Download
1 / 28
280 likes | 397 Views
An Analysis Framework for Security in Web Applications. Gary Wassermann and Zhendong Su University of California, Davis. Web Application Architecture. Application generates query based on user input. User input. Database query. Web page. Result set. Application. Database. Web browser.
E N D
An Analysis Framework for Security in Web Applications Gary Wassermann and Zhendong Su University of California, Davis
Web Application Architecture Application generates query based on user input User input Database query Web page Result set Application Database Web browser
Command Injection Attacks String query = “SELECT * FROM users WHERE username = ‘” + strUName + “’ AND password = ‘” + strPasswd + “’;”; Expected input: SELECT * FROM users WHERE username = ‘John’ AND password = ‘JohnsPass’; Result: John logs in
Command Injection Attacks String query = “SELECT * FROM users WHERE username = ‘” + strUName + “’ AND password = ‘” + strPasswd + “’;”; Malicious input: SELECT * FROM users WHERE username = ‘’ AND password = ‘’ OR ‘’ = ‘’; Result: Malicious user logs in as first user identified in the database. Frequently, the administrator!
Motivation • ~60% of web applications are vulnerable • Found vulnerable sites easily in web search • Many ways to regulate user inputs • Limit length of input • Filter out “bad” strings • Escape quotes, etc. • Are the regulations sufficient? • Goal: Check whether any “dangerous” queries, not user inputs, exist
Example: change admin password Attacker registers online: Username: admin’-- Password: password INSERT INTO users VALUES(‘admin’’--’, ‘password’)
Example: change admin password Attacker changes password: Username: admin’-- OldPass: password NewPass: backdoor
Example: change admin password Application checks correctness of old password: sql = “SELECT * FROM users WHERE username = ‘admin’’--’ AND password = ‘password’”; rso.open( sql, cn ); if (rso.EOF) {...}
Example: change admin password Admin’s password gets changed: sql = “UPDATE users SET password = ‘” + newpass + “’ WHERE username = ‘” + rso(“username”) + “’”; UPDATE users SET password = ‘backdoor’ WHERE username = ‘admin’--’
Overview of Analysis Framework • Abstract Model of Generated Programs • Structure Discovery • Access Control • Ex: “customer” deletes inventory data • Tautologies • Ex: malicious user bypasses authentication Select statement Application code query =… Table lists Conditional expressions
Example with cycles String query = “SELECT * FROM stock WHERE ” + strID + “ = id”; for( int i = 0; i < dat.length(); i++) query = query + “ AND ” + dat[i] + “ = “ + inp[i]; String query = “SELECT * FROM stock WHERE ” + strID + “ = id”;
Example with cycles String query = “SELECT * FROM stock WHERE ” + strID + “ = id”; for( int i = 0; i < dat.length(); i++) query = query + “AND” + dat[i] + “=“ + inp[i]; dat year min from dropdown menu
Example with cycles String query = “SELECT * FROM stock WHERE ” + strID + “ = id”; for( int i = 0; i < dat.length(); i++) query = query + “AND” + dat[i] + “=“ + inp[i]; dat inp year min 2004 15 from dropdown menu from textbox
Example with cycles String query = “SELECT * FROM stock WHERE ” + strID + “ = id”; for( int i = 0; i < dat.length(); i++) query = query + “ AND ” + dat[i] + “ = “ +inp[i]; dat inp Filtered with {“delete”, “xp\_”, “=”, “from”, “or”} year min 2004 15
Example with cycles String query = “SELECT * FROM stock WHERE ” + strID + “ = id”; for( int i = 0; i < dat.length(); i++) query = query + “ AND ” + dat[i] + “ = “ + inp[i]; dat inp Filtered with {“delete”, “xp\_”, “=”, “from”, “or”} year min 2004 15 SELECT * FROM stock WHERE 982= id ANDyear=2004ANDmin=15
Example with cycles String query = “SELECT * FROM stock WHERE ” + strID + “ = id”; for( int i = 0; i < dat.length(); i++) query = query + “ AND ” + dat[i] + “ = “ + inp[i]; dat inp Filtered with {“delete”, “xp\_”, “=”, “from”, “or”} min min 14 15) SELECT * FROM stock WHERE NOT(1= id ANDmin=14ANDmin=15)
String Analysis (previous work) SELECT * FROM stock WHERE NOT(1= id ANDmin=14ANDmin=15) SELECT * FROM stock WHERE NOT ( x = id AND min = z ) y min ε =
SELECT * FROM stock WHERE NOT ( x = id AND min = z ) y min ε = Structure Discovery (previous work) Boolean expression
Tautology checking SELECT * FROM stock WHERE NOT ( x = id AND min = z ) y min ε = NOT ( x = id and min = y and min = z ) Theorem: We discover a tautology over linear arithmetic iff the FSA accepts one.
Overview of Tautology Checking • Main idea: Generate finite number of validity queries from FSA • Challenges: Loops/cycles • Arithmetic • Boolean
Tautology Checking: Arithmetic Loops +c W,X,Y,Z : 1 = W+XÆ X+W+Y = Y+ZÆ Z = 1 a,b,c W×(a) +X×(b) +Y×(c) ≥ Z×(b+c) a W Y ≥ b +c in = 1 b out = 1 Z X {W,Y,Z ← 1; X ← 0} b+c ≥ b+c
b b b b b b b b a a a a Tautology Checking: Boolean Loops OR b b a OR OR OR n+2 = 4
UPDATE users SET password = ‘ w ’ WHERE username = ‘ x ’ ’ -- Earlier Example Revisited UPDATE users SET password = ‘backdoor’ WHERE username = ‘admin’--’
Earlier Example Revisited sql = “UPDATE users SET password = ‘” + newpass + “’ WHERE username = ‘” + rso(“username”) + “’”; This code may also generate a query with a tautology UPDATE users SET password = ‘backdoor’ WHERE username = ‘’OR‘a’=‘a’;
UPDATE users SET password = ‘ w ’ WHERE username = ‘ x ’ OR ‘ y ’ = ‘ z ’ Earlier Example Revisited UPDATE users SET password = ‘backdoor’ WHERE username = ‘’OR‘a’=‘a’;
Conclusions • Analysis Framework: Generate and analyze FSA model of all possible queries • Semantic analysis of generated programs • Not only types but values • Implementation in progress • Questions?
