
WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction

WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction. Prithvi Bisht (http://cs.uic.edu/~pbisht)+, Timothy Hinrichs*+, Nazari Skrupsky+, V.N. Venkatakrishnan+ (+: University of Illinois, Chicago; *: University of Chicago, Chicago).



Presentation Transcript


  1. WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction. Prithvi Bisht (http://cs.uic.edu/~pbisht)+, Timothy Hinrichs*+, Nazari Skrupsky+, V.N. Venkatakrishnan+ (+: University of Illinois, Chicago; *: University of Chicago, Chicago)

  2. Background: User Input Validation
  • Web applications need to validate user-supplied input and reject invalid input
  • Examples: “Credit card number is exactly 16 digits”; “Expiration date of Jan 2009 is not valid”
  • Validation traditionally done at the server: costs a round-trip and server load
  • Popular trend: client-side validation through JavaScript

  3. Client Side Validation using JavaScript (flowchart): onSubmit = validateCard(); validateQuantities(); → Validation pass? Yes: send inputs to server. No: reject inputs.

  4. Problem: Client is an Untrusted Environment
  • Validation can be bypassed: previously rejected values are sent to the server (e.g. invalid quantity: -4)
  • Ideally: re-validate at the server side and reject
  • If not: parameter tampering attacks

  5. Threat is Real!
  • Prior work (CCS’10): 9/13 applications vulnerable to parameter tampering
  • Online banking: unauthorized money transfers
  • Online shopping: unlimited shopping discounts
  • That work identified parameter tampering opportunities with the server-side code treated as a blackbox, and exploits were constructed manually
  • Question: if the server-side code is available, can parameter tampering exploits be constructed automatically?

  6. Whitebox Parameter Tampering Detection
  • Results summary: 45 exploits in 6 applications
  • First analysis that combines JavaScript/HTML, PHP, MySQL
  • (Diagram: client-side code (JavaScript/HTML) and server-side code (PHP, MySQL) are fed to WAPTEC, which outputs exploits)

  7. Intuition (Venn diagram over the universe U of inputs)
  • Fclient: inputs accepted by client
  • ¬Fclient: inputs rejected by client
  • Fserver: inputs accepted by server
  • ¬Fclient ∩ Fserver: inputs that the client would have rejected but the server accepted!! These are the parameter tampering exploits.

  8. Intuition (contd…) (control flow graphs)
  • Client-side code (JavaScript/HTML): a chain of “Input valid?” checks, each with an error exit; accepted inputs reach “send to server”. fclient = program condition (logical formula) for reaching that point.
  • Server-side code (PHP/MySQL): a chain of “Input valid?” checks, each with an error exit; accepted inputs reach the sensitive operation. fserver = satisfied conditions (logical formula) along that path.

  9. Intuition (contd…)
  • Step 1: generate benign inputs (in fclient ∩ fserver) that reach a sensitive operation on the server
  • Step 2: check whether rejected inputs (hostiles, in ¬fclient ∩ fserver) can reach the SAME sensitive operation

  10. Intuition: quantity example
  • Client-side code (JavaScript/HTML) checks quantity ≥ 0, so fclient = quantity ≥ 0; step 1 sends the benign input quantity = 1 to the server
  • Server-side code (PHP/MySQL) performs no check, so fserver = true; it computes cost = quantity * price and runs mysql_query( insert … cost )
  • ¬fclient ∩ fserver = (quantity < 0): parameter tampering exploits quantity = -1, -2, …
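The quantity example above, written out as runnable checks. This is an added illustration, not code from the slides or from WAPTEC; the handler names, the `price` constant and the small input domain are constructed. It computes ¬fclient ∩ fserver by enumeration for the original server (no re-validation) and for a hardened server that repeats the client's check, so the missing check shows up as a non-empty set.

```python
# Added example (not from the WAPTEC slides): the quantity case of slide 10 as
# executable checks. All names and the price constant are constructed.

def client_accepts(params):
    """fclient: the form's JavaScript validator only allows a non-negative quantity."""
    return params["quantity"] >= 0


def server_checkout(params, price=10):
    """Server handler with fserver = true: no check before the sensitive operation.

    Returns the row the sink (mysql_query insert) would receive, or None if the
    request was rejected before reaching it.
    """
    cost = params["quantity"] * price
    return {"quantity": params["quantity"], "cost": cost}   # sink reached unconditionally


def hardened_checkout(params, price=10):
    """Same handler re-validating on the server: fserver = (quantity >= 0)."""
    if params["quantity"] < 0:
        return None                                          # reject before the sink
    return server_checkout(params, price)


def tampering_candidates(client, server, domain):
    """Enumerate a finite input domain and keep the inputs in ¬fclient ∩ fserver:
    rejected by the client but still carried to the sensitive operation by the server."""
    hostile = []
    for quantity in domain:
        params = {"quantity": quantity}
        if not client(params) and server(params) is not None:
            hostile.append(quantity)
    return hostile


if __name__ == "__main__":
    domain = range(-3, 4)
    print("original server:", tampering_candidates(client_accepts, server_checkout, domain))
    print("hardened server:", tampering_candidates(client_accepts, hardened_checkout, domain))
    print("cost charged for quantity -2:", server_checkout({"quantity": -2})["cost"])
```

Enumeration over a tiny domain stands in for the constraint solving the slides describe; the point is the set difference: for the original server it contains every negative quantity (and the negative `cost` the sink would store), for the hardened server it is empty.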

  11-17. WAPTEC Architecture (diagram slides; no transcript text)

  18. Outline • 1. Intuition • 2. Computing fserver • 3. Evaluation • 4. Summary

  19. Fserver: Inputs that reach sensitive ops
  n = user_input('name');
  a = user_input('age');
  if (n == null) exit("please specify user name");
  if (a < 0) exit("please specify age");
  f = mysql_query("insert … name = " . n . " … age = " . a);
  Control Flow Graph: (n == null) → exit; (a < 0) → exit; otherwise mysql_query.
  fserver = all conditions on user inputs that must be satisfied to reach sensitive operations

  20. Computing fserver
  Computed dynamically: execute the server-side code concretely with benign inputs name = bob, age = 55.
  Server-side code:
  n = user_input('name'); a = user_input('age');
  if (n == null) exit("please specify user name");
  if (a < 0) exit("please specify age");
  f = mysql_query("insert …");
  Execution trace (conditions satisfied on the benign run):
  n = user_input('name'); a = user_input('age'); (n != null); (a ≥ 0); f = mysql_query("insert…")
  fserver = (name != "") ∩ (age ≥ 0)
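The dynamic computation of fserver from slides 19 and 20, as an added example that is not part of the slides or of WAPTEC's implementation. A `Traced` wrapper (a constructed name) carries the concrete value of each user input and logs every comparison made on it, recording the comparison when it held and its negation when it did not; running the slide-19 handler on the benign request then yields fserver directly from the trace, and running it on a rejected request yields the path condition of the failed run. The handler, field names and values are constructed.

```python
# Added example (not from the WAPTEC slides): computing fserver dynamically, as
# slides 19-20 describe, by running the handler on benign input while logging
# every comparison on a user input. Handler, field names and values are constructed.

NEGATE = {"==": "!=", "!=": "==", "<": ">=", ">=": "<", ">": "<=", "<=": ">"}


class Traced:
    """Concrete value that records the outcome of every comparison made on it."""

    def __init__(self, name, value, trace):
        self.name, self.value, self.trace = name, value, trace

    def _record(self, op, other, outcome):
        # Log the condition that actually held on this path: the comparison itself
        # when it was true, its negation when it was false.
        self.trace.append((self.name, op if outcome else NEGATE[op], other))
        return outcome

    def __eq__(self, other): return self._record("==", other, self.value == other)
    def __ne__(self, other): return self._record("!=", other, self.value != other)
    def __lt__(self, other): return self._record("<", other, self.value < other)
    def __le__(self, other): return self._record("<=", other, self.value <= other)
    def __gt__(self, other): return self._record(">", other, self.value > other)
    def __ge__(self, other): return self._record(">=", other, self.value >= other)


class Rejected(Exception):
    """Stands in for PHP exit(): control never reaches the sensitive operation."""


def register(request, trace):
    """Server-side handler modelled on slide 19. Returns the row handed to the sink."""
    n = Traced("name", request.get("name"), trace)
    a = Traced("age", request.get("age"), trace)
    if n == None:          # '==' (not 'is') so the comparison is observed by Traced
        raise Rejected("please specify user name")
    if a < 0:
        raise Rejected("please specify age")
    return {"name": n.value, "age": a.value}   # mysql_query( insert ... ) would run here


def compute_fserver(handler, request):
    """Run the handler concretely; the recorded trace is the path condition.

    Returns (reached_sink, trace). On a benign run the trace is fserver for the
    path to the sensitive operation; on a rejected run it is the condition of the
    failed path, which still shows which check stopped the request.
    """
    trace = []
    try:
        handler(request, trace)
        return True, trace
    except Rejected:
        return False, trace


def formula(trace):
    """Render a trace as a conjunction, e.g. 'name != None ∧ age >= 0'."""
    return " ∧ ".join(f"{name} {op} {other!r}" for name, op, other in trace)


if __name__ == "__main__":
    reached, fserver = compute_fserver(register, {"name": "bob", "age": 55})
    print("benign run reached sink:", reached, "| fserver =", formula(fserver))
    reached, failed = compute_fserver(register, {"name": "bob", "age": -4})
    print("hostile run reached sink:", reached, "| path condition =", formula(failed))
```

Only comparisons that involve a wrapped input are recorded, which is exactly the restriction the slide places on fserver (conditions on user inputs). The context-sensitive renaming of slide 21 is not modelled here: every recorded condition is keyed by the input's name, so the example is correct only while inputs are not copied into other variables before being compared.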

  21. Challenges in computing execution traces
  • PHP 5: use context information. For function f1(){ x = 10; f2(); y = x; } and function f2(){ x = 20; }, the naive trace x = 10; x = 20; y = x; is incorrect!! (f2’s x is a different variable). With context information the trace is f1_x = 10; f2_x = 20; f1_y = f1_x;
  • Object-oriented programs: uniquely identify objects. For class C { function m(){ x = 10; } } with calls o1->m() and o2->m(), the trace m_x = 10; m_x = 10; conflates the two objects; with object identities it becomes id1_m_x = 10; id2_m_x = 10;

  22. Computing fserver (contd…)
  Inputs reaching sensitive operations may still be rejected!!
  Server-side code (run with name = bob and no address):
  n = user_input('name'); d = user_input('address');
  if (n == null) exit("please specify user name");
  f = mysql_query("insert …");
  if (f == null) exit("please specify an address");
  The input reaches the SQL sink, but is rejected because address is null. Solution: extract the constraints imposed by the database schema.

  23. Computing fserver (contd…)
  Database schema: set of SQL statements for creating tables / views. Column definitions specify constraints.
  Example, profile table: create table profiles { … addrDB … NOT NULL, } gives the constraint addrDB != null
  These are constraints on column names, but fserver is in terms of inputs. How to map?

  24. Computing fserver (contd…)
  Generate a symbolic query from the trace: insert into profile … set addrDB = _POST[‘address’]
  This shows that the user input address is inserted in column addrDB, bridging the database and PHP namespaces: the constraint on the table column, addrDB != null, becomes a constraint on the user input, address != null.
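The schema step of slides 22 to 24 as an added example (not code from the slides or from WAPTEC): a small parser reads column definitions out of a CREATE TABLE statement, turns NOT NULL and CHAR/VARCHAR widths into constraint templates, and a second function reads a symbolic INSERT in which each value is the `_POST[...]` input it came from, so the column constraints can be rewritten over input names. The DDL, the symbolic insert and all column and input names are constructed; the parser handles only the column-per-line layout shown.

```python
# Added example (not from the WAPTEC slides): deriving fdb from a database schema
# and bridging the column namespace to the PHP input namespace, as slides 22-24
# describe. The DDL, the symbolic insert and all column/input names are constructed.
import re

SCHEMA = """
create table profiles (
  naDB    VARCHAR(32) NOT NULL,
  addrDB  VARCHAR(64) NOT NULL,
  age     INT
);
"""

# Symbolic query recovered from a trace: each column value is the user input it came from.
SYMBOLIC_INSERT = (
    "insert into profiles (naDB, addrDB, age) "
    "values (_POST['name'], _POST['address'], _POST['age'])"
)

COLUMN_RE = re.compile(r"^\s*(\w+)\s+(\w+)(?:\((\d+)\))?([^,]*)", re.I)
INSERT_RE = re.compile(r"insert\s+into\s+(\w+)\s*\(([^)]*)\)\s*values\s*\((.*)\)", re.I | re.S)
INPUT_RE = re.compile(r"_(?:POST|GET|REQUEST)\['(\w+)'\]")


def schema_constraints(ddl):
    """Map each column to the constraints its definition imposes, as templates over {x}."""
    constraints = {}
    body = ddl[ddl.index("(") + 1 : ddl.rindex(")")]      # text between the table's parentheses
    for line in body.splitlines():
        m = COLUMN_RE.match(line)
        if not m:
            continue
        col, typ, size, rest = m.groups()
        templates = []
        if "not null" in rest.lower():
            templates.append("{x} != null")
        if typ.lower() in ("char", "varchar") and size:
            # Values longer than the column are truncated or rejected (slide 28's case)
            templates.append("len({x}) <= " + size)
        constraints[col] = templates
    return constraints


def bridge_to_inputs(symbolic_insert, constraints):
    """Rewrite column constraints as constraints on the user inputs feeding those columns."""
    m = INSERT_RE.search(symbolic_insert)
    if m is None:
        raise ValueError("not an INSERT ... VALUES statement")
    columns = [c.strip() for c in m.group(2).split(",")]
    values = [v.strip() for v in m.group(3).split(",")]
    fdb = {}
    for col, val in zip(columns, values):
        src = INPUT_RE.fullmatch(val)
        if src is None:          # constant or computed value: no user input to constrain
            continue
        name = src.group(1)
        fdb[name] = [t.format(x=name) for t in constraints.get(col, [])]
    return fdb


if __name__ == "__main__":
    cols = schema_constraints(SCHEMA)
    print("column constraints:", cols)
    print("fdb over inputs:  ", bridge_to_inputs(SYMBOLIC_INSERT, cols))
```

Whether an over-long value is silently truncated or rejected depends on the MySQL sql_mode (strict modes raise an error), so the length template is a constraint the server may or may not enforce; slide 28 shows the truncating case.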

  25. Summary: Computing fserver
  n = user_input('name'); d = user_input('address');
  if (n == "") exit("please specify user name");                        (1)
  f = mysql_query("insert … naDB = " . n . " … addrDB = " . d);
  if (f == null) exit("please specify address");                        (2)
  1. Conditions checked in code encode restrictions on inputs: fcode
  2. The database may also encode restrictions on inputs: fdb
  fserver = fcode + fdb

  26. Outline • 1. Intuition • 2. Computing Fserver • 3. Evaluation • 4. Summary

  27. Evaluation: Results • 45 parameter tampering exploits • 23 false positives • 24 false negatives

  28. DcpPortal: Create Imposter Accounts
  • Vulnerability: the duplicate check does not enforce the length restriction
  • Exploit: create an imposter account for “alice” with name = “alice” followed by padding up to 32 characters and a 33rd character (“a” as drawn on the slide)
  • Client-side constraint: length( name ) ≤ 32
  • Server-side code: a. check DB for duplicate name (does not restrict length); b. insert name in DB (truncates name to 32 characters)

  29. DcpPortal: Create Admin Account
  • Server-side code:
    privilege = non-admin;
    if (_COOKIE['make_install_prn'] == 1) privilege = admin;
    Create account with privilege;
  • Vulnerability: attacker can set cookie make_install_prn
  • Exploit: negative tampering, create admin account. There is no mention of make_install_prn in Fclient, but Fserver contains (make_install_prn != 1)

  30. Some related work
  • Multi-tier analysis of web applications. Legacy code: MiMosa, Balzarotti et al. CCS 2007; Chong et al. SIGMOD 2007. Principled development of applications: Links, Google Web Toolkit, Corcoran et al. SIGMOD 2009
  • Specification inference: AutoISES, Tan et al. Security 2008; Engler et al. SOSP 2001; Felmetsger et al. Security 2010; Srivastava et al. PLDI 2011
  • Test input generation: Saxena et al. SP 2010; Halfond et al. ISSTA 2009; Kiezun et al. ICSE 2009; Emmi et al. ISSTA 2007; Godefroid et al. NDSS 2008…
  • Input validation: Su et al. POPL 2006; Balduzzi et al. NDSS 2011; Jayaraman et al. DBSec 2010
  • Sanitization: Balzarotti et al. SP 2008…

  31. Summary
  • Parameter tampering vulnerabilities: widespread
  • First analysis that combined analysis of HTML/JavaScript, PHP and database-imposed constraints
  • Possible to infer a specification of intended behavior from source code and use it in vulnerability detection
  Thanks and Questions

  32. Backup

  33. WAPTEC Architecture

  34. Refining Search for a Success Sink
  • Fclient = (i > 0); the server requires (i > 0 ∩ i < 11)
  • First attempt, benign i = 11: sink not reached; Fserver = NOT (i > 0 ∩ i < 11)
  • Intuition: Fserver for failed runs contains the condition that was not satisfied
  • Refine the client-side spec: Fclient ∩ NOT Fserver
  • Second attempt: (i > 0) ∩ NOT (NOT (i > 0 ∩ i < 11)) gives i = 1 .. 10 (accepted by the server-side code)
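The refinement loop of this slide as an added example (not code from the slides or from WAPTEC). The server is modelled as an ordered chain of validation guards, each standing for an `if (!cond) exit()` check; a failed run yields the conjunction of the guards that passed and the negation of the one that failed, which is the Fserver of that run, and the search conjoins its negation onto the client spec before trying again. The guards, the bounded input domain and the choice to try the largest candidate first (so that 11 is attempted before 10, as on the slide) are constructed.

```python
# Added example (not from the WAPTEC slides): the refinement loop of slide 34 over
# a server modelled as an ordered chain of validation guards. Guards, the input
# domain and the candidate order are constructed.

# Each guard is (description, predicate); the server exits at the first failing one.
SERVER_GUARDS = [
    ("i > 0", lambda i: i > 0),
    ("i < 11", lambda i: i < 11),
]


def run_server(guards, i):
    """Evaluate the guards in order like a chain of if (!cond) exit() checks.

    Returns (reached_sink, path) where path lists (description, predicate, held)
    for every guard evaluated: the ones that passed plus the one that failed, if any.
    """
    path = []
    for desc, pred in guards:
        held = pred(i)
        path.append((desc, pred, held))
        if not held:
            return False, path          # exit(): sensitive operation not reached
    return True, path


def path_condition(path):
    """Predicate for the recorded path: the Fserver of that (possibly failed) run."""
    return lambda i: all(pred(i) == held for _, pred, held in path)


def conjoin_negation(spec, failed):
    """spec ∩ NOT Fserver(failed run), the refinement step of the slide."""
    return lambda i: spec(i) and not failed(i)


def find_success_sink(spec, guards, domain, max_rounds=10):
    """Search for a benign input reaching the sink, refining spec after each failure.

    spec starts as Fclient. Returns (benign_input or None, list of attempted inputs).
    """
    attempts = []
    for _ in range(max_rounds):
        candidates = [i for i in domain if spec(i)]
        if not candidates:
            return None, attempts
        i = max(candidates)                  # candidate order is a constructed choice
        attempts.append(i)
        reached, path = run_server(guards, i)
        if reached:
            return i, attempts
        spec = conjoin_negation(spec, path_condition(path))
    return None, attempts


if __name__ == "__main__":
    fclient = lambda i: i > 0
    benign, attempts = find_success_sink(fclient, SERVER_GUARDS, range(-5, 12))
    print("attempts:", attempts, "| benign input reaching sink:", benign)
```

On the first attempt (i = 11) the recorded path is (i > 0) ∧ ¬(i < 11); conjoining its negation onto Fclient leaves exactly i = 1 .. 10, so the second attempt (i = 10) reaches the sink. The `max_rounds` bound keeps the loop finite when no input in the domain can satisfy the server.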

  35. WAPTEC Architecture
