WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction
Prithvi Bisht (http://cs.uic.edu/~pbisht)+, Timothy Hinrichs*+, Nazari Skrupsky+, V.N. Venkatakrishnan+
+: University of Illinois, Chicago
*: University of Chicago, Chicago

Background: User Input Validation
• Web applications need to validate user-supplied input and reject invalid input
• Examples: "Credit card number is exactly 16 digits"; "Expiration date of Jan 2009 is not valid"
• Validation traditionally done at the server: costs a round-trip and server load
• Popular trend: client-side validation through JavaScript

Client-Side Validation using JavaScript
    onSubmit = validateCard(); validateQuantities();
• Validation passes? Yes: send inputs to the server. No: reject the inputs

Problem: Client is an Untrusted Environment
• Validation can be bypassed: previously rejected values are sent to the server (e.g. invalid quantity -4)
• Ideally: re-validate at the server side and reject
• If not: parameter tampering attacks

Threat is Real!
• Prior work (CCS'10): 9/13 applications vulnerable to parameter tampering
• Online banking: unauthorized money transfers
• Online shopping: unlimited shopping discounts
• CCS'10 approach: identify parameter tampering opportunities with the server-side code treated as a blackbox, then manually construct exploits
• Question: if the server-side code is available, can parameter tampering exploits be constructed automatically?

Whitebox Parameter Tampering Detection
• WAPTEC takes the client-side code (JavaScript/HTML) and the server-side code (PHP, MySQL) and outputs exploits
• Results summary: 45 exploits in 6 applications
• First analysis that combines JavaScript/HTML, PHP and MySQL

Intuition (Venn diagram)
• Fclient: inputs accepted by the client; ¬Fclient: inputs rejected by the client
• Fserver: inputs accepted by the server
• ¬Fclient ∩ Fserver: inputs that the client would have rejected but the server accepted!! These are the parameter tampering exploits

Intuition (contd…)
• Client-side code (JavaScript/HTML) as a control flow graph: each "Input valid?" check either leads to an error or continues; accepted inputs reach "send to server". fclient = the program condition along that path (a logical formula)
• Server-side code (PHP/MySQL) likewise: each "Input valid?" check either leads to an error or continues; accepted inputs reach a sensitive operation. fserver = the conditions satisfied along that path (a logical formula)

Intuition (contd…)
1. Generate benign inputs (in fclient ∩ fserver) that reach a sensitive operation and send them to the server
2. Check whether inputs the client rejects (hostiles, in ¬fclient ∩ fserver) can reach the SAME sensitive operation

Intuition: quantity example
• Client-side code (JavaScript/HTML): check quantity ≥ 0, else error; then send to the server. fclient = quantity ≥ 0
• Step 1: benign input quantity = 1
• Server-side code (PHP/MySQL): cost = quantity * price; mysql_query(insert … cost). No check on quantity, so fserver = true
• Step 2: ¬fclient ∩ fserver = (quantity < 0). Parameter tampering exploits: quantity = -1, -2, …

WAPTEC Architecture
(architecture diagram, built up over several animated slides)

Outline
1. Intuition
2. Computing fserver
3. Evaluation
4. Summary

Fserver: Inputs that reach sensitive ops
    n = user_input('name');
    a = user_input('age');
    if (n == null) exit("please specify user name");
    if (a < 0) exit("please specify age");
    f = mysql_query("insert … name = " . n . " … age = " . a);
• Control flow graph: n == null → exit; a < 0 → exit; otherwise mysql_query
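The two steps of the intuition above (find a benign input that reaches the sink, then look for hostiles in ¬fclient ∩ fserver), as an added example that is not WAPTEC's own code: it enumerates a small integer domain instead of calling a solver, and it also carries the refinement step from the backup slide "Refining Search for a Success Sink" (Fclient ∩ ¬Fserver of a failed run). The two server models, quantity_server (the slide's unchecked quantity) and range_server (0 < i < 11), and the domain are constructed for the illustration.

```python
"""Added example (not WAPTEC's own code): the WAPTEC loop over a finite input
domain.  A server model runs concretely and returns the path condition it took
(each check it made, negated if that check failed): fserver for that run."""
from typing import Callable, List, Optional, Tuple

Formula = Callable[[int], bool]
Server = Callable[[int], Tuple[bool, List[Formula]]]

def conj(fs: List[Formula]) -> Formula:
    return lambda v: all(f(v) for f in fs)
def neg(f: Formula) -> Formula:
    return lambda v: not f(v)

def quantity_server(q: int) -> Tuple[bool, List[Formula]]:
    """Slide example: cost = q * price; mysql_query(insert ... cost), no check."""
    return True, []                       # sink reached, fserver = true

def range_server(i: int) -> Tuple[bool, List[Formula]]:
    """Backup-slide example (constructed): the server requires 0 < i < 11."""
    path: List[Formula] = []
    for check in (lambda v: v > 0, lambda v: v < 11):
        if not check(i):
            path.append(neg(check))       # exit(): record the failed condition
            return False, path
        path.append(check)
    return True, path                     # sensitive operation reached

def find_benign(fclient: Formula, server: Server, domain: range,
                rounds: int = 5) -> Optional[Tuple[int, Formula]]:
    """Step 1: find an input in Fclient that reaches the sink, refining the
    spec to Fclient ∩ ¬Fserver(failed run) after each failed attempt."""
    spec = fclient
    for _ in range(rounds):
        cands = [v for v in domain if spec(v)]
        if not cands:
            return None
        i = cands[-1]                     # try the largest candidate, e.g. 11
        reached, path = server(i)
        if reached:
            return i, conj(path)          # fserver of the successful run
        spec = conj([spec, neg(conj(path))])
    return None

def hostiles(fclient: Formula, fserver: Formula, domain: range) -> List[int]:
    """Step 2: ¬Fclient ∩ Fserver, inputs the client rejects but the server accepts."""
    return [v for v in domain if not fclient(v) and fserver(v)]

def exploits(fclient: Formula, server: Server, domain: range) -> List[int]:
    found = find_benign(fclient, server, domain)
    return [] if found is None else hostiles(fclient, found[1], domain)
```

For the quantity example, exploits(lambda q: q >= 0, quantity_server, range(-3, 15)) yields the negative quantities; for range_server, where the server re-validates, the hostile set is empty.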
• fserver = all conditions on user inputs that must be satisfied to reach sensitive operations

Computing fserver
• Computed dynamically: execute the server-side code concretely with benign inputs (name = bob, age = 55)
• Execution trace:
    n = user_input('name');
    a = user_input('age');
    (n != null)
    (a ≥ 0)
    f = mysql_query("insert …");
• fserver = (name != "") ∩ (age ≥ 0)

Challenges in computing execution traces
    function f1() { x = 10; f2(); y = x; }
    function f2() { x = 20; }
• Naive trace: x = 10; x = 20; y = x; is incorrect!! (x in f2 is a different variable from x in f1)
• Use context information: f1_x = 10; f2_x = 20; f1_y = f1_x;
• PHP 5 object-oriented programs:
    class C { function m() { x = 10; } }
    o1->m(); o2->m();
• Naive trace: m_x = 10; m_x = 10; instead uniquely identify objects: id1_m_x = 10; id2_m_x = 10;

Computing fserver (contd…)
• Inputs reaching sensitive operations may still be rejected!! Example: name = bob, no address
    n = user_input('name');
    d = user_input('address');
    if (n == null) exit("please specify user name");
    f = mysql_query("insert …");
    if (f == null) exit("please specify an address");
• Reaches the SQL sink, but rejected because address is null
• Extract the constraints imposed by the database schema

Computing fserver (contd…)
• Database schema: set of SQL statements for creating tables/views. Column definitions specify constraints
• Example: profile table
    create table profiles ( … addrDB … NOT NULL, … )
  gives addrDB != null (a constraint on the column name)
• Column definition → constraint:
    enum(a, b, c)    column IN {a, b, c}
    NOT NULL         column != null
    VARCHAR(n)       length(column) ≤ n
• But fserver is in terms of inputs. How to map?

Computing fserver (contd…)
• Generate a symbolic query from the trace: insert into profile … set addrDB = _POST['address']
• User input address is inserted in column addrDB
• Constraint on the table column, addrDB != null, becomes a constraint on the user input, address != null
• Bridging the namespaces of the database and PHP

Summary: Computing fserver
    n = user_input('name');
    a = user_input('address');
    if (n == "") exit("please specify user name");                      (1)
    f = mysql_query("insert … naDB = " . n . " … addrDB = " . a);
    if (f == null) exit("please specify address");                      (2)
• (1) Conditions checked in code encode restrictions on inputs: fcode
• (2) The database may also encode restrictions on inputs: fdb
• fserver = fcode + fdb

Evaluation: Results
    Application    Size (LOC)   WAPTEC confirmed exploits   Confirmed exploits CCS'2010
    DcpPortal      145K         32                          13
    SPHPBlog       27K          1                           1
    Lanshop        15K          3                           3
    MyBloggie      9K           6                           1
    SnipeGallery   9K           2                           2
    PHPNews        6K           1                           1
• 45 parameter tampering exploits in total; 23 false positives; 24 false negatives

DcpPortal: Create Imposter Accounts
• Client-side constraint: length(name) ≤ 32
• Server-side code: (a) check the DB for a duplicate name (does not restrict length); (b) insert the name in the DB (truncates the name to 32 characters)
• Vulnerability: the duplicate check does not enforce the length restriction
• Exploit: create an imposter account with name = "alice" padded to 32 characters followed by a 33rd character; the duplicate check sees a new name, and after truncation the stored account name is "alice"

DcpPortal: Create Admin Account
    privilege = non-admin;
    if (_COOKIE['make_install_prn'] == 1) privilege = admin;
    create account with privilege;
• Vulnerability: the attacker can set the cookie make_install_prn
• Exploit: negative tampering, create an admin account. make_install_prn is not mentioned in Fclient; Fserver contains (make_install_prn != 1)

Some related work
• Multi-tier analysis of web applications. Legacy code: MiMosa, Balzarotti et al. CCS 2007; Chong et al. SIGMOD 2007. Principled development of applications: Links, Google Web Toolkit, Corcoran et al. SIGMOD 2009
• Specification inference and test input generation: Saxena et al. SP 2010, Halfond et al. ISSTA 2009, Kiezun et al. ICSE 2009, Emmi et al. ISSTA 2007, Godefroid et al. NDSS 2008, …
• Input validation: AutoISES, Tan et al. Security 2008; Engler et al. SOSP 2001; Felmetsger et al. Security 2010; Srivastava et al. PLDI 2011; Su et al. POPL 2006; Balduzzi et al. NDSS 2011; Jayaraman et al. DBSec 2010
• Sanitization: Balzarotti et al. SP 2008, …

Summary
• Parameter tampering vulnerabilities: widespread
• First analysis that combined analysis of HTML/JavaScript, PHP and database-imposed constraints
• Possible to infer a specification of intended behavior from source code and use it in vulnerability detection

Thanks and Questions

Backup: WAPTEC Architecture
(architecture diagram)

Backup: Refining Search for a Success Sink
• Fclient = (i > 0); the server requires (i > 0 ∩ i < 11)
• First attempt, benign i = 11: sink not reached; Fserver = NOT (i > 0 ∩ i < 11)
• Refine the client-side spec: Fclient ∩ NOT Fserver. Intuition: Fserver for a failed run contains the condition that was not satisfied
• Second attempt: (i > 0) ∩ NOT (NOT (i > 0 ∩ i < 11)) gives i = 1 .. 10, accepted by the server-side code
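The namespace bridging from the "Computing fserver" slides (column constraints from the schema, mapped through the symbolic INSERT onto user inputs, then combined with fcode), as an added example that is not WAPTEC's own code. The schema, the symbolic query and the input names (name, address, kind) are constructed for the illustration; a missing input is modelled as None.

```python
"""Added example (not WAPTEC's own code): derive fdb from a MySQL schema and the
symbolic INSERT recovered from a trace, then combine it with fcode (fserver = fcode + fdb)."""
import re
from typing import Callable, Dict, List, Optional

Constraint = Callable[[Optional[str]], bool]   # None models a missing input
SCHEMA = """
create table profiles (
  naDB    VARCHAR(32) NOT NULL,
  addrDB  VARCHAR(64) NOT NULL,
  kind    enum('home','work')
);
"""
# Symbolic query from the trace (constructed), kept as column -> user input it is built from.
SYMBOLIC_INSERT = {"naDB": "name", "addrDB": "address", "kind": "kind"}

def column_constraints(schema: str) -> Dict[str, List[Constraint]]:
    out: Dict[str, List[Constraint]] = {}
    for line in schema.splitlines():                  # one column definition per line
        m = re.match(r"\s*(\w+)\s+(\S.*?),?\s*$", line)
        if not m or m.group(1).lower() == "create":
            continue
        col, defn, cs = m.group(1), m.group(2), []
        if re.search(r"NOT\s+NULL", defn, re.I):
            cs.append(lambda v: v is not None)                    # column != null
        if (n := re.search(r"VARCHAR\((\d+)\)", defn, re.I)):
            cs.append(lambda v, k=int(n.group(1)): v is None or len(v) <= k)
        if (e := re.search(r"enum\((.*?)\)", defn, re.I)):
            vals = [x.strip().strip("'") for x in e.group(1).split(",")]
            cs.append(lambda v, vs=vals: v is None or v in vs)    # column IN {...}
        out[col] = cs
    return out

def fdb(schema: str, insert: Dict[str, str]) -> Dict[str, List[Constraint]]:
    """Bridge the namespaces: constraint on a column -> constraint on the user input."""
    cols = column_constraints(schema)
    return {inp: cols.get(col, []) for col, inp in insert.items()}

# fcode: the one check in the slide's code, if (n == "") exit("please specify user name")
FCODE: Dict[str, List[Constraint]] = {"name": [lambda v: v not in (None, "")]}

def fserver(schema: str = SCHEMA) -> Dict[str, List[Constraint]]:
    """fserver = fcode + fdb, keyed by user-input name."""
    merged = {k: list(v) for k, v in FCODE.items()}
    for inp, cs in fdb(schema, SYMBOLIC_INSERT).items():
        merged.setdefault(inp, []).extend(cs)
    return merged

def accepts(request: Dict[str, str]) -> bool:
    return all(c(request.get(inp)) for inp, cs in fserver().items() for c in cs)
```

A request with name = bob and no address passes fcode but fails fdb (addrDB NOT NULL), which is exactly the run the slide shows reaching the SQL sink and still being rejected.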