
Penetration Testing with Improved Input Vector Identification

Penetration Testing with Improved Input Vector Identification. William G.J. Halfond, Shauvik Roy Choudhary, and Alessandro Orso, College of Computing, Georgia Institute of Technology.


Presentation Transcript


  1. Penetration Testing with Improved Input Vector Identification. William G.J. Halfond, Shauvik Roy Choudhary, and Alessandro Orso, College of Computing, Georgia Institute of Technology

  2. Web Application Overview (diagram): End Users send HTTP Requests to the Web Server, whose Servlets return HTML Pages; the Web Application also talks to a DB and Other Systems.

  3. Penetration Testing Overview (diagram): a White Hat Tester takes the end-user's place, sends malformed input (“!@#$”) to the Web Application's Servlets, and gets back Secret Data! from the DB.

  4. Penetration Testing Phases (diagram): Information Gathering → Information → Target Selection → Attack Generation → Attacks sent to the Web Application (Servlets, HTML) → Responses → Response Analysis → Report, with an Analysis Feedback loop from Response Analysis back into the testing cycle.

  5. Example Web Application Code (the statement numbers are referenced by later slides; the queries are built by string concatenation and are the injection point the rest of the talk works with):

      public void service(HttpServletRequest req) {
       1.   String action = req.getParameter("userAction");
       2.   if (action.equals("createLogin")) {
       3.     String password = req.getParameter("password");
       4.     String loginName = req.getParameter("login");
       5.     if (isInteger(password)) {
       6.       db.execute("insert into UserTable " + "(login, password) values (" + loginName + ", " + password + ")");
       7.       displayAddressForm();
       8.     } else {
       9.       displayErrorPage("Bad password.");
            }
      10.   } else if (action.equals("provideAddress")) {
      11.     String loginName = req.getParameter("login");
      12.     String address = req.getParameter("address");
      13.     db.execute("update UserTable set" + " address ='" + address + "'" + " where loginName=" + loginName);
      14.   } else {
      15.     displayCreateLoginForm();
            }
      }

  6. Our Approach
  • Goal: improve penetration testing by improving information gathering and response analysis.
  • Improvements to penetration testing:
    • Information gathering → static interface analysis
    • Attack generation → generate realistic test inputs
    • Response analysis → produce an observable side effect of the attack

  7. 1) Information Gathering: Interface Analysis [FSE 2007]
  • Phase 1: Identify Input Parameter (IP) names
  • Phase 2: Compute IP domain information
  • Phase 3: Group IPs into distinct interfaces
  (Diagram: Web Application (HTML, Servlets) → Identify IP Names → Compute IP Domains → Group IPs → Interfaces.)

  8. 1) Interface Analysis: Identify IP Names. Annotated on the code of slide 5, the names passed to req.getParameter are the IPs: userAction (line 1); password (line 3) and login (line 4) in the createLogin branch; login (line 11) and address (line 12) in the provideAddress branch.

  9. 1) Interface Analysis: Compute IP Domains. Annotated on the same code: userAction:String with values {“createLogin”, “provideAddress”} (from the equals comparisons at lines 2 and 10); password:String at line 3, refined to password:Integer by the isInteger check at line 5; login:String at lines 4 and 11; address:String at line 12.

  10. 1) Interface Analysis: Group IPs. The statements of the same code are grouped by the branch that executes them, and the IPs read in each branch form one interface, each carrying userAction:String {“createLogin”, “provideAddress”}: interface 1 (the createLogin branch, lines 3–9) adds login:String and password:Integer; interface 2 (the provideAddress branch, lines 10–15) adds login:String and address:String.
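The three phases of slides 7–10, as an added toy implementation that is not the authors' WAM tool: a source-level scan of the slides' example servlet (constructed here with braces) that collects IP names, infers domains from equals/isInteger checks, and groups the IPs by dispatch branch; unlike the slide, it narrows userAction to the single value that selects each branch.

```python
import re
# Constructed input: the slides' example servlet, rewritten with braces so that
# block nesting can be followed by counting '{' and '}'.
SERVLET = """
public void service(HttpServletRequest req) {
  String action = req.getParameter("userAction");
  if (action.equals("createLogin")) {
    String password = req.getParameter("password");
    String loginName = req.getParameter("login");
    if (isInteger(password)) {
      db.execute("insert into UserTable (login, password) values (" + loginName + ", " + password + ")");
      displayAddressForm();
    } else {
      displayErrorPage("Bad password.");
    }
  } else if (action.equals("provideAddress")) {
    String loginName = req.getParameter("login");
    String address = req.getParameter("address");
    db.execute("update UserTable set address ='" + address + "' where loginName=" + loginName);
  } else {
    displayCreateLoginForm();
  }
}
"""
GET_PARAM = re.compile(r'(\w+)\s*=\s*req\.getParameter\("(\w+)"\)')   # phase 1
EQUALS = re.compile(r'(\w+)\.equals\("([^"]+)"\)')                     # phases 2 and 3
IS_INT = re.compile(r'isInteger\((\w+)\)')                             # phase 2
def analyze(source):
    """Return one dict per interface, mapping each IP name to its inferred domain."""
    var_to_ip = {}      # Java variable -> input-parameter (IP) name
    shared = {}         # IPs read before any branch: part of every interface
    interfaces, current, depth = [], None, 0
    for line in source.splitlines():
        depth -= line.count("}")                     # closing braces end blocks first
        m = EQUALS.search(line)
        if m and depth == 1 and m.group(1) in var_to_ip:
            current = dict(shared)                   # a branch on a dispatch IP = new interface
            current[var_to_ip[m.group(1)]] = 'String {"%s"}' % m.group(2)
            interfaces.append(current)
        scope = shared if current is None else current
        m = GET_PARAM.search(line)
        if m:
            var_to_ip[m.group(1)] = m.group(2)
            scope[m.group(2)] = "String"            # default domain until refined
        m = IS_INT.search(line)
        if m and m.group(1) in var_to_ip:
            scope[var_to_ip[m.group(1)]] = "Integer"  # the check narrows the domain
        depth += line.count("{")
    return interfaces
```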

  11. 1) Information Gathering: Summary

  12. 2) Attack Generation. The White Hat Tester takes one Interface (userAction, login, password) and fills a template: userAction = ?, login = <attack string>, password = ?. With the IP Domain Information the remaining parameters receive values that pass the application's checks: userAction = createLogin, login = <attack string>, password = 1234.

  13. 3) Response Analysis with WASP
  • Response Analysis:
    • Send attack to web application
    • If WASP detects the attack: block the attack and send an out-of-band signal
    • Check for the signal on the client side
  • WASP:
    • Positive tainting: identify and mark developer-trusted strings; propagate taint markings at runtime
    • Syntax-Aware Evaluation: check that all keywords and operators in a query were formed using marked strings

  14. 3) WASP: Identify Trusted Data. On the example code (this slide quotes the login value in the insert at line 6: values (‘” + loginName + “’, ” + password + “)), the developer-written string literals that make up the queries at lines 6 and 13 are the trusted strings that positive tainting marks; the values returned by req.getParameter at lines 1, 3, 4, 11 and 12 are not.

  15. 3) WASP: Syntax-Aware Evaluation
  • Legitimate query. Input: login = “GJ”, address = “Home”
      update userTable set address = ‘Home’ where login = ‘GJ’
  • Attempted SQL injection. Input: login = “GJ’ ; drop table userTable -- ”, address = “Home”
      update userTable set address = ‘Home’ where login = ‘GJ’ ; drop table userTable -- ’
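Positive tainting and syntax-aware evaluation (slides 13–15), as an added toy model that is not the authors' WASP: the taint bit is carried beside each character instead of inside the JVM, the update query of slide 15 is assembled from trusted literals and untrusted parameters, and the check flags any keyword, identifier or operator token that is not built entirely from trusted characters.

```python
import re

# Toy positive tainting: a query is a list of (char, trusted) pairs.
def trusted(s):
    return [(c, True) for c in s]

def untrusted(s):
    return [(c, False) for c in s]

def concat(*parts):
    return [pair for part in parts for pair in part]

# Tokens: quoted string, word (keyword/identifier/number), '--' comment, any other symbol
TOKEN = re.compile(r"'(?:[^']|'')*'|\w+|--[^\n]*|\S")

def syntax_aware_check(query):
    """Syntax-aware evaluation: every keyword, identifier and operator must consist
    only of trusted characters; string and numeric literals may carry user data.
    Returns (ok, list_of_offending_tokens)."""
    text = "".join(c for c, _ in query)            # index-aligned with the taint bits
    offending = []
    for m in TOKEN.finditer(text):
        tok = m.group(0)
        if tok.startswith("'") or tok.isdigit():
            continue                                # data, not syntax: allowed
        if not all(t for _, t in query[m.start():m.end()]):
            offending.append(tok)                   # syntax built from untrusted chars
    return (not offending, offending)

def build_update(address, login):
    """The provideAddress query of slide 15, built from developer literals
    (trusted) and request parameters (untrusted)."""
    return concat(trusted("update userTable set address = '"), untrusted(address),
                  trusted("' where login = '"), untrusted(login), trusted("'"))

if __name__ == "__main__":
    for login in ("GJ", "GJ' ; drop table userTable -- "):
        ok, bad = syntax_aware_check(build_update("Home", login))
        print(repr(login), "->", "legitimate" if ok else "blocked: " + " ".join(bad))
```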

  16. Empirical Evaluation
  • Goal: evaluate the usefulness of our approach as compared to a traditional penetration testing approach.
  • Research Questions (RQ):
    • Runtime of analysis
    • Thoroughness of the penetration testing
    • Number of vulnerabilities discovered

  17. Implementation: Baseline Approach
  • Information gathering → OWASP WebScarab
    • Widely used code base
    • Actively maintained
  • Attack generation → SQLMap
    • Widely used penetration testing tool
    • Commonly used attack generation heuristics
  • Response analysis → WASP [FSE 2006]

  18. Implementation: Our Approach
  • Analyzes bytecode of Java Enterprise Edition (JEE) based web applications
  • Interface analysis → WAM [FSE 2007]
  • Attack generation → leverages SQLMap
  • Response analysis → WASP [FSE 2006]

  19. Subject Applications

  20. RQ1: Runtime
  • SDAPT ranged from 8 to 40 minutes
  • Positive note: testing was more thorough

  21. RQ2: Thoroughness

  22. RQ3: Number of Vulnerabilities
  • Average increase: 246%

  23. Summary of Results
  • Improvements to penetration testing:
    • Information gathering with static analysis
    • Response analysis with dynamic detection
  • Relatively longer analysis time
  • More thorough testing, and more vulnerabilities discovered during penetration testing
