Detecting Logic Vulnerabilities in E-Commerce Applications
Fangqi Sun, Liang Xu, Zhendong Su
University of California, Davis
NDSS (February 2014)


Outline
 INTRODUCTION
 ILLUSTRATIVE EXAMPLE
 APPROACH
 IMPLEMENTATION
 EMPIRICAL EVALUATION
 RELATED WORK
 CONCLUSION


INTRODUCTION
 U.S. retail e-commerce sales for the second quarter of 2013 reached $64.8 billion, an 18.4% increase
 The prevalence of the Internet and the rise of smart mobile devices contribute to the rapid growth of e-commerce web applications
 Although logic vulnerability is not the most common type of web vulnerability, it often has serious impact and is easily exploitable
 Writing a perfectly secure payment module (one without logic vulnerabilities) is difficult
 Luottokunta (v1.2) (CVE ) -> Luottokunta (v1.3) (latest version)


ILLUSTRATIVE EXAMPLE
Luottokunta (v1.3) patched the vulnerability (CVE ) in v1.2.
(R1) checkout_confirmation.php
(R3) checkout_process.php
(R4) checkout_success.php
Intermediate representation (IR)

ILLUSTRATIVE EXAMPLE (checkout_process.php)
before_process(): second 'if' statement's false branch
OrderID, OrderTotal, MerchantID, Secret_key, Currency

ILLUSTRATIVE EXAMPLE - Logic Attack (figure on the slide)


APPROACH - Definitions
Def1 (Merchant):
◦ Merchant is the central role in e-commerce applications.
◦ Merchants are responsible for initializing orders, tracking payment status, recording order details, finalizing orders and shipping products (or providing services) to users.
Def2 (Cashier):
◦ Cashiers bridge the gap between merchants and users when they lack mutual trust.
◦ Users trust cashiers with their private information, and merchants expect cashiers to correctly charge users.
Def3 (User):
◦ User inputs and actions drive the logic flows of checkout processes.
◦ Some users are malicious, therefore merchants need to defend against untrusted user inputs and actions.

APPROACH - Definitions
Def5 (Logic State):
◦ Consists of taint annotations and links to other valid nodes of a checkout process.
◦ The logic state stores taint annotations for the following payment status components and exposed signed tokens: OrderID, OrderTotal, MerchantID, Currency, exposed signed tokens (Secret_key).
Def6 (Logic Vulnerabilities in E-commerce Applications):
◦ Exists when there is an accepted order ID for which the merchant cannot verify that the user has correctly paid the cashier the amount of the order total, in the expected currency, to the merchant ID.

APPROACH - Definitions
Assumption:
◦ Third-party cashiers are secure (black boxes).
◦ Developers of payment modules are often less security-conscious than those of cashiers, thus payment modules are generally more prone to logic vulnerabilities.
Five types of taint annotations:
◦ Tainted order ID
◦ Tainted order total
◦ Tainted merchant ID
◦ Tainted currency
◦ Exposed signed token

APPROACH – Automated Analysis
Logic Vulnerability Detection Algorithm (figure on the slide)


APPROACH – Automated Analysis
Taint Rules. The underlying assumptions of the taint rules are:
(1) Requests from users are untrusted.
(2) Unsigned cashier requests sent via insecure channels are untrusted.
(3) Cashier responses that are relayed by users to merchants via HTTP redirection (status code 302) are also untrusted.
Initially: order ID, order total, merchant ID and currency are all tainted.
Taint removal rules: conditional checks, writes to the merchant database, secure communication channels.
Taint addition rule: exposed signed token, e.g. $_GET['hash'] == md5($secret.$_GET['oId'].$_GET['oTotal'])


IMPLEMENTATION
Developed a symbolic execution framework for PHP, written in OCaml, that integrates taint analysis.
Consults the Satisfiability Modulo Theories (SMT) solver Z3 (Z3: An Efficient SMT Solver).
25,113 lines of OCaml code.
Wrote transfer functions for built-in PHP library functions, which include string functions, database functions, I/O functions, etc.

IMPLEMENTATION - Symbolic Execution
A PHP page can either statically or dynamically include other pages, e.g.:
Static include: require(DIRS_CLASSES.'cart.php')
Dynamic include: require($language.'.php')
For heap modeling, uses five variable maps:
1) Variable-to-symbolic-value memory map.
2) Instance-to-class-name map.
3) Alias-to-variable map, e.g. $this
4) Array-parent-to-array-elements map.
5) Object-parent-to-object-properties map.
McCarthy rule [13]

IMPLEMENTATION - Path Exploration
Goal: to explore all possible intra-procedural and inter-procedural edges in the control-flow graph (CFG).
Uses a worklist-based algorithm and explores CFG edges with a depth-first strategy.
Example for path exploration (figure on the slide).
Worklist: stores execution states for feasible branches that have not been explored yet.
An execution state includes a program counter, a logic state, a path condition, memory maps of global and local variables, etc.

IMPLEMENTATION - Logic Flows
Discards backward flows, error flows or aborted flows.
The parser recursively examines each component of a symbolic value to correctly handle non-literals.
In most cases, merchants embed URLs in HTTP requests to cashiers.
When an untrusted request parameter is compared against a trusted payment status component, the analyzer removes the taint, e.g. $_POST['x_amount'] == $order->info['total']
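To make the taint rules, the worklist-based path exploration and the taint-removing comparison on the preceding slides concrete, here is an added example: a toy model written for this page, not the paper's OCaml framework. It defines a small constructed checkout IR in which "verify" stands for signed-token checks of the $_GET['hash'] == md5($secret.$_GET['oId'].$_GET['oTotal']) shape and "check" for comparisons of a request parameter against a trusted payment status component such as $_POST['x_amount'] == $order->info['total']; a depth-first worklist then walks every feasible branch while carrying a logic state made of the four taint annotations plus the set of signed tokens the merchant has exposed. The instruction names, the LogicState class and both sample flows are assumptions made here; the second flow is a constructed hardened variant and is not a transcription of any Luottokunta release.

```python
"""Toy model (added example, not the paper's tool) of taint-tracking path
exploration over a constructed checkout IR.

A program is a list of instruction tuples; the list index is the program counter.
  ("expose", token)                        merchant sends its own signed token to the user
  ("dbwrite", component)                   merchant records a component in its database
  ("check", component, fail_pc)            request parameter compared against a trusted value
  ("verify", token, components, fail_pc)   signed token over the given components verified
  ("accept",)                              order accepted / finalised
  ("abort",)                               error flow, discarded by the analysis
"""

COMPONENTS = ("order_id", "order_total", "merchant_id", "currency")


class LogicState:
    """Taint annotations for the payment status components plus the signed tokens
    the merchant has already exposed to the user (assumed representation)."""

    def __init__(self, tainted=None, exposed=()):
        # Initially all four payment status components are tainted.
        self.tainted = frozenset(COMPONENTS if tainted is None else tainted)
        self.exposed = frozenset(exposed)

    def untaint(self, *components):
        return LogicState(self.tainted - set(components), self.exposed)

    def expose(self, token):
        return LogicState(self.tainted, self.exposed | {token})

    def key(self):
        return (self.tainted, self.exposed)


def explore(program):
    """Worklist-based, depth-first exploration of every feasible branch.

    An execution state is (pc, logic state, path). Every 'accept' reached is
    reported together with the components still tainted on that path.
    """
    worklist = [(0, LogicState(), ())]
    seen = set()
    findings = []
    while worklist:
        pc, state, path = worklist.pop()              # LIFO pop: depth-first order
        if (pc, state.key()) in seen:
            continue
        seen.add((pc, state.key()))
        path = path + (pc,)
        instr = program[pc]
        op = instr[0]
        if op == "accept":
            findings.append((path, sorted(state.tainted)))
        elif op == "abort":
            continue                                  # error/aborted flow: discarded
        elif op == "expose":
            worklist.append((pc + 1, state.expose(instr[1]), path))
        elif op == "dbwrite":
            # The merchant now holds the value itself, so it is no longer untrusted.
            worklist.append((pc + 1, state.untaint(instr[1]), path))
        elif op == "check":
            _, component, fail_pc = instr
            worklist.append((fail_pc, state, path))                      # false branch
            worklist.append((pc + 1, state.untaint(component), path))    # true branch
        elif op == "verify":
            _, token, components, fail_pc = instr
            worklist.append((fail_pc, state, path))
            if token in state.exposed:
                # Exposed signed token: the merchant signed it and handed it to the
                # user, so a valid signature no longer proves the cashier took part.
                worklist.append((pc + 1, state, path))
            else:
                worklist.append((pc + 1, state.untaint(*components), path))
        else:
            raise ValueError(f"unknown instruction {instr!r}")
    return findings


def vulnerable(program):
    """Def6 on the slides: a flaw exists if an accepted order can reach the end of a
    checkout flow with some payment status component still tainted."""
    return [finding for finding in explore(program) if finding[1]]


# Constructed flow in the exposed-signed-token pattern: the merchant computes a MAC
# over order ID and total, embeds it in the page it sends to the user, and later
# accepts the same MAC as proof of payment.
EXPOSED_TOKEN_FLOW = [
    ("expose", "md5(secret.oId.oTotal)"),                                   # 0
    ("verify", "md5(secret.oId.oTotal)", ("order_id", "order_total"), 5),   # 1
    ("check", "merchant_id", 5),                                            # 2
    ("check", "currency", 5),                                               # 3
    ("accept",),                                                            # 4
    ("abort",),                                                             # 5
]

# Constructed hardened variant: the total is recorded in the merchant database before
# the redirect, and the token checked later was signed by the cashier, never exposed.
HARDENED_FLOW = [
    ("dbwrite", "order_total"),                                                        # 0
    ("verify", "cashier_signature", ("order_id", "order_total", "merchant_id"), 4),    # 1
    ("check", "currency", 4),                                                          # 2
    ("accept",),                                                                       # 3
    ("abort",),                                                                        # 4
]

if __name__ == "__main__":
    for name, flow in (("exposed token", EXPOSED_TOKEN_FLOW), ("hardened", HARDENED_FLOW)):
        print(name, vulnerable(flow))
```

Running the module reports one accepting path for the first flow on which order_id and order_total are still tainted, because the only check covering them relies on a token the merchant itself handed to the user, and no finding for the hardened flow, where every component loses its taint through a database write or a check against a token that was never exposed. The false branches of each check end in the abort node and are dropped, matching the slide's rule that error and aborted flows are discarded.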


EMPIRICAL EVALUATION
Performed experiments on osCommerce:
◦ Long history of 13 years.
◦ More than 14,000 registered sites.
◦ Contains 987 files with 38,991 lines of PHP code.
◦ Supports various third-party cashiers and multiple currencies with different payment modules.

EMPIRICAL EVALUATION - Payment Modules for Cashiers
Evaluated 46 payment modules, 22 of which have distinct CFGs.
46 payment modules are included in osCommerce by default; 44 of them are developed to integrate third-party cashiers.
The 44 payment modules that accept online payment have 20 unique CFGs.

EMPIRICAL EVALUATION - Analysis Results
Logic Vulnerability Analysis Results (table on the slide)

EMPIRICAL EVALUATION - Four categories
1) Untrusted request variables
2) Exposed signed tokens
3) Incomplete payment verification
4) Missing payment verification
Payment modules listed on the slide: Authorize.net Credit Card SIM, iPayment (Credit Card), Luottokunta (v1.3), PayPoint.net SECPay, ChronoPay, RBS WorldPay Hosted, Sage Pay Form, Sofortüberweisung Direkt, PayPal Standard, ChronoPay, Luottokunta (v1.2), NOCHEX, 2Checkout, PSiGate

EMPIRICAL EVALUATION – On Live Websites

EMPIRICAL EVALUATION – Attack on Currency

EMPIRICAL EVALUATION – Attack on Order ID

EMPIRICAL EVALUATION – Attack on Merchant ID

EMPIRICAL EVALUATION - Performance


RELATED WORK
Logic vulnerabilities in e-commerce applications:
◦ Wang et al. [30]: the first to analyze logic vulnerabilities in Cashier-as-a-Service based web stores.
◦ InteGuard [33]: offers dynamic protection of third-party web services.
Parameter pollution vulnerabilities in web applications:
◦ WAPTEC [5]: takes a white-box approach.
◦ NoTamper [4] and PAPAS [2] adopt black-box based approaches.


CONCLUSION
 First static detection of logic vulnerabilities in e-commerce applications
◦ Based on an application-independent invariant
◦ A scalable symbolic execution framework for PHP applications, incorporating taint tracking of payment status
 Three responsible proof-of-concept experiments on live websites
 Evaluated our tool on 22 unique payment modules and detected 12 logic vulnerabilities (11 are new)