
The Essence of Command Injection Attacks in Web Applications. Zhendong Su and Gary Wassermann. Presented by Alon Kremer, April 2011.




1 The Essence of Command Injection Attacks in Web Applications. Zhendong Su and Gary Wassermann. Presented by Alon Kremer, April 2011.

2 Outline. Command injection attacks in web applications. Formal definition of a web application. Formal definition of a command injection attack. An algorithm to prevent those attacks.

3 Attacking the Web Application. A web application: ◦ takes input strings from the user and interprets them. ◦ Interacts with a back-end database. ◦ Retrieves data and dynamically generates new content. ◦ Presents the output to the user. The threat, a Command Injection Attack: ◦ unexpected input may cause problems.

4 Web Application Architecture. Web browser → Application → Database. User input flows from the browser to the application, which generates a database query based on that input; the database returns a result, and the application renders it as a web page.

5 SQLCIAs - Example. String query = "SELECT cardnum FROM accounts WHERE username = '" + strUName + "' AND cardtype = " + strCType + ";"; Expected input: SELECT cardnum FROM accounts WHERE username = 'John' AND cardtype = 2; Result: returns John's saved credit card number.

6 SQLCIAs - Example. String query = "SELECT cardnum FROM accounts WHERE username = '" + strUName + "' AND cardtype = " + strCType + ";"; Malicious input: SELECT cardnum FROM accounts WHERE username = 'John' AND cardtype = 2 OR 1 = 1; Result: returns all saved credit card numbers.

7 Web Application – Formally. A function from n-tuples of input strings to query strings. The function itself neither checks for changes in the query structure nor carries any information about where the substrings came from. Example: ⟨"John", "2"⟩ ↦ "SELECT cardnum FROM ccards WHERE name = 'John' AND cardtype = 2".

8 Quick Overview. Many web applications are vulnerable, and many private records can be exposed in a single attack. Ways to regulate user inputs: ◦ Filter out "bad" strings (what about 'O'Brian'?). ◦ Escape quotes (what about 2 OR 1=1?). ◦ Limit the input's length. ◦ Regular expressions, etc. The root cause of the problem is that the input changes the syntactic structure of the whole query.

9 SQLCIAs – Informally

10 SQLCIAs – Informally. An SQLCIA modifies the syntactic structure of a query. Our goal is to track user inputs with metadata, ⌈ and ⌉, so that the input is syntactically confined in the augmented query. Modify the SQL grammar to include the metadata: nonterm ::= ⌈ symbol ⌉. Attempt to parse the augmented query: ◦ fails ⇒ block; succeeds ⇒ allow.

11 Valid Syntactic Forms. Given G = { V, Σ, S, P }, choose the policy of input we want to allow: U ⊆ V ∪ Σ. The VSF (valid syntactic form) idea is that the parse tree has a node labelled from U that has an input substring as its descendants. Example grammar fragment:
b_term ::= b_term AND cond
cond ::= val comp val
val ::= num | id
comp ::= < | = | …
U = { cond }
Here "3 < x" is a VSF (it parses as a cond), while "2 OR 1 = 1" is not.

12 SQLCIAs – Formally. A query q is an SQLCIA if ◦ q has a parse tree T_q, and ◦ for some filter f and some input i: f(i) is a substring of q and is not a VSF in T_q.

13 Augmented Query. Our goal is to track and identify the user input inside the query (in the parse tree). By augmenting each input to ⌈ i_k ⌉ we can determine which substrings of the constructed query come from the input. A query q_a is an augmented query if it was generated from augmented input: q_a = W(⌈ i_1 ⌉, …, ⌈ i_n ⌉).

14 Augmented Grammar. Given G = { V, Σ, S, P } and U ⊆ Σ ∪ V. An augmented query q_a is in L(G_a) iff ◦ q is in L(G), and ◦ for each substring S that separates a pair of matching ⌈, ⌉, if the meta-characters are removed then S is a VSF. G_a = { V ∪ { u_a | u ∈ U }, Σ ∪ { ⌈, ⌉ }, S, P_a }, where each u_a is a fresh non-terminal and P_a = { v → rhs_a | v → rhs ∈ P } ∪ { u_a → u | u ∈ U } ∪ { u_a → ⌈ u ⌉ | u ∈ U }.

15 Augmented Grammar. { v → rhs_a | v → rhs ∈ P } constructs production rules in which all right-hand-side occurrences of u ∈ U are replaced with u_a. Example: U = { b, D }
P =
  S ::= b C D
  C ::= c
  D ::= d | dd
P_a =
  S ::= b_a C D_a
  b_a ::= ⌈ b ⌉ | b
  C ::= c
  D_a ::= ⌈ D ⌉ | D
  D ::= d | dd

16 Theorem. For all i_1, …, i_n: W(⌈ i_1 ⌉, …, ⌈ i_n ⌉) = q_a ∈ L(G_a) iff W(i_1, …, i_n) = q ∈ L(G) and q is not an SQLCIA.

17 Implementation. Meta-characters: two random four-letter strings, excluding dictionary words. Total of (count not in the transcript). Most user inputs are dictionary words, or passwords containing digits or not exactly four letters long, so the probability that a user input collides with the meta-characters is (value not in the transcript). The policy U is defined in terms of which non-terminals of the SQL grammar are permitted to be at the root of a VSF.

18 SQLCheck. SQLCheck returns q if q_a ∈ L(G_a); the meta-characters ⌈ ⌉ are randomly generated strings. Implementation pipeline: SQL grammar G and policy U → augment the SQL grammar → augmented SQL grammar G' → parser generator → SQLCheck, which sits between the web browser, the application and the database. Fragment of the augmented grammar:
…
bool ::= term_a
term_a ::= term | ⌈ term ⌉
term ::= fac_a
fac_a ::= fac | ⌈ fac ⌉
…
(Figure: parse trees of an augmented query, with the ⌈ ⌉ nodes under term_a and fac_a.)
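A small working model of the SQLCheck pipeline from slides 10 to 18, added here as an illustration and not the paper's own SQLCheck code: it assumes a toy SQL grammar covering the slide's cardtype query, constructed meta-strings in place of the random ones, and policy U = {val}, and it allows the augmented query only when every meta-bracketed substring parses as a single value.

```python
import re
# Constructed meta-strings for this example; SQLCheck draws fresh random
# non-dictionary strings so an attacker cannot guess them.
L_META, R_META = "qzxv", "wjkp"
TOKEN_RE = re.compile(
    rf"(?P<LM>{L_META})|(?P<RM>{R_META})|(?P<STR>'[^']*')|(?P<NUM>\d+)"
    r"|(?P<ID>[A-Za-z_]\w*)|(?P<OP><=|>=|<>|[=<>])|(?P<END>;)|(?P<WS>\s+)")
# a quoted literal whose body is exactly one meta-bracketed input substring
STR_OK = re.compile(rf"'{L_META}(?:(?!{L_META}|{R_META})[^'])*{R_META}'")

def tokenize(q):
    toks = [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(q)]
    if "".join(t for _, t in toks) != q:
        raise ValueError("unexpected character in query")
    return [t for t in toks if t[0] != "WS"] + [("EOF", "")]

class Parser:  # recursive descent over G_a with policy U = {val}
    def __init__(self, toks): self.toks, self.i = toks, 0
    def take(self, kind, word=None):
        k, t = self.toks[self.i]
        if k != kind or (word and t.upper() != word):
            raise ValueError(f"expected {word or kind}, got {t!r}")
        self.i += 1
    def query(self):   # query ::= SELECT id FROM id WHERE cond ;
        for w in "SELECT _ FROM _ WHERE".split():
            self.take("ID", None if w == "_" else w)
        self.cond(); self.take("END"); self.take("EOF")
    def cond(self):    # cond ::= atom ((AND | OR) atom)*   atom ::= val_a comp val_a
        self.val_a(); self.take("OP"); self.val_a()
        while self.toks[self.i][1].upper() in ("AND", "OR"):
            self.i += 1; self.val_a(); self.take("OP"); self.val_a()
    def val_a(self):   # val_a ::= val | L_META val R_META  (augmented production)
        wrapped = self.toks[self.i][0] == "LM"
        self.i += wrapped; self.val()
        if wrapped: self.take("RM")   # a meta token anywhere else fails the parse
    def val(self):     # val ::= num | id | 'str'
        k, t = self.toks[self.i]
        if k not in ("NUM", "ID", "STR"):
            raise ValueError(f"expected value, got {t!r}")
        if k == "STR" and (L_META in t or R_META in t) and not STR_OK.fullmatch(t):
            raise ValueError("input escapes its string literal")  # e.g. ' OR '1'='1
        self.i += 1

def build_query(uname, ctype):   # the slide's concatenation, inputs wrapped in metas
    return ("SELECT cardnum FROM accounts WHERE username = '" + L_META + uname
            + R_META + "' AND cardtype = " + L_META + ctype + R_META + ";")

def sqlcheck(q_a):
    """Allow: return the plain query if q_a is in L(G_a); block: return None."""
    try: Parser(tokenize(q_a)).query()
    except (ValueError, IndexError): return None
    return q_a.replace(L_META, "").replace(R_META, "")
```

The legitimate input pair ("John", "2") is allowed and the meta-strings are stripped before the query reaches the database, while "2 OR 1 = 1" for cardtype fails at the closing meta-string because "OR 1 = 1" is not part of a single val.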

19 Test Subjects. Two languages (PHP & JSP): most techniques require a language-specific front-end; ours does not.
Subject             Description                                LOC (PHP)  LOC (JSP)  Query Checks Added  Query Sites
Employee Directory  Online employee directory                  2,801      3,114      5                   16
Events              Event tracking system                      2,819      3,894      7                   20
Classifieds         Online management system for classifieds   5,540      5,819      10                  41
Portal              Portal for a club                          8,745      8,870      13                  42
Bookstore           Online bookstore                           9,224      9,649      18                  56

20 Evaluation. RTT over the internet: ~80-100 ms.
Language  Subject             Legitimate (Attempted / Allowed)  Attacks (Attempted / Prevented)  Timing mean (ms)  Timing std dev (ms)
PHP       Employee Directory  660 / 660                         3937 / 3937                      3.230             2.080
PHP       Events              900 / 900                         3605 / 3605                      2.613             0.961
PHP       Classifieds         576 / 576                         3724 / 3724                      2.478             1.049
PHP       Portal              1080 / 1080                       3685 / 3685                      3.788             3.233
PHP       Bookstore           608 / 608                         3473 / 3473                      2.806             1.625
JSP       Employee Directory  660 / 660                         3937 / 3937                      3.186             0.652
JSP       Events              900 / 900                         3605 / 3605                      3.368             0.710
JSP       Classifieds         576 / 576                         3724 / 3724                      3.134             0.548
JSP       Portal              1080 / 1080                       3685 / 3685                      3.063             0.441
JSP       Bookstore           608 / 608                         3473 / 3473                      2.897             0.257

21 Conclusions. A formal definition of SQLCIAs and an algorithm to prevent them by syntactically constraining the substrings that come from user input. SQLCheck intercepts all queries and checks their syntactic form. Suitable for different languages and web interfaces.

22 Future Work. Experiment with more real-world online web applications and more sophisticated testing techniques (input placeholders). Apply to XSS, XPath injection, etc.

23 A few thoughts about the article. The formal definitions of the web application and of the SQLCIA capture the most common and basic properties. The algorithm is simple and elegant. The solution suits all web apps, even those written in different programming languages. The input policy is easy to control. The evaluation did not test against attackers attempting to defeat this particular mechanism.

