Expert System Approach on Web Vulnerability Analysis 20103272 / Jong Heon, PARK 20103616 / Hyun Woo, CHO CS548 Advanced Information Security Term Project.

Expert System Approach on Web Vulnerability Analysis / Jong Heon, PARK / Hyun Woo, CHO CS548 Advanced Information Security Term Project Presentation

Contents
– Motivation
– Problem we meet
– Existing System
– Our Expert System
– Comparison
– Conclusion

Motivation
– In recent years web hacking has become more sophisticated and automated: spreading malicious code, stealing personal information, hacking and phishing for monetary profit.
– Small businesses, which lack information security manpower, have become the main target of hackers.
– Web vulnerabilities: SQL injection, XSS (file upload), packet modification.

Motivation
[Chart: number of vulnerability detections over the last 5 years (KISA)]

Motivation
[Chart: homepage modification attacks over the last 5 years (KISA)]

Motivation
[Chart: attack categories: worm/virus, spam relay, phishing, simple intrusion, homepage modification, malicious code]

Problem we meet
– Most of the web is still exposed to simple hacking techniques.
– Example: obtaining personal information by packet modification.

Problem we meet
– Most of the web is still exposed to simple hacking techniques.
– Example: critical exploit of a payment module that uses a weak cryptographic algorithm.

Problem we meet
– Most of the web is still exposed to simple hacking techniques.
– Example: critical exploit of a payment module on some web hard (online storage) servers. Ex) ity.co.kr/

Problem we meet
– Most of the web is still exposed to simple hacking techniques
  – Most web hacking starts by testing the input values: script code (XSS), SQL injection, …
  – Packet data can be falsified, whether the packet is encrypted or not.
  – Some web application vulnerabilities cannot be solved by an IDS or a firewall.
– Practical need: web application security
  – A solution for web application vulnerabilities (SQL injection, XSS, …)
  – An information security tool for web developers (not only for security experts)
  – Core function: modifying code in the development phase (bottom-up approach)
  – Overcome the limits of public IDS and firewall products

Problem we meet: public IDS and firewall
[Diagram: clients / hacker → firewall → web server → web application]
– SQL injection example: ID: Admin, PWD: ' or 1=1--
– Web Application Firewall (WAF): a WAF does not modify the web application; rule setup is difficult and requires security experience; it adds a heavy load to the web server.

Existing System: related research
– OWASP Top 10 // web application standard. The OWASP Top Ten provides a powerful awareness document for web application security.
– WASC, NSS Group (firewall testing) // web application standard
– KrCERT/CC, Castle 2009 // web application standard, audit tool. Korea Internet Security Center Castle: home page vulnerability solution, code modification (get/post, file upload, cookie)
– Fortify SCA (Source Code Analysis) // audit tool
– Acunetix web vulnerability scanner // web application scanner. Acunetix web vulnerability scanner is a tool designed to discover security holes in your web applications (SQL injection, cross site scripting, and weak passwords).
– SecuBat // web application scanner
– AppScan // web application scanner

Existing System: existing approach (Acunetix, SecuBat, …)
[Diagram: existing web vulnerability analysis → patching the web application]

Our Expert System
– An expert system can perform like an expert in a specific field, here a security expert.
– The web developer submits his code to the system, and the system detects 'non-standard' or 'vulnerable' code.
– Security experts collect vulnerability rules based on the OWASP Top 10 and store them in a database.

Our Expert System: our approach
[Diagram: OWASP rule database & expert system; web vulnerability rules are entered into the database; security is guaranteed in the development phase]

Our Expert System: system design and work flow
– End user (web developer): inserts web application code into the system.
– User interface: a simple interface in which the developer chooses the language and the vulnerability class.
– Inference module:
  – Step 1. Evaluate whether the code is safe against each vulnerability in the OWASP Top 10.
  – Step 2. Based on the results of Step 1, give a list of vulnerable code and provide the appropriate countermeasure module.

Our Expert System: OWASP Top 10, 1st rank issue: Injection
– Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.
– The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

Our Expert System: how do I prevent injection?
– VERIFY parameter input
– MINIMIZE the authority to access other back-end systems
– DO NOT USE a dynamic query interface such as mysql_query() [in MySQL]
– DO NOT USE simple escape functions such as addslashes() [in PHP] or str_replace()

Our Expert System: injection analysis in the expert system

    AnalyzeInjection()
    {
        // Knowledge base (DB) connection
        ConnectionInfo = DBConnect(server, ID, password, database);

        // Load the injection vulnerability rules into a list
        List rulebase = getInjection(ConnectionInfo);

        // Extract the executed query from the submitted code
        QueryString = SearchExecuteQuery(InputText);

        // Extract the parameters used inside the query
        Parameters[] = SearchParametersInQuery(QueryString);

        // Is the query, with its parameters, safe under every rule?
        foreach (rule in rulebase)
        {
            // CompareRules() returns 1 when the rule is satisfied
            if (CompareRules(QueryString, Parameters, rule) != 1)
                AddErrorItem(QueryString, warningmessage, LineNo, QueryPosition);
        }
    }

Our Expert System: injection analysis in the expert system (demonstration)

Our Expert System: OWASP Top 10, 2nd rank issue: Cross Site Scripting (XSS)
– The attacker sends text-based attack scripts that exploit the interpreter in the browser.
– Attackers can execute scripts in a victim's browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user's browser using malware, etc.

Our Expert System: how do I prevent XSS?
– VERIFY input text
– ENCRYPT output text strongly
– DO NOT USE a black-list verification method such as "DO NOT WRITE ' '"

Our Expert System: problems with GET/POST and weak encryption
– GET method: user data is exposed in the address bar. Ex.) epy=Computer. A hacker can attack just by modifying the parameter in the address.
– POST method: data is decoded but is still intercepted by a packet capture tool. Ex.)
– User authentication fields must be encrypted for both the GET and the POST method.

Our Expert System: problems with GET/POST and weak encryption
– Page encryption: call "https" and apply it to the web page.
[Diagram: plaintext → ciphertext]

Our Expert System: use a strong cipher
– Encryption functions (PHP): CRC32 – MHASH_CRC32; MD5 – MHASH_MD5; DES – MCRYPT_DES; 3-WAY – MCRYPT_THREEWAY; …
– Filter weak algorithms, e.g. SHA-1, BASE64, …, and modify the code to use 128-bit encryption such as AES.
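As an added example (not the project's own code), the rule-based check sketched by the AnalyzeInjection() pseudocode above, extended to the XSS and weak-algorithm rules of the later slides: a constructed rule base, a parameter extractor standing in for SearchParametersInQuery(), and a scan over a constructed PHP snippet. The rule names, patterns, messages and the sample snippet are assumptions.

```python
import re

# Constructed rule base standing in for the slides' OWASP rule database
# (hypothetical rules, not the project's own). A match means "not safe".
RULEBASE = [
    ("injection-dynamic-query",
     re.compile(r"mysql_query\s*\(\s*\"[^\"]*\$\w+"),
     "query string built from PHP variables; use a prepared statement"),
    ("injection-weak-escape",
     re.compile(r"\b(addslashes|str_replace)\s*\("),
     "simple escape function is not a safe SQL defence"),
    ("xss-unencoded-output",
     re.compile(r"\becho\b(?!.*htmlspecialchars).*\$_(GET|POST|REQUEST)"),
     "user input echoed without output encoding"),
    ("crypto-weak-algorithm",
     re.compile(r"\b(md5|crc32|sha1|base64_encode)\s*\("),
     "weak or non-encryption algorithm on sensitive data; use AES"),
]

def parameters_in_query(line):
    """Like SearchParametersInQuery(): PHP variables interpolated into the
    double-quoted query literal on this line."""
    m = re.search(r'"([^"]*)"', line)
    return re.findall(r"\$\w+", m.group(1)) if m else []

def analyze(source):
    """Like AnalyzeInjection(): one error item (line, column, rule, message)
    per rule that fires on a line of the submitted PHP code."""
    errors = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, pattern, warning in RULEBASE:
            m = pattern.search(line)
            if not m:
                continue
            if name == "injection-dynamic-query":
                warning += " (parameters: %s)" % ", ".join(parameters_in_query(line))
            errors.append((line_no, m.start() + 1, name, warning))
    return errors

# Constructed PHP snippet playing the developer's submission (not real code).
SAMPLE_PHP = """<?php
$id = addslashes($_GET['id']);
$r = mysql_query("SELECT * FROM users WHERE id = '$id'");
echo "Hello " . $_GET['name'];
echo "Safe: " . htmlspecialchars($_POST['name']);
$token = md5($password);
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
"""

if __name__ == "__main__":
    for item in analyze(SAMPLE_PHP):
        print("line %d col %d [%s] %s" % item)
```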

Comparison
[Table: criteria: SQL injection, XSS, user data encryption, other OWASP Top 10, code modification, developer guiding; tools: Castle, Fortify SCA, Acunetix, SecuBat, AppScan, Our System; legend: support / partially support / future work; the cell markings are not recoverable from the transcript]

Future Work
– Analyze the other issues
– More formal rules
  – Still, the system runs these modules as different processes
  – Develop a Rule Maker module instead of hand-written formal rules
– Open system
  – Experts and users join the system freely.

Conclusions
– Statistics on website attack methods and on successful attack scenarios
– Explored some issues of the OWASP Top 10: injection, XSS, cryptographic, …
– Devised an 'evolutionary system': the more people use the system, the bigger it grows.
– Compared with other vulnerability checking tools in code modification and in guidance for developers

Thank You