synthetic Traces. Density: the ratio of unique actions over all possible URL schemas.
  20. Trace Selection
  21. Multithreading. We have implemented two versions of ARC: single-channel and 4-channel.
  22. Request Resolution. Requests are resolved in less than 10 microseconds.
  23. Throughput. Requests can be processed at a rate of hundreds of thousands of URLs per second.
  24. Takeaways. ARC can protect HPP-vulnerable applications by keeping a white list of accepted URL schemas. ARC is fast and can be transparently applied to legacy web applications.
  25. BACKUP SLIDES
  26. HTTP Parameter Pollution (HPP). A new attack targeting web applications: HTTP parameter injection, manipulation of the web application's control flow, driving the web application according to the attacker's needs.
  27. HPP in a slide. Web applications are driven through HTTP requests and responses, which encapsulate resource descriptors: URLs. URLs are composed of an action and a list of parameters, e.g. http://site/login?user=joe&country=SG. The list of parameters can be polluted with extra parameters.
  28. URL example. The URL http://www.e-store.com/purchase?item_id=42 is associated with a script purchase, which is called with the input argument item_id, which has the value 42. Action: purchase. Parameter: item_id=42.
  29. Attack Scenario: e-store. Two families of URLs: (1) show?category=1; (2) purchase?category=1&item_id=1.
  30. Normal Operation. The page show?category=1 lists the links purchase?item_id=1, purchase?item_id=2, …, purchase?item_id=N, each with category=1 appended: purchase?item_id=1&category=1, purchase?item_id=2&category=1, …, purchase?item_id=N&category=1.
  31. Bob attacks. Bob lures Alice to click on links like show?category=1%26item_id=42. Channels: IM, fake web pages, e-mail, etc.
  32. HPP in Action. The page show?category=1%26item_id=42 lists the links purchase?item_id=1, purchase?item_id=2, …, purchase?item_id=N, each with category=1%26item_id=42 appended: purchase?item_id=1&category=1&item_id=42, purchase?item_id=2&category=1&item_id=42, …, purchase?item_id=N&category=1&item_id=42.
  33. Normal Operation vs HPP. Normal: purchase?item_id=1&category=1. HPP: purchase?item_id=1&category=1&item_id=42.
  34. The web application logic has been altered by the attacker.
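The schema cache of slides 12 to 17 and the run-time decision of slide 15, written out as an added Go example; this is not ARC's own code, which is not on this page. Assumptions not stated on the slides: a schema is the action followed by the parameter names sorted alphabetically, with repeated names kept, so a duplicated parameter produces a schema of its own; percent-encoded parameter names are decoded before comparison; the training URLs are constructed from the web e-mail example of slide 4; and the `Middleware` function is a hypothetical stand-in for the proxy.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"sort"
	"strings"
)

// schemaOf reduces a URL to its schema "action?par1=&par2=...&parN=": the action
// (path without leading slash) plus the parameter names with values stripped.
// Assumption not on the slides: names are sorted (order is irrelevant) but
// repeats are kept, so "id=6&id=42" yields a schema distinct from a single "id=".
func schemaOf(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	var names []string
	for _, pair := range strings.Split(u.RawQuery, "&") {
		if pair == "" {
			continue
		}
		name, _, _ := strings.Cut(pair, "=")
		if d, err := url.QueryUnescape(name); err == nil { // "%69d" and "id" are one name
			name = d
		}
		names = append(names, name)
	}
	sort.Strings(names)
	var b strings.Builder
	b.WriteString(strings.TrimPrefix(u.Path, "/"))
	b.WriteByte('?')
	for i, n := range names {
		if i > 0 {
			b.WriteByte('&')
		}
		b.WriteString(n + "=")
	}
	return b.String(), nil
}

// RequestCache is the white list of legitimate URL schemas ARC keeps (slide 15).
type RequestCache struct{ schemas map[string]struct{} }

// Train fills the cache from URLs observed in the training phase (slide 13).
func Train(legitimate []string) (*RequestCache, error) {
	rc := &RequestCache{schemas: make(map[string]struct{})}
	for _, u := range legitimate {
		s, err := schemaOf(u)
		if err != nil {
			return nil, err
		}
		rc.schemas[s] = struct{}{}
	}
	return rc, nil
}

// Allow is the run-time decision of slide 15: true forwards the request to the
// web application, false rejects it because no schema matches.
func (rc *RequestCache) Allow(rawURL string) bool {
	s, err := schemaOf(rawURL)
	if err != nil {
		return false
	}
	_, ok := rc.schemas[s]
	return ok
}

// Middleware is a hypothetical stand-in for the proxy: it rejects unknown schemas
// before the application's handler sees the request.
func (rc *RequestCache) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !rc.Allow(r.URL.RequestURI()) {
			http.Error(w, "no matching URL schema", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// TrainingURLs are constructed from the web e-mail example of slide 4.
var TrainingURLs = []string{
	"login?username=joe", "action?type=read&id=42", "action?type=delete&id=42",
	"action?type=del_box&id=inbox", "logout?username=joe",
}

func main() {
	rc, err := Train(TrainingURLs)
	if err != nil {
		panic(err)
	}
	// The questionable URLs of slide 5, then a legitimate request with reordered parameters.
	for _, u := range []string{"login?username=joe&type=delete&id=42", "action?type=read&id=42&id=2",
		"action?type=del_box", "logout?username=joe&type=del_mbox&id=inbox", "action?id=7&type=read"} {
		fmt.Printf("%-45s allow=%v\n", u, rc.Allow(u))
	}
}
```

Every URL on slide 5 is rejected because its schema never appeared during training: an extra parameter, a missing parameter, or the same name twice all change the schema string, while `action?id=7&type=read` is accepted because only names, not values or order, are compared. The sorting and the decoding of names are this example's choices; an action name that is itself user-controlled would need the same treatment.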
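The e-store scenario of slides 29 to 34 as an added Go example; this is not code from the slides or from any real e-store. A hypothetical `show` page builds its purchase links by string concatenation, which is the behaviour the slides describe, and beside it the same page built with `url.Values`, so that a category value containing an encoded `&` stays a single value. `itemIDViews` shows what the `purchase` handler sees under the three interpretations of slide 6. The inputs are the constructed URLs from the slides.

```go
package main

import (
	"fmt"
	"net/url"
)

// categoryFrom decodes the category the way the show handler would see it:
// "show?category=1%26item_id=42" yields the string "1&item_id=42".
func categoryFrom(showURL string) (string, error) {
	u, err := url.Parse(showURL)
	if err != nil {
		return "", err
	}
	return u.Query().Get("category"), nil
}

// buildLinksVulnerable reproduces the behaviour the slides describe: the decoded
// value is concatenated into each link without re-encoding, so the "&" inside it
// becomes a parameter separator and item_id appears twice (slide 32).
func buildLinksVulnerable(category string, n int) []string {
	links := make([]string, 0, n)
	for i := 1; i <= n; i++ {
		links = append(links, fmt.Sprintf("purchase?item_id=%d&category=%s", i, category))
	}
	return links
}

// buildLinksSafe is the hardened form: url.Values percent-encodes each value, so
// "&" and "=" inside the category stay inside the category.
func buildLinksSafe(category string, n int) []string {
	links := make([]string, 0, n)
	for i := 1; i <= n; i++ {
		q := url.Values{}
		q.Set("item_id", fmt.Sprint(i))
		q.Set("category", category)
		links = append(links, "purchase?"+q.Encode()) // Encode sorts keys: category first
	}
	return links
}

// itemIDViews gives the three interpretations of slide 6 for the purchase handler:
// first value wins, last value wins, or all values are kept together.
func itemIDViews(link string) (first, last string, all []string) {
	u, err := url.Parse(link)
	if err != nil {
		return "", "", nil
	}
	all = u.Query()["item_id"] // Go keeps every value; Get() would return the first
	if len(all) > 0 {
		first, last = all[0], all[len(all)-1]
	}
	return first, last, all
}

func main() {
	for _, show := range []string{"show?category=1", "show?category=1%26item_id=42"} {
		cat, err := categoryFrom(show)
		if err != nil {
			panic(err)
		}
		v := buildLinksVulnerable(cat, 1)[0]
		s := buildLinksSafe(cat, 1)[0]
		f, l, all := itemIDViews(v)
		fmt.Printf("%s\n  concatenated: %s (first=%s last=%s all=%v)\n  encoded:      %s\n", show, v, f, l, all, s)
	}
}
```

With the polluted show URL the concatenated link carries two `item_id` values and the answer to "which one wins" depends on the parser, exactly the ambiguity of slide 6; the encoded link carries one `item_id` and a category value of `1&item_id=42`, which the purchase handler can then reject as an unknown category. ARC addresses the same case from outside the application, since the polluted link's schema (`purchase` with `item_id` twice) is not one the application ever emits.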