NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities In Web Applications Prithvi Bisht (http://cs.uic.edu/~pbisht)+ Timothy Hinrichs*,


NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities In Web Applications
Prithvi Bisht (http://cs.uic.edu/~pbisht)+, Timothy Hinrichs*, Nazari Skrupsky+, Radoslaw Bobrowicz+, V.N. Venkatakrishnan+
+: University of Illinois, Chicago
*: University of Chicago, Chicago

Background: User Input Validation
Web applications need to:
- Validate user-supplied input
- Reject invalid input
Examples:
- "Credit card number is exactly 16 digits"
- "Expiration date of Jan 2009 is not valid"
Validation traditionally done at the server: costs a round trip and server load
Popular trend: client-side validation through JavaScript

Client-Side Validation using JavaScript
onSubmit = validateCard(); validateQuantities();
Validation pass? Yes: send inputs to server. No: reject inputs.

Problem: Client is an Untrusted Environment
- Validation can be bypassed
- Previously rejected values are sent to the server (e.g., invalid quantity: -4)
- Ideally: re-validate at the server side and reject
- If not: security risks

Example: Bypassed Validation, Security Risks
Client validation: field quantity, "reject negative values"
Server-side code: cost = cost + price * quantity
- quantity = 1, price = 100: cost = cost + 100
- quantity = -1, price = 100: cost = cost - 100
How to automatically find such inputs in a blackbox fashion?

Intuition
Automatically generate two sets of inputs:
- Valid inputs: quantity = 1
- Invalid inputs: quantity = -1
- Done through client code analysis: if (quantity ≥ 0) submit to application, else reject and ask to re-enter
How does the server-side code respond?
- Heuristically determine whether the server rejects invalid inputs
- Server rejects: quantity = -1 (invalid input); server accepts: quantity = 1 (valid input)

NoTamper Architecture and Outline
Pipeline: Web Page → Formula Extractor → Input Generator → Opportunity Detector → External analysis
- Formula Extractor: logical formula for client-side validation, F_client: quantity ≥ 0
- Input Generator: solve constraints; benign inputs (e.g., quantity = 0), hostile inputs (e.g., quantity = -1)
- Opportunity Detector: compare responses for benign and hostile inputs → opportunities
- External analysis: opportunities plus hints → exploits
Outline:
1. Formula extraction from client code
2. Input generation
3. Opportunity detection
4. Evaluation
5. Conclusion

Formula Extraction from Client Code
HTML and JavaScript both restrict inputs. HTML form controls (tags and attributes) yield constraints:
- Drop-down menu: value IN (value_1, ..., value_n)
- Radio/checkboxes: value IN (value_1, ..., value_n)
- Hidden attribute: value = constant
- Readonly attribute: value = constant
- Maxlength attribute: length(value) ≤ constant
Example, drop-down menu "select one of these": card == 1234... OR card == 7890...
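The HTML half of the extraction step, as an added example (this is not the NoTamper tool's own code): the slide's tag/attribute rules are applied with the standard-library HTMLParser, producing one (field, operator, operand) triple per constrained control. SAMPLE_FORM is a constructed checkout page; the field names in it are assumptions.

```python
"""Constraint extraction from HTML form controls (added example).

Rules from the slide: select/radio/checkbox -> value IN set,
hidden/readonly -> value = constant, maxlength -> length(value) <= n.
"""
from html.parser import HTMLParser

# Constructed sample form: card selector, shipping radios, hidden user id,
# read-only currency, a bounded quantity and a free-text gift note.
SAMPLE_FORM = """
<form action="/checkout" method="post">
  <select name="card">
    <option value="1234">Visa ending 1234</option>
    <option value="7890">MasterCard ending 7890</option>
  </select>
  <input type="radio" name="shipping" value="standard" checked>
  <input type="radio" name="shipping" value="express">
  <input type="hidden" name="userId" value="1">
  <input type="text" name="currency" value="USD" readonly>
  <input type="text" name="quantity" maxlength="3">
  <input type="text" name="gift-note">
</form>
"""


class ConstraintExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.constraints = []   # (field, op, operand) with op in {"in", "eq", "maxlen"}
        self.fields = set()     # every named control, constrained or not
        self._select = None     # name of the <select> being parsed, if any
        self._choices = {}      # field -> allowed values from options/radios/checkboxes

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # a bare attribute such as readonly maps to None
        name = a.get("name")
        if tag == "select" and name:
            self._select = name
            self._choices.setdefault(name, [])
            self.fields.add(name)
        elif tag == "option" and self._select and "value" in a:
            self._choices[self._select].append(a["value"])
        elif tag in ("input", "textarea") and name:
            self.fields.add(name)
            itype = (a.get("type") or "text").lower()
            if itype in ("radio", "checkbox"):
                self._choices.setdefault(name, []).append(a.get("value") or "on")
            elif itype == "hidden" or "readonly" in a:
                # The browser offers no way to edit these, so the page fixes their value
                self.constraints.append((name, "eq", a.get("value") or ""))
            maxlen = a.get("maxlength")
            if maxlen and maxlen.isdigit():
                self.constraints.append((name, "maxlen", int(maxlen)))

    def handle_endtag(self, tag):
        if tag == "select":
            self._select = None

    def finish(self):
        """Close the parser and fold the gathered choice sets into IN constraints."""
        self.close()
        for field, values in self._choices.items():
            self.constraints.append((field, "in", tuple(values)))
        return self.constraints


def extract_constraints(html):
    parser = ConstraintExtractor()
    parser.feed(html)
    return parser.finish()


def formula_string(constraints):
    """Render the HTML part of F_client in the slide's notation."""
    parts = []
    for field, op, operand in constraints:
        if op == "in":
            parts.append(f"{field} IN ({', '.join(operand)})")
        elif op == "eq":
            parts.append(f"{field} = {operand!r}")
        else:
            parts.append(f"length({field}) <= {operand}")
    return " AND ".join(parts)


if __name__ == "__main__":
    print(formula_string(extract_constraints(SAMPLE_FORM)))
```

Free-text controls such as gift-note produce no HTML constraint; whatever restricts them comes from the JavaScript side, which the next slides cover.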

Formula Extraction from Client Code (cont.)
Event-driven JavaScript validation, modelled as a state machine:
- Start: no fields validated (Valid: none, Invalid: all); end: all validation passed, form submitted (Valid: all, Invalid: none); intermediate states such as Valid: field1, Invalid: rest
- Transitions carry validation functions f_1, f_2, ..., f_n, triggered by events such as onChange and onSubmit
- Over-approximation: all functions executed: f_1, f_2, ..., f_n
- Execute the functions symbolically → conditions under which all functions accept the inputs

Formula Extraction from Client Code (cont.)
Program condition when validation succeeds:
if (quantity ≥ 0) return true; → constraint: quantity ≥ 0
else return false;
JavaScript interaction with the Document Object Model:
- Reading form fields (e.g., getElementById)
- Enabling/disabling form fields (e.g., the disabled property)
At the end of symbolic execution: F_client = (path conditions) AND (constraints of enabled fields)


Input Generation
Benign inputs:
- Pass client-side validation
- Satisfy F_client
Example: F_client: quantity ≥ 0
Satisfying values determined with type information, collected while analyzing HTML/JavaScript:
- quantity: -?[0-9]*
Constraint solving → quantity = 1

Input Generation (cont.)
Hostile inputs:
- Bypass client-side validation
- Satisfy NOT(F_client)
Example: NOT(quantity ≥ 0) → quantity = -1
Supplying required variables:
- Field value mandated by JavaScript
- Heuristics: special markers like * in the field description
- Example: NOT(quantity ≥ 0) ∪ NOT(gift-note IN [a-z]*): quantity = -1 with gift-note = "abc" rather than gift-note = "-"
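Both halves of input generation in one place, as an added example (not the NoTamper tool's own solver): benign inputs satisfy every constraint of F_client, and each hostile input negates exactly one constraint while every other field keeps its benign value, which is how a required field such as gift-note stays supplied. A small ordered candidate pool stands in for a real constraint solver; F_CLIENT, REQUIRED and POOL are constructed.

```python
"""Benign and hostile input generation from F_client (added example)."""
import re

# Constructed F_client for a checkout form: "ge" is a numeric lower bound and
# "regex" a type pattern taken from JavaScript; the rest mirror HTML attributes.
F_CLIENT = [
    ("quantity", "ge", 0),
    ("quantity", "maxlen", 3),
    ("card", "in", ("1234", "7890")),
    ("userId", "eq", "1"),
    ("gift-note", "regex", "[a-z]*"),
]
REQUIRED = {"gift-note"}   # marked with * on the form; must never be left empty

# Candidate pool standing in for a constraint solver; tried in this order.
POOL = ["-1", "0", "1", "2", "9999", "abc", "-", ""]


def satisfies(constraint, value):
    _, op, operand = constraint
    if op == "ge":
        return re.fullmatch(r"-?[0-9]+", value) is not None and int(value) >= operand
    if op == "maxlen":
        return len(value) <= operand
    if op == "in":
        return value in operand
    if op == "eq":
        return value == operand
    if op == "regex":
        return re.fullmatch(operand, value) is not None
    raise ValueError(f"unknown operator {op}")


def _candidates(field, constraints):
    """Field-specific literals (IN/EQ operands) first, then the generic pool."""
    specific = []
    for f, op, operand in constraints:
        if f == field and op == "in":
            specific.extend(operand)
        elif f == field and op == "eq":
            specific.append(operand)
    return specific + POOL


def solve_field(field, constraints, violate=None, required=False):
    """First candidate satisfying the field's constraints, except that `violate`
    (one of that field's constraints) must fail; None when nothing fits."""
    others = [c for c in constraints if c[0] == field and c is not violate]
    for value in _candidates(field, constraints):
        if required and value == "":
            continue
        if violate is not None and satisfies(violate, value):
            continue
        if all(satisfies(c, value) for c in others):
            return value
    return None


def benign_input(constraints, required=REQUIRED):
    fields = []
    for f, _, _ in constraints:
        if f not in fields:
            fields.append(f)
    return {f: solve_field(f, constraints, required=f in required) for f in fields}


def hostile_inputs(constraints, required=REQUIRED):
    """One hostile input per constraint: that constraint negated, the rest benign."""
    base = benign_input(constraints, required)
    result = []
    for c in constraints:
        value = solve_field(c[0], constraints, violate=c, required=c[0] in required)
        if value is None:
            continue
        hostile = dict(base)
        hostile[c[0]] = value
        result.append((c, hostile))
    return result


if __name__ == "__main__":
    print("benign:", benign_input(F_CLIENT))
    for c, h in hostile_inputs(F_CLIENT):
        print("hostile for", c, "->", h)
```

Negating one constraint at a time keeps each hostile request as close to a benign one as possible, so a different server response can be attributed to the single field that was changed.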


Opportunity Detection
- Response for benign inputs vs response for hostile inputs with different structures → rejected inputs
- Response for benign inputs vs response for hostile inputs with similar structures → accepted inputs → exploit opportunity

Opportunity Detection (cont.)
Compare responses to benign and hostile inputs
- But noise: user name, address, time, online users, ...
- Benign responses B1 = a1 a2 a3 and B2 = b1 a2 a3; hostile response H1 = h1 a2 a3
- Remove differences between B1 and B2 (--- a2 a3); apply the same removal to H1 and B1: C1 = --- a2 a3, C2 = --- a2 a3
- Difference rank = Edit Distance(C1, C2)
- Low rank → opportunity
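The comparison step as an added example (not the NoTamper tool's own comparator): two benign responses are aligned to find noise positions (user name, time), the hostile response is aligned against the first benign one so that tokens sitting on those positions are blanked out, and the difference rank is the edit distance between the cleaned token sequences. The responses and the opportunity threshold are constructed.

```python
"""Opportunity detection by response comparison (added example)."""
import difflib
import re

MASK = "---"

# Constructed responses from a checkout page: two benign submissions, one
# hostile submission that was accepted and one that was rejected.
BENIGN_1 = "<p>Welcome alice</p><p>Time 10:01</p><p>Total 100</p>"
BENIGN_2 = "<p>Welcome bob</p><p>Time 10:02</p><p>Total 100</p>"
HOSTILE_ACCEPTED = "<p>Welcome carol</p><p>Time 10:03</p><p>Total -100</p>"
HOSTILE_REJECTED = "<p>Error</p><p>Quantity must be non-negative</p>"


def tokenize(html):
    """Split an HTML response into tags and words."""
    return re.findall(r"<[^>]+>|[^<\s]+", html)


def noise_positions(b1, b2):
    """Positions in b1 that differ between the two benign responses."""
    sm = difflib.SequenceMatcher(a=b1, b=b2, autojunk=False)
    noise = set()
    for tag, i1, i2, _, _ in sm.get_opcodes():
        if tag != "equal":
            noise.update(range(i1, i2))
    return noise


def remove_noise(b1, other, noise):
    """Blank the noise positions in b1 and the tokens of `other` aligned with them."""
    cleaned_b1 = [MASK if i in noise else t for i, t in enumerate(b1)]
    cleaned_other = list(other)
    sm = difflib.SequenceMatcher(a=b1, b=other, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        # A one-for-one replacement lying entirely on noise positions is noise too
        if tag == "replace" and i2 - i1 == j2 - j1 and all(i in noise for i in range(i1, i2)):
            for j in range(j1, j2):
                cleaned_other[j] = MASK
    return cleaned_b1, cleaned_other


def edit_distance(x, y):
    """Levenshtein distance over token sequences."""
    prev = list(range(len(y) + 1))
    for i, xi in enumerate(x, 1):
        cur = [i]
        for j, yj in enumerate(y, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (xi != yj)))
        prev = cur
    return prev[-1]


def difference_rank(benign_1, benign_2, hostile):
    b1, b2, h = tokenize(benign_1), tokenize(benign_2), tokenize(hostile)
    c1, c2 = remove_noise(b1, h, noise_positions(b1, b2))
    return edit_distance(c1, c2)


def is_opportunity(benign_1, benign_2, hostile, threshold=3):
    """Low rank: the hostile input produced the same page as a benign one.
    The threshold is an assumed cut-off, not a value from the slides."""
    return difference_rank(benign_1, benign_2, hostile) <= threshold


if __name__ == "__main__":
    for name, h in (("accepted", HOSTILE_ACCEPTED), ("rejected", HOSTILE_REJECTED)):
        print(name, difference_rank(BENIGN_1, BENIGN_2, h))
```

With the constructed pages the accepted hostile response differs from the cleaned benign one only in the total, giving rank 1, while the error page scores far higher; in practice the rank distribution across all hostile inputs is what separates the two groups, as the evaluation slides report.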


Applications
Application       | LOC  | Constraints source | Use
SMF               | 97K  | HTML+JavaScript    | Forum
Ezybiz            | 186K | HTML+JavaScript    | Busn Mgt
OpenDB            | 92K  | HTML+JavaScript    | Inventory
MyBloggie         | 9K   | HTML+JavaScript    | Blog
B2evolution       | 167K | HTML               | Blog
PhpNuke           | 228K | HTML+JavaScript    | Content Mgt
OpenIT            | 114K | HTML+JavaScript    | Support
LegalCase         | 58K  | HTML               | Inventory
smi-online.co.uk  | ---  | HTML               | Conference
wiley.com         | ---  | HTML+JavaScript    | Library
garena.com        | ---  | HTML               | Gaming
selfreliance.com  | ---  | HTML               | Banking
codemicro.com     | ---  | HTML+JavaScript    | Shopping
8 open source applications, 5 live sites

Applications (cont.)
Hostile and benign responses separated by an order of magnitude
Application       | Forms | Hostile Inputs | Opportunities | Confirmed
SMF               | 5     | 56             | 42            | √
Ezybiz            | 3     | 37             | 35            | √
OpenDB            | 1     | 10             | 8             | √
MyBloggie         | 1     | 8              | 8             | √
B2evolution       | 1     | 25             | 21            |
PhpNuke           | 1     | 6              | 5             | √
OpenIT            | 3     | 28             | 27            | √
LegalCase         | 2     | 13             | 9             | √
smi-online.co.uk  | 1     | 23             | 4             |
wiley.com         | 1     | 15             | 4             |
garena.com        | 1     | 4              | 4             |
selfreliance.com  | 1     | 5              | 1             | √
codemicro.com     | 1     | 6              | 1             | √
Confirmed exploits: 9/13 applications
Opportunities: 169
Examined: 50

SelfReliance.com: Online banking
Vulnerability: from/to fields accept arbitrary accounts
Exploit: unauthorized money transfers
- Transfer money from unrelated accounts
- Account number hardly a secret, e.g., checks contain them
Status: fixed within 24 hours; ESP Solution (espsolution.net), the software provider, patched the software for other clients
Client-side constraints:
1. from IN (Accnt1, Accnt2)
2. to IN (Accnt1, Accnt2)
Server-side code: transfer money from → to

CodeMicro.com: Shopping
Vulnerability: quantities can be negative
Exploit: unlimited shopping rebates
- Two items in cart: price1 = $100, price2 = $500
- quantity1 = -4, quantity2 = 1: total = $100 (rebate of $400 on price2)
Status: fixed within 24 hours
Client-side constraints:
1. quantity1 ≥ 0
2. quantity2 ≥ 0
Server-side code: total = quantity1 * price1 + quantity2 * price2

OpenIT: Support
Vulnerability: update arbitrary account
Exploit: privilege escalation
- Inject a cross-site scripting (XSS) payload into the admin account
- Cookies stolen every time the admin logs in
Status: open
Client-side constraints:
1. userId == 1 (hidden field)
Server-side code: update profile with id 1 with the new details
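The server-side re-validation that closes the gap in all three case studies, as an added example (this is not code from the affected applications): the slide's trusting total is kept beside a handler that repeats the quantity constraints, a transfer handler that only accepts accounts the session owns, and a profile update that ignores the client-supplied userId entirely. Session contents, prices and profile data are constructed.

```python
"""Server-side re-validation of client-constrained fields (added example)."""


class TamperingRejected(ValueError):
    """Raised for a value the client-side form could not have produced."""


def total_trusting_client(form, prices):
    """Server-side code as on the slide: total = quantity1 * price1 + quantity2 * price2.
    Nothing stops a negative quantity, so the rebate on the slide goes through."""
    return sum(int(form[f"quantity{i}"]) * prices[i] for i in prices)


def parse_quantity(raw, max_len=3):
    """Repeat the client's constraints (quantity >= 0, maxlength) on the server.
    str.isdigit rejects '-', '+', blanks and decimals in one check."""
    if not raw.isdigit() or len(raw) > max_len:
        raise TamperingRejected(f"invalid quantity {raw!r}")
    return int(raw)


def checkout_total(form, prices):
    """Hardened form of total_trusting_client."""
    total = 0
    for i, price in prices.items():
        total += parse_quantity(form[f"quantity{i}"]) * price
    return total


def transfer(form, session):
    """Selfreliance case: the drop-down list offered only the user's own accounts,
    so the server must re-check from/to against the accounts bound to the session."""
    owned = session["accounts"]
    src, dst = form["from"], form["to"]
    if src not in owned or dst not in owned:
        raise TamperingRejected("account not owned by the session's user")
    if src == dst:
        raise TamperingRejected("source and destination must differ")
    return (src, dst)


def update_profile(form, session, profiles):
    """OpenIT case: a hidden userId is just another request parameter; the
    session, not the form, decides which profile may change."""
    uid = session["userId"]
    profiles[uid]["email"] = form["email"]
    return uid


if __name__ == "__main__":
    prices = {1: 100, 2: 500}
    print(total_trusting_client({"quantity1": "-4", "quantity2": "1"}, prices))
    try:
        checkout_total({"quantity1": "-4", "quantity2": "1"}, prices)
    except TamperingRejected as e:
        print("rejected:", e)
```

The pattern is the same in each handler: every constraint the client enforced (range, allowed set, fixed value) is re-derived on the server from data the client cannot influence, and the client's copy of that data is treated as a hint at best.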


Conclusion
Framework to identify parameter tampering opportunities
- Used client-side restrictions to aid hostile input generation
- Several serious problems in open source / commercial applications
- Significant gap between the validation that should happen and the validation that does happen
Thanks and Questions

Backup

False positives
- maxlength constraints: 31
- Mutated inputs: 12

Split of HTML, JavaScript and Hidden Field Constraints
- HTML constraints: 110/169 (65%)
- JavaScript constraints: 20/169 (12%)
- Hidden field constraints: 39/169 (23%)

Manual intervention
- Unique variables: 3 (SMF: 2, phpNuke: 1)
- Session id/cookies: all except phpNuke
- Required variables: 12 (SMF: 5, phpNuke: 4, B2Evolution: 1, Garena.com: 2)
- Typically 5 minutes per form, bounded by the number of fields

Limitations
Unsound:
- False positive: application mutates invalid inputs (e.g., truncates them); 12 such instances in our experiments
- False positive: similar responses for failure and success
Incomplete:
- JavaScript over-approximation: mutually exclusive events may make F_client false
- JavaScript unhandled features (document.write/eval): constraints not checked at the client, F_client = true

Some related work
Input validation:
- Prevent effects of invalid inputs: Su et al. POPL'06, Bandhakavi et al. CCS'07, Saxena et al. NDSS'09, Van Gundy et al. Oakland'09, Ter Louw et al. Oakland'09
- Find insufficient validation: Livshits et al. Usenix'05, Balzarotti et al. CCS'07, Balzarotti et al. Oakland'08, ...
Vulnerability analysis:
- JavaScript analysis based client-side attacks: Saxena et al. Oakland'10
Fuzzing/directed testing:
- Benign/hostile input generation: Godefroid et al. SIGPLAN'05, Godefroid et al. NDSS'08, Saxena et al. NDSS'10, ...
Prevention techniques:
- Sandbox/restrict client code: Grier et al. Oakland'08, Reis et al. EuroSys'09, Wang et al. Usenix'09, Vikram et al. Oakland'09, Chong et al. CCS'09, ...