Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting Vulnerabilities in Web Code with concolic execution

Published byAnissa Ross Modified over 6 years ago

Similar presentations

Presentation on theme: "Detecting Vulnerabilities in Web Code with concolic execution"— Presentation transcript:

1 Detecting Vulnerabilities in Web Code with concolic execution
Suman Jana *slides are adapted from Adam Kiezun, Philip J. Guo, Karthick Jayaraman, and Michael D. Ernst

2 Automatic Creation of SQL Injection and Cross-Site Scripting Attacks
SQLI attacks Automatic Creation of SQL Injection and Cross-Site Scripting Attacks PHP Source Code Reflected XSS attacks Stored XSS attacks Briefly describe diagram and VERY HIGH-LEVEL overview of our tool - INPUT and OUTPUT Ardilla by Kiezun et al. [ ICSE 2009 ]

3 Overview Problem: Approach: Results: Automatically generate inputs
Finding security vulnerabilities (SQLI and XSS) in Web applications Approach: Automatically generate inputs Dynamically track taint Mutate inputs to produce exploits Results: 60 unique new vulnerabilities in 5 PHP applications first to create 2nd-order XSS, no false positives Don’t read the slide - mention that it’s an OFFLINE DYNAMIC ANALYSIS Also mention how this will only be a preview of the paper, don’t have room to discuss some of our contributions in-depth

4 PHP Web applications $_GET[] <HTML> … <script>
PHP application $_POST[] Describe in terms of INPUTS and OUTPUTS GET and POST are mappings Data HTML PHP on webserver SQL URL Database Web browser

5 Example: Message board (add mode)
if ($_GET['mode'] == "add") addMessageForTopic(); else if ($_GET[‘mode’] == “display”) displayAllMessagesForTopic(); else die(“Error: invalid mode”); function addMessageForTopic() { $my_msg = $_GET['msg']; $my_topicID = $_GET['topicID']; $my_poster = $_GET['poster']; $sqlstmt = ” INSERT INTO messages VALUES('$my_msg’ , '$my_topicID') "; $result = mysql_query($sqlstmt); echo "Thanks for posting, $my_poster”; } $_GET[]: mode = “add” msg = “hi there” topicID = 42 poster = “Bob” Thanks for posting, Bob

6 Example: Message board (display mode)
if ($_GET['mode'] == "add") addMessageForTopic(); else if ($_GET[‘mode’] == “display”) displayAllMessagesForTopic(); else die(“Error: invalid mode”); function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM messages WHERE topicID='$my_topicID’ "; $result = mysql_query($sqlstmt); while($row = mysql_fetch_assoc($result)) { echo "Message: " . $row['msg']; } } $_GET[]: mode = “display” topicID = Message: hi there

7 SQL injection attack if ($_GET['mode'] == "add") addMessageForTopic();
mode = “display” topicID = 1' OR '1'='1 if ($_GET['mode'] == "add") addMessageForTopic(); else if ($_GET[‘mode’] == “display”) displayAllMessagesForTopic(); else die(“Error: invalid mode”); function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM messages WHERE topicID='$my_topicID’ "; $result = mysql_query($sqlstmt); while($row = mysql_fetch_assoc($result)) { echo "Message: " . $row['msg']; } } SELECT msg FROM messages WHERE topicID='1' OR '1'='1'

8 Thanks for posting, uh oh
Reflected XSS attack if ($_GET['mode'] == "add") addMessageForTopic(); $_GET[]: mode = “add” msg = “hi there” topicID = 42 poster = “uh oh<script>alert(‘XSS’)</script>” function addMessageForTopic() { $my_poster = $_GET['poster']; […] echo "Thanks for posting, $my_poster"; } Talk about the need for social engineering - somebody could trick you into clicking on a malicious link with script code in GET, and then your cookies or session info to attacker Thanks for posting, uh oh

9 Stored XSS attack $_GET[]: mode = “add”
msg = “uh oh<script>alert(‘XSS’)</script>” topicID = 42 poster = “Attacker” addMessageForTopic() PHP application Database Mention that victims are INNOCENT and that MANY victims can be harmed by one malicious db entry Attacker’s input

10 Stored XSS attack Message: uh oh $_GET[]: mode = “add”
msg = “uh oh<script>alert(‘XSS’)</script>” topicID = 42 poster = “Attacker” addMessageForTopic() PHP application Database Mention that victims are INNOCENT and that MANY victims can be harmed by one malicious db entry Attacker’s input displayAllMessagesForTopic() echo() $_GET[]: mode = “display” topicID = 42 Message: uh oh Victim’s input

11 Database with taint-tracking Attack Generator/Checker
Architecture Input Generator inputs PHP Source Code Database with taint-tracking Taint Propagator taint sets Describe each component - why and how Attack Generator/Checker Ardilla Malicious inputs

12 Input generation Input Generator inputs PHP Source Code Goal: Create a set of concrete inputs (_$GET[] & _$POST[]) based on concolic execution Could theoretically use any input generator - we just need to take a program and generate a bunch of inputs, could even be manual test suite

13 Input generation: concolic execution
if ($_GET['mode'] == "add") addMessageForTopic(); else if ($_GET[‘mode’] == “display”) displayAllMessagesForTopic(); else die(“Error: invalid mode”); PHP Source Code Input Generator inputs $_GET[]: mode = “1” msg = “1” topicID = 1 poster = “1” $_GET[]: mode = “add” msg = “1” topicID = 1 poster = “1” $_GET[]: mode = “display” msg = “1” topicID = 1 poster = “1”

14 Example: SQL injection attack
1. Generate inputs until program reaches an SQL statement SELECT msg FROM messages WHERE topicID='$my_topicID‘ function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM messages WHERE topicID='$my_topicID’ "; $result = mysql_query($sqlstmt); $_GET[]: mode = “display” msg = “1” topicID = 1 poster = “1”

15 Taint propagation inputs PHP Source Code Database with taint tracking Taint Propagator taint sets Goal: Determine which input variables affect each potentially dangerous value inputs Technique: Execute and track data-flow from input variables to sensitive sinks Sensitive sinks: mysql_query(), echo(), print()

16 Taint propagation: data-flow
inputs inputs PHP Source Code Database with taint tracking Taint Propagator Each value has a taint set, which contains input variables whose values flow into it taint sets function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM messages WHERE topicID='$my_topicID’ "; $result = mysql_query($sqlstmt); /* {‘topicID’} */ Mention that we only care about taint sets for values that flow into SENSITIVE SINKS! Taint propagation Assignments: $my_poster = $_GET[“poster”] String concatenation: $full_n = $first_n . $last_n PHP built-in functions: $z = foo($x, $y) Database operations (for stored XSS) Sensitive sink Taint set

17 Example: SQL injection attack
1. Generate inputs until program reaches an SQL statement SELECT msg FROM messages WHERE topicID='$my_topicID‘ 2. Collect taint sets for values in sensitive sinks: { ’topicID’ } function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = “SELECT msg FROM messages WHERE topicID=‘$my_topicID’ “; $result = mysql_query($sqlstmt); /* {‘topicID’} */ Mention that the XSS attacks are similar and are described more in the paper Sensitive sink Taint set

18 Attack generation and checking
PHP Source Code Goal: Generate attacks for each sensitive sink inputs taint sets Attack Generator/Checker Malicious inputs Technique: Mutate inputs into candidate attacks Replace tainted input variables with shady strings developed by security professionals: e.g., “1’ or ‘1’=‘1”, “<script>code</script>” Alternative: Use a string constraint solver

19 Attack generation and checking
Given a program, an input i, and taint sets for each var that reaches any sensitive sink: res = exec(program, i) for shady in shady_strings: mutated_input = i.replace(var, shady) mutated_res = exec(program, mutated_input) Attack generation ‘reaches’ means that it’s in the TAINT SET of the value that enters a sensitive sink if mutated_res DIFFERS FROM res: report mutated_input as attack Attack checking

20 Attack generation: mutating inputs
res = exec(program, i) for shady in shady_strings: mutated_input = i.replace(var, shady) mutated_res = exec(program, mutated_input) if mutated_res DIFFERS FROM res: report mutated_input as attack $_GET[]: mode = “display” topicID = 1' OR '1'='1 $_GET[]: mode = “display” topicID = 1

21 Example: SQL injection attack
1. Generate inputs until program reaches an SQL statement SELECT msg FROM messages WHERE topicID='$my_topicID‘ 2. Collect taint sets for values in sensitive sinks: { ’topicID’ } 3. Generate attack candidate by picking a shady string Mention that the XSS attacks are similar and are described more in the paper $_GET[]: mode = “display” topicID = 1' OR '1'='1 $_GET[]: mode = “display” topicID = 1

22 Attack checking: diffing outputs
res = exec(program, i) for shady in shady_strings: mutated_input = i.replace(var, shady) mutated_res = exec(program, mutated_input) if mutated_res DIFFERS FROM res: report mutated_input as attack What is a significant difference? For SQLI: compare SQL parse tree structure For XSS: compare HTML for additional script-inducing elements (<script>) Avoids false positives from input sanitizing and filtering

23 Example: SQL injection attack
1. Generate inputs until program reaches an SQL statement SELECT msg FROM messages WHERE topicID='$my_topicID‘ 2. Collect taint sets for values in sensitive sinks: { ’topicID’ } 3. Generate attack candidate by picking a shady string 4. Check by mutating input and comparing SQL parse trees: innocuous: SELECT msg FROM messages WHERE topicID=‘1’ mutated: SELECT msg FROM messages WHERE topicID=‘1’ OR ‘1’=‘1’ 5. Report an attack since SQL parse tree structure differs Mention that the XSS attacks are similar and are described more in the paper

24 SourceForge Downloads Reached sensitive sinks
Experimental results Name Type LOC SourceForge Downloads SchoolMate School administration 8,181 6,765 WebChess Online chess 4,722 38,457 FaqForge Document creator 1,712 15,355 EVE activity tracker Game player tracker 915 1,143 geccBBlite Bulletin board 326 366 Vulnerability Kind Sensitive sinks Reached sensitive sinks Unique attacks SQLI 366 91 23 1st-order XSS 274 97 29 2nd-order XSS 66 8 In theory, FPs could arise due to those not being truly exploitable attacks Main limitation: concolic input generator Line coverage < 50% Inability to simulate user sessions and cookies Total: 60 Main limitation: input generator

25 Comparison with other approaches
Defensive coding: + : can completely solve problem if done properly - : must re-write existing code Static analysis: + : can potentially prove absence of errors - : false positives, does not produce concrete attacks Dynamic monitoring: + : can prevent all attacks - : runtime overhead, false positives affect app. behavior Random fuzzing: + : easy to use, produces concrete attacks - : creates mostly invalid inputs - Defensive coding means to use special libraries - We feel that our tool hits a sweet-spot that wasn’t previously covered

26 Summary Automatically create SQLI and XSS attacks Technique
Dynamically track taint through both program and database Input mutation and output comparison Implementation and evaluation Found 60 new vulnerabilities, no false positives

Download ppt "Detecting Vulnerabilities in Web Code with concolic execution"

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.

Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.

Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.

1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,

Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,
Prevent Cross-Site Scripting (XSS) attack

Prevent Cross-Site Scripting (XSS) attack
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Similar presentations

Ads by Google