Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,

Slides:



Advertisements
Similar presentations
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Advertisements

Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.
THE BROKEN WEB A Systematic Analysis of XSS Sanitization in Web Application Frameworks.
Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Part 2 Authors: Marco Cova, et al. Presented by Brett Parker.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
PHP Scripts HTML Forms Two-tier Software Architecture PHP Tools.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann and Zhendong Su UC Davis Slides from
Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.
PHP Scripts HTML Forms Two-tier Software Architecture PHP Tools.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.
Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.
PHP Tutorials 02 Olarik Surinta Management Information System Faculty of Informatics.
Prevent Cross-Site Scripting (XSS) attack
SQL INJECTION COUNTERMEASURES &
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Automatically Hardening Web Applications Using Precise Tainting Anh Nguyen-Tuong Salvatore Guarnieri Doug Greene Jeff Shirley David Evans University of.
AMNESIA: Analysis and Monitoring for NEutralizing SQL- Injection Attacks Published by Wiliam Halfond and Alessandro Orso Presented by El Shibani Omar CS691.
NMED 3850 A Advanced Online Design January 26, 2010 V. Mahadevan.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
1 A Static Analysis Approach for Automatically Generating Test Cases for Web Applications Presented by: Beverly Leung Fahim Rahman.
Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS.
XSS-GUARD : Precise Dynamic Prevention of Cross Site Scripting (XSS) Attacks Prithvi Bisht ( Joint work with : V.N. Venkatakrishnan.
HAMPI A Solver for String Constraints Vijay Ganesh MIT (With Adam Kiezun, Philip Guo, Pieter Hooimeijer and Mike Ernst)
CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
NMD202 Web Scripting Week3. What we will cover today Includes Exercises PHP Forms Exercises Server side validation Exercises.
CANDID : Preventing SQL Injection Attacks Using Dynamic Candidate Evaluations V. N. Venkatakrishnan Assistant Professor, Computer Science University of.
Accessing Your MySQL Database from the Web with PHP (Ch 11) 1.
Fall 2004CSI University of Ottawa Introduction to PHP Basic principles and syntax.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.
Slide 1 Vitaly Shmatikov CS 380S Static Detection of Web Application Vulnerabilities.
Web Application Vulnerabilities ECE 4112 Internetwork Security, Spring 2005 Chris Kelly Chris Lewis April 28, 2005 ECE 4112 Internetwork Security, Spring.
jFuzz – Java based Whitebox Fuzzing
Presented By: Chandra Kollipara. Cross-Site Scripting: Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Creating Databases for Web applications Server side vs client side PHP basics Homework: Get your own versions of sending working: both html and Flash!
PHP Error Handling & Reporting. Error Handling Never allow a default error message or error number returned by the mysql_error() and mysql_errno() functions.
Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich MIT, Stanford University USENIX 09’ Nemesis: Preventing Authentication & Access Control Vulnerabilities.
© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment Omer Tripp Omri Weisman Salvatore Guarnieri IBM Software Group Sep 2011.
Module: Software Engineering of Web Applications Chapter 3 (Cont.): user-input-validation testing of web applications 1.
EECS 354: Network Security Group Members: Patrick Wong Eric Chan Shira Schneidman Web Attacks Project: Detecting XSS and SQL Injection Vulnerabilities.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications Davide Balzarotti, Marco Cova, Vika Felmetsger, Nenad Jovanovic,
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
Google’s Gruyere1 : An XSS Example Presented by: Terry Gregory
Web Application Security
CSCE 548 Student Presentation Ryan Labrador
Detecting Vulnerabilities in Web Code with concolic execution
Presentation by: Naga Sri Charan Pendyala
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Introduction to Dynamic Web Programming
Static Detection of Cross-Site Scripting Vulnerabilities
Theodore Lawson CSCE548 Student Presentation, Topic #2
SQL Injection Attacks Many web servers have backing databases
Secure Software Development: Theory and Practice
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.
CS5123 Software Validation and Quality Assurance
Presentation transcript:

Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo, Karthick Jayaraman, Michael D. Ernst International Conference on Software Engineering May 20, 2009 PHP Source Code

Overview Problem: Finding security vulnerabilities (SQLI and XSS) in Web applications Approach: 1.Automatically generate inputs 2.Dynamically track taint 3.Mutate inputs to produce exploits Results: 60 unique new vulnerabilities in 5 PHP applications, first to create 2nd-order XSS, no false positives

PHP Web applications Web browser PHP on webserver Database PHP application $_GET[] $_POST[] … … URL HTMLData SQL

Example: Message board (add mode) if ($_GET['mode'] == "add") addMessageForTopic(); else if ($_GET[‘mode’] == “display”) displayAllMessagesForTop ic(); else die(“Error: invalid mode”); function addMessageForTopic() { $my_msg = $_GET['msg']; $my_topicID = $_GET['topicID']; $my_poster = $_GET['poster']; $sqlstmt = ” INSERT INTO messages VALUES('$my_msg’, '$my_topicID') "; $result = mysql_query($sqlstmt); echo "Thanks for posting, $my_poster"; } $_GET[]: mode = “add” msg = “hi there” topicID = 42 poster = “Bob” Thanks for posting, Bob

Example: Message board (display mode) if ($_GET['mode'] == "add") addMessageForTopic(); else if ($_GET[‘mode’] == “display”) displayAllMessagesForTop ic(); else die(“Error: invalid mode”); function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM messages WHERE topicID='$my_topicID’ "; $result = mysql_query($sqlstmt); while($row = mysql_fetch_assoc($result)) { echo "Message: ". $row['msg']; }} $_GET[]: mode = “display” topicID = 42 Message: hi there

SQL injection attack function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM messages WHERE topicID='$my_topicID’ "; $result = mysql_query($sqlstmt); while($row = mysql_fetch_assoc($result)) { echo "Message: ". $row['msg']; }} $_GET[]: mode = “display” topicID = 1' OR '1'='1 SELECT msg FROM messages WHERE topicID='1' OR '1'='1' if ($_GET['mode'] == "add") addMessageForTopic(); else if ($_GET[‘mode’] == “display”) displayAllMessagesForTop ic(); else die(“Error: invalid mode”);

First-order XSS attack if ($_GET['mode'] == "add") addMessageForTopic(); $_GET[]: mode = “add” msg = “hi there” topicID = 42 poster = MALICIOUS function addMessageForTopic() { $my_poster = $_GET['poster']; […] echo "Thanks for posting, $my_poster"; } Example MALICIOUS input: “uh oh alert(‘XSS’) ” Thanks for posting, uh oh

Second-order XSS attack addMessageForTopic() PHP application Database Attacker’s input Example MALICIOUS input: “uh oh alert(‘XSS’) ” $_GET[]: mode = “add” msg = MALICIOUS topicID = 42 poster = “Villain”

Second-order XSS attack addMessageForTopic() PHP application Database Attacker’s input Victim’s input $_GET[]: mode = “display” topicID = 42 displayAllMessagesForTopic() Message: uh oh echo() Example MALICIOUS input: “uh oh alert(‘XSS’) ” $_GET[]: mode = “add” msg = MALICIOUS topicID = 42 poster = “Villain”

Architecture Input Generator Input Generator Attack Generator/Chec ker inputs taint sets Concrete + Symbolic Database Malicious inputs Ardilla Taint Propagator PHP Source Code

Input generation Input Generator Input Generator inputs Goal: Create a set of concrete inputs (_$GET[] & _$POST[]) We use Apollo generator (Artzi et al. ’08), based on concolic execution PHP Source Code

Input generation: concolic execution Input Generator Input Generator $_GET[]: mode = “add” msg = “1” topicID = 1 poster = “1” $_GET[]: mode = “1” msg = “1” topicID = 1 poster = “1” $_GET[]: mode = “display” msg = “1” topicID = 1 poster = “1” if ($_GET['mode'] == "add") addMessageForTopic(); else if ($_GET[‘mode’] == “display”) displayAllMessagesForTop ic(); else die(“Error: invalid mode”); PHP Source Code inputs

Example: SQL injection attack 1. Generate inputs until program reaches an SQL statement SELECT msg FROM messages WHERE topicID='$my_topicID‘ $_GET[]: mode = “display” msg = “1” topicID = 1 poster = “1” function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM messages WHERE topicID='$my_topicID’ "; $result = mysql_query($sqlstmt);

Taint propagation Concrete + Symbolic Database inputs Goal: Determine which input variables affect each potentially dangerous value Sensitive sinks: mysql_query(), echo(), print() Technique: Execute and track data-flow from input variables to sensitive sinks inputs PHP Source Code taint sets Taint Propagator

Taint propagation: data-flow Taint Propagator Concrete + Symbolic Database taint sets inputs Each value has a taint set, which contains input variables whose values flow into it inputs function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM messages WHERE topicID='$my_topicID’ "; $result = mysql_query($sqlstmt); /* {‘topicID’} */ Taint propagation Assignments: $my_poster = $_GET[“poster”] String concatenation: $full_n = $first_n. $last_n PHP built-in functions: $z = foo($x, $y) Database operations (for 2nd-order XSS) PHP Source Code Taint set Sensitive sink

Example: SQL injection attack 1. Generate inputs until program reaches an SQL statement SELECT msg FROM messages WHERE topicID='$my_topicID‘ 2. Collect taint sets for values in sensitive sinks: { ’topicID’ } function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM messages WHERE topicID='$my_topicID’ "; $result = mysql_query($sqlstmt); /* {‘topicID’} */ Taint set Sensitive sink

Attack generation and checking Attack Generator/C hecker Malicious inputs taint sets Goal: Generate attacks for each sensitive sink Technique: Mutate inputs into candidate attacks Replace tainted input variables with shady strings developed by security professionals: e.g., “1’ or ‘1’=‘1”, “ code ” PHP Source Code Alternative: String constraint solver (Kiezun et al. ’09) inputs

Attack generation and checking Given a program, an input i, and taint sets Attack Generator/C hecker Malicious inputs taint setsinputs if mutated_res DIFFERS FROM res: report mutated_input as attack for each var that reaches any sensitive sink: res = exec(program, i) for shady in shady_strings: mutated_input = i.replace(var, shady) mutated_res = exec(program, mutated_input) PHP Source Code Attack generation Attack checking

Attack generation: mutating inputs $_GET[]: mode = “display” topicID = 1 $_GET[]: mode = “display” topicID = 1' OR '1'='1 res = exec(program, i) for shady in shady_strings: mutated_input = i.replace(var, shady) mutated_res = exec(program, mutated_input) if mutated_res DIFFERS FROM res: report mutated_input as attack

Example: SQL injection attack 1. Generate inputs until program reaches an SQL statement SELECT msg FROM messages WHERE topicID='$my_topicID‘ 2. Collect taint sets for values in sensitive sinks: { ’topicID’ } 3. Generate attack candidate by picking a shady string $_GET[]: mode = “display” topicID = 1 $_GET[]: mode = “display” topicID = 1' OR '1'='1

Attack checking: diffing outputs res = exec(program, i) for shady in shady_strings: mutated_input = i.replace(var, shady) mutated_res = exec(program, mutated_input) if mutated_res DIFFERS FROM res: report mutated_input as attack What is a significant difference? For SQLI: compare SQL parse tree structure For XSS: compare HTML for additional script- inducing elements ( ) Avoids false positives from input sanitizing and filtering

Example: SQL injection attack 1. Generate inputs until program reaches an SQL statement SELECT msg FROM messages WHERE topicID='$my_topicID‘ 2. Collect taint sets for values in sensitive sinks: { ’topicID’ } 3. Generate attack candidate by picking a shady string 4. Check by mutating input and comparing SQL parse trees: innocuous: SELECT msg FROM messages WHERE topicID=‘1’ mutated: SELECT msg FROM messages WHERE topicID=‘1’ OR ‘1’=‘1’ 5. Report an attack since SQL parse tree structure differs

Experimental results Vulnerability Kind Sensitive sinks Reached sensitive sinks Unique attacks SQLI st -order XSS nd -order XSS Total: 60 NameTypeLOCSourceForge Downloads SchoolMateSchool administration8,181 6,765 WebChessOnline chess4,72238,457 FaqForgeDocument creator1,71215,355 EVE activity trackerGame player tracker 915 1,143 geccBBliteBulletin board Main limitation: input generator

Comparison with previous work Defensive coding: + : can completely solve problem if done properly - : must re-write existing code Static analysis: + : can potentially prove absence of errors - : false positives, does not produce concrete attacks Dynamic monitoring: + : can prevent all attacks - : runtime overhead, false positives affect app. behavior Random fuzzing: + : easy to use, produces concrete attacks - : creates mostly invalid inputs

Automatic Creation of SQL Injection and Cross-Site Scripting Attacks Contributions –Automatically create SQLI and XSS attacks –First technique for 2 nd -order XSS Technique –Dynamically track taint through both program and database –Input mutation and output comparison Implementation and evaluation –Found 60 new vulnerabilities, no false positives

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.