Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs

Presentation transcript:

Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs
G. Pellegrino, M. Johns, S. Koch, M. Backes, C. Rossow
gpellegrino@cispa.saarland
ACM CCS 2017, Nov 2nd, Dallas, USA

Motivating example: a clickbait post with a hidden image tag
U WON'T BELIEVE WHAT DIS CAT IS DOIN' !!!1!
<img src="http://store.com/change_pwd.php?password=pwnd" width="0px" height="0px"/>
TWEET SHARE PIN SEND EMAIL
11/02/2017 Giancarlo Pellegrino, gpellegrino@cispa.saarland

Cross-Site Request Forgery Attack
1. Alice logs in: POST /login.php [...] user=Alice&pwd=secret
   If the credentials are valid, the server creates and sends a session cookie: 200 OK, Set-Cookie: session=YBLqp32F
2. Alice follows the lure ("Look at this cat video!"): GET /video.html
3. The attacker's page makes Alice's browser send GET /change_pwd.php?password=pwnd with Cookie: session=YBLqp32F
   If the cookie is valid, the server updates the password.

The Forgotten Sleeping Giant
- Popular vulnerability: among the top 10 security risks together with XSS and SQLi [Top10_OWASP_2007-2013]
- Discovered in popular websites, e.g., Gmail, Netflix, and ING
- Most previous effort went into countermeasures: Origin header, synchronizer tokens, and browser plugins
- Little has been done to provide detection techniques
- Existing (semi-)automated techniques focus on input validation and logic flaws
- CSRF is still detected via manual inspection

Challenges
Detection requires reasoning over the relationships between application states and the roles and status of request parameters.
Challenges:
1) CSRF targets state transitions
2) The attacker must be able to reliably create requests, including parameters and values
3) Not all state transitions are relevant

1) CSRF Targets State Transitions
Example:
- GET /user_data.php (Cookie: session=YBLqp32F) -> "Show user data" -> SELECT * FROM users [...] (no state change)
- GET /change_pwd.php?password=new_secret (Cookie: session=YBLqp32F) -> "Update password" -> UPDATE users SET pwd=new_secret [...] (fires a state transition)
Determine when a state transition occurs:
- Not all operations change the state of a web app, e.g., viewing user data vs. resetting the user password
- Learning state transitions is possible; however, existing approaches can be inaccurate or operation-specific

2) Attacker Reliably Creates Requests incl. Params
Example: GET /place_order.php?token=XZR4t6q (Cookie: session=YBLqp32F)
Determine the relationships between parameters and transitions:
- E.g., a random security token cannot be guessed by an attacker
- Existing techniques do not determine such a relationship; e.g., web scanners match parameter names against a list of predefined names (e.g., "token")

3) Not all State Transitions are Relevant
Example: GET /product.php?id=201 (Cookie: session=YBLqp32F) -> PageCounter++ -> UPDATE pages SET cnt = cnt + 1 WHERE id=201 (fires a state transition) -> 200 OK, return product description
Determine the relevance of a state transition:
- State transitions can be the result of operations such as tracing user activities
- These are state-changing operations but not necessarily security-relevant
- Easy for humans, hard for machines

Our Solution: Deemon
- Application-agnostic framework for developers and analysts
- Infer state transitions and data flow from program executions
- Property graphs as a uniform and reusable model representation
- Graph traversals to select request candidates for testing
- Verify the replay-ability of HTTP requests

Deemon: Trace Generation
[Diagram: dynamic trace generation. A workflow such as "Login and change password" is executed against the web app in a virtualized environment; Deemon records the HTTP traces (e.g., <GET, 200, GET, 302>) together with the corresponding execution traces.]

Deemon: Model Construction
[Diagram: traces and parse trees -> FSM -> data flow and types. The HTTP trace <GET, 200, GET, 302> is a chain of "next" edges; the request GET / (with hdrs) is accepted by transition q0→q1 between states q0 and q1; the variable v1=YBLqp32F (Types: String, Session unique) is caused by the transition and propagates to v2=YBLqp32F (Types: String, Session unique), a source that flows into the SQL sink UPDATE tbl [...] with clause id=YBLqp[...].]

Deemon: Traversals
"Find all CSRF"
⇓
"Find all requests r such that: 1) r is state-changing, 2) r can be created by an attacker, 3) the state change is relevant"
⇓
"∀r: request(r) ∧
 1) ∃tr, qi, qf: trans(tr, qi, qf) ∧ accepts(tr, r)
 2) ∀v: variable(v) ∧ has(qf, v) ∧ v.Types ⋂ {"unguessable"} = ∅
 3) relevant(r)"
[Query processor]
[Diagram: request r (GET url, hdrs) with parameter password=pwd; r is accepted by transition qi→qf (condition 1); qf has variable v1=pwd with Types: String, so no variable of qf is typed "unguessable" (condition 2).]
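To make the model and the traversal concrete for challenges 1) and 2) and for the query above, here is an added, self-contained Python illustration (not Deemon's own code): it builds a toy property graph from a constructed execution trace, records a transition only for requests whose SQL writes, attaches the request parameters as typed variables of the target state, and runs the three-part query. The trace, the parameter types (including the "unguessable" label on the token) and the relevant flag are assumptions constructed for the example.

```python
# Added example (not Deemon's own code): a toy property graph built from a
# constructed execution trace, plus the three-part CSRF traversal from the slide.
from collections import defaultdict
WRITE_OPS = ("INSERT", "UPDATE", "DELETE")  # SQL that fires a state transition
class PropertyGraph:
    """Nodes: id -> {label, ...properties}; edges: src -> [(label, dst)]."""
    def __init__(self):
        self.nodes, self.edges = {}, defaultdict(list)
    def node(self, nid, label, **props):
        self.nodes[nid] = {"label": label, **props}
        return nid
    def edge(self, src, label, dst):
        self.edges[src].append((label, dst))
    def out(self, nid, label):
        return [d for lbl, d in self.edges[nid] if lbl == label]
def build_graph(trace):
    """trace: requests plus the SQL the instrumented app ran for each (constructed)."""
    g, q = PropertyGraph(), 0
    g.node("q0", "state")
    for i, req in enumerate(trace):
        r = g.node(f"r{i}", "request", url=req["url"], relevant=req["relevant"])
        if not any(s.upper().startswith(WRITE_OPS) for s in req["sql"]):
            continue  # SELECT-only request: no transition is recorded
        qi, qf = f"q{q}", g.node(f"q{q + 1}", "state")
        tr = g.node(f"{qi}->{qf}", "transition")
        g.edge(qi, "trans", tr); g.edge(tr, "to", qf); g.edge(tr, "accepts", r)
        for name, (value, types) in req["params"].items():  # data flow into qf
            g.edge(qf, "has", g.node(f"{qf}:{name}", "variable", value=value, types=set(types)))
        q += 1
    return g
def find_csrf_candidates(g):
    """Requests r such that: 1) r is state-changing, 2) an attacker can create r
    (no variable of qf is typed 'unguessable'), 3) the state change is relevant."""
    found = []
    for tr, n in g.nodes.items():
        if n["label"] != "transition":
            continue
        qf = g.out(tr, "to")[0]
        guessable = all("unguessable" not in g.nodes[v]["types"] for v in g.out(qf, "has"))
        for r in g.out(tr, "accepts"):  # 1) trans(tr, qi, qf) and accepts(tr, r)
            if guessable and g.nodes[r]["relevant"]:  # 2) and 3)
                found.append(g.nodes[r]["url"])
    return found
TRACE = [  # constructed trace mirroring the slides' examples
    {"url": "/user_data.php", "params": {}, "sql": ["SELECT * FROM users WHERE id=7"], "relevant": True},
    {"url": "/change_pwd.php", "params": {"password": ("pwnd", ["String"])}, "sql": ["UPDATE users SET pwd='pwnd'"], "relevant": True},
    {"url": "/place_order.php", "params": {"token": ("XZR4t6q", ["String", "Session unique", "unguessable"])}, "sql": ["INSERT INTO orders VALUES (7, 201)"], "relevant": True},
    {"url": "/product.php", "params": {"id": ("201", ["String"])}, "sql": ["UPDATE pages SET cnt = cnt + 1"], "relevant": False},
]
```

Running `find_csrf_candidates(build_graph(TRACE))` selects only /change_pwd.php: the read-only request fires no transition, the order request carries an unguessable token, and the page counter update is filtered out as not relevant.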

Deemon: Testing
[Diagram: the graph traversals (queries run by the query processor) yield candidate requests; each request is replayed against the web app in the virtualized environment and the test is marked Failed or Successful.]

Evaluation
Inputs:
- 10 web apps from the Bitnami catalog (avg 600k LoC)
- 93 workflows (e.g., change password, change username, add/delete user/admin, enable/disable plugin)
Funnel:
- 1,380 requests: 194 not state-changing, 1,186 state-changing
- 1,186 state-changing: 1,022 not relevant, 164 relevant
- 164 relevant: 53 protected (108 tokens), 111 unprotected
- 219 tests: 190 failed, 29 successful
- 14 distinct CSRFs
Attacks:
- User account takeover in AbanteCart and OpenCart
- Database corruption in Mautic
- Web app takeover in Simple Invoices

Results Analysis: Awareness
- Complete awareness: all state-changing operations are protected. E.g., Horde, Oxid, and Prestashop
- Unawareness: none of the relevant state-changing operations are protected. I.e., Simple Invoices
- Partial awareness:
  - Role-based: only the admin is protected. I.e., OpenCart and AbanteCart
  - Operation-based: adding data items is protected, deleting is not. I.e., Mautic

Takeaways
- Presented Deemon: dynamic analysis + property graphs, a new modeling paradigm
- Deemon detected 14 CSRFs that can be exploited to take over accounts and websites and to compromise database integrity
- Discovered alarming behaviors: security-sensitive operations are protected in a selective manner