240 likes | 412 Views
Penetration Testing with Improved Input Vector Identification. William G.J. Halfond, Shauvik Roy Choudhary , and Alessandro Orso College of Computing Georgia Institute of Technology. DB. Web Application. HTML. End Users. Web Server. Servlets. Other Systems.
E N D
Penetration Testing with Improved Input Vector Identification William G.J. Halfond, Shauvik Roy Choudhary, and Alessandro Orso College of Computing Georgia Institute of Technology
DB Web Application HTML End Users Web Server Servlets Other Systems Web Application Overview HTTP Requests HTML Pages
DB Web Application HTML White Hat Tester Servlets Other Systems Penetration Testing Overview !@#$ Secret Data!
Web Application HTML White Hat Tester Servlets Penetration Testing Phases Information Gathering Attack Generation Attacks Information Target Selection Analysis Feedback Response Analysis Responses Report
Example Web Application Code public void service(HttpServletRequestreq) 1. String action = req.getParameter(“userAction”) 2. if (action.equals(“createLogin”)) 3. String password = req.getParameter(“password”) 4. String loginName = req.getParameter(“login”) 5. if(isInteger(password)) 6. db.execute(“insert into UserTable ” + “(login, password) values (” + loginName + “, ” + password + “)”) 7. displayAddressForm() 8. else 9. displayErrorPage(“Bad password.”) 10. else if (action.equals(“provideAddress”)) 11. String loginName = req.getParameter(“login”) 12. String address = req.getParameter(“address”) 13. db.execute(“update UserTable set” + “ address =’” + address + “’” + “where loginName=” + loginName) 14. else 15. displayCreateLoginForm() !
Our Approach • Goal: • Improve penetration testing by improving information gathering and response analysis. Improvements to penetration testing: • Information gathering Static interface analysis • Attack Generation Generate realistic test-inputs • Response Analysis Produce observable side effect of attack
Phase 1: Identify Input Parameters (IP) names Phase 2: Compute IP domain information Phase 3: Group IP into distinct interfaces 1) Information Gathering: Interface Analysis Interface Analysis [FSE 2007] Web Application Identify IP Names Interfaces HTML Compute IP Domains Servlets Group IPs
1) Interface Analysis: Identify IP Names userAction login password public void service(HttpServletRequestreq) 1. String action = req.getParameter(“userAction”) 2. if (action.equals(“createLogin”)) { 3. String password = req.getParameter(“password”) 4. String loginName = req.getParameter(“login”) 5. if(isInteger(password)) 6. db.execute(“insert into UserTable ” + “(login, password) values (” + loginName + “, ” + password + “)”) 7. displayAddressForm() 8. else 9. displayErrorPage(“Bad password.”) 10. else if (action.equals(“provideAddress”)) 11. String loginName = req.getParameter(“login”) 12. String address = req.getParameter(“address”) 13. db.execute(“update UserTable set” + “ address =’” + address + “’” + “where loginName=” + loginName) 14. else 15. displayCreateLoginForm() login address
1) Interface Analysis: Compute IP Domains userAction:String {“createLogin”, “provideAddress”} userAction login password public void service(HttpServletRequestreq) 1. String action = req.getParameter(“userAction”) 2. if (action.equals(“createLogin”)) 3. String password = req.getParameter(“password”) 4. String loginName = req.getParameter(“login”) 5. if(isInteger(password)) 6. db.execute(“insert into UserTable ” + “(login, password) values (” + loginName + “, ” + password + “)”) 7. displayAddressForm() 8. else 9. displayErrorPage(“Bad password.”) 10. else if (action.equals(“provideAddress”)) 11. String loginName = req.getParameter(“login”) 12. String address = req.getParameter(“address”) 13. db.execute(“update UserTable set” + “ address =’” + address + “’” + “where loginName=” + loginName) 14. else 15. displayCreateLoginForm() password:String password:Integer login login:String login:String address:String address
1) Interface Analysis: Group IPs 1 userAction:String {“createLogin”, “provideAddress”} 2 userAction login password public void service(HttpServletRequestreq) 1. String action = req.getParameter(“userAction”) 2. if (action.equals(“createLogin”)) { 3. String password = req.getParameter(“password”) 4. String loginName = req.getParameter(“login”) 5. if(isInteger(password)) 6. db.execute(“insert into UserTable ” + “(login, password) values (” + loginName + “, ” + password + “)”) 7. displayAddressForm() 8. else 9. displayErrorPage(“Bad password.”) 10. else if (action.equals(“provideAddress”)) 11. String loginName = req.getParameter(“login”) 12. String address = req.getParameter(“address”) 13. db.execute(“update UserTable set” + “ address =’” + address + “’” + “where loginName=” + loginName) 14. else 15. displayCreateLoginForm() password:String password:Integer login 3 10 login:String 14 11 4 15 12 5 login:String address:String address 6 13 8 9 7
White Hat Tester 2) Attack Generation Interface userAction login password userAction = ? login = <attack string> password = ? userAction = createLogin login = <attack string> password = 1234 IP Domain Information
3) Response Analysis with WASP • Response Analysis: • Send attack to web application • If WASP detects attack • Block attack • Send out-of-band signal • Check for signal on client side • WASP: • Positive tainting: Identify and mark developer-trusted strings. Propagate taint markings at runtime • Syntax-Aware Evaluation: Check that all keywords and operators in a query were formed using marked strings
3) WASP: Identify Trusted Data public void service(HttpServletRequestreq) 1. String action = req.getParameter(“userAction”) 2. if (action.equals(“createLogin”)) { 3. String password = req.getParameter(“password”) 4. String loginName = req.getParameter(“login”) 5. if(isInteger(password)) 6. db.execute(“insert into UserTable ” + “(login, password) values (‘” + loginName + “’, ” + password + “)”) 7. displayAddressForm() 8. else 9. displayErrorPage(“Bad password.”) 10. else if (action.equals(“provideAddress”)) 11. String loginName = req.getParameter(“login”) 12. String address = req.getParameter(“address”) 13. db.execute(“update UserTable set” + “ address =’” + address + “’” + “where loginName=” + loginName) 14. else 15. displayCreateLoginForm()
3) WASP: Syntax Aware Evaluation Legitimate Query: Input: login = “GJ”, address = “Home” update userTable set address = ‘Home’ where login = ‘GJ’ Attempted SQL Injection: Input: login = “GJ’ ; drop table userTable -- ”, address = “Home” update userTable set address = ‘Home’ where login = ‘GJ’ ; drop table userTable -- ’
Empirical Evaluation Goal: Evaluate the usefulness of our approach as compared to a traditional penetration testing approach. Research Questions (RQ): • Runtime of analysis • Thoroughness of the penetration testing • Number of vulnerabilities discovered
Implementation: Baseline Approach • Information Gathering OWASP WebScarab • Widely used code-base • Actively maintained • Attack Generation SQLMap • Widely used penetration testing tool • Commonly used attack generation heuristics • Response analysis WASP[FSE 2006]
Implementation: Our Approach • Analyzes bytecode of Java Enterprise Edition (JEE) based web applications • Interface analysis WAM[FSE 2007] • Attack generation leverages SQLMap • Response analysis WASP[FSE 2006]
RQ1: Runtime • SDAPT ranged from 8 to 40 mins • Positive note: Testing was more thorough
RQ3: Number of Vulnerabilities Average increase: 246%
Summary of Results • Improvements to penetration testing • Information gathering with static analysis • Response analysis with dynamic detection • Relatively longer analysis time • More thorough and more vulnerabilities discovered during penetration testing