NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications. Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Radoslaw Bobrowicz, V.N. Venkatakrishnan (University of Illinois at Chicago, USA). ACM CCS, October 2010.


Title slide. Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Radoslaw Bobrowicz, V.N. Venkatakrishnan, University of Illinois at Chicago, USA. ACM CCS (Oct 2010). A Presentation at Advanced Defense Lab.

Outline: Introduction; Architecture & Challenges; Implementation; Evaluation; Related Work; Conclusion.

Introduction. NoTamper is a novel approach for automatically detecting potential server-side parameter-tampering vulnerabilities in existing web applications.


Introduction – Example attacks
- Attack 1: Negative quantities, resulting in a "discount".
- Attack 2: Charging another user's account. A malicious user can purchase products and charge someone else's account.
- Attack 3: Pattern validation bypass, leading to XSS and SQL injection.

Introduction – Problem Description
- Σ: the alphabet. I = Σ* × Σ* × Σ* × ... × Σ*: the input space (one string per form parameter).
- Pserver: I -> {true, false}, the constraint-checking function on the server.
- Pclient: I -> {true, false}, the constraint-checking function on the client.
- Expected: Pserver(I) = true -> Pclient(I) = true.
- Parameter tampering opportunity (BUG): Pserver(I) = true ∧ Pclient(I) = false.

Introduction – Problem Description
- Fclient: a logical representation of Pclient. Fserver: a logical representation of Pserver.
- Hostile inputs: h1, ..., hn such that Fclient(hi) = false for each i.
- Benign inputs: b1, ..., bm such that Fclient(bj) = true for each j.
- H1, ..., Hn: the server's responses to the hostile inputs. B1, ..., Bm: the server's responses to the benign inputs.
- The more similar a hostile response is to the benign responses, the more likely the hostile input was successful.


ARCHITECTURE & CHALLENGES


ARCHITECTURE & CHALLENGES – HTML/JS Analyzer
- Simulates an environment similar to a JavaScript interpreter in a browser, including the DOM (AJAX is not supported).
- Executes all the initialization code for the web form concretely.

ARCHITECTURE & CHALLENGES – HTML/JS Analyzer
- Identifying JS validation code: code that runs when a form is submitted, and code that runs each time the user enters or changes data on the form.
- Analyzing JS validation code: a mixed concrete-symbolic execution approach. Symbolic execution provides coverage of all control paths; concrete execution enables NoTamper to ignore irrelevant code.
- Resolving DOM references: constructing the pertinent portion of the DOM, and simulating the DOM functions that are used to modify the DOM structure.

ARCHITECTURE & CHALLENGES – Input Generator
- Avoiding spurious rejections: checking that all "required" variables have values of the right type (can be manually overridden).
- Generating orthogonal hostile inputs: converts Fclient to disjunctive normal form (DNF).
- Coping with incomplete information: accepting hints (delta) from a human that guide the search for hostile and benign inputs.
- Addressing state changes: providing an optional list of variables required to have unique values.


IMPLEMENTATION

IMPLEMENTATION – Client Constraint Extraction
- Collects all the event handlers (and associated scripts) and generates a single function that invokes all those event handlers.
- Simulates a small set of core DOM methods and properties: getElementById(), document.write(), and innerHTML.


IMPLEMENTATION – Hostile Input Guidance
- Initial values: numbers; hidden fields (e.g., the session identifier).
- Types: inferred from the HTML widget associated with ( ), the initial value, and occurrence in arithmetic constraints.
- Required variables: found by analyzing the HTML (e.g., asterisks next to field labels); drop-down lists.
- Unique variables.

IMPLEMENTATION – Input Generation
- Benign inputs: convert Fclient to DNF and find one solution per disjunct (or).
- Hostile inputs: solve !Fclient (the negation of Fclient).
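An added illustration (not the paper's code) of the input-generation step on a constructed order form: Fclient is a conjunction of three assumed client-side checks, a benign input satisfies all of them, and each hostile input is a solution of one disjunct of !Fclient in DNF, so it violates exactly one client constraint. Brute-force enumeration over small candidate domains stands in for the HAMPI solver used by NoTamper.

```python
import re
from itertools import product

# Constructed client-side constraints Fclient for a hypothetical order form:
# each entry is a named predicate over the form's parameter assignment.
CONSTRAINTS = {
    "qty_positive": lambda v: v["qty"] > 0,
    "qty_max": lambda v: v["qty"] <= 10,
    "email_ok": lambda v: re.fullmatch(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", v["email"]) is not None,
}

# Small candidate domains; a real tool would hand the constraints to a solver.
DOMAIN = {"qty": [-1, 0, 1, 10, 11], "email": ["a@b.com", "not-an-email"]}


def solve(goal):
    """Return the first assignment in DOMAIN for which goal(v) is true, else None."""
    for combo in product(*DOMAIN.values()):
        v = dict(zip(DOMAIN, combo))
        if goal(v):
            return v
    return None


def benign_input():
    # Fclient here is a single conjunction (one DNF disjunct): one solution suffices.
    return solve(lambda v: all(c(v) for c in CONSTRAINTS.values()))


def hostile_inputs():
    # !Fclient in DNF is  !c1 v !c2 v !c3.  Solving each disjunct separately while
    # keeping the other constraints true yields "orthogonal" hostile inputs:
    # each one violates exactly one client-side check.
    hostile = {}
    for name, c in CONSTRAINTS.items():
        others = [o for n, o in CONSTRAINTS.items() if n != name]
        hostile[name] = solve(lambda v: not c(v) and all(o(v) for o in others))
    return hostile


def violated(v):
    """Names of the client constraints that assignment v violates."""
    return [name for name, c in CONSTRAINTS.items() if not c(v)]
```

Each hostile assignment is what NoTamper would submit to the server; whether the server accepts it is decided later by comparing its response with the benign responses.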

IMPLEMENTATION – Constraint Solving: HAMPI [13].


IMPLEMENTATION – HTML Response Comparison
- Compares the server's response against a response that is known to have been generated by benign (valid) inputs.
- Similarity measure: edit distance, computed with the Ratcliff/Obershelp algorithm.
- Remove the noise between B1 and B2 (parts that differ even between two benign responses) and produce C1.
- Remove the same noise from B1 and Hi and produce C2.
- Compare C1 and C2; the result is the "difference rank".
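An added example (my own code, not NoTamper's) of the response comparison described above, under the assumption that "noise" means the segments that differ between two benign responses B1 and B2 (session ids, timestamps): those segments are stripped from both the benign and the hostile response, and the remaining text is compared with Python's difflib, whose SequenceMatcher implements the Ratcliff/Obershelp algorithm. The sample HTML responses are constructed; a low difference rank means the hostile input was most likely accepted by the server.

```python
import difflib

# Constructed sample responses: two benign responses differ only in the session id,
# one hostile response was accepted (negative quantity went through), one was rejected.
B1 = "<html><body>Order placed. Session: a1b2c3; total $40</body></html>"
B2 = "<html><body>Order placed. Session: z9y8x7; total $40</body></html>"
H_ACCEPTED = "<html><body>Order placed. Session: q5w6e7; total $-40</body></html>"
H_REJECTED = "<html><body>Error: quantity must be positive. Session: r4t5y6</body></html>"


def noise_segments(b1: str, b2: str) -> list:
    """Segments that differ between two benign responses: the noise that varies
    from request to request regardless of the input (session ids, nonces, times)."""
    sm = difflib.SequenceMatcher(None, b1, b2, autojunk=False)
    segs = []
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag != "equal":
            segs += [s for s in (b1[i1:i2], b2[j1:j2]) if s]
    return segs


def strip_noise(text: str, noise: list) -> str:
    for seg in noise:
        text = text.replace(seg, "")
    return text


def difference_rank(b1: str, b2: str, h: str) -> float:
    """0.0 = hostile response indistinguishable from a benign one (tampering
    opportunity), 1.0 = completely different (server rejected the input)."""
    noise = noise_segments(b1, b2)
    c1 = strip_noise(b1, noise)            # benign response without noise
    c2 = strip_noise(h, noise)             # hostile response without the same noise
    ratio = difflib.SequenceMatcher(None, c1, c2, autojunk=False).ratio()
    return 1.0 - ratio


def is_opportunity(b1: str, b2: str, h: str, threshold: float = 0.2) -> bool:
    """Flag the hostile input for manual review when its response is close to benign."""
    return difference_rank(b1, b2, h) < threshold
```

The threshold is an assumed tuning knob; the slides only say that more similar responses indicate a more likely success.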

IMPLEMENTATION – Components
- HTML analysis: built on top of the APIs provided by the HTML Parser.
- JavaScript analysis: a symbolic evaluator based on a modified Narcissus JavaScript engine.
- Input Generator: HAMPI.
- Opportunity Detector: a Java-based module that relays HTTP requests to the test server.


Evaluation – Setup
- Selected 8 open source applications and 5 live websites.
- Test server: Linux Apache web server (2.8 GHz Dual Intel Xeon, 6.0 GB RAM).
- NoTamper host: Ubuntu 9.10 (2.45 GHz Quad Intel, 2.0 GB RAM).



Evaluation – Findings
- Unauthorized money transfers.
- Unlimited shopping rebates.
- Fixed within 24 hours.
- Privilege escalation in OpenIT, by manipulating the userid parameter.

Evaluation – False Positives
- Pertaining to maxlength constraints on form inputs that could not be exploited for any serious vulnerability.
- Inputs rewritten by the server without any observable difference in HTML output.



Evaluation – Performance
- Input Generator: solved 315 formulas in a total of 219 seconds, an average of 0.7 seconds per input.
- HTML / JavaScript analysis: runs in under a second.
- Opportunity Detector: runs in sub-second time for each application.


Related Work. NoTamper's goal is to discover vulnerabilities in existing (legacy) applications, rather than to prevent them in new ones.


Conclusion. NoTamper's results highlight a significant gap between the server-side parameter validation that should occur and the server-side validation that does occur in today's web applications.