Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Essence of Command Injection Attacks in Web Applications Zhendong Su and Gary Wassermann Present by Alon Kremer April 2011.

Published byChad Morrison Modified over 9 years ago

Similar presentations

Presentation on theme: "The Essence of Command Injection Attacks in Web Applications Zhendong Su and Gary Wassermann Present by Alon Kremer April 2011."— Presentation transcript:

1 The Essence of Command Injection Attacks in Web Applications Zhendong Su and Gary Wassermann Present by Alon Kremer April 2011

2 Outline 19:462 Command injection attacks in web application Formal definition of web application Formal Definition of command injection attack An algorithm to prevent those attacks

3 Attacking the Web Application Web application: ◦ takes input strings from the user and interprets it. ◦ Interacts with back-end database. ◦ Retrieve data and dynamically generates new content. ◦ Presents the output to the user. The threat – Command Injection Attack: ◦ Unexpected input may cause problems. 19:463

4 Web Application Architecture Web browser Application Database User input Database query Application generates query based on user input Result Web page 19:464

5 SQLCIAs - Example String query = “SELECT cardnum FROM accounts WHERE username = ‘” + strUName + “’ AND cardtype = ” + strCType + “;”; Expected input: SELECT cardnum FROM accounts WHERE username = ‘John’ AND cardtype = 2; Result: Returns John’s saved credit card number. 19:465

6 Malicious input: SELECT cardnum FROM accounts WHERE username = ‘John’ AND cardtype = 2 OR 1 = 1; SQLCIAs - Example Result: Returns all saved credit card numbers. ( ()) 19:466 String query = “SELECT cardnum FROM accounts WHERE username = ‘” + strUName + “’ AND cardtype = ” + strCType + “;”;

7 Web Application – Formally A function from n-tuples of input strings to queries strings. It doesn’t check changes in the query structure or gives information about the source of the strings. h “John”, “2” i “SELECT cardnum FROM ccards WHERE name = ‘John’ AND cardtype = 2” 19:467

8 Quick Overview Many web applications are vulnerable and lots of private records can be exposed in 1 attack. Ways to regulate user inputs ◦ Filter out “bad” strings. (‘O’brian’ ?) ◦ Escape quotes. ( 2 OR 1=1 ?) ◦ Limiting input’s length. ◦ Regular expression, etc. The cause of problems is that the input changes the syntactic structure of whole query. 19:468

9 SQLCIAs – Informally 19:469

10 SQLCIAs – Informally SQLCIA – modifies syntactic structure of a query. Our goal is to track user inputs with metadata: m and n so the input is syntactically confined in the augmented query. Modify SQL grammar to include metadata: nonterm ::= m symbol n Attempt to parse augmented query ◦ Fails ) block;Succeeds ) allow. 19:4610

11 Valid Syntactic Forms Given G = { V, , S, P }, choose policy of input we want to allow U µ V [  VSF idea is that the parse tree has a node in U which has an input substring as descendants. b_term ::= b_term AND cond cond ::= val comp val val ::= num | id comp ::= | = … U = { cond } 3 < x 2 OR 1 = 1 19:4611

12 SQLCIAs – Formally Query q is a SQLCIA if ◦ q has a parse tree T q. ◦ For some filter f and some input i : ◦ f ( i ) is a substring in q and is not a VSF in T q. 19:4612

13 Augmented Query Our goal is to track and identify the user input inside the query (in the parse tree). By augmenting the input to m i k n we can determine which substrings of the constructed query come from the input. A query q a is an augmented query if it was generated from augmented input. q a =W ( m i 1 n,…, m i n n ) 19:4613

14 Augmented Grammar Given: G = { V, , S, P } and U µ  [ V An augmented query q a is in L ( G a ) iff ◦ q is in L ( G ), and ◦ for each substring S that separates a pair of matching m, n, if the meta-characters are removed then S is VSF. G a = { V [ { u a | u 2 U },  [ { m, n }, S, P a } u a : fresh non-terminal P a = {v ! rhs a | v ! rhs 2 P } [ {u a ! u | u 2 U } [ {u a ! m u n | u 2 U } 19:4614

15 Augmented Grammar {v ! rhs a | v ! rhs 2 P } construct production rules that all “Right Hand Side” occurrences of u 2 U are replaced with u a Example: U = { b, D } S ::= b CD C ::= c D ::= d | dd S ::= b a CD a b a ::= m b n | b C ::= c D a ::= m D n | D D ::= d | dd P = P a = 19:4615

16 Theorem For all i 1,…, i n, W ( m i 1 n,…, m i n n ) = q a 2 L ( G a ) iff W ( i 1,…, i n ) = q 2 L ( G ) and q is not an SQLCIA. 19:4616

17 Implementation Meta Characters- two random four letters strings, except dictionary words. Total of Most user inputs are dictionary words, passwords with numbers or other then 4 letters, so the probability for using the meta- characters is The policy U is defined in terms of which non terminals in SQL grammar are permitted to be at the root of VSF. 19:4617

18 SQLCheck returns q if q a 2 L (G a ) use randomly generated strings Implementation G U G’ augment SQL grammar Policy Augmented SQL grammar Parser Generator SQLCheck Web Browser Application Database mn m n … bool ::= term a term a ::= term | m term n term ::= fac a fac a ::= fac | m fac n … bool term a term fac fac a mn bool term a term fac fac a mn 19:4618

19 Test Subjects SubjectDescriptionLOCQuery Checks Added Query Sites PHPJSP Employee DirectoryOnline employee directory2,8013,114516 EventsEvent tracking system2,8193,894720 ClassifiedsOnline management system for classifieds 5,5405,8191041 PortalPortal for a club8,7458,8701342 BookstoreOnline bookstore9,2249,6491856 Two languages (PHP & JSP): –Most techniques require a language-specific front-end; ours does not 19:4619

20 Evaluation LanguageSubjectQueriesTiming (ms) Legitimate (Attempted / Allowed) Attacks (Attempted / Prevented) MeanStd Dev PHP Employee Directory660 / 6603937 / 39373.2302.080 Events900 / 9003605 / 36052.6130.961 Classifieds576 / 5763724 / 37242.4781.049 Portal1080 / 10803685 / 36853.7883.233 Bookstore608 / 6083473 / 34732.8061.625 JSP Employee Directory660 / 6603937 / 39373.1860.652 Events900 / 9003605 / 36053.3680.710 Classifieds576 / 5763724 / 37243.1340.548 Portal1080 / 10803685 / 36853.0630.441 Bookstore608 / 6083473 / 34732.8970.257 RTT over internet: ~80-100ms 19:4620

21 Conclusions Formal definition of SQLCIAs and an algorithm to prevent them by syntactically constrain substrings from user input. SqlCheck intercepts all queries and check their syntactic form. Suitable for different languages and web interfaces. 19:4621

22 Future Work Experiment with more real-world online web applications and more sophisticated testing techniques. (input place holder). Apply to XSS, Xpath injection, etc. 19:4622

23 A few thoughts about the article The formal definition of the web application and the SQLCIA referred to the most common and basic properties. The algorithm was simple and elegant. This solution suits for all web apps even in different programming languages. Easy to control the input policy. The evaluation was not tested versus attackers attempting to defeat this particular mechanism. 19:4623

Download ppt "The Essence of Command Injection Attacks in Web Applications Zhendong Su and Gary Wassermann Present by Alon Kremer April 2011."

Similar presentations

Parsing V: Bottom-up Parsing

Parsing V: Bottom-up Parsing
Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.

Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.
Translator Architecture Code Generator ParserTokenizer string of characters (source code) string of tokens abstract program string of integers (object.

Translator Architecture Code Generator ParserTokenizer string of characters (source code) string of tokens abstract program string of integers (object.
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su.

Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su.
B.Sc. Multimedia ComputingMedia Technologies Database Technologies.

B.Sc. Multimedia ComputingMedia Technologies Database Technologies.
Context-Free Grammars Lecture 7

Context-Free Grammars Lecture 7
Fall 2007CS 2251 Miscellaneous Topics Deque Recursion and Grammars.

Fall 2007CS 2251 Miscellaneous Topics Deque Recursion and Grammars.
1 Foundations of Software Design Lecture 23: Finite Automata and Context-Free Grammars Marti Hearst Fall 2002.

1 Foundations of Software Design Lecture 23: Finite Automata and Context-Free Grammars Marti Hearst Fall 2002.
Tutorial 14 Working with Forms and Regular Expressions.

Tutorial 14 Working with Forms and Regular Expressions.
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann and Zhendong Su UC Davis Slides from

Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann and Zhendong Su UC Davis Slides from
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
 2004 Prentice Hall, Inc. All rights reserved. Chapter 25 – Perl and CGI (Common Gateway Interface) Outline 25.1 Introduction 25.2 Perl 25.3 String Processing.

 2004 Prentice Hall, Inc. All rights reserved. Chapter 25 – Perl and CGI (Common Gateway Interface) Outline 25.1 Introduction 25.2 Perl 25.3 String Processing.
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.

Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.
MIS 5211.001 Week 11 Site:

MIS Week 11 Site:
A Scalable Application Architecture for composing News Portals on the Internet Serpil TOK, Zeki BAYRAM. Eastern MediterraneanUniversity Famagusta Famagusta.

A Scalable Application Architecture for composing News Portals on the Internet Serpil TOK, Zeki BAYRAM. Eastern MediterraneanUniversity Famagusta Famagusta.
Www.TASK.to GOOGLE HACKING FOR PENETRATION TESTERS Chris Chromiak SentryMetrics March 27 th, 2007.

GOOGLE HACKING FOR PENETRATION TESTERS Chris Chromiak SentryMetrics March 27 th, 2007.
1 Introduction to Parsing Lecture 5. 2 Outline Regular languages revisited Parser overview Context-free grammars (CFG’s) Derivations.

1 Introduction to Parsing Lecture 5. 2 Outline Regular languages revisited Parser overview Context-free grammars (CFG’s) Derivations.
Parsing IV Bottom-up Parsing Copyright 2003, Keith D. Cooper, Ken Kennedy & Linda Torczon, all rights reserved. Students enrolled in Comp 412 at Rice University.

Parsing IV Bottom-up Parsing Copyright 2003, Keith D. Cooper, Ken Kennedy & Linda Torczon, all rights reserved. Students enrolled in Comp 412 at Rice University.
Tutorial 14 Working with Forms and Regular Expressions.

Tutorial 14 Working with Forms and Regular Expressions.

Similar presentations

Ads by Google