
Slide 1: Penetration Testing with Improved Input Vector Identification
William G.J. Halfond, Shauvik Roy Choudhary, and Alessandro Orso
College of Computing, Georgia Institute of Technology

Slide 2: Web Application Overview
(Diagram) End users send HTTP requests to the web server and get HTML pages back; the web application (HTML pages and servlets) in turn talks to a DB and other back-end systems.

Slide 3: Penetration Testing Overview
(Diagram) A white hat tester sends malformed input (!@#$) through the web application's HTML pages and servlets and gets Secret Data back from the DB or other systems behind it.

Slide 4: Penetration Testing Phases
(Diagram) The white hat tester works against the web application (HTML, servlets) in a loop: Target Selection feeds Information Gathering, which yields Information; Attack Generation turns that into Attacks; Response Analysis examines the Responses and produces the Report, with Analysis Feedback flowing back into information gathering.

Slide 5: Example Web Application Code

public void service(HttpServletRequest req) {
 1.   String action = req.getParameter("userAction");
 2.   if (action.equals("createLogin")) {
 3.     String password = req.getParameter("password");
 4.     String loginName = req.getParameter("login");
 5.     if (isInteger(password)) {
 6.       db.execute("insert into UserTable " + "(login, password) values (" + loginName + ", " + password + ")");
 7.       displayAddressForm();
 8.     } else {
 9.       displayErrorPage("Bad password.");
        }
10.   } else if (action.equals("provideAddress")) {
11.     String loginName = req.getParameter("login");
12.     String address = req.getParameter("address");
13.     db.execute("update UserTable set" + " address ='" + address + "'" + " where loginName=" + loginName);
14.   } else {
15.     displayCreateLoginForm();
      }
}

Slide 6: Our Approach
Goal: improve penetration testing by improving information gathering and response analysis.
Improvements to penetration testing:
1. Information gathering: static interface analysis
2. Attack generation: generate realistic test inputs
3. Response analysis: produce an observable side effect of the attack

Slide 7: 1) Information Gathering: Interface Analysis
Interface analysis [FSE 2007] runs over the web application's HTML pages and servlets in three phases:
Phase 1: Identify input parameter (IP) names
Phase 2: Compute IP domain information
Phase 3: Group IPs into distinct interfaces

Slide 8: 1) Interface Analysis: Identify IP Names
Over the code on slide 5, phase 1 collects the parameter names passed to getParameter(): userAction (line 1), password (line 3), login (lines 4 and 11), and address (line 12).

Slide 9: 1) Interface Analysis: Compute IP Domains
Phase 2 attaches domain information to each IP found in the code on slide 5:
userAction: String, relevant values {"createLogin", "provideAddress"} (from the equals() checks on lines 2 and 10)
password: String, and Integer on the path where isInteger(password) holds (line 5)
login: String
address: String

Slide 10: 1) Interface Analysis: Group IPs
Phase 3 groups the IPs by the control-flow paths of the code on slide 5 along which they are read. Line 1 is shared by every path; each top-level branch then yields one interface: lines 2-9 (userAction, login, password), lines 10-13 (userAction, login, address), and lines 14-15 (userAction only).

Slide 11: 1) Information Gathering: Summary

Interface  Parameter   Domain   Relevant Values
1          userAction  String   "createLogin", "provideAddress"
1          login       String
1          password    Integer
2          userAction  String   "createLogin", "provideAddress"
2          login       String
2          address     String
3          userAction  String   "createLogin", "provideAddress"
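The three interface-analysis phases above, as an added toy example (not the WAM tool from the paper): a regex-based pass over a constructed copy of the slide 5 servlet that recovers the IP names, their domains, and the grouping into the three interfaces of the summary table. SERVLET_SRC, compute_domains and group_interfaces are names chosen here; the real analysis works on JEE bytecode, not source text.

```python
import re
# Constructed copy of the servlet from slide 5 (braces added so nesting can be
# tracked); the concatenation in db.execute is left as vulnerable as on the slide.
SERVLET_SRC = '''
public void service(HttpServletRequest req) {
  String action = req.getParameter("userAction");
  if (action.equals("createLogin")) {
    String password = req.getParameter("password");
    String loginName = req.getParameter("login");
    if (isInteger(password)) {
      db.execute("insert into UserTable (login, password) values (" + loginName + ", " + password + ")");
    }
  } else if (action.equals("provideAddress")) {
    String loginName = req.getParameter("login");
    String address = req.getParameter("address");
    db.execute("update UserTable set address ='" + address + "' where loginName=" + loginName);
  } else {
    displayCreateLoginForm();
  }
}
'''
PARAM_RE = re.compile(r'String\s+(\w+)\s*=\s*req\.getParameter\("(\w+)"\)')
EQUALS_RE = re.compile(r'(\w+)\.equals\("([^"]*)"\)')
ISINT_RE = re.compile(r'isInteger\((\w+)\)')

def compute_domains(src):
    """Phases 1 and 2: map each IP name to an inferred type and relevant values."""
    var_to_param = dict(PARAM_RE.findall(src))
    domains = {p: {"type": "String", "values": set()} for p in var_to_param.values()}
    for var, value in EQUALS_RE.findall(src):   # string comparisons yield relevant values
        if var in var_to_param:
            domains[var_to_param[var]]["values"].add(value)
    for var in ISINT_RE.findall(src):            # an isInteger() check narrows the type
        if var in var_to_param:
            domains[var_to_param[var]]["type"] = "Integer"
    return domains

def group_interfaces(src):
    """Phase 3: one interface per top-level branch of service(); IPs read before the
    branch belong to every interface. Returns sorted IP-name lists, one per interface."""
    common, interfaces, depth = [], [], 0
    for line in src.splitlines():
        stripped = line.strip()
        depth -= stripped.count("}")                 # closing braces come first on a line
        if depth == 1 and (stripped.startswith("if ") or stripped.startswith("} else")):
            interfaces.append([])                    # a new top-level branch starts
        m = PARAM_RE.search(stripped)
        if m:
            (common if depth == 1 else interfaces[-1]).append(m.group(2))
        depth += stripped.count("{")
    return [sorted(set(common + ips)) for ips in interfaces]
```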

Slide 12: 2) Attack Generation
Knowing only the interface (userAction, login, password), the white hat tester has to guess the surrounding values: userAction = ?, login = (attack string), password = ?.
With the IP domain information the attack is embedded in a realistic request: userAction = createLogin, login = (attack string), password = 1234.

Slide 13: 3) Response Analysis with WASP
WASP:
1. Positive tainting: identify and mark developer-trusted strings; propagate the taint markings at runtime.
2. Syntax-aware evaluation: check that all keywords and operators in a query were formed using marked strings.
Response analysis:
1. Send the attack to the web application.
2. If WASP detects the attack:
   1. Block the attack.
   2. Send an out-of-band signal.
3. Check for the signal on the client side.

Slide 14: 3) WASP: Identify Trusted Data
(Same code as slide 5, with the developer-written string constants highlighted.) Positive tainting marks those constants, such as "insert into UserTable ", "(login, password) values (", "update UserTable set" and " address ='", as trusted; the values returned by req.getParameter() stay unmarked.

Slide 15: 3) WASP: Syntax Aware Evaluation

Legitimate Query:
Input: login = "GJ", address = "Home"
update userTable set address = 'Home' where login = 'GJ'

Attempted SQL Injection:
Input: login = "GJ' ; drop table userTable -- ", address = "Home"
update userTable set address = 'Home' where login = 'GJ' ; drop table userTable -- '
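Positive tainting and syntax-aware evaluation from slides 13 to 15, as an added example (not WASP's own code): the two inputs from slide 15 are pushed through the slide's update statement with a per-character trust flag, and a small tokenizer then flags every keyword or operator that is not made entirely of marked characters. TaintedString, build_update_query and syntax_aware_check are names chosen here; the keyword list and tokenizer are a deliberately small stand-in for a real SQL grammar.

```python
import re

KEYWORDS = {"select", "insert", "update", "delete", "drop", "set", "where",
            "into", "values", "table", "from", "union", "and", "or"}
OPERATOR_CHARS = set("=;,()<>+-*/")
# whitespace | line comment | string literal (closing quote optional) | word | number | any other char
TOKEN_RE = re.compile(r"\s+|--[^\n]*|'[^']*'?|[A-Za-z_]\w*|\d+|.")

class TaintedString:
    """Query text plus one trust flag per character (True = developer-written)."""
    def __init__(self, text, trusted):
        self.text, self.taint = text, [trusted] * len(text)
    def __add__(self, other):              # concatenation propagates the markings
        joined = TaintedString("", True)
        joined.text, joined.taint = self.text + other.text, self.taint + other.taint
        return joined

def trusted(s):     # positive tainting: string constants in the code are marked
    return TaintedString(s, True)

def untrusted(s):   # anything read from the HTTP request stays unmarked
    return TaintedString(s, False)

def build_update_query(login, address):
    """The concatenation from line 13 of the slide code, with taint propagated."""
    return (trusted("update userTable set address = '") + untrusted(address)
            + trusted("' where login = '") + untrusted(login) + trusted("'"))

def tokenize(q):
    """Yield (token, all_chars_trusted) for every non-whitespace token."""
    for m in TOKEN_RE.finditer(q.text):
        if not m.group().isspace():
            yield m.group(), all(q.taint[m.start():m.end()])

def syntax_aware_check(q):
    """Return the keyword/operator tokens that contain unmarked characters;
    an empty list means every keyword and operator came from trusted data."""
    violations = []
    for tok, all_trusted in tokenize(q):
        is_keyword = tok.lower() in KEYWORDS
        is_operator = tok in OPERATOR_CHARS or tok.startswith("--")
        if (is_keyword or is_operator) and not all_trusted:
            violations.append(tok)
    return violations
```

For the legitimate input the check returns an empty list; for the injected login the string literal closes early and the following ";", "drop", "table" and "--" tokens are built from unmarked characters, so the query is rejected before it reaches the database.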

Slide 16: Empirical Evaluation
Goal: evaluate the usefulness of our approach as compared to a traditional penetration testing approach.
Research Questions (RQ):
1. Runtime of the analysis
2. Thoroughness of the penetration testing
3. Number of vulnerabilities discovered

Slide 17: Implementation: Baseline Approach (SQLMap++)
Information gathering: OWASP WebScarab (widely used code base, actively maintained)
Attack generation: SQLMap (widely used penetration testing tool with commonly used attack generation heuristics)
Response analysis: WASP [FSE 2006]
SQLMap++ is SQLMap integrated with the OWASP WebScarab spider.

Slide 18: Implementation: Our Approach (SDAPT)
SDAPT (Static and Dynamic Analysis-based Penetration Testing) analyzes the bytecode of Java Enterprise Edition (JEE) web applications.
Interface analysis: WAM [FSE 2007]
Attack generation: leverages SQLMap
Response analysis: WASP [FSE 2006]

Slide 19: Subject Applications

Subject             LOC     Classes  Servlets
Bookstore           19,402  28       27
Checkers            5,415   59       32
Classifieds         10,702  18       (only one count survives in the transcript)
Daffodil            18,706  119      70
Employee Directory  5,529   11       9
Events              7,164   13       12
Filelister          8,671   41       10
Office Talk         4,670   63       39
Portal              16,089  28       27

Slide 20: RQ1: Runtime
SDAPT ranged from 8 to 40 mins.
Positive note: testing was more thorough.

Slide 21: RQ2: Thoroughness

Slide 22: RQ3: Number of Vulnerabilities
Average increase: 246%

Slide 23: Summary of Results
Improvements to penetration testing:
Information gathering with static analysis
Response analysis with dynamic detection
Relatively longer analysis time
More thorough testing, and more vulnerabilities discovered during penetration testing
