
NoTamper : Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications

NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications. Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Radoslaw Bobrowicz, V.N. Venkatakrishnan. University of Illinois at Chicago, USA. ACM CCS (Oct 2010).




Presentation Transcript


  1. NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications
  Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Radoslaw Bobrowicz, V.N. Venkatakrishnan
  University of Illinois at Chicago, USA
  ACM CCS (Oct 2010)
  A Presentation at Advanced Defense Lab

  2. Outline
  • Introduction
  • Architecture & Challenges
  • Implementation
  • Evaluation
  • Related Work
  • Conclusion

  3. Introduction
  • A novel approach for automatically detecting potential server-side parameter-tampering vulnerabilities in existing web applications, treating the server as a black box.

  4. Introduction (figure; no transcript text)

  5. Introduction
  • Attack 1: Negative quantities.
    • A negative quantity on an order form results in a "discount" on the total.
  • Attack 2: Charging another user's account.
    • A malicious user can purchase products and charge someone else's account by changing the account parameter.
  • Attack 3: Pattern validation bypass.
    • Client-side input patterns that are not re-checked on the server open the door to XSS and SQL injection.

  6. Introduction – Problem Description
  • Σ: the input alphabet.
  • I = Σ* × Σ* × … × Σ*: the space of inputs (one string per form parameter).
  • P: I → {true, false}: a constraint-checking function.
  • Pserver: the constraint-checking function on the server.
  • Pclient: the constraint-checking function on the client.
  • Intended relationship: Pserver(I) = true → Pclient(I) = true (the server accepts only inputs the client would also accept).
  • Bug (parameter tampering opportunity): Pserver(I) = true ∧ Pclient(I) = false.

  7. Introduction – Problem Description
  • Fclient: a logical representation of Pclient.
  • Fserver: a logical representation of Pserver (not available in the blackbox setting).
  • Hostile inputs h1, …, hn such that Fclient(hi) = false for each i.
  • Benign inputs b1, …, bm such that Fclient(bj) = true for each j.
  • H1, …, Hn: the server's responses to the hostile inputs.
  • B1, …, Bm: the server's responses to the benign inputs.
  • The more similar a hostile response is to the benign responses, the more likely the hostile input was accepted by the server.


  9. ARCHITECTURE & CHALLENGES (figure; no transcript text)

  10. ARCHITECTURE & CHALLENGES (figure; no transcript text)

  11. ARCHITECTURE & CHALLENGES – HTML/JS Analyzer
  • Simulates an environment similar to a JavaScript interpreter in a browser, including the DOM (AJAX is not supported).
  • Executes all the initialization code for the web form concretely.

  12. ARCHITECTURE & CHALLENGES – HTML/JS Analyzer
  • Identifying JS validation code
    • Code run when the form is submitted.
    • Code run each time the user enters or changes data on the form.
  • Analyzing JS validation code
    • Employs a mixed concrete-symbolic execution approach.
    • Symbolic execution provides coverage of all control paths.
    • Concrete execution lets NoTamper ignore irrelevant code.
  • Resolving DOM references
    • Constructs the pertinent portion of the DOM.
    • Simulates the DOM functions that are used to modify the DOM structure.

  13. ARCHITECTURE & CHALLENGES – Input Generator
  • Avoiding spurious rejections
    • Checks that all "required" variables have values of the right type (can be manually overridden).
  • Generating orthogonal hostile inputs
    • Converts Fclient to disjunctive normal form (DNF).
  • Coping with incomplete information
    • Accepts hints (delta) from a human that guide the search for hostile and benign inputs.
  • Addressing state changes
    • Accepts an optional list of variables that must have unique values in each submission.


  15. Implementation (figure; no transcript text)

  16. IMPLEMENTATION – Client Constraint Extraction
  • Collects all the event handlers (and associated scripts) and generates a single function that invokes all those event handlers.
  • Simulates a small set of core DOM methods and properties:
    • getElementById()
    • document.write()
    • innerHTML

  17. IMPLEMENTATION – Client Constraint Extraction (figure; no transcript text)

  18. IMPLEMENTATION – Hostile Input Guidance
  • Initial values
    • Numbers
    • Hidden fields (e.g., the session identifier)
  • Types, inferred from
    • The HTML widget a field is associated with (e.g., <SELECT>)
    • The field's initial value
    • Occurrence in arithmetic constraints
  • Required variables
    • Inferred by analyzing the HTML (e.g., asterisks next to field labels, drop-down lists)
  • Unique variables

  19. IMPLEMENTATION – Input Generation
  • Benign inputs
    • Converts Fclient to DNF.
    • Finds one solution per disjunct.
  • Hostile inputs
    • Solves ¬Fclient (the negation of the client constraints) in the same way.
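Slides 13 and 19 describe input generation without showing any code. The following is an added example written for this page, not NoTamper's own code: a toy solver over integer range constraints (a string field is modelled by its length under the name `len(<field>)`) that converts Fclient to DNF, takes one solution per disjunct as the benign inputs, and solves ¬Fclient for the hostile inputs. The sample form (`quantity`, `coupon`, a hidden `account` field), its domains and the `DOMAINS`/`F_CLIENT` names are constructed for the example; NoTamper hands its formulas to HAMPI instead. Fields left unconstrained by a hostile disjunct are filled from the benign solution, which is this example's approximation of the "orthogonal" hostile inputs of slide 13 and of the initial-value hints of slide 18.

```python
# Added example: toy version of NoTamper's input generation (not the paper's code).
from dataclasses import dataclass

INF = float("inf")


@dataclass(frozen=True)
class Range:
    """Atom: lo <= field <= hi.  String fields are modelled by their length."""
    field: str
    lo: float
    hi: float


@dataclass(frozen=True)
class And:
    args: tuple


@dataclass(frozen=True)
class Or:
    args: tuple


@dataclass(frozen=True)
class Not:
    arg: object


def nnf(f):
    """Push negation down to the atoms; a negated range becomes the two half-lines outside it."""
    if isinstance(f, Range):
        return f
    if isinstance(f, And):
        return And(tuple(nnf(a) for a in f.args))
    if isinstance(f, Or):
        return Or(tuple(nnf(a) for a in f.args))
    g = f.arg                                   # f is a Not(...)
    if isinstance(g, Not):
        return nnf(g.arg)
    if isinstance(g, And):
        return Or(tuple(nnf(Not(a)) for a in g.args))
    if isinstance(g, Or):
        return And(tuple(nnf(Not(a)) for a in g.args))
    halves = []                                 # g is a Range
    if g.lo > -INF:
        halves.append(Range(g.field, -INF, g.lo - 1))
    if g.hi < INF:
        halves.append(Range(g.field, g.hi + 1, INF))
    if not halves:
        return Range(g.field, 1, 0)             # negation of "anything goes": unsatisfiable
    return halves[0] if len(halves) == 1 else Or(tuple(halves))


def dnf(f):
    """Disjunctive normal form: a list of conjuncts, each a list of Range atoms."""
    f = nnf(f)
    if isinstance(f, Range):
        return [[f]]
    if isinstance(f, Or):
        return [c for a in f.args for c in dnf(a)]
    result = [[]]                               # And: distribute over the disjuncts
    for a in f.args:
        result = [x + y for x in result for y in dnf(a)]
    return result


def solve(conjunct, domains, defaults=None):
    """Intersect the conjunct's intervals with the field domains and pick one value per
    field; returns None when a field's interval is empty (a spurious-rejection candidate)."""
    bounds = dict(domains)
    for atom in conjunct:
        lo, hi = bounds[atom.field]
        bounds[atom.field] = (max(lo, atom.lo), min(hi, atom.hi))
    values = {}
    for name, (lo, hi) in bounds.items():
        if lo > hi:
            return None
        if defaults and name in defaults and lo <= defaults[name] <= hi:
            values[name] = defaults[name]       # keep the benign value while it is still allowed
        elif lo > -INF:
            values[name] = int(lo)
        elif hi < INF:
            values[name] = int(hi)
        else:
            values[name] = 0
    return values


def generate_inputs(f_client, domains):
    """Benign: one solution per disjunct of Fclient.  Hostile: one solution per disjunct
    of not(Fclient), seeded from the first benign solution so each violates as little as possible."""
    benign = [s for c in dnf(f_client) if (s := solve(c, domains)) is not None]
    seed = benign[0] if benign else None
    hostile = [s for c in dnf(Not(f_client)) if (s := solve(c, domains, seed)) is not None]
    return benign, hostile


def to_form(values):
    """Turn a solver assignment into the strings a browser would submit."""
    form = {}
    for name, v in values.items():
        if name.startswith("len(") and name.endswith(")"):
            form[name[4:-1]] = "a" * v
        else:
            form[name] = str(v)
    return form


# Constructed sample form (assumption): 1 <= quantity <= 10, coupon at most 8 characters,
# and a hidden account field that the client-side code requires to stay at its initial value 4242.
DOMAINS = {"quantity": (-INF, INF), "len(coupon)": (0, INF), "account": (-INF, INF)}
F_CLIENT = And((Range("quantity", 1, 10), Range("len(coupon)", 0, 8), Range("account", 4242, 4242)))

if __name__ == "__main__":
    benign, hostile = generate_inputs(F_CLIENT, DOMAINS)
    for tag, group in (("benign", benign), ("hostile", hostile)):
        for v in group:
            print(tag, to_form(v))
```

Running it yields one benign submission and five hostile ones: `quantity=0`, `quantity=11`, a nine-character coupon, `account=4241` and `account=4243`, each with the other fields left at their benign values. The disjunct `len(coupon) <= -1` is dropped by the domain check, which is the role the type and required-variable hints of slide 13 play in avoiding spurious rejections; the two `account` inputs are exactly the "charge someone else's account" probes of slide 5.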

  20. IMPLEMENTATION – Constraint Solving
  • HAMPI [13], a solver for string constraints.

  21. IMPLEMENTATION – Constraint Solving (figure; no transcript text)

  22. IMPLEMENTATION – HTML Response Comparison
  • Compares the server's response to a hostile input against a response known to have been generated by benign (valid) inputs.
  • Similarity measure: edit distance, computed with the Ratcliff/Obershelp algorithm.
  • Remove the noise between two benign responses B1 and B2 (the parts that differ even between valid submissions) to produce C1.
  • Remove the noise between B1 and the hostile response Hi to produce C2.
  • Compare C1 and C2; the result is the "difference rank" of Hi (a low rank means Hi looks like a benign response, i.e. the server likely accepted the hostile input).
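The comparison step of slide 22, as an added example that is not NoTamper's code: Python's `difflib.SequenceMatcher` implements Ratcliff/Obershelp matching, so the noise removal can be done by keeping only the lines two responses have in common, and the difference rank is one minus the similarity ratio of the two cleaned responses. The sample responses (`B1`, `B2`, `H_ACCEPTED`, `H_REJECTED`), the line-level granularity and the `threshold` used to flag an opportunity are constructed assumptions for this example.

```python
# Added example: NoTamper-style response comparison with difflib (not the paper's code).
import difflib


def common_part(a, b):
    """Lines that responses a and b share, found with difflib's Ratcliff/Obershelp matcher.
    Lines that differ between the two are treated as noise and dropped."""
    a_lines, b_lines = a.splitlines(), b.splitlines()
    matcher = difflib.SequenceMatcher(None, a_lines, b_lines, autojunk=False)
    kept = []
    for block in matcher.get_matching_blocks():
        kept.extend(a_lines[block.a:block.a + block.size])
    return kept


def difference_rank(b1, b2, hostile):
    """0.0: after removing benign-vs-benign noise the hostile response is indistinguishable
    from a benign one; 1.0: the two cleaned responses have nothing in common."""
    c1 = common_part(b1, b2)          # benign template: what two valid submissions share
    c2 = common_part(b1, hostile)     # what the hostile response shares with a benign one
    return 1.0 - difflib.SequenceMatcher(None, c1, c2, autojunk=False).ratio()


def flag_opportunities(b1, b2, hostile_responses, threshold=0.1):
    """Indices of hostile responses ranked close enough to benign to be reported."""
    return [i for i, h in enumerate(hostile_responses) if difference_rank(b1, b2, h) < threshold]


# Constructed responses (not captured from any real site).  Session token and order
# details differ between the two benign pages; that is the noise to remove.
B1 = """<html>
<h1>Order confirmed</h1>
<p>session=ab12</p>
<p>quantity=2 total=40</p>
<p>account=4242</p>
</html>"""

B2 = """<html>
<h1>Order confirmed</h1>
<p>session=cd34</p>
<p>quantity=3 total=60</p>
<p>account=4242</p>
</html>"""

# Server silently accepted quantity=-1: same page template, negative total.
H_ACCEPTED = """<html>
<h1>Order confirmed</h1>
<p>session=ef56</p>
<p>quantity=-1 total=-20</p>
<p>account=4242</p>
</html>"""

# Server re-validated and rejected the hostile input.
H_REJECTED = """<html>
<h1>Error</h1>
<p>Invalid quantity</p>
</html>"""

if __name__ == "__main__":
    for name, h in (("accepted", H_ACCEPTED), ("rejected", H_REJECTED)):
        print(name, round(difference_rank(B1, B2, h), 3))
    print("opportunities:", flag_opportunities(B1, B2, [H_ACCEPTED, H_REJECTED]))
```

The accepted hostile response shares every non-noise line with the benign template and gets rank 0.0; the error page keeps only the `<html>` wrapper and ranks at about 0.33, so only the first hostile input is reported. In practice the cleaned template `c1` should be computed once per form and reused for every hostile response, and the threshold tuned per application, since the paper's false positives (slide 29) came from inputs the server rewrote without any visible change in the output.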

  23. IMPLEMENTATION
  • HTML analysis: built on top of the APIs provided by the HTML Parser.
  • JavaScript analysis: a symbolic evaluator based on a modified Narcissus JavaScript engine.
  • Input Generator: HAMPI.
  • Opportunity Detector: a Java-based module that relays HTTP requests to the test server.


  25. Evaluation
  • Selected 8 open source applications (from http://opensourcescripts.com) and 5 live websites.
  • Test setup
    • Applications hosted on a Linux Apache web server (2.8 GHz dual Intel Xeon, 6.0 GB RAM).
    • NoTamper run on Ubuntu 9.10 (2.45 GHz quad-core Intel, 2.0 GB RAM).

  26. Evaluation (figure; no transcript text)

  27. Evaluation (figure; no transcript text)

  28. Evaluation – Vulnerabilities Found
  • Unauthorized money transfers: www.selfreliance.com
  • Unlimited shopping rebates: www.codemicro.com (fixed within 24 hours of being reported)
  • Privilege escalation: OpenIT, by manipulating the userid parameter.

  29. Evaluation – False Positives
  • Pertained to maxlength constraints on form inputs that could not be exploited for any serious vulnerability.
  • The over-long inputs were rewritten by the server without any observable difference in the HTML output.

  30. Evaluation (figure; no transcript text)

  31. Evaluation (figure; no transcript text)

  32. Evaluation – Performance
  • Input Generator: solved 315 formulas in a total of 219 seconds, an average of 0.7 seconds per input.
  • HTML/JavaScript analyzer: ran in under a second.
  • Opportunity Detector: ran in sub-second time for each application.


  34. Related Work
  • NoTamper's goals focus on discovering vulnerabilities in existing (legacy) applications.


  36. Conclusion
  • NoTamper's results highlight a significant gap between the server-side parameter validation that should occur and the server-side validation that does occur in today's web applications.
