TWEET SHARE PIN SEND 11/02/2017 Giancarlo Pellegrino,"> TWEET SHARE PIN SEND 11/02/2017 Giancarlo Pellegrino,">

Presentation is loading. Please wait.

Presentation is loading. Please wait.

Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs

Published byEaster Floyd Modified over 6 years ago

Similar presentations

Presentation on theme: "Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs"— Presentation transcript:

1 Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs
G. Pellegrino, M. Johns, S. Koch, M. Backes, C. Rossow ACM CCS 2017 Nov 2nd, Dallas, USA

2 Giancarlo Pellegrino, gpellegrino@cispa.saarland
U WON’T BELIEVE WHAT DIS CAT IS DOIN’ !!!1! <img src=" width="0px" height="0px"/> TWEET SHARE PIN SEND 11/02/2017 Giancarlo Pellegrino,

3 Cross-Site Request Forgery Attack
Look at this cat video! If credentials are valid, create and send a session cookies POST /login.php […] user=Alice&pwd=secret 200 OK Set-cookie: session=YBLqp32F GET /video.html + If cookie is valid, then update password GET /change_pwd.php?password=pwnd Cookie: session=YBLqp32F 11/02/2017 Giancarlo Pellegrino,

4 The Forgotten Sleeping Giant
Popular vulnerability Among top 10 security risks w/ XSS and SQLi Discovered in popular websites, e.g., Gmail, Netflix, and ING Most of previous efforts spent on countermeasures: Origin header, synchronizer tokens, and browser plugins A little has been done to provide techniques for the detection Existing (semi-)automated techniques focus on input validation and logic flaws Detection of CSRF via manual inspection [Top10_OWASP_ ] 11/02/2017 Giancarlo Pellegrino,

5 Giancarlo Pellegrino, gpellegrino@cispa.saarland
Challenges Detection requires reasoning over relationships between application states, the roles and status of request parameters Challenges: CSRF targets state transitions Attacker reliably create requests incl. parameters and values Not all state transitions are relevant 11/02/2017 Giancarlo Pellegrino,

6 1) CSRF Targets State Transitions
GET /user_data.php Cookie: session=YBLqp32F Show user data GET /change_pwd.php?password=new_secret Cookie: session=YBLqp32F Update password Fire a state transition UPDATE users SET pwd=new_secret […] Determine when a state transition occurs Not all operations change the state of a webapp E.g., View user data vs reset user password Learning state transitions is possible However, existing approach can be inaccurate or operation-specific SELECT * FROM users […] 11/02/2017 Giancarlo Pellegrino,

7 2) Attacker Reliably Creates Requests incl. Params
GET /place_order.php?token=XZR4t6q Cookie: session=YBLqp32F Determine relationships between parameters and transitions E.g., random security token may not be guessed by an attacker Existing techniques do not determine such a relationship E.g., Web scanners match param names against list of predefined names (e.g., “token”) 11/02/2017 Giancarlo Pellegrino,

8 3) Not all State Transitions are Relevant
PageCounter++ Return product description GET /product.php?id=201 Cookie: session=YBLqp32F Fire a state transition 200 OK UPDATE pages SET cnt = cnt + 1 WHERE id=201 Determine the relevance of a state transition State transitions can be the result of operations such as tracing user activities They are state-changing operations but not necessarily security-relevant Easy for humans but hard for machines 11/02/2017 Giancarlo Pellegrino,

9 Giancarlo Pellegrino, gpellegrino@cispa.saarland
Our Solution: Deemon Application-agnostic framework for developers and analysts Infer state transitions + data flow from program executions Property graphs for uniform and reusable model representation Graph traversals to select request candidates for testing Verify replay-ability of HTTP requests 11/02/2017 Giancarlo Pellegrino,

10 Deemon: Trace Generation
Dynamic Trace Generation A F < , , , , > GET < GET , 200, GET , 302 > 200 OK < , , , , > A F Login and change password < , > Virtualized Env. 11/02/2017 Giancarlo Pellegrino,

11 Deemon: Model Construction
Traces and Parse Trees FSM Data flow and types next next trans to A F < , , , , > A q0 q0→q1 q1 caused caused v1= YBLqp32F Types: String, Session unique next next next has < GET , 200, GET , 302 > GET 200 GET 302 GET / hdrs caused propag. accepts YBLqp32F next < , > SQL SQL source v2= YBLqp32F Types: String, Session unique UPDATE tbl claus id=YBLqp sink 11/02/2017 Giancarlo Pellegrino,

12 Giancarlo Pellegrino, gpellegrino@cispa.saarland
Deemon: Traversals r GET url hdrs “Find all CSRF” “Find all requests r such that: 1) r is state-changing 2) r can be created by an attacker 3) the state change is relevant” “∀n: request(n) 1) ∃tr, qi, qf: trans(tr, qi, qf) ∧ accepts(tr, n) 2) ∀ v: variable(v) ∧ has(qf, v) ∧ v.Types ⋂ {“unguessable”} = ∅ 3) relevant(r)” [Query processor] password pwd request(r) r accept trans to qi qi→qf qf ∃tr, qi, qf: trans(tr, qi, qf) ∧ accepts(tr, r) has v1= pwd Types: String qf ∀ v: variable(v) ∧ has(qf, v) ∧ v.Types ⋂ {“unguessable”} = ∅ 11/02/2017 Giancarlo Pellegrino,

13 Giancarlo Pellegrino, gpellegrino@cispa.saarland
Deemon: Testing Graph Traversals Test Execution < , , , , > Requests GET < , , , , > 200 OK Queries ? Virtualized Env. Failed Successful 11/02/2017 Giancarlo Pellegrino,

14 Giancarlo Pellegrino, gpellegrino@cispa.saarland
Evaluation Inputs: 10 Web apps from the Bitnami catalog (avg 600k LoC ) 93 workflows (e.g., change password, username, add/delete user/admin, enable/disable plugin) Attacks: User account takeover in AbanteCart and OpenCart Database corruption in Mautic Web app takeover in Simple Invoices 53 protected (108 tokens) 194 not st-ch 1,022 not relevant 1,380 requests 1,186 st-ch 164 relevant 111 unprotected 190 failed 219 tests 29 succ. 14 distinct CSRFs 11/02/2017 Giancarlo Pellegrino,

15 Results Analysis: Awareness
Complete Awareness: all state-changing operations are protected E.g., Horde, Oxid, and Prestashop Unawareness: none of the relevant state-changing operations are protected I.e., Simple Invoices Partial Awareness Role-based: only admin is protected I.e., OpenCart and AbanteCart Operation-based: adding data items is protected, deleting is not I.e., Mautic 11/02/2017 Giancarlo Pellegrino,

16 Giancarlo Pellegrino, gpellegrino@cispa.saarland
Takeaways Presented Deemon: Dynamic analysis + property graphs New modeling paradigm Deemon detected 14 CSRFs that can be exploited to takeover accounts, websites, and compromise database integrity Discovered alarming behaviors: security-sensitive operations are protected in a selective manner 11/02/2017 Giancarlo Pellegrino,

Download ppt "Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs"

Similar presentations

Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
AUTOMATED DISCOVERY OF PARAMETER POLLUTION VULNERABILITIES IN WEB APPLICATIONS Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, and Engin Kirda,

AUTOMATED DISCOVERY OF PARAMETER POLLUTION VULNERABILITIES IN WEB APPLICATIONS Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, and Engin Kirda,
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
PHP Security.

PHP Security.
Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.

Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.

Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Approaches to Application Security – DSM

Approaches to Application Security – DSM
Penetration Testing James Walden Northern Kentucky University.

Penetration Testing James Walden Northern Kentucky University.
Robust Defenses for Cross-Site Request Forgery CS6V81 - 005 Presented by Saravana M Subramanian.

Robust Defenses for Cross-Site Request Forgery CS6V Presented by Saravana M Subramanian.
AMNESIA: Analysis and Monitoring for NEutralizing SQL- Injection Attacks Published by Wiliam Halfond and Alessandro Orso Presented by El Shibani Omar CS691.

AMNESIA: Analysis and Monitoring for NEutralizing SQL- Injection Attacks Published by Wiliam Halfond and Alessandro Orso Presented by El Shibani Omar CS691.

Similar presentations

Ads by Google