The Essence of Command Injection Attacks in Web Applications
Zhendong Su and Gary Wassermann
Presented by Alon Kremer, April 2011
Outline
◦ Command injection attacks in web applications
◦ Formal definition of a web application
◦ Formal definition of a command injection attack
◦ An algorithm to prevent those attacks
Attacking the Web Application
A web application:
◦ takes input strings from the user and interprets them.
◦ interacts with a back-end database.
◦ retrieves data and dynamically generates new content.
◦ presents the output to the user.
The threat, a command injection attack:
◦ unexpected input, spliced into a command the application builds, may change what that command does.
Web Application Architecture
Web browser → (user input) → Application → (database query, generated from the user input) → Database → (result) → Application → (web page) → Web browser
SQLCIAs - Example
String query = "SELECT cardnum FROM accounts WHERE username = '" + strUName + "' AND cardtype = " + strCType + ";";
Expected input: strUName = John, strCType = 2
Resulting query: SELECT cardnum FROM accounts WHERE username = 'John' AND cardtype = 2;
Result: Returns John's saved credit card number.
SQLCIAs - Example (continued)
Malicious input: strUName = John, strCType = 2 OR 1 = 1
Resulting query: SELECT cardnum FROM accounts WHERE username = 'John' AND cardtype = 2 OR 1 = 1;
Result: Returns all saved credit card numbers. AND binds tighter than OR, so the WHERE clause reads (username = 'John' AND cardtype = 2) OR 1 = 1, which is true for every row.
Web Application – Formally
A web application is a function from n-tuples of input strings to query strings. The function itself neither checks for changes in the query's structure nor records which parts of the query came from which input.
⟨"John", "2"⟩ ↦ "SELECT cardnum FROM ccards WHERE name = 'John' AND cardtype = 2"
Quick Overview
Many web applications are vulnerable, and a single attack can expose many private records.
Ways to regulate user input:
◦ Filter out "bad" strings. (What about the legitimate name O'Brian?)
◦ Escape quotes. (Does nothing against 2 OR 1 = 1, which contains no quote.)
◦ Limit the input's length.
◦ Regular expressions, etc.
The root cause is that the input changes the syntactic structure of the whole query.
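The slides' query run against a constructed in-memory SQLite table, as an added example (not code from the paper or the talk): it shows the concatenated query leaking every card for the input 2 OR 1 = 1, the "escape quotes" defence from the list above failing for that same input (and the unfiltered concatenation breaking on the legitimate name O'Brian), and a parameter-bound query, in which input can only ever be a value, behaving correctly in both cases. The table, rows and card numbers are made up for the demonstration.

```python
import sqlite3

# Constructed sample data: three users, one with a legitimate apostrophe in the name.
ROWS = [("John", 2, "4111-0001"), ("John", 1, "4111-0002"),
        ("Mary", 2, "4111-0003"), ("O'Brian", 2, "4111-0004")]


def setup():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, cardtype INTEGER, cardnum TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ROWS)
    return db


def run(db, query, params=()):
    """Run a query and return the card numbers it yields, or None on a SQL syntax error."""
    try:
        return sorted(row[0] for row in db.execute(query, params))
    except sqlite3.OperationalError:
        return None


def lookup_concat(db, user, ctype):
    """The slides' construction: both inputs are spliced into the query text (vulnerable)."""
    return run(db, "SELECT cardnum FROM accounts WHERE username = '" + user
               + "' AND cardtype = " + ctype + ";")


def lookup_escaped(db, user, ctype):
    """The 'escape quotes' defence: doubling quotes protects the string slot, but the
    numeric slot has no quotes, so 2 OR 1 = 1 passes through unchanged."""
    def esc(s):
        return s.replace("'", "''")
    return run(db, "SELECT cardnum FROM accounts WHERE username = '" + esc(user)
               + "' AND cardtype = " + esc(ctype) + ";")


def lookup_param(db, user, ctype):
    """Bound parameters: the query's parse tree is fixed before any input arrives, so an
    input can only ever be compared as a value, never become new syntax."""
    return run(db, "SELECT cardnum FROM accounts WHERE username = ? AND cardtype = ?",
               (user, ctype))


if __name__ == "__main__":
    db = setup()
    print(lookup_concat(db, "John", "2"))              # ['4111-0001']
    print(lookup_concat(db, "John", "2 OR 1 = 1"))     # every card in the table
    print(lookup_escaped(db, "John", "2 OR 1 = 1"))    # still every card: nothing to escape
    print(lookup_escaped(db, "John' OR '1'='1", "2"))  # []: escaping does work in the string slot
    print(lookup_concat(db, "O'Brian", "2"))           # None: a legitimate name breaks the query
    print(lookup_param(db, "O'Brian", "2"))            # ['4111-0004']
    print(lookup_param(db, "John", "2 OR 1 = 1"))      # []: compared as a value, matches nothing
```

The parameter-bound lookup returns nothing for "2 OR 1 = 1" because SQLite compares the bound text against the INTEGER column as a value, and the text is not a number; the same input spliced into the query text becomes three new tokens and a second disjunct. That structural change is exactly what the slides go on to formalize.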
SQLCIAs – Informally
A SQLCIA modifies the syntactic structure of a query.
Goal: track user input through the query by bracketing each input with the meta-characters m and n (an opening and a closing marker), so that the input is syntactically confined inside the augmented query.
Modify the SQL grammar to include the meta-characters: nonterm ::= m symbol n
Attempt to parse the augmented query:
◦ parse fails ⇒ block the query; parse succeeds ⇒ allow it.
Valid Syntactic Forms
Given a grammar G = (V, Σ, S, P), choose a policy U ⊆ V ∪ Σ: the symbols that user input is allowed to form.
A substring of the query is a valid syntactic form (VSF) if the parse tree has a node labelled with a symbol in U whose descendants are exactly that substring.
Example grammar fragment:
b_term ::= b_term AND cond
cond ::= val comp val
val ::= num | id
comp ::= < | = | …
With U = { cond }, the input 3 < x is a VSF (it is derived from a single cond node), whereas 2 OR 1 = 1 is not (no single node in U covers it).
SQLCIAs – Formally
A query q is a SQLCIA if
◦ q has a parse tree T_q, and
◦ for some input filter f and some input i, f(i) is a substring of q that is not a VSF in T_q.
Augmented Query
Goal: track and identify the user input inside the query (in its parse tree).
By augmenting each input i_k to m i_k n we can determine which substrings of the constructed query came from input.
A query q_a is an augmented query if it was generated from augmented inputs:
q_a = W(m i_1 n, …, m i_n n)
Augmented Grammar
Given G = (V, Σ, S, P) and U ⊆ V ∪ Σ.
An augmented query q_a is in L(G_a) iff
◦ q, the query obtained by removing the meta-characters from q_a, is in L(G), and
◦ for each substring s delimited by a matching pair m, n, s with the meta-characters removed is a VSF.
G_a = (V ∪ { u_a | u ∈ U }, Σ ∪ { m, n }, S, P_a), where each u_a is a fresh non-terminal and
P_a = { v → rhs_a | v → rhs ∈ P } ∪ { u_a → u | u ∈ U } ∪ { u_a → m u n | u ∈ U }
Augmented Grammar
{ v → rhs_a | v → rhs ∈ P } is P with every right-hand-side occurrence of a symbol u ∈ U replaced by u_a.
Example: U = { b, D }
P:
S ::= b C D
C ::= c
D ::= d | dd
P_a:
S ::= b_a C D_a
b_a ::= m b n | b
C ::= c
D_a ::= m D n | D
D ::= d | dd
Theorem
For all i_1, …, i_n: W(m i_1 n, …, m i_n n) = q_a ∈ L(G_a) iff W(i_1, …, i_n) = q ∈ L(G) and q is not a SQLCIA.
Implementation
Meta-characters: two random four-letter strings, excluding dictionary words. Total of … Most user inputs are dictionary words, or passwords containing digits or of a length other than four letters, so the probability that a legitimate input happens to contain the meta-characters is …
The policy U is defined in terms of which non-terminals of the SQL grammar are permitted to be the root of a VSF.
SQLCheck
SQLCheck returns q if q_a ∈ L(G_a). The meta-characters m, n are randomly generated strings.
Build: the SQL grammar G and the policy U are combined into the augmented SQL grammar G_a, which is fed to a parser generator to produce the SQLCheck parser.
Deployment: Web browser → Application → SQLCheck → Database. The application brackets each input as m … n, and SQLCheck parses the augmented query before it reaches the database.
Sample augmented productions:
bool ::= term_a
term_a ::= term | m term n
term ::= fac_a
fac_a ::= fac | m fac n
…
[Parse trees over these productions, bool → term_a → term → fac_a → fac, with the m, n pair attached under an augmented node.]
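A toy SQLCheck in Python, as an added example rather than the authors' implementation: it builds the augmented grammar G_a of the preceding slides for a small SQL fragment and checks whether W(m i_1 n, …, m i_n n) ∈ L(G_a). Assumptions not taken from the page: the grammar fragment itself, the fixed meta-characters « and » standing in for SQLCheck's random four-letter strings, and a backtracking recursive-descent parser standing in for a generated one. card_lookup is the slides' query written as a function of its two inputs; card_search is a made-up application that lets the user supply a whole condition, so that the policy U can be seen at work.

```python
"""Toy SQLCheck (added example, not the paper's tool) for the fragment
    query ::= SELECT id FROM id WHERE bool ;      bool ::= cond ((AND | OR) cond)*
    cond  ::= val comp val                         val  ::= num | str | id
Assumed: fixed meta-characters « » (SQLCheck uses random strings) and a backtracking parser."""
import re

META_OPEN, META_CLOSE = "\u00ab", "\u00bb"          # the slides' m and n
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR"}
DEFAULT_POLICY = frozenset({"val", "cond"})          # U: symbols an input may be the root of
TOKEN_RE = re.compile(r"\s*(?:(?P<str>'[^']*')|(?P<num>\d+)|(?P<word>[A-Za-z_]\w*)|(?P<comp>[=<>])"
                      rf"|(?P<semi>;)|(?P<meta_open>{META_OPEN})|(?P<meta_close>{META_CLOSE}))")

class Reject(Exception): pass   # the augmented query is not in L(G_a)

def lex(query):
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise Reject(f"cannot tokenize {query[pos:pos + 10]!r}")
        pos, kind, text = m.end(), m.lastgroup, m.group(m.lastgroup)
        if kind == "str":
            # Meta-characters inside a literal are legal only as '«...»', i.e. the whole literal is one input.
            body = text[1:-1]
            metas = [c for c in body if c in (META_OPEN, META_CLOSE)]
            if not metas:
                tokens.append(("str", body))
            elif metas == [META_OPEN, META_CLOSE] and body[0] == META_OPEN and body[-1] == META_CLOSE:
                tokens += [("meta_open", META_OPEN), ("str", body[1:-1]), ("meta_close", META_CLOSE)]
            else:
                raise Reject("meta-character crosses a string-literal boundary")
        elif kind == "word":
            tokens.append(("kw", text.upper()) if text.upper() in KEYWORDS else ("id", text))
        else:
            tokens.append((kind, text))
    return tokens

class Parser:
    def __init__(self, tokens, policy):
        self.toks, self.pos, self.policy = tokens, 0, policy
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else ("eof", "")
    def take(self, kind, text=None):
        k, t = self.peek()
        if k != kind or (text is not None and t != text):
            raise Reject(f"expected {text or kind}, got {t!r}")
        self.pos += 1
    def nonterm(self, name, body):
        """u_a ::= m u n | u: a meta pair is accepted only around a symbol in the policy U."""
        if name in self.policy and self.peek()[0] == "meta_open":
            save, self.pos = self.pos, self.pos + 1
            try:
                body()
                return self.take("meta_close")
            except Reject:
                self.pos = save            # backtrack: perhaps a descendant in U owns the pair
        body()
    def query(self):
        self.take("kw", "SELECT"); self.take("id")
        self.take("kw", "FROM"); self.take("id")
        self.take("kw", "WHERE"); self.boolean()
        self.take("semi")
        if self.peek()[0] != "eof":
            raise Reject("trailing tokens")
    def boolean(self):                     # bool ::= cond ((AND | OR) cond)*
        self.nonterm("cond", self.cond)
        while self.peek() in (("kw", "AND"), ("kw", "OR")):
            self.pos += 1
            self.nonterm("cond", self.cond)
    def cond(self):                        # cond ::= val comp val
        self.nonterm("val", self.val)
        self.take("comp")
        self.nonterm("val", self.val)
    def val(self):                         # val ::= num | str | id
        if self.peek()[0] not in ("num", "str", "id"):
            raise Reject(f"expected value, got {self.peek()[1]!r}")
        self.pos += 1

def sqlcheck(build_query, inputs, policy=DEFAULT_POLICY):
    """Return the plain query q if W(m i1 n, ..., m in n) is in L(G_a), else None."""
    augmented = [META_OPEN + i + META_CLOSE for i in inputs]   # the application wraps each input as m i n
    try:
        Parser(lex(build_query(*augmented)), policy).query()
    except Reject:
        return None
    return build_query(*inputs)

def in_plain_grammar(query):   # q in L(G)?  With an empty policy no meta-character is ever accepted
    return sqlcheck(lambda: query, [], policy=frozenset()) is not None

def card_lookup(user, ctype): return f"SELECT cardnum FROM accounts WHERE username = '{user}' AND cardtype = {ctype};"
def card_search(cond): return f"SELECT cardnum FROM accounts WHERE {cond};"   # made-up app: user supplies a condition

if __name__ == "__main__":
    print(sqlcheck(card_lookup, ["John", "2"]))                      # the plain query: allowed
    print(sqlcheck(card_lookup, ["John", "2 OR 1 = 1"]))             # None: blocked
    print(sqlcheck(card_lookup, ["John' OR '1'='1", "2"]))           # None: blocked
    print(in_plain_grammar(card_lookup("John", "2 OR 1 = 1")))       # True: G alone cannot tell
    print(sqlcheck(card_search, ["3 < cardtype"]))                   # allowed: cond is in U
    print(sqlcheck(card_search, ["3 < cardtype"], policy={"val"}))   # None under the stricter policy
```

The policy decides the outcome: with cond ∈ U the input 3 < cardtype is a valid syntactic form and passes, while 1 = 1 OR 2 = 2 is rejected because no single cond node covers it; with U = {val} only literals and identifiers pass. The quote-breaking input is caught in the lexer: '«John' OR '1'='1»' puts the opening meta-character in one string literal and the closing one in another, so the bracketed input cannot be a VSF. The in_plain_grammar check confirms the theorem's premise that the injected query is still a perfectly good member of L(G), which is why the original grammar alone cannot detect it.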
Test Subjects
Subject             Description                                LOC (PHP)  LOC (JSP)  Query Checks Added  Query Sites
Employee Directory  Online employee directory                  2,801      3,114      5                   16
Events              Event tracking system                      2,819      3,894      7                   20
Classifieds         Online management system for classifieds   5,540      5,819      10                  41
Portal              Portal for a club                          8,745      8,870      13                  42
Bookstore           Online bookstore                           9,224      9,649      18                  56
Two languages (PHP and JSP): most techniques require a language-specific front-end; this one does not.
Evaluation
Language  Subject             Legitimate (attempted / allowed)  Attacks (attempted / prevented)  Timing mean (ms)  Timing std dev (ms)
PHP       Employee Directory  660 / 660                         3937 / 3937                      3.230             2.080
PHP       Events              900 / 900                         3605 / 3605                      2.613             0.961
PHP       Classifieds         576 / 576                         3724 / 3724                      2.478             1.049
PHP       Portal              1080 / 1080                       3685 / 3685                      3.788             3.233
PHP       Bookstore           608 / 608                         3473 / 3473                      2.806             1.625
JSP       Employee Directory  660 / 660                         3937 / 3937                      3.186             0.652
JSP       Events              900 / 900                         3605 / 3605                      3.368             0.710
JSP       Classifieds         576 / 576                         3724 / 3724                      3.134             0.548
JSP       Portal              1080 / 1080                       3685 / 3685                      3.063             0.441
JSP       Bookstore           608 / 608                         3473 / 3473                      2.897             0.257
Every legitimate query was allowed and every attack was prevented. Round-trip time over the internet is ~80-100 ms, so the checking cost of about 3 ms per query is small by comparison.
Conclusions
A formal definition of SQLCIAs and an algorithm that prevents them by syntactically constraining the substrings that come from user input.
SQLCheck intercepts all queries and checks their syntactic form.
Suitable for different languages and web interfaces.
Future Work
Experiment with more real-world online web applications and more sophisticated testing techniques (e.g. input placeholders).
Apply the approach to XSS, XPath injection, etc.
A few thoughts about the article
The formal definitions of the web application and of the SQLCIA refer to the most common and basic properties.
The algorithm is simple and elegant.
The solution suits all web apps, even ones written in different programming languages.
The input policy is easy to control.
The evaluation was not tested against attackers attempting to defeat this particular mechanism.