WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction Prithvi Bisht ( + Timothy Hinrichs* +, Nazari Skrupsky +, V.N. Venkatakrishnan + +: University of Illinois, Chicago * : University of Chicago, Chicago
Background: User Input Validation Web applications need to Validate user supplied input Reject invalid input E xamples: “Credit card number is exactly16 digits” “Expiration date of Jan 2009 is not valid” Validation traditionally done at server: round-trip, load Popular trend: Client-side validation through JavaScript
Client Side Validation using JavaScript onSubmit= validateCard(); validateQuantities(); Validation Pass? send inputs to server reject inputs YesNo
Problem: Client is Untrusted Environment Validation can be bypassed Previously rejected values, sent to server Invalid quantity: -4 Ideally: Re-validate at server-side and reject If not, Parameter Tampering Attacks
Prior work: CCS’10 9 /13 applications vulnerable to parameter tampering Online banking: Unauthorized money transfers Online shopping: Unlimited shopping discounts Identify parameter tampering opportunities server-side code blackbox Manually construct exploits Question: If server side code is available, automatically construct parameter tampering exploits? Threat is Real!
Results Summary: 45 exploits in 6 applications First analysis that combines JavaScript/HTML, PHP, MySQL Client-side code (JavaScript/HTML) exploits WAPTEC Server-side code (PHP, MySQL) Whitebox Parameter Tampering Detection
Intuition F client : inputs accepted by client ┐ F client : inputs rejected by client F server : inputs accepted by server inputs that client would have rejected but server accepted!! Venn diagram U Parameter Tampering Exploits ┐F client ∩ F server
Intuition (contd…) error Input valid? send to server Input valid? error Client-side code (JavaScript/HTML) Accepted inputs reach here f client = Program condition (logical formula) Server-side code (PHP/MySQL) error Input valid? Sensitive operation f server = satisfied conditions (logical formula) Control Flow Graph error Input valid? Accepted inputs reach here
Intuition (contd…) error Input valid? send to server Input valid? error Client-side code (JavaScript/HTML) Server-side code (PHP/MySQL) error Input valid? Sensitive operation Control Flow Graph error Input valid? generate benign inputs that reach a sensitive operation Check if rejected (hostiles) Inputs can reach the SAME sensitive operation f client f server ┐f client f server 12 f client ∩ f server ┐f client ∩ f server
Intuition: quantity example error quantity ≥ 0 send to server Client-side code (JavaScript/HTML) Server-side code (PHP/MySQL) cost = quantity * price mysql_query( insert … cost ) Control Flow Graph quantity = 1 ┐f client ∩ f server = (quantity < 0) 12 f client = quantity ≥ 0 f server = true Parameter tampering exploits quantity = -1, -2, ….
WAPTEC Architecture
1.Intuition 2.Computing f server 3. Evaluation 4. Summary Outline
n = user_input ( ‘name’ ); a = user_input ( ‘age’ ); if ( n == null ) exit ( “please specify user name” ); if ( a < 0 ) exit ( “please specify age ” ); f = mysql_query ( “insert … name = ”. n. “ … age = ”. d ) ; F server : Inputs that reach sensitive ops f server = ( all conditions on user inputs that must be satisfied to reach sensitive operations ) n == null mysql_query a < 0 exit Control Flow Graph exit
n = user_input ( ‘name’ ); a = user_input ( ‘age’ ); if ( n == null ) exit ( “please specify user name” ); if ( a < 0 ) exit ( “please specify age ” ); f = mysql_query ( “insert …) ; Computing f server Computed dynamically: execute server-side code concretely with benign inputs name = bob age = 55 n = user_input ( ‘name’ ); a = user_input ( ‘age’ ); Server-side codeExecution trace f server = ( name != “”) ∩ ( age ≥ 0 ) ( n != null ) ( a ≥ 0 ) f = mysql_query ( “insert…”)
Challenges in computing execution traces x = 10; x = 20; y = x; incorrect !! function f1(){ x = 10 f2(); y = x; } function f2 () { x = 20 } Execution trace PHP 5 Object-oriented Programs Use context information f1_x = 10; f2_x = 20; f1_y = f1_x; class C { function m(){ x = 10; } o 1 -> m () o 2 -> m () m_x = 10; id1_m_x = 10; id2_m_x = 10; Uniquely identify objects
n = user_input ( ‘name’ ); d = user_input ( ‘address’ ); if ( n == null ) exit ( “please specify user name” ); f = mysql_query ( “insert …) ; if ( f == null ) exit ( “please specify an address” ); Computing f server (contd…) Inputs reaching sensitive operations may still be rejected!! name = bob Server-side code Reaches SQL sink, but rejected because address is null Extract constraints imposed by database schema
create table profiles { … addrDB … NOT NULL, } Computing f server (contd…) Database schema: Set of SQL statements for creating tables / views. Column definitions specify constraints. Example: Profile table addrDB != null Column Definition Constraint enum ( a, b, c )column IN {a, b, c} NOT NULLcolumn != null VARCHAR ( n )length ( column ) ≤ number constraints on column names but f server is in terms of inputs How to map?
Computing f server (contd…) Generate symbolic query from the trace addrDB != null constraint on table column insert into profile … set addrDB = _POST[‘address’] user input addressinserted in column addrDB constraint on user input address != null Bridging namespaces for database, PHP
n = user_input ( ‘name’ ); d = user_input ( ‘address’ ); if ( u == “”) exit ( “please specify user name” ); f = mysql_query ( “insert … naDB = ”. u. “…addrDB = ”. a ) ; if ( f == null ) exit ( “please specify address” ); Summary: Computing f server 1 Conditions checked encode restrictions on inputs 2 Database may also encode restrictions on inputs 12 f server = +f code f db
1.Intuition 2.Computing F server 3.Evaluation 4.Summary Outline
Evaluation: Results ApplicationSize (LOC) WAPTEC Confirmed Exploits DcpPortal145K 32 SPHPBlog27K 1 Lanshop15K 3 MyBloggie9K 6 SnipeGallery9K 2 PHPNews6K 1 45 parameter tampering exploits Confirmed Exploits CCS’ false positives 24 false negatives
DcpPortal: Create Imposter Accounts Vulnerability: duplicate check does not enforce length restriction Exploit: Create imposter account name = Imposter account name “alice” Client-side constraints: 1.length ( name ) ≤ 32 ) Server-side code: a. Check DB for duplicate name (does not restrict length) b. Insert name in DB (truncates name to 32 char) alice 32 characters33 rd character a
DcpPortal: Create Admin Account Vulnerability: attacker can set cookie make_install_prn Exploit: Negative tampering - create admin account No mention of make_install_prn in F client F server contains (make_install_prn != 1) Server-side code: privilege = non-admin; if ( _COOKIE[‘make_install_prn’] == 1 ) privilege = admin; Create account with privilege;
Some related work Multi-tier analysis of web application Legacy code: MiMosa: Balzarotti et al. CCS 2007, Chong et al. SIGMOD 2007 Principled development of applications: Links, Google Web Toolkit, Corcoran et al. SIGMOD 2009 Specification inference AutoISES Tan et al. Security 2008, Engler et al. SOSP 2001, Felmetsger et al. Security 2010, Srivastava et al. PLDI 2011 Test input generation Saxena et al. SP 2010, Halfond et al. ISSTA 2009, Kiezun et al. ICSE 2009, Emmi et al. ISSTA 2007, Godefroid et al. NDSS 2008…. Input validation Su et al. POPL 2006, Balduzzi et al. NDSS 2011, Jayaraman et al. DBSec 2010 Sanitization Balzarotti et al. SP 2008…
Summary Parameter tampering vulnerabilities: widespread First analysis that combined analysis of HTML/JavaScript, PHP, database imposed constraints. Possible to infer specification of intended behavior from source code and use it in vulnerability detection. Thanks and Questions
Backup
WAPTEC Architecture
Refining Search for a Success Sink F client = (i > 0) Server requires (i > 0 ∩ i < 11) First attempt benign: i = 11 Sink not reached F server = NOT (i > 0 ∩ i < 11) Refine client-side spec: F client ∩ NOT F server Intuition: F server for failed runs contains condition that was not satisfied Second attempt: (i > 0) ∩ NOT ( NOT ( i > 0 ∩ i < 11)) i = (accepted by the server-side code)
WAPTEC Architecture