An Analysis Framework for Security in Web Applications
Gary Wassermann and Zhendong Su, University of California, Davis
Web Application Architecture
[Diagram] Web browser -> (user input) -> Application -> (database query) -> Database -> (result set) -> Application -> (web page) -> Web browser. The application generates the database query from the user input.
Command Injection Attacks
String query = "SELECT * FROM users WHERE username = '" + strUName + "' AND password = '" + strPasswd + "';";
Expected input: username John, password JohnsPass. Generated query:
SELECT * FROM users WHERE username = 'John' AND password = 'JohnsPass';
Result: John logs in.
Command Injection Attacks (cont.)
Malicious input: empty username, password ' OR '' = '. Generated query:
SELECT * FROM users WHERE username = '' AND password = '' OR '' = '';
AND binds tighter than OR, so the WHERE clause reduces to '' = '', a tautology that matches every row.
Result: the malicious user logs in as the first user the database returns, frequently the administrator.
Motivation
- ~60% of web applications are vulnerable (as reported on the slide)
- Vulnerable sites were found easily with a web search
- Many ways to regulate user inputs: limit input length, filter out "bad" strings, escape quotes, etc.
- Are these regulations sufficient?
- Goal: check the queries the application can generate, rather than the user inputs themselves, for "dangerous" ones
Example: change admin password
1. The attacker registers online with username admin'-- and password password. The application escapes single quotes by doubling them, so the INSERT is
INSERT INTO users VALUES('admin''--', 'password')
and the stored username is the literal string admin'--.
2. The attacker changes the password: username admin'--, old password password, new password backdoor.
3. The application checks the old password (inputs escaped, so this query is well-formed and returns the attacker's row):
sql = "SELECT * FROM users WHERE username = 'admin''--' AND password = 'password'";
rso.open( sql, cn );
if (rso.EOF) {...}
4. The admin's password gets changed. The UPDATE concatenates the username read back from the result set without escaping it, so the quote and -- in the stored value rewrite the statement:
sql = "UPDATE users SET password = '" + newpass + "' WHERE username = '" + rso("username") + "'";
UPDATE users SET password = 'backdoor' WHERE username = 'admin'--'
Everything after -- is a comment, so the WHERE clause selects the user admin. Data that was safely escaped on the way into the database is trusted on the way out (second-order injection).
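Both attacks from these slides (the '' = '' login tautology and the second-order password change through admin'--) reproduced against an in-memory SQLite database, alongside a parameterised version of the password change. This is an added example, not the slides' ASP/ADO code; the table layout, the sample rows, the escape_quotes helper and the hardened variant are assumptions made for the demonstration. SQLite, like SQL Server, treats -- as a comment without requiring a following space (MySQL needs whitespace after --).

```python
import sqlite3

# Assumption for this example: the application's only defence is doubling single
# quotes when it builds the registration and old-password-check queries.
def escape_quotes(s: str) -> str:
    return s.replace("'", "''")

def fresh_db() -> sqlite3.Connection:
    """Constructed sample data: an admin row first, then an ordinary user."""
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    cn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    cn.execute("INSERT INTO users VALUES ('John', 'JohnsPass')")
    return cn

def login_vulnerable(cn, uname: str, passwd: str):
    """Pattern from the Command Injection slides: raw concatenation; returns the
    username of the first matching row, or None."""
    query = ("SELECT username FROM users WHERE username = '" + uname
             + "' AND password = '" + passwd + "'")
    row = cn.execute(query).fetchone()
    return row[0] if row else None

def register(cn, uname: str, passwd: str) -> None:
    """Quotes are escaped, so the literal string admin'-- is stored unchanged."""
    cn.execute("INSERT INTO users VALUES('" + escape_quotes(uname)
               + "', '" + escape_quotes(passwd) + "')")

def change_password_vulnerable(cn, uname, oldpass, newpass) -> bool:
    """The old-password check escapes its inputs, but the UPDATE trusts the value
    read back from the result set, which is the attacker's stored username."""
    sql = ("SELECT * FROM users WHERE username = '" + escape_quotes(uname)
           + "' AND password = '" + escape_quotes(oldpass) + "'")
    rso = cn.execute(sql).fetchone()
    if rso is None:
        return False
    # Second-order injection: rso[0] == "admin'--"; the -- comments out the closing quote.
    sql = ("UPDATE users SET password = '" + newpass
           + "' WHERE username = '" + rso[0] + "'")
    cn.execute(sql)
    return True

def change_password_hardened(cn, uname, oldpass, newpass) -> bool:
    """Parameterised queries: data never becomes query structure, whether it
    arrived from the user or from the database."""
    rso = cn.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (uname, oldpass)).fetchone()
    if rso is None:
        return False
    cn.execute("UPDATE users SET password = ? WHERE username = ?", (newpass, rso[0]))
    return True

def password_of(cn, uname: str) -> str:
    return cn.execute("SELECT password FROM users WHERE username = ?",
                      (uname,)).fetchone()[0]

def demo():
    cn = fresh_db()
    # 1. Tautology: AND binds tighter than OR, so '' = '' matches every row and the
    #    first row (admin) is returned.
    bypassed_as = login_vulnerable(cn, "", "' OR '' = '")
    # 2. Second-order injection through the stored username admin'--.
    register(cn, "admin'--", "password")
    change_password_vulnerable(cn, "admin'--", "password", "backdoor")
    admin_pw_after_attack = password_of(cn, "admin")
    # 3. The same attack against the parameterised code on a fresh database.
    cn2 = fresh_db()
    register(cn2, "admin'--", "password")
    change_password_hardened(cn2, "admin'--", "password", "backdoor")
    return (bypassed_as, admin_pw_after_attack,
            password_of(cn2, "admin"), password_of(cn2, "admin'--"))

if __name__ == "__main__":
    print(demo())  # ('admin', 'backdoor', 's3cret', 'backdoor')
```

With the hardened code the attacker only changes the password of the account they own (admin'--); the admin row is untouched. Escaping at the input boundary is not a substitute for keeping data out of the query structure everywhere the query is built.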
Overview of Analysis Framework
[Diagram] Application code (query = ...) -> Abstract model of generated programs -> Structure discovery (table lists, conditional expressions, SELECT statement) -> two checks:
- Access control. Example: a "customer" deletes inventory data.
- Tautologies. Example: a malicious user bypasses authentication.
Example with cycles
String query = "SELECT * FROM stock WHERE " + strID + " = id";
for (int i = 0; i < dat.length; i++)
    query = query + " AND " + dat[i] + " = " + inp[i];
dat[] holds column names chosen from a dropdown menu (e.g. year, min); inp[] holds values typed into text boxes. All user input is filtered against the blacklist {"delete", "xp_", "=", "from", "or"}.
Expected query (strID = 982, dat = [year, min], inp = [2004, 15]):
SELECT * FROM stock WHERE 982 = id AND year = 2004 AND min = 15
Malicious query (strID = NOT(1, dat = [min, min], inp = [14, 15) ]): none of the inputs contains a blacklisted substring, yet the generated query is
SELECT * FROM stock WHERE NOT(1 = id AND min = 14 AND min = 15)
min = 14 AND min = 15 can never hold, so the negated conjunction is a tautology and the query returns the whole table. Because of the loop, the set of queries this code can generate is infinite, so the analysis must handle cycles.
String Analysis (previous work)
The string analysis builds a finite-state automaton (FSA) whose language over-approximates every value the variable query can take.
[Diagram] FSA for the loop example: SELECT * FROM stock WHERE -> NOT( x = id -> a cycle of AND min = y / AND min = z transitions closed by an ε-edge -> ). Among the strings it accepts:
SELECT * FROM stock WHERE NOT(1 = id AND min = 14 AND min = 15)
Structure Discovery (previous work)
Structure discovery parses the FSA against the SQL grammar and labels sub-automata with their syntactic role.
[Diagram] The prefix SELECT * FROM stock WHERE is the statement head; the sub-automaton NOT( x = id AND min = y AND min = z ) is identified as the Boolean expression of the WHERE clause.
Tautology checking
The Boolean-expression sub-automaton is the input to tautology checking. For the loop example it is
NOT ( x = id AND min = y AND min = z )
which is a tautology whenever y and z can differ, since min = y AND min = z is then unsatisfiable.
Theorem: the analysis discovers a tautology over linear arithmetic iff the FSA accepts one.
Overview of Tautology Checking
Main idea: generate a finite number of validity queries from the FSA (which itself accepts infinitely many strings).
Challenges:
- Loops/cycles
- Arithmetic
- Boolean
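An added example of the "validity query" step for the WHERE-clause structures recovered on the preceding slides. This is not the paper's implementation (the slides describe it as in progress); it decides validity only for Boolean combinations of equalities between columns and literals, which covers the login, loop and UPDATE clauses on these slides, and it does not handle the linear-arithmetic constraints (sums, ≥, loop counters) treated on the next slides. The formula constructors, the cycle_where/login_where/update_where_revisited shapes and the blacklist check are all constructed here.

```python
# Formulas are nested tuples: ("eq", t, u) | ("not", f) | ("and", f, g) | ("or", f, g).
# Terms are ("var", name) for a column or ("const", value) for a literal.
def var(name):  return ("var", name)
def const(v):   return ("const", v)
def eq(t, u):   return ("eq", t, u)
def neg(f):     return ("not", f)
def disj(f, g): return ("or", f, g)
def conj(*fs):
    out = fs[0]
    for g in fs[1:]:
        out = ("and", out, g)
    return out

def nnf(f, negate=False):
    """Push negation down to the atoms, which become ("eq", t, u) or ("neq", t, u)."""
    kind = f[0]
    if kind == "eq":
        return ("neq" if negate else "eq", f[1], f[2])
    if kind == "not":
        return nnf(f[1], not negate)
    left, right = nnf(f[1], negate), nnf(f[2], negate)
    if kind == "and":
        return ("or" if negate else "and", left, right)
    return ("and" if negate else "or", left, right)

def dnf(f):
    """List of clauses (lists of literals) whose disjunction equals the NNF formula f."""
    kind = f[0]
    if kind in ("eq", "neq"):
        return [[f]]
    if kind == "or":
        return dnf(f[1]) + dnf(f[2])
    return [a + b for a in dnf(f[1]) for b in dnf(f[2])]

def consistent(literals):
    """Satisfiability of a conjunction of (dis)equalities over an unbounded domain:
    union-find merges equal terms; the clause is inconsistent if two different literal
    values end up in one class or a disequality relates a class to itself."""
    parent = {}
    def find(t):
        parent.setdefault(t, t)
        while parent[t] != t:
            parent[t] = parent[parent[t]]
            t = parent[t]
        return t
    for kind, t, u in literals:
        if kind == "eq":
            parent[find(t)] = find(u)
    seen = {}
    for t in list(parent):
        if t[0] == "const":
            root = find(t)
            if seen.get(root, t[1]) != t[1]:
                return False
            seen[root] = t[1]
    return all(find(t) != find(u) for kind, t, u in literals if kind == "neq")

def is_tautology(f):
    """f is valid iff no clause of the DNF of its negation is satisfiable."""
    return not any(consistent(clause) for clause in dnf(nnf(f, negate=True)))

# Blacklist from the "Example with cycles" slides; it never fires on the attacker's inputs.
BLACKLIST = ("delete", "xp_", "=", "from", "or")
def passes_filter(s):
    return not any(bad in s.lower() for bad in BLACKLIST)

def cycle_where(x, y, z):
    """Structure discovered for the loop example: NOT(x = id AND min = y AND min = z)."""
    return neg(conj(eq(const(x), var("id")), eq(var("min"), const(y)), eq(var("min"), const(z))))

def login_where(u, p, extra=None):
    """username = u AND password = p, optionally OR-ed with an attacker-supplied atom."""
    base = conj(eq(var("username"), const(u)), eq(var("password"), const(p)))
    return base if extra is None else disj(base, extra)

def update_where_revisited():
    """WHERE clause of the revisited UPDATE: username = '' OR 'a' = 'a'."""
    return disj(eq(var("username"), const("")), eq(const("a"), const("a")))

if __name__ == "__main__":
    print(is_tautology(cycle_where(1, 14, 15)), is_tautology(cycle_where(1, 15, 15)))
    print(is_tautology(login_where("", "", eq(const(""), const("")))), is_tautology(login_where("John", "JohnsPass")))
```

The checker reports the loop query with y = 14, z = 15 as a tautology while the same structure with y = z = 15 is not, which is exactly the distinction the blacklist filter cannot make: every attacker input passes passes_filter.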
Tautology Checking: Arithmetic Loops
Each edge of the FSA cycle gets an integer counter for how many times a path traverses it (W, X, Y, Z). Path constraints: one entry (in = 1), flow conservation at the loop node, one exit (out = 1):
1 = W + X  ∧  X + W + Y = Y + Z  ∧  Z = 1
The arithmetic comparison generated along the path is weighted by the counters (edge labels a, b, c):
W·(a) + X·(b) + Y·(c) ≥ Z·(b + c)
A satisfying assignment of the counters selects one concrete path; the slide's assignment {W, Y, Z ← 1; X ← 0} satisfies the path constraints (1 = 1 + 0, 0 + 1 + 1 = 1 + 1, 1 = 1). The concrete instance shown on the slide is b + c ≥ b + c, which holds for all values of a, b, c, i.e. the path generates a tautology.
Tautology Checking: Boolean Loops
[Diagram] A cycle whose body contributes Boolean sub-expressions over a and b joined by OR. The loop is unrolled a bounded number of times; the bound in the slide's example is n + 2 = 4 (see the backup slide "Why n+2?").
Earlier Example Revisited
UPDATE users SET password = 'backdoor' WHERE username = 'admin'--'
[Diagram] FSA for the UPDATE statement: UPDATE users SET password = ' w ' WHERE username = ' x ', where w stands for newpass and x for the username read back from the result set; x may contain the quote and -- that cut the statement short.
Earlier Example Revisited (cont.)
sql = "UPDATE users SET password = '" + newpass + "' WHERE username = '" + rso("username") + "'";
The same code may also generate a query with a tautology. If the stored username is 'OR'a'='a, the UPDATE becomes
UPDATE users SET password = 'backdoor' WHERE username = ''OR'a'='a';
whose WHERE clause is true for every row, so every user's password is set to backdoor.
Earlier Example Revisited (cont.)
[Diagram] FSA for the tautological case: UPDATE users SET password = ' w ' WHERE username = ' x ' OR ' y ' = ' z '. Structure discovery isolates the Boolean expression username = x OR y = z, and tautology checking finds it valid when y = z, as in
UPDATE users SET password = 'backdoor' WHERE username = ''OR'a'='a';
Conclusions
- Analysis framework: generate and analyze an FSA model of all possible queries
- Semantic analysis of the generated programs: not only types but values
- Implementation in progress
Questions?
Why n+2?