Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,

Published byRichard Foster Modified over 9 years ago

Similar presentations

Presentation on theme: "Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,"— Presentation transcript:

1 Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo, Karthick Jayaraman, Michael D. Ernst International Conference on Software Engineering May 20, 2009 PHP Source Code

2 Overview Problem: Finding security vulnerabilities (SQLI and XSS) in Web applications Approach: 1.Automatically generate inputs 2.Dynamically track taint 3.Mutate inputs to produce exploits Results: 60 unique new vulnerabilities in 5 PHP applications, first to create 2nd-order XSS, no false positives

3 PHP Web applications Web browser PHP on webserver Database PHP application $_GET[] $_POST[] http://www.example.com/register.php?name=Bob&age=25 … … URL HTMLData SQL

4 Example: Message board (add mode) if ($_GET['mode'] == "add") addMessageForTopic(); else if ($_GET[‘mode’] == “display”) displayAllMessagesForTop ic(); else die(“Error: invalid mode”); function addMessageForTopic() { $my_msg = $_GET['msg']; $my_topicID = $_GET['topicID']; $my_poster = $_GET['poster']; $sqlstmt = ” INSERT INTO messages VALUES('$my_msg’, '$my_topicID') "; $result = mysql_query($sqlstmt); echo "Thanks for posting, $my_poster"; } $_GET[]: mode = “add” msg = “hi there” topicID = 42 poster = “Bob” Thanks for posting, Bob

5 Example: Message board (display mode) if ($_GET['mode'] == "add") addMessageForTopic(); else if ($_GET[‘mode’] == “display”) displayAllMessagesForTop ic(); else die(“Error: invalid mode”); function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM messages WHERE topicID='$my_topicID’ "; $result = mysql_query($sqlstmt); while($row = mysql_fetch_assoc($result)) { echo "Message: ". $row['msg']; }} $_GET[]: mode = “display” topicID = 42 Message: hi there

6 SQL injection attack function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM messages WHERE topicID='$my_topicID’ "; $result = mysql_query($sqlstmt); while($row = mysql_fetch_assoc($result)) { echo "Message: ". $row['msg']; }} $_GET[]: mode = “display” topicID = 1' OR '1'='1 SELECT msg FROM messages WHERE topicID='1' OR '1'='1' if ($_GET['mode'] == "add") addMessageForTopic(); else if ($_GET[‘mode’] == “display”) displayAllMessagesForTop ic(); else die(“Error: invalid mode”);

7 First-order XSS attack if ($_GET['mode'] == "add") addMessageForTopic(); $_GET[]: mode = “add” msg = “hi there” topicID = 42 poster = MALICIOUS function addMessageForTopic() { $my_poster = $_GET['poster']; […] echo "Thanks for posting, $my_poster"; } Example MALICIOUS input: “uh oh alert(‘XSS’) ” Thanks for posting, uh oh

8 Second-order XSS attack addMessageForTopic() PHP application Database Attacker’s input Example MALICIOUS input: “uh oh alert(‘XSS’) ” $_GET[]: mode = “add” msg = MALICIOUS topicID = 42 poster = “Villain”

9 Second-order XSS attack addMessageForTopic() PHP application Database Attacker’s input Victim’s input $_GET[]: mode = “display” topicID = 42 displayAllMessagesForTopic() Message: uh oh echo() Example MALICIOUS input: “uh oh alert(‘XSS’) ” $_GET[]: mode = “add” msg = MALICIOUS topicID = 42 poster = “Villain”

10 Architecture Input Generator Input Generator Attack Generator/Chec ker inputs taint sets Concrete + Symbolic Database Malicious inputs Ardilla Taint Propagator PHP Source Code

11 Input generation Input Generator Input Generator inputs Goal: Create a set of concrete inputs (_$GET[] & _$POST[]) We use Apollo generator (Artzi et al. ’08), based on concolic execution PHP Source Code

12 Input generation: concolic execution Input Generator Input Generator $_GET[]: mode = “add” msg = “1” topicID = 1 poster = “1” $_GET[]: mode = “1” msg = “1” topicID = 1 poster = “1” $_GET[]: mode = “display” msg = “1” topicID = 1 poster = “1” if ($_GET['mode'] == "add") addMessageForTopic(); else if ($_GET[‘mode’] == “display”) displayAllMessagesForTop ic(); else die(“Error: invalid mode”); PHP Source Code inputs

13 Example: SQL injection attack 1. Generate inputs until program reaches an SQL statement SELECT msg FROM messages WHERE topicID='$my_topicID‘ $_GET[]: mode = “display” msg = “1” topicID = 1 poster = “1” function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM messages WHERE topicID='$my_topicID’ "; $result = mysql_query($sqlstmt);

14 Taint propagation Concrete + Symbolic Database inputs Goal: Determine which input variables affect each potentially dangerous value Sensitive sinks: mysql_query(), echo(), print() Technique: Execute and track data-flow from input variables to sensitive sinks inputs PHP Source Code taint sets Taint Propagator

15 Taint propagation: data-flow Taint Propagator Concrete + Symbolic Database taint sets inputs Each value has a taint set, which contains input variables whose values flow into it inputs function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM messages WHERE topicID='$my_topicID’ "; $result = mysql_query($sqlstmt); /* {‘topicID’} */ Taint propagation Assignments: $my_poster = $_GET[“poster”] String concatenation: $full_n = $first_n. $last_n PHP built-in functions: $z = foo($x, $y) Database operations (for 2nd-order XSS) PHP Source Code Taint set Sensitive sink

16 Example: SQL injection attack 1. Generate inputs until program reaches an SQL statement SELECT msg FROM messages WHERE topicID='$my_topicID‘ 2. Collect taint sets for values in sensitive sinks: { ’topicID’ } function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM messages WHERE topicID='$my_topicID’ "; $result = mysql_query($sqlstmt); /* {‘topicID’} */ Taint set Sensitive sink

17 Attack generation and checking Attack Generator/C hecker Malicious inputs taint sets Goal: Generate attacks for each sensitive sink Technique: Mutate inputs into candidate attacks Replace tainted input variables with shady strings developed by security professionals: e.g., “1’ or ‘1’=‘1”, “ code ” PHP Source Code Alternative: String constraint solver (Kiezun et al. ’09) inputs

18 Attack generation and checking Given a program, an input i, and taint sets Attack Generator/C hecker Malicious inputs taint setsinputs if mutated_res DIFFERS FROM res: report mutated_input as attack for each var that reaches any sensitive sink: res = exec(program, i) for shady in shady_strings: mutated_input = i.replace(var, shady) mutated_res = exec(program, mutated_input) PHP Source Code Attack generation Attack checking

19 Attack generation: mutating inputs $_GET[]: mode = “display” topicID = 1 $_GET[]: mode = “display” topicID = 1' OR '1'='1 res = exec(program, i) for shady in shady_strings: mutated_input = i.replace(var, shady) mutated_res = exec(program, mutated_input) if mutated_res DIFFERS FROM res: report mutated_input as attack

20 Example: SQL injection attack 1. Generate inputs until program reaches an SQL statement SELECT msg FROM messages WHERE topicID='$my_topicID‘ 2. Collect taint sets for values in sensitive sinks: { ’topicID’ } 3. Generate attack candidate by picking a shady string $_GET[]: mode = “display” topicID = 1 $_GET[]: mode = “display” topicID = 1' OR '1'='1

21 Attack checking: diffing outputs res = exec(program, i) for shady in shady_strings: mutated_input = i.replace(var, shady) mutated_res = exec(program, mutated_input) if mutated_res DIFFERS FROM res: report mutated_input as attack What is a significant difference? For SQLI: compare SQL parse tree structure For XSS: compare HTML for additional script- inducing elements ( ) Avoids false positives from input sanitizing and filtering

22 Example: SQL injection attack 1. Generate inputs until program reaches an SQL statement SELECT msg FROM messages WHERE topicID='$my_topicID‘ 2. Collect taint sets for values in sensitive sinks: { ’topicID’ } 3. Generate attack candidate by picking a shady string 4. Check by mutating input and comparing SQL parse trees: innocuous: SELECT msg FROM messages WHERE topicID=‘1’ mutated: SELECT msg FROM messages WHERE topicID=‘1’ OR ‘1’=‘1’ 5. Report an attack since SQL parse tree structure differs

23 Experimental results Vulnerability Kind Sensitive sinks Reached sensitive sinks Unique attacks SQLI 3669123 1 st -order XSS 2749729 2 nd -order XSS 27466 8 Total: 60 NameTypeLOCSourceForge Downloads SchoolMateSchool administration8,181 6,765 WebChessOnline chess4,72238,457 FaqForgeDocument creator1,71215,355 EVE activity trackerGame player tracker 915 1,143 geccBBliteBulletin board 326 366 Main limitation: input generator

24 Comparison with previous work Defensive coding: + : can completely solve problem if done properly - : must re-write existing code Static analysis: + : can potentially prove absence of errors - : false positives, does not produce concrete attacks Dynamic monitoring: + : can prevent all attacks - : runtime overhead, false positives affect app. behavior Random fuzzing: + : easy to use, produces concrete attacks - : creates mostly invalid inputs

25 Automatic Creation of SQL Injection and Cross-Site Scripting Attacks Contributions –Automatically create SQLI and XSS attacks –First technique for 2 nd -order XSS Technique –Dynamically track taint through both program and database –Input mutation and output comparison Implementation and evaluation –Found 60 new vulnerabilities, no false positives

Download ppt "Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,"

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.

Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.
THE BROKEN WEB A Systematic Analysis of XSS Sanitization in Web Application Frameworks.

THE BROKEN WEB A Systematic Analysis of XSS Sanitization in Web Application Frameworks.
Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.

Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Part 2 Authors: Marco Cova, et al. Presented by Brett Parker.

Part 2 Authors: Marco Cova, et al. Presented by Brett Parker.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.

SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su.

Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
PHP Scripts HTML Forms Two-tier Software Architecture PHP Tools.

PHP Scripts HTML Forms Two-tier Software Architecture PHP Tools.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann and Zhendong Su UC Davis Slides from

Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann and Zhendong Su UC Davis Slides from
Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.

Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.
PHP Scripts HTML Forms Two-tier Software Architecture PHP Tools.

PHP Scripts HTML Forms Two-tier Software Architecture PHP Tools.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Similar presentations

Ads by Google