
NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities In Web Applications

Prithvi Bisht (http://cs.uic.edu/~pbisht)+, Timothy Hinrichs*, Nazari Skrupsky+, Radoslaw Bobrowicz+, V.N. Venkatakrishnan+. +: University of Illinois, Chicago; *: University of Chicago, Chicago


Presentation Transcript


  1. NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities In Web Applications. Prithvi Bisht (http://cs.uic.edu/~pbisht)+, Timothy Hinrichs*, Nazari Skrupsky+, Radoslaw Bobrowicz+, V.N. Venkatakrishnan+. +: University of Illinois, Chicago; *: University of Chicago, Chicago

  2. Background: User Input Validation
  • Web applications need to validate user-supplied input and reject invalid input
  • Examples: “Credit card number is exactly 16 digits”; “Expiration date of Jan 2009 is not valid”
  • Validation traditionally done at the server: costs a round-trip and server load
  • Popular trend: client-side validation through JavaScript

  3. Client Side Validation using JavaScript
  • onSubmit = validateCard(); validateQuantities();
  • Validation passes? Yes: send inputs to server. No: reject inputs

  4. Problem: Client is an Untrusted Environment
  • Validation can be bypassed: previously rejected values are sent to the server anyway (e.g., invalid quantity -4)
  • Ideally: re-validate at the server side and reject
  • If not: security risks

  5. Example: Bypassed Validation → Security Risks
  • Client validation on field quantity: “reject negative values”
  • Server-side code: cost = cost + price * quantity
  • quantity = 1, price = 100 → cost = cost + 100
  • quantity = -1, price = 100 → cost = cost - 100
  • How to automatically find such inputs in a blackbox fashion?

  6. Intuition
  • Automatically generate two sets of inputs: valid inputs (quantity = 1) and invalid inputs (quantity = -1)
  • Done through client code analysis: if (quantity ≥ 0) submit to application, else reject and ask to re-enter
  • How does the server-side code respond to each set?
  • Heuristically determine whether the server rejects the invalid inputs, i.e., whether it rejects quantity = -1 while accepting quantity = 1

  7. NoTamper Architecture and Outline
  • Formula Extractor: takes the web page (plus hints from external analysis) and produces a logical formula for the client-side validation, Fclient, e.g., quantity ≥ 0
  • Input Generator: solves the constraints to produce benign inputs (satisfy Fclient, e.g., quantity = 0) and hostile inputs (violate it, e.g., quantity = -1)
  • Opportunity Detector: compares server responses for benign and hostile inputs and reports tampering opportunities, which are then confirmed as exploits
  • Outline: formula extraction from client code; input generation; opportunity detection; evaluation; conclusion

  8. Formula Extraction from Client Code
  • HTML and JavaScript both restrict inputs
  • HTML form controls (constraints come from tags and attributes):
  • Drop-down menu: value IN (value_1, …, value_n)
  • Radio buttons/checkboxes: value IN (value_1, …, value_n)
  • Hidden attribute: value = constant
  • Readonly attribute: value = constant
  • Maxlength attribute: length(value) ≤ constant
  • Example: a drop-down menu “select one of these cards” yields card == 1234… OR card == 7890…

  9. Formula Extraction from Client Code (cont…)
  • Event-driven JavaScript validation is modelled as a state machine
  • Start state: no fields validated; end state: all validation passed
  • Transitions carry the validation functions f1, f2, …, fn, triggered by events: an onChange handler validates one field (valid: field1, invalid: the rest), while onSubmit validates all fields before the form is submitted
  • Over-approximation: assume all functions are executed: f1, f2, …, fn
  • Execute the functions symbolically to obtain the conditions under which all of them accept the inputs

  10. Formula Extraction from Client Code (cont…)
  • Program condition under which validation succeeds: if (quantity ≥ 0) return true; else return false; gives the constraint quantity ≥ 0
  • JavaScript interaction with the Document Object Model: reading form fields (e.g., getElementById); enabling/disabling form fields (e.g., the disabled property)
  • At the end of symbolic execution: Fclient = (path conditions) AND (constraints of enabled fields)

  11. Outline • Formula extraction from client code • Input generation • Opportunity detection • Evaluation • Conclusion

  12. Input Generation
  • Benign inputs: pass client-side validation, i.e., satisfy Fclient. Example: Fclient: quantity ≥ 0
  • Satisfying values are determined with type information collected while analyzing HTML/JavaScript, e.g., quantity: -?[0-9]*
  • Constraint solving yields quantity = 1

  13. Input Generation (cont…)
  • Hostile inputs: bypass client-side validation, i.e., satisfy NOT(Fclient). Example: NOT(quantity ≥ 0) yields quantity = -1
  • Supplying required variables: some field values are mandated by JavaScript; heuristics such as special markers like * in the field description identify them
  • Negating a conjunction gives a disjunction: NOT(quantity ≥ 0) OR NOT(gift-note in [a-z]*). Solving the first disjunct gives quantity = -1, gift-note = “abc”; solving the second gives gift-note = “-” (with quantity left valid)
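The two stages above (formula extraction from HTML controls, slides 8 to 10, and benign/hostile input generation, slides 12 and 13) as one runnable sketch. This is an added example, not NoTamper's code: the form is constructed, the JavaScript path condition is translated by hand rather than obtained by symbolic execution, and the "solver" simply produces one witness per constraint and per negated constraint, where NoTamper uses a real constraint solver.

```python
"""Formula extraction (from HTML controls plus a hand-translated JavaScript
path condition) and benign/hostile input generation, in the spirit of
NoTamper's first two stages.  Added example, not NoTamper's own code."""
import re
from html.parser import HTMLParser

# Constructed sample form: field names, values and accounts are made up.
SAMPLE_FORM = """
<form action="/checkout" method="post">
  <input type="hidden" name="userId" value="1">
  <input type="text" name="quantity" maxlength="3">
  <select name="from"><option value="1001">Checking</option>
                      <option value="1002">Savings</option></select>
  <input type="text" name="gift-note" maxlength="20">
</form>
"""
# Path condition of the assumed onSubmit validator, written by hand
# (NoTamper would obtain it by symbolic execution):
#   if (quantity >= 0) return true; else return false;
JS_CONSTRAINTS = [("quantity", "ge", 0)]


class FormConstraintExtractor(HTMLParser):
    """Collect (field, op, arg) constraints implied by HTML form controls."""

    def __init__(self):
        super().__init__()
        self.constraints = []
        self._select = None            # name of the <select> currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name = a.get("name")
        if tag == "input" and name:
            if a.get("type", "text") == "hidden" or "readonly" in a:
                self.constraints.append((name, "eq", a.get("value", "")))
            if "maxlength" in a:
                self.constraints.append((name, "len_le", int(a["maxlength"])))
        elif tag == "select" and name:
            self._select = name
        elif tag == "option" and self._select:    # value IN (option values)
            for field, op, choices in self.constraints:
                if field == self._select and op == "in":
                    choices.append(a.get("value", ""))
                    break
            else:
                self.constraints.append((self._select, "in", [a.get("value", "")]))

    def handle_endtag(self, tag):
        if tag == "select":
            self._select = None


def extract_fclient(html):
    """Fclient as a conjunction (list) of constraints over the form fields."""
    parser = FormConstraintExtractor()
    parser.feed(html)
    return parser.constraints + JS_CONSTRAINTS


# Semantics of each constraint kind; "ge" uses the collected type information
# that quantity matches -?[0-9]+ (anything else is not a number at all).
SATISFIES = {
    "eq": lambda v, a: v == a,
    "in": lambda v, a: v in a,
    "len_le": lambda v, a: len(v) <= a,
    "ge": lambda v, a: re.fullmatch(r"-?[0-9]+", v) is not None and int(v) >= a,
}
# Hand-rolled "solver": one witness for a constraint and one for its negation.
BENIGN = {"eq": lambda a: a, "in": lambda a: a[0],
          "len_le": lambda a: "a" * min(a, 3), "ge": lambda a: str(a + 1)}
HOSTILE = {"eq": lambda a: a + "0",
           # len(a)+1 distinct candidates, so at least one lies outside the set
           "in": lambda a: next(c for c in (a[0] + "0" * k for k in range(1, len(a) + 2))
                                if c not in a),
           "len_le": lambda a: "a" * (a + 1), "ge": lambda a: str(a - 1)}


def benign_inputs(fclient):
    """A field assignment satisfying every conjunct of Fclient."""
    inputs = {}
    for field in sorted({c[0] for c in fclient}):
        cs = [c for c in fclient if c[0] == field]
        inputs[field] = next(v for v in (BENIGN[op](arg) for _, op, arg in cs)
                             if all(SATISFIES[op](v, arg) for _, op, arg in cs))
    return inputs


def hostile_inputs(fclient):
    """NOT(Fclient) is a disjunction of negated conjuncts: solve each one
    separately, keeping every other field at its benign value."""
    base = benign_inputs(fclient)
    return [(f"NOT({field} {op} {arg})", {**base, field: HOSTILE[op](arg)})
            for field, op, arg in fclient]
```

`extract_fclient(SAMPLE_FORM)` yields five conjuncts (userId = "1", length(quantity) ≤ 3, from IN ("1001", "1002"), length(gift-note) ≤ 20, quantity ≥ 0); `benign_inputs` picks quantity = "1" because the first candidate "aaa" satisfies the maxlength conjunct but not the JavaScript one, and `hostile_inputs` returns one submission per negated conjunct, including quantity = "-1" and userId = "10". The "required variables" problem from slide 13 shows up here as the `base` assignment: every hostile submission still carries a benign value for the fields it does not target.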

  14. Outline • Formula extraction from client code • Input generation • Opportunity detection • Evaluation • Conclusion

  15. Opportunity Detection
  • Rejected inputs: the response to the hostile inputs has a different structure from the response to the benign inputs
  • Accepted inputs: the response to the hostile inputs has a structure similar to the response to the benign inputs → exploit opportunity

  16. Opportunity Detection (cont…)
  • Compare responses to benign and hostile inputs
  • But noise: user name, address, time, online users, …
  • Submit two benign inputs and get responses B1 = a1 a2 a3 and B2 = b1 a2 a3; wherever B1 and B2 differ is noise
  • Remove those differences from B1 and from the hostile response H1 = h1 a2 a3: C1 = --- a2 a3, C2 = --- a2 a3
  • Difference rank = Edit Distance(C1, C2); low rank → opportunity
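A line-level version of the noise removal and difference rank from slides 15 and 16. This is an added example, not NoTamper's code: NoTamper compares HTML structure, whereas this sketch aligns lines with `difflib`; the four server responses (two benign, one hostile-accepted, one hostile-rejected) are constructed, and the user name and timestamp stand in for the noise the slide lists.

```python
"""Opportunity detection: rank a hostile response against benign ones after
removing the noise that differs even between two benign submissions.
Added example, not NoTamper's code.  All responses are constructed."""
import difflib

B1 = """<h1>Shop</h1>
Welcome alice
Order accepted
Total: 100
Generated 12:00:01
<footer>""".splitlines()
B2 = [l.replace("alice", "bob").replace("12:00:01", "12:00:07") for l in B1]
# Hostile input (quantity = -1) accepted: same page, only the total changes.
H_ACCEPTED = [l.replace("alice", "carol").replace("12:00:01", "12:00:09")
              .replace("Total: 100", "Total: -100") for l in B1]
# Hostile input rejected: the server re-renders the form with an error.
H_REJECTED = """<h1>Shop</h1>
Welcome dave
Error: quantity must be non-negative
<form method="post">
<input name="quantity">
<input type="submit">
</form>
Generated 12:00:11
<footer>""".splitlines()


def noise_positions(b1, b2):
    """Indices of b1 whose lines change between two benign responses."""
    sm = difflib.SequenceMatcher(a=b1, b=b2, autojunk=False)
    return {i for tag, i1, i2, _, _ in sm.get_opcodes()
            if tag != "equal" for i in range(i1, i2)}


def strip_noise(resp, benign, noise):
    """Drop the lines of resp that align with noisy positions of benign.
    Blocks aligned one-to-one are handled line by line; a block whose length
    changed is a genuine structural difference and is kept whole."""
    sm = difflib.SequenceMatcher(a=benign, b=resp, autojunk=False)
    kept = []
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal" or (tag == "replace" and i2 - i1 == j2 - j1):
            kept += [resp[j] for j in range(j1, j2) if i1 + (j - j1) not in noise]
        else:
            kept += resp[j1:j2]
    return kept


def edit_distance(a, b):
    """Levenshtein distance over sequences of lines."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]


def difference_rank(b1, b2, hostile):
    """Edit distance between the noise-free benign and hostile responses;
    a low rank means the server treated the hostile input like a benign one."""
    noise = noise_positions(b1, b2)
    c1 = [line for i, line in enumerate(b1) if i not in noise]
    c2 = strip_noise(hostile, b1, noise)
    return edit_distance(c1, c2)
```

With these inputs the accepted hostile response ranks 1 (only the total line differs once the name and timestamp are masked) and the rejected one ranks 7, which is the kind of separation slide 19 reports. The `strip_noise` rule that keeps a length-changing block whole means noise inside such a block leaks into the rank (here "Welcome dave" and the timestamp), so the rejected rank is slightly inflated; this is a limitation of line alignment that structural comparison of the HTML avoids.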

  17. Outline • Formula extraction from client code • Input generation • Opportunity detection • Evaluation • Conclusion

  18. Applications evaluated: 8 open source applications and 5 live sites

  19. Applications (cont…)
  • Hostile and benign responses separated by an order of magnitude in difference rank
  • Opportunities reported: 169; examined: 50; confirmed exploits in 9 of 13 applications

  20. SelfReliance.com: Online banking
  • Client-side constraints: from IN (Accnt1, Accnt2); to IN (Accnt1, Accnt2)
  • Server-side code: transfer money from → to
  • Vulnerability: from/to can name arbitrary accounts
  • Exploit: unauthorized money transfers from unrelated accounts; account numbers are hardly a secret (e.g., checks contain them)
  • Status: fixed within 24 hours; the software provider, ESP solution (espsolution.net), patched the software for its other clients

  21. CodeMicro.com: Shopping
  • Client-side constraints: quantity1 ≥ 0; quantity2 ≥ 0
  • Server-side code: total = quantity1 * price1 + quantity2 * price2
  • Vulnerability: quantities can be negative
  • Exploit: unlimited shopping rebates. Two items in cart: price1 = $100, price2 = $500; quantity1 = -4, quantity2 = 1 gives total = $100 (a rebate of $400 on price2)
  • Status: fixed within 24 hours

  22. OpenIT: Support
  • Client-side constraints: userId == 1 (hidden field)
  • Server-side code: update the profile with id 1 with the new details
  • Vulnerability: update an arbitrary account
  • Exploit: privilege escalation; inject a cross-site scripting (XSS) payload into the admin account, and cookies are stolen every time the admin logs in
  • Status: open
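The three case studies above share one root cause: the server computes on parameters whose only validation happened in the browser. The following added example (not code from any of the sites named on the page) shows each server-side handler in a form that trusts the client-side constraint and a form that re-validates on the server. The catalog, account ownership table, user-id table and session user are constructed stand-ins.

```python
"""Server-side handlers for the three case studies, each in a form that
trusts the client-side check (vulnerable) and a form that re-validates on
the server (hardened).  Added example; the data below is constructed."""
from decimal import Decimal

PRICES = {"item1": Decimal("100"), "item2": Decimal("500")}          # constructed
OWNED_ACCOUNTS = {"alice": {"Accnt1", "Accnt2"}, "mallory": {"Accnt9"}}  # constructed
USER_IDS = {"admin": 1, "mallory": 7}                                 # constructed


class TamperingError(ValueError):
    """Raised when a parameter fails server-side re-validation."""


# --- Shopping: quantity >= 0 was enforced only in JavaScript ---------------
def total_vulnerable(params):
    return sum(PRICES[i] * int(params["quantity_" + i]) for i in PRICES)


def total_hardened(params):
    total = Decimal(0)
    for item, price in PRICES.items():
        raw = params.get("quantity_" + item, "0")
        if not raw.isdigit():          # rejects "-4", "", "4.0", "1e2"
            raise TamperingError(f"{item}: quantity must be a non-negative integer")
        total += price * int(raw)
    return total


# --- Online banking: from/to were restricted only by <select> options ------
def transfer_vulnerable(session_user, params):
    return ("transfer", params["from"], params["to"], params["amount"])


def transfer_hardened(session_user, params):
    owned = OWNED_ACCOUNTS[session_user]
    if params["from"] not in owned or params["to"] not in owned:
        raise TamperingError("accounts must belong to the logged-in user")
    return ("transfer", params["from"], params["to"], params["amount"])


# --- Support application: userId travelled in a hidden field ---------------
def update_profile_vulnerable(session_user, params):
    return ("update", int(params["userId"]), params["email"])


def update_profile_hardened(session_user, params):
    # Identity comes from the server-side session; a hidden field that
    # disagrees with it is evidence of tampering, not an instruction.
    uid = USER_IDS[session_user]
    if "userId" in params and params["userId"] != str(uid):
        raise TamperingError("userId does not match the session")
    return ("update", uid, params["email"])


def is_rejected(handler, *args):
    """True if the handler refuses the request as tampered."""
    try:
        handler(*args)
        return False
    except TamperingError:
        return True
```

The hardened shopping handler re-checks the same predicate the JavaScript did (a non-negative integer), while the banking and support handlers cannot simply repeat the client constraint, because "IN (Accnt1, Accnt2)" and "userId == 1" were never properties of the input; they were properties of the logged-in user, so the check has to be made against the session. The stored XSS in the OpenIT case is a separate output-encoding problem; the authorization check only stops the attacker from writing into the admin's profile in the first place.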

  23. Outline • Formula extraction from client code • Input generation • Opportunity detection • Evaluation • Conclusion

  24. Conclusion
  • Framework to identify parameter tampering opportunities
  • Used client-side restrictions to aid hostile input generation
  • Several serious problems in open source / commercial applications
  • Significant gap between the validation that should happen and the validation that does happen
  • Thanks and Questions

  25. Backup

  26. False positives
  • maxlength constraints: 31
  • Mutated inputs: 12

  27. Split of HTML, JavaScript and Hidden Field Constraints
  • HTML constraints: 110/169 (65%)
  • JavaScript constraints: 20/169 (12%)
  • Hidden field constraints: 39/169 (23%)

  28. Manual intervention
  • Unique variables: 3 (SMF: 2, phpNuke: 1)
  • Session id/cookies: all except phpNuke
  • Required variables: 12 (SMF: 5, phpNuke: 4, B2Evolution: 1, Garena.com: 2)
  • Typically 5 minutes per form, bounded by the number of fields

  29. Limitations
  • Unsound: false positives when the application mutates invalid inputs, e.g., truncates them (12 such instances in our experiments); false positives when the responses for failure and success are similar
  • Incomplete: the JavaScript over-approximation means mutually exclusive events may make Fclient false; unhandled JavaScript features (document.write/eval); constraints not checked at the client give Fclient = true, so no hostile inputs are generated

  30. Some related work
  • Input validation
  • Prevent the effect of invalid inputs: Su et al. POPL’06, Bandhakavi et al. CCS’07, Saxena et al. NDSS’09, Van Gundy et al. Oakland’09, Ter Louw et al. Oakland’09
  • Find insufficient validation: Livshits et al. Usenix’05, Balzarotti et al. CCS’07, Balzarotti et al. Oakland’08, …
  • Vulnerability analysis: JavaScript-analysis-based client-side attacks: Saxena et al. Oakland’10
  • Fuzzing/directed testing: benign/hostile input generation: Godefroid et al. SIGPLAN’05, Godefroid et al. NDSS’08, Saxena et al. NDSS’10, …
  • Prevention techniques: sandbox/restrict client code: Grier et al. Oakland’08, Reis et al. EuroSys’09, Wang et al. Usenix’09, Vikram et al. Oakland’09, Chong et al. CCS’09, …
