
ARC: Protecting against HTTP Parameter Pollution Attacks Using Application Request Caches Elias Athanasopoulos, Vassileios P. Kemerlis, Michalis Polychronakis.


1 ARC: Protecting against HTTP Parameter Pollution Attacks Using Application Request Caches
Elias Athanasopoulos, Vassileios P. Kemerlis, Michalis Polychronakis (Columbia University, US)
Evangelos P. Markatos (FORTH-ICS, Greece)
ACNS 2012

2 Web Applications
ARC, ACNS 2012 - Elias Athanasopoulos, Columbia University
Web Browser -> Web Server: HTTP Request, GET login?username=joe
Web Server -> Web Browser: HTTP Response, HTTP OK

3 URLs in HTTP
HTTP Request: GET login?username=joe
- URL: login?username=joe
- Action: login
- Parameters: username

4 Example: Web e-mail
Login:          login?username=joe
Read e-mail:    action?type=read&id=42
Delete e-mail:  action?type=delete&id=42
Delete mailbox: action?type=del_box&id=inbox
Logout:         logout?username=joe

5 Are all URLs valid?
login?username=joe&type=delete&id=42
action?type=read&id=42&id=2
action?type=delete&id=2&id=42
action?type=del_box
logout?username=joe&type=del_mbox&id=inbox
None of these is a URL the web e-mail application ever emits: parameters have been added, duplicated or dropped.

6 HTTP Parameter Pollution (HPP)
- How is this URL interpreted? action?type=read&id=6&id=42 (the application only ever generates action?type=read&id=6)
- The first occurrence is kept (6 wins)
- The last occurrence is kept (42 wins)
- Order does not matter: both values are concatenated (6 and 42, or 42 and 6)
- Which case applies depends on the server-side technology: Java servlets' getParameter returns the first value, PHP's $_GET keeps the last, and ASP.NET joins all values with commas.


8 URL Space
- All possible URLs
- URLs that define the web application's logic (a subset of the above)
- Attacker URLs: syntactically valid URLs that fall outside that subset

9 HPP Impact
About 1,499 of 5,000 highly ranked Alexa.com web sites were found to be vulnerable to HPP exploitation.
- Automated discovery of parameter pollution vulnerabilities in web applications. Balduzzi et al., NDSS 2011.


11 Goal
- All possible URLs
- URLs that define the web application's logic: we need to serve these
- Attacker URLs: we need to block these

12 URL Schema
- A URL schema has the form: action?par1=&par2=...&parN=
- Example: the URL login?username=joe has the schema login?username=

13 Architecture
- Training phase: the web application is passively monitored and the legitimate URL schemas are collected
- Deployment phase: the client's HTTP request passes through ARC before it reaches the web application

14 Training Phase
- Large frameworks (such as phpBB) are developed and tested by a large community
- Big applications (like Facebook) test new features in a closed environment
In both cases legitimate traffic is available for collecting URL schemas before the application is exposed to attackers.

15 ARC at run-time
HTTP Request -> ARC (URL schemas: action?par1=&par2=&...&parN=) -> Web application
- A valid schema exists: the request is forwarded to the web application
- No schema: the request is rejected

16 Implementation
- ARC is a web application proxy implemented in Google's Go
- ARC uses Go data structures for its hash tables and lists, and Go channels for multithreading

17 Data Structures
Example URL: action?type=forward&id=42&to=mark
Cache entry:  action -> type=, id=, to=
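The training and run-time lookup of slides 12 to 17, written out as an added example in Go, the language ARC is implemented in. This is illustrative code, not the authors' ARC implementation. It assumes that a schema keeps parameter names in the order they appear (so a duplicated name such as id=&id= yields a schema distinct from id=) and that a request is matched by exact schema string; the URLs used for training are the web e-mail URLs of slides 4 and 17.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// schemaOf strips the parameter values from a URL and returns its schema in
// the form used on the "URL Schema" slide: "action?par1=&par2=...&parN=".
// Assumption (not stated on the slides): parameter names are kept in the
// order they appear, so "id=&id=" is a different schema from "id=" and a
// polluted request will not match a schema learned from clean traffic.
func schemaOf(rawURL string) string {
	path, query, hasQuery := strings.Cut(rawURL, "?")
	action := strings.TrimPrefix(path, "/")
	if !hasQuery || query == "" {
		return action
	}
	var names []string
	for _, pair := range strings.Split(query, "&") {
		if pair == "" {
			continue
		}
		name, _, _ := strings.Cut(pair, "=")
		names = append(names, name+"=")
	}
	return action + "?" + strings.Join(names, "&")
}

// ARC is the application request cache: a whitelist of URL schemas.
type ARC struct {
	schemas map[string]struct{}
}

func NewARC() *ARC {
	return &ARC{schemas: make(map[string]struct{})}
}

// Train is the training phase: record the schema of a URL observed while
// passively monitoring legitimate traffic.
func (a *ARC) Train(rawURL string) {
	a.schemas[schemaOf(rawURL)] = struct{}{}
}

// Allow is the deployment-phase lookup: the request is forwarded only if a
// matching schema exists in the cache, otherwise it is rejected.
func (a *ARC) Allow(rawURL string) bool {
	_, ok := a.schemas[schemaOf(rawURL)]
	return ok
}

// Middleware puts ARC in front of a legacy handler, the way the ARC proxy
// sits between the client and the web application on the architecture slide.
func (a *ARC) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !a.Allow(r.URL.RequestURI()) {
			http.Error(w, "request does not match a known URL schema", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	arc := NewARC()
	// Training trace: the legitimate web e-mail URLs of slides 4 and 17.
	for _, u := range []string{
		"login?username=joe",
		"action?type=read&id=42",
		"action?type=delete&id=42",
		"action?type=del_box&id=inbox",
		"action?type=forward&id=42&to=mark",
		"logout?username=joe",
	} {
		arc.Train(u)
	}
	// Run time: one clean request, then the suspicious URLs of slide 5.
	for _, u := range []string{
		"action?type=read&id=7",
		"login?username=joe&type=delete&id=42",
		"action?type=read&id=42&id=2",
		"action?type=del_box",
		"logout?username=joe&type=del_mbox&id=inbox",
	} {
		fmt.Printf("%-45s schema=%-30s allow=%v\n", u, schemaOf(u), arc.Allow(u))
	}
}
```

Only the first request is allowed; the other four have an added, duplicated or missing parameter and therefore no schema in the cache. Because the check is a single map lookup on a short string, it is cheap enough to explain the microsecond-level resolution times reported later in the talk.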


19 Synthetic Traces
Web App | URLs    | Min Par. | Max Par. | Density
Small   | 1,000   | 5        | 12       | 0.01
Medium  | 10,000  | 7        | 15       | 0.001
Heavy   | 100,000 | 12       | 20       | 0.001
Density: ratio of unique actions over all possible URL schemas.

20 Trace Selection (figure)

21 Multithreading
- We have implemented two versions of ARC
- Single Channel
- 4-Channel

22 Request Resolution
Requests are resolved in less than 10 microseconds.

23 Throughput
Requests can be processed at a rate of hundreds of thousands of URLs per second.

24 Takeaways
- ARC can protect HPP-vulnerable applications by keeping a whitelist of accepted URL schemas
- ARC is fast and can be transparently applied to legacy web applications


26 HTTP Parameter Pollution (HPP)
- New attack targeting web applications
- HTTP parameter injection
- Manipulation of the web application's control flow
- Drives the web application according to the attacker's needs

27 HPP in a slide
- Web applications are driven through HTTP requests and responses, which encapsulate resource descriptors: URLs
- URLs are composed of an action and a list of parameters
  http://site/login?user=joe&country=SG
- The list of parameters can be polluted with extra parameters

28 URL example
http://www.e-store.com/purchase?item_id=42
- Action: purchase
- Parameter: item_id=42
This URL is associated with a script, purchase, which is called with the input argument item_id, whose value is 42.

29 Attack Scenario: e-store
- Two families of URLs:
  (1) show?category=1
  (2) purchase?category=1&item_id=1

30 Normal Operation
show?category=1 lists the items of category 1; the application appends category=1 to each item's purchase link:
purchase?item_id=1 + category=1 -> purchase?item_id=1&category=1
purchase?item_id=2 + category=1 -> purchase?item_id=2&category=1
...
purchase?item_id=N + category=1 -> purchase?item_id=N&category=1

31 Bob attacks
- Bob lures Alice to click on links like: show?category=1%26item_id=42
  (%26 is the URL-encoded &, so after decoding the category value is 1&item_id=42)
- Channels: IM, fake web pages, e-mail, etc.

32 HPP in Action
show?category=1%26item_id=42: the application decodes the category value to 1&item_id=42 and appends it as before:
purchase?item_id=1 + category=1&item_id=42 -> purchase?item_id=1&category=1&item_id=42
purchase?item_id=2 + category=1&item_id=42 -> purchase?item_id=2&category=1&item_id=42
...
purchase?item_id=N + category=1&item_id=42 -> purchase?item_id=N&category=1&item_id=42

33 Normal Operation vs HPP
Normal: purchase?item_id=1&category=1
HPP:    purchase?item_id=1&category=1&item_id=42
Which item is actually purchased depends on how the back end resolves the duplicated item_id (first value, last value, or both; see slide 6).
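The e-store attack of slides 29 to 33, together with the three ways of reading a duplicated parameter from slide 6, as an added Go example. This is not code from the paper or from ARC: the catalogue and the link-building functions are constructed for illustration, and Go's net/url stands in for whatever server-side library decodes the query string. The vulnerable page appends the decoded category value to each purchase link by string concatenation; the hardened page re-encodes it first.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed catalogue: the items listed by the "show" page. Category
// filtering is omitted because it is not needed to demonstrate the attack.
var catalogue = []int{1, 2, 3}

// vulnerableShowPage mirrors slides 30 and 32: the application decodes the
// category parameter (so %26 becomes "&") and appends it to every purchase
// link by plain string concatenation. A category value of "1&item_id=42"
// therefore injects a second item_id into every generated link.
func vulnerableShowPage(showURL string) ([]string, error) {
	u, err := url.Parse(showURL)
	if err != nil {
		return nil, err
	}
	category := u.Query().Get("category") // percent-decoded by net/url
	var links []string
	for _, id := range catalogue {
		links = append(links, fmt.Sprintf("purchase?item_id=%d&category=%s", id, category))
	}
	return links, nil
}

// safeShowPage re-encodes the value before embedding it, so "&" and "="
// stay inside the category value as %26 and %3D instead of becoming
// query-string delimiters. This is the output-encoding fix at the source,
// independent of ARC.
func safeShowPage(showURL string) ([]string, error) {
	u, err := url.Parse(showURL)
	if err != nil {
		return nil, err
	}
	category := u.Query().Get("category")
	var links []string
	for _, id := range catalogue {
		links = append(links, fmt.Sprintf("purchase?item_id=%d&category=%s", id, url.QueryEscape(category)))
	}
	return links, nil
}

// interpret reads one parameter of a generated link under the three
// policies of slide 6: first occurrence wins, last occurrence wins, or all
// occurrences are concatenated. net/url keeps every occurrence, in order.
func interpret(link, name string) (first, last, concat string) {
	u, err := url.Parse(link)
	if err != nil {
		return "", "", ""
	}
	vals := u.Query()[name]
	if len(vals) == 0 {
		return "", "", ""
	}
	return vals[0], vals[len(vals)-1], strings.Join(vals, ",")
}

func main() {
	lure := "show?category=1%26item_id=42" // the link Bob sends Alice (slide 31)
	bad, _ := vulnerableShowPage(lure)
	good, _ := safeShowPage(lure)
	for _, link := range []string{bad[0], good[0]} {
		f, l, c := interpret(link, "item_id")
		fmt.Printf("%s\n  item_id: first=%q last=%q concatenated=%q\n", link, f, l, c)
	}
}
```

With the vulnerable page, the first generated link is purchase?item_id=1&category=1&item_id=42, and a back end that keeps the last value purchases item 42 instead of item 1. With the hardened page the link is purchase?item_id=1&category=1%26item_id%3D42: item_id has a single value and the category value survives intact. Note how the two defences relate: the lure link show?category=1%26item_id=42 has the schema show?category=, which a schema whitelist would accept, so a proxy such as ARC catches the attack only at the next step, when the polluted purchase link (schema purchase?item_id=&category=&item_id=) is requested; fixing the encoding removes the pollution before any link is emitted.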


