Slide 1: Cybersecurity Testing and Analysis for Web Applications
William GJ Halfond
Center for Systems and Software Engineering, University of Southern California

Slide 2: Research Area
Software Engineering
• Quality Assurance
• Security
• Testing
• Analysis

Slide 3: Importance of Web Applications
• Bank of America has over 23 million active online users.
• Yahoo's projected revenue in 2008 = $7.2 billion.
• Facebook services over 120 million visitors a month.

Slide 4: Problems in Web Applications
[Chart: reported software vulnerabilities per year, 2002 to 2008, log scale from 1 to 10,000, two series: web-based and traditional.]
• Amazon.com: 60 seconds of downtime = $30,000.
• Average cost of a data breach: $3.6 million / $6.6 million (both figures appear on the slide).

Slide 5: Current Approaches
1. Web crawlers and scanners
2. Scenario-based testing

Slide 6: Web Crawlers
[Figure only.]

Slide 7: Problems with Web Crawling
[Figure only.]

Slide 8: Scenario-Based Testing
General process:
1. Define use cases
2. Check each use case
+ Realistic
– Incomplete
– Tests only known behaviors

Slide 9: Research Overview
Goal: improve the quality of web applications
1. Develop new techniques
2. Adapt existing techniques
Method: develop and apply program analysis techniques to web applications in order to analyze and understand their structure and runtime behavior.
Benefits:
• Accurate and complete
• Automatable

Slide 10: Key Differences
Observation: many software quality assurance techniques are not directly applicable to web applications.
Complications:
• Interface definitions
• Control flow
• Generated object programs
• Data flow
Problem: the traditional abstractions look very different in web applications.

Slide 11: Developed Techniques
1. Accepted Interface Analysis: improve test coverage; discover vulnerabilities
2. Component Output Identification: static verification of correctness
3. Control-Flow Analysis: verify runtime behaviors

Slide 12: Traditional Interface
    public void write(File outfile, String buffer, int length)
A declared signature gives three things:
1) Parameter names
2) Grouping of parameters
3) Domain information (the declared types)

Slide 13: Web Application Interfaces
A servlet has no declared signature; the same three pieces of information are buried in the code.

    void service(Request req) {
        String dbQuery = "select * from db where ";
        String search = req.getParameter("search");
        dbQuery += "name like '" + search + "' and ";
        String searchType = req.getParameter("sPref");
        if (searchType.equals("zip")) {
            int zip = Integer.parseInt(req.getParameter("zip"));
            dbQuery += "zip=" + zip;
        } else if (searchType.equals("type")) {
            String type = req.getParameter("business");
            dbQuery += "type=" + type;
        } else {
            String state = req.getParameter("state");
            dbQuery += "state=" + state;
        }
        ResultSet results = execute(dbQuery);
        print(results);
    }

1) Parameter names: the string literals passed to getParameter ("search", "sPref", "zip", "business", "state").
2) Grouping of parameters: the branch structure decides which parameters are read together on one execution path.
3) Domain information: Integer.parseInt requires "zip" to be numeric, and the equals comparisons fix which values of "sPref" select each path. The query is built by string concatenation, so every String parameter that reaches it is a potential SQL injection point.

Slide 14: Interface Information
    Interface   Name       Domain Type   Constraints
    1           search     String        -
    1           sPref      String        sPref = "zip"
    1           zip        Integer       -
    2           search     String        -
    2           sPref      String        sPref ≠ "zip", sPref = "type"
    2           business   String        -
    3           search     String        -
    3           sPref      String        sPref ≠ "zip", sPref ≠ "type"
    3           state      String        -

Slide 15: Testing Improvements
[Charts: WAMDF vs. Spider. Statement coverage (%): increase of 30%. Branch coverage (%): increase of 48%. Number of command forms: increase of 94%.]

Slide 16: Penetration Testing
[Diagram: a white-hat tester sends crafted input (!@#$) to the web application's servlets, which talk to the DB and other systems; the HTML response leaks secret data.]

Slide 17: Penetration Testing Results
[Charts: WAMDF vs. Spider. Number of SQL injection vulnerabilities found: detection increase of 365%. Number of XSS vulnerabilities found: detection increase of 282%.]

Slide 18: Traditional Invocation Verification
    public void write(File outfile, String buffer, int length)
    write(file, string, int)
    write(file, string, string)
The compiler checks every call against the declared signature: the first invocation matches, the second passes a String where an int is declared and is rejected.

Slide 19: Web Application Invocations
[Figure only: no compiler checks the parameters a page sends against the parameters a servlet reads.]

Slide 20: Component Output Analysis
[Diagram: the web application's servlets produce HTML; analysis of that HTML identifies the interface invocations (forms and links) it contains.]

Slide 21: Invocation Verification
[Diagram: searchpage.jsp invokes dosearch.jsp; the invocation marked X does not match any accepted interface of dosearch.jsp.]

Slide 22: Verification Results
[Figure only.]

Slide 23: High-level Analysis
[Diagram: end users and an attacker reaching shoppingCart.jsp, login.jsp and memberInfo.jsp.]

Slide 24: Areas of Future Work in Analysis
Control flow
• Protocol analysis
• Object program semantics
Object programs
Data flow
[Diagram: definition/use chains that cross JavaScript, servlet, SQL and HTML.]

Slide 25: Summary
• Research focused on quality assurance for web applications
• Promising results in the basic areas
• Future work in higher-level analysis
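Accepted interface analysis (slides 13, 14 and 17) worked through on the slide's servlet, as an added example in Python; this is not code from the talk or from the tools compared in its charts. The interface table of slide 14 is written down as data, one well-typed request is generated per accepted interface (which is what lets a tester reach the "type" and "zip" branches that a crawler never sees in a form), and each request is run through a transcription of the servlet with a probe string in one parameter at a time to see which parameters reach the SQL string unchanged. The function names, the probe string and the sample values are constructed for the example.

```python
"""Accepted interface analysis on the slide-13 servlet (added example)."""

PAYLOAD = "x' or '1'='1"   # constructed SQL probe string


def service(req):
    """Transcription of the slide's service(Request req).  It keeps the
    slide's string concatenation on purpose and returns the query instead
    of executing it.  A missing parameter becomes "null", which is what
    Java's getParameter + string concatenation produce."""
    def get(name):
        return req.get(name, "null")
    query = "select * from db where "
    query += "name like '" + get("search") + "' and "
    search_type = get("sPref")
    if search_type == "zip":
        zip_code = int(get("zip"))          # Integer.parseInt: non-numeric input raises
        query += "zip=" + str(zip_code)
    elif search_type == "type":
        query += "type=" + get("business")
    else:
        query += "state=" + get("state")
    return query


# Slide-14 table: (interface id, {parameter: domain type}, constraints on
# sPref as (op, literal) pairs).
INTERFACES = [
    (1, {"search": "String", "sPref": "String", "zip": "Integer"},
     [("==", "zip")]),
    (2, {"search": "String", "sPref": "String", "business": "String"},
     [("!=", "zip"), ("==", "type")]),
    (3, {"search": "String", "sPref": "String", "state": "String"},
     [("!=", "zip"), ("!=", "type")]),
]


def satisfies(constraints, value):
    return all(value == lit if op == "==" else value != lit
               for op, lit in constraints)


def pick_spref(constraints):
    """A value of sPref that satisfies the constraints: the required literal
    if there is one, otherwise any value outside the excluded literals."""
    for op, lit in constraints:
        if op == "==":
            return lit
    excluded = {lit for op, lit in constraints if op == "!="}
    candidate = "state"
    while candidate in excluded:
        candidate += "_"
    return candidate


def generate_tests():
    """One well-typed request per accepted interface, derived from the
    code rather than from a downloaded form."""
    tests = []
    for iface_id, params, constraints in INTERFACES:
        req = {}
        for name, dtype in params.items():
            if name == "sPref":
                req[name] = pick_spref(constraints)
            elif dtype == "Integer":
                req[name] = "90007"
            else:
                req[name] = "acme"
        assert satisfies(constraints, req["sPref"])
        tests.append((iface_id, req))
    return tests


def probe_injection():
    """For every interface and parameter, send the probe in that parameter
    and record whether it reaches the query unchanged.  Integer-typed
    parameters cannot carry it (parseInt rejects it) and sPref is only
    compared, never concatenated."""
    findings = {}
    for iface_id, req in generate_tests():
        for name in req:
            probe = dict(req, **{name: PAYLOAD})
            try:
                findings[(iface_id, name)] = PAYLOAD in service(probe)
            except ValueError:
                findings[(iface_id, name)] = False
    return findings


if __name__ == "__main__":
    for key, injectable in sorted(probe_injection().items()):
        print(key, "INJECTABLE" if injectable else "safe")
```

Running it reports five injectable parameter positions (search on every interface, business on interface 2, state on interface 3) and four safe ones. A tester working only from a crawled form that submits search and sPref would see one of them; the other four sit behind the domain constraints on sPref, which is the kind of gap the 365% figure on slide 17 measures.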
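Component output analysis and invocation verification (slides 20 and 21), as an added example in Python that is not the talk's own code. The HTML a component emits is parsed for the invocations it contains (each form with its input names, and each link with a query string), and every invocation is checked against the accepted interfaces of its target, here the slide-14 table for dosearch.jsp. The HTML of searchpage.jsp, the file names and the function names are constructed for the example.

```python
"""Invocation verification of a component's HTML output (added example)."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Accepted interfaces of the target component (slide-14 table):
# (id, {parameter: domain type}, constraints on sPref as (op, literal)).
ACCEPTED = {
    "dosearch.jsp": [
        (1, {"search": "String", "sPref": "String", "zip": "Integer"},
         [("==", "zip")]),
        (2, {"search": "String", "sPref": "String", "business": "String"},
         [("!=", "zip"), ("==", "type")]),
        (3, {"search": "String", "sPref": "String", "state": "String"},
         [("!=", "zip"), ("!=", "type")]),
    ]
}

# Constructed output of searchpage.jsp: two forms and one link, all
# targeting dosearch.jsp.
SEARCHPAGE_HTML = """
<form action="dosearch.jsp" method="get">
  <input type="text" name="search">
  <select name="searchType">
    <option value="zip">zip</option><option value="type">type</option>
  </select>
  <input type="text" name="zip">
</form>
<form action="dosearch.jsp" method="get">
  <input type="hidden" name="sPref" value="type">
  <input type="text" name="search">
  <input type="text" name="business">
</form>
<a href="dosearch.jsp?search=acme&amp;sPref=zip&amp;business=cafe">zip search</a>
"""


class InvocationExtractor(HTMLParser):
    """Collects (target, {parameter: fixed value or None}) for every <form>
    and every <a href> with a query string.  Hidden inputs and query-string
    values are fixed; other controls are free (None)."""

    def __init__(self):
        super().__init__()
        self.invocations = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = (a.get("action", ""), {})
        elif tag in ("input", "select", "textarea") and self._form and a.get("name"):
            fixed = a.get("value") if a.get("type") == "hidden" else None
            self._form[1][a["name"]] = fixed
        elif tag == "a" and "?" in a.get("href", ""):
            url = urlparse(a["href"])
            self.invocations.append(
                (url.path, {k: v[0] for k, v in parse_qs(url.query).items()}))

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            self.invocations.append(self._form)
            self._form = None


def satisfies(constraints, value):
    return all(value == lit if op == "==" else value != lit
               for op, lit in constraints)


def verify(target, params):
    """Ids of the accepted interfaces of target that the invocation can
    reach: it must supply every parameter the interface reads, and a fixed
    sPref value must meet the interface's constraint.  [] is the X on
    slide 21."""
    reachable = []
    for iface_id, accepted, constraints in ACCEPTED.get(target, []):
        if not set(accepted) <= set(params):
            continue
        fixed = params.get("sPref")
        if fixed is not None and not satisfies(constraints, fixed):
            continue
        reachable.append(iface_id)
    return reachable


def analyze(html):
    """Extract the invocations in html and verify each one.
    Returns [(target, params, reachable interface ids), ...]."""
    extractor = InvocationExtractor()
    extractor.feed(html)
    return [(t, p, verify(t, p)) for t, p in extractor.invocations]


if __name__ == "__main__":
    for target, params, reachable in analyze(SEARCHPAGE_HTML):
        print("ok " if reachable else "X  ", target, sorted(params), "->", reachable)
```

The first form is flagged because it sends searchType where dosearch.jsp reads sPref, so no branch of the servlet can be selected by it; the second form reaches interface 2; the link is flagged because it fixes sPref=zip without supplying zip, so the servlet would call Integer.parseInt on a missing parameter. Only the second invocation would survive the compile-time check that slide 18 shows for a traditional call.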