Presentation is loading. Please wait.

Presentation is loading. Please wait.

Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs*

Published byStefany Fidalgo Ribeiro Modified over 6 years ago

Similar presentations

Presentation on theme: "Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs*"— Presentation transcript:

1 Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs*
G. Pellegrino, M. Johns, S. Koch, M. Backes, C. Rossow / ITASEC 2018 Feb 7th, Milan, Italy Computer and Communications Security (CCS) Oct 30th – Nov 3rd, Dallas, USA

2 Giancarlo Pellegrino, gpellegrino@cispa.saarland
Who am I? Visiting Assistant Professor at Stanford University, US Independent Research Group Leader at CISPA, Saarland, DE (on temp. leave) Topics Web Security Automated Vulnerability Analysis Deep (Reinforcement) Learning Seeking for a talented Ph.D. student Enjoy digging for vulnerabilities? Contact me! 11/02/2017 Giancarlo Pellegrino,

3 Giancarlo Pellegrino, gpellegrino@cispa.saarland
U WON’T BELIEVE WHAT DIS CAT IS DOIN’ !!!1! <img src=" width="0px" height="0px"/> TWEET SHARE PIN SEND 11/02/2017 Giancarlo Pellegrino,

4 Cross-Site Request Forgery Attack
Look at this cat video! If credentials are valid, create and send a session cookies POST /login.php […] user=Alice&pwd=secret 200 OK Set-cookie: session=YBLqp32F GET /video.html + If cookie is valid, then update password GET /change_pwd.php?password=pwnd Cookie: session=YBLqp32F 11/02/2017 Giancarlo Pellegrino,

5 The Forgotten Sleeping Giant
Popular vulnerability Among top 10 security risks w/ XSS and SQLi Discovered in popular websites, e.g., Gmail, Netflix, and ING Most of previous efforts spent on countermeasures: Origin header, synchronizer tokens, and browser plugins A little has been done to provide techniques for the detection Existing (semi-)automated techniques focus on input validation and logic flaws Detection of CSRF via manual inspection [Top10_OWASP_ ] 11/02/2017 Giancarlo Pellegrino,

6 Why is it hard to detect CSRF?
Detection requires reasoning over relationships between application states, the roles and status of request parameters: D1) CSRF targets state transitions D2) Attacker reliably create requests incl. parameters and values D3) Not all state transitions are relevant Additional challenges (Operational): O1) CSRF in non-trivial workflows O2) Side-effect free testing 11/02/2017 Giancarlo Pellegrino,

7 D1) CSRF Targets State Transitions
GET /user_data.php Cookie: session=YBLqp32F Show user data GET /change_pwd.php?password=new_secret Cookie: session=YBLqp32F Update password Fire a state transition UPDATE users SET pwd=new_secret […] Determine when a state transition occurs Not all operations change the state of a webapp E.g., View user data vs reset user password Learning state transitions is possible However, existing approach can be inaccurate or operation-specific SELECT * FROM users […] 11/02/2017 Giancarlo Pellegrino,

8 D2) Attacker Reliably Creates Requests incl. Params
GET /place_order.php?token=XZR4t6q Cookie: session=YBLqp32F Determine relationships between parameters and transitions E.g., random security token may not be guessed by an attacker Existing techniques do not determine such a relationship E.g., Web scanners match param names against list of predefined names (e.g., “token”) 11/02/2017 Giancarlo Pellegrino,

9 D3) Not all State Transitions are Relevant
PageCounter++ Return product description GET /product.php?id=201 Cookie: session=YBLqp32F Fire a state transition 200 OK UPDATE pages SET cnt = cnt + 1 WHERE id=201 Determine the relevance of a state transition State transitions can be the result of operations such as tracing user activities They are state-changing operations but not necessarily security-relevant Easy for humans but hard for machines 11/02/2017 Giancarlo Pellegrino,

10 Giancarlo Pellegrino, gpellegrino@cispa.saarland
Our Solution: Deemon Property Graph Infer state transitions (D1) Infer data flow with semantic types (D2) Use heuristics for reoccurring transitions (D3) Find n s.t.: request(n) ∧ ∃st, state-changing(st, n) ∧ attacker-controlled(n) ∧ relevant(st) Graph Traversal Query 11/02/2017 Giancarlo Pellegrino,

11 Deemon: Trace Generation
Dynamic Trace Generation A F < , , , , > < GET , 200, GET , 302 > GET 200 OK < , , , , > A F Login and change password < , > Virtualized Env. 11/02/2017 Giancarlo Pellegrino,

12 Deemon: Property Graph Construction
Traces and Parse Trees FSM Data flow and types next next trans to A F < , , , , > A q0 q0→q1 q1 caused caused v1= YBLqp32F Types: String, Session unique next next next has < GET , 200, GET , 302 > GET 200 GET 302 GET / hdrs caused propag. accepts YBLqp32F next < , > SQL SQL source v2= YBLqp32F Types: String, Session unique UPDATE tbl claus id=YBLqp sink 11/02/2017 Giancarlo Pellegrino,

13 Deemon: Traversals for Test Generation
GET url hdrs “Find all CSRF” “Find all requests r such that: 1) r is state-changing 2) r can be created by an attacker 3) the state change is relevant” “∀n: request(n) 1) ∃tr, qi, qf: trans(tr, qi, qf) ∧ accepts(tr, n) 2) ∀ v: variable(v) ∧ has(qf, v) ∧ v.Types ⋂ {“unguessable”} = ∅ 3) relevant(r)” [Query processor] password pwd request(r) r accept trans to qi qi→qf qf ∃tr, qi, qf: trans(tr, qi, qf) ∧ accepts(tr, r) has v1= pwd Types: String, Session unique qf ∀ v: variable(v) ∧ has(qf, v) ∧ v.Types ⋂ {“unguessable”} = ∅ 11/02/2017 Giancarlo Pellegrino,

14 Giancarlo Pellegrino, gpellegrino@cispa.saarland
Deemon: Testing Graph Traversals Test Execution < , , , , > Requests GET < , , , , > 200 OK Queries ? Virtualized Env. Failed Successful 11/02/2017 Giancarlo Pellegrino,

15 Giancarlo Pellegrino, gpellegrino@cispa.saarland
Evaluation Inputs: 10 Web apps from the Bitnami catalog (avg 600k LoC ) 93 workflows (e.g., change password, username, add/delete user/admin, enable/disable plugin) Attacks: User account takeover in AbanteCart and OpenCart Database corruption in Mautic Web app takeover in Simple Invoices 53 protected (108 tokens) 194 not st-ch 1,022 not relevant 1,380 requests 1,186 st-ch 164 relevant 111 unprotected 190 failed 219 tests 29 succ. 14 distinct CSRFs 11/02/2017 Giancarlo Pellegrino,

16 Results Analysis: Awareness
Complete Awareness: all state-changing operations are protected E.g., Horde, Oxid, and Prestashop Unawareness: none of the relevant state-changing operations are protected I.e., Simple Invoices Partial Awareness Role-based: only admin is protected I.e., OpenCart and AbanteCart Operation-based: adding data items is protected, deleting is not I.e., Mautic 11/02/2017 Giancarlo Pellegrino,

17 Giancarlo Pellegrino, gpellegrino@cispa.saarland
Takeaways Presented Deemon: Dynamic analysis + property graphs Deemon detected 14 CSRFs that can be exploited to takeover accounts, websites, and compromise database integrity Discovered alarming behaviors: security-sensitive operations are protected in a selective manner Read all the gory details or play with Deemon: G. Pellegrino et al., Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs, in 24th ACM Conference onf Computer and Communications Security, 2017 (CCS 2017) Source code: 11/02/2017 Giancarlo Pellegrino,

Download ppt "Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs*"

Similar presentations

Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
AUTOMATED DISCOVERY OF PARAMETER POLLUTION VULNERABILITIES IN WEB APPLICATIONS Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, and Engin Kirda,

AUTOMATED DISCOVERY OF PARAMETER POLLUTION VULNERABILITIES IN WEB APPLICATIONS Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, and Engin Kirda,
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.

IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Introduction to Application Penetration Testing

Introduction to Application Penetration Testing
Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.

Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Approaches to Application Security – DSM

Approaches to Application Security – DSM
Robust Defenses for Cross-Site Request Forgery CS6V81 - 005 Presented by Saravana M Subramanian.

Robust Defenses for Cross-Site Request Forgery CS6V Presented by Saravana M Subramanian.

Similar presentations

Ads by Google