Presentation is loading. Please wait.

Presentation is loading. Please wait.

NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities In Web Applications Prithvi Bisht (http://cs.uic.edu/~pbisht)+ Timothy Hinrichs*,

Published byKellie Hutchinson Modified over 9 years ago

Similar presentations

Presentation on theme: "NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities In Web Applications Prithvi Bisht (http://cs.uic.edu/~pbisht)+ Timothy Hinrichs*,"— Presentation transcript:

1 NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities In Web Applications Prithvi Bisht (http://cs.uic.edu/~pbisht)+ Timothy Hinrichs*, Nazari Skrupsky+, Radoslaw Bobrowicz+, V.N. Venkatakrishnan+ +: University of Illinois, Chicago * : University of Chicago, Chicago

2 Background: User Input Validation Web applications need to Validate user supplied input Reject invalid input E xamples: “Credit card number is exactly16 digits” “Expiration date of Jan 2009 is not valid” Validation traditionally done at server: round-trip, load Popular trend: Client-side validation through JavaScript

3 Client Side Validation using JavaScript onSubmit= validateCard(); validateQuantities(); Validation Pass? send inputs to server reject inputs YesNo

4 Problem: Client is Untrusted Environment Validation can be bypassed Previously rejected values, sent to server Invalid quantity: -4 Ideally: Re-validate at server-side and reject If not, security risks

5 Example: Bypassed Validation Security Risks Client validation:  Field: quantity “reject negative values” Server-side code: cost = cost + price * quantity How to automatically find such inputs in a blackbox fashion?  quantity = 1, price = 100 cost = cost + 100  quantity= -1, price = 100 cost = cost - 100

6 Intuition Automatically generate two sets of inputs  Valid inputsquantity = 1  Invalid inputs quantity = -1  Done through client code analysis If ( quantity ≥ 0 ) submit to application else reject, ask to re-enter How does the server-side code respond  Heuristically determine if server rejects invalid inputs  Server rejects: quantity = -1 quantity = 1 (valid input) quantity= -1 (invalid input)

7 NoTamper Architecture and Outline Formula Extractor Web Page Input Generator Opportunity Detector External analysis Logical formula for client side validation F client : quantity ≥ 0 Solve constraints Benign inputs e.g., quantity = 0 Hostile inputs e.g., quantity = -1 Compare responses for benign and hostile inputs opportunities exploits hints Outline 1.Formula extraction from client code 2.Input generation 3.Opportunity detection 4.Evaluation 5.Conclusion

8 Formula Extraction from Client Code HTML and JavaScript both restrict inputs HTML form controls  Drop down menu: valueIN (value_1, …, value_n)  Radio/Checkboxes:valueIN(value_1,…, value_n)  Hidden attribute:value=constant  Readonly attribute:value=constant  Maxlength attribute:length(value)≤constant Drop down menu: select one of these card == 1234… OR card == 7890… tags attributes Constraint

9 Formula Extraction from Client Code (cont…) Event driven JavaScript validation State machine  Start: no fields validated, end: all validation passed  Transitions w/ validation functions: f 1, f 2, … f n  Over-approximation: All function executed: f 1 f 2 …f n Execute functions symbolically  conditions when all functions accept inputs Valid: none Invalid: all Valid: all Invalid: none (form submitted) Valid: field1 Invalid: rest fkfk f1f1 f2f2 fnfn fmfm onChange onSubmit

10 Formula Extraction from Client Code (cont…) Program condition when validation succeeds if (quantity ≥ 0) return true; constraint: quantity ≥ 0 else return false; JavaScript interaction w/ Document Object Model  Reading form fields (e.g., getElementById )  Enable/disable form fields (e.g., disabled property) At the end of symbolic execution F client = (path conditions) AND (constraints of enabled fields)

11 1.Formula extraction from client code 2.Input generation 3.Opportunity detection 4.Evaluation 5.Conclusion Outline

12 Input Generation Benign inputs  Pass client side validation  Satisfy F client Example: F client : quantity ≥ 0 Satisfying values determined with type information  Collected while analyzing HTML/JavaScript  quantity: -? [0-9]* quantity = 1 Constraint solving

13 Input Generation (cont…) Hostile inputs  Bypass client side validation  Satisfy NOT (F client ) Example: NOT ( quantity ≥ 0 ) Supplying required variables  Example:  Field value mandated by JavaScript  Heuristics: special markers like * in the field description quantity = -1 gift-note = “abc” gift-note = “-” NOT (quantity ≥ 0) U NOT (gift-note in [a-z]*)

14 1.Formula extraction from client code 2.Input generation 3.Opportunity detection 4.Evaluation 5.Conclusion Outline

15 Opportunity Detection Rejected inputs Accepted inputs Different structures Response for hostile inputs Response for Benign inputs Response for hostile inputs Exploit opportunity Similar structures

16 Opportunity Detection (contd…) Compare responses to benign and hostile inputs  But noise: user name, address, time, online users, … a1 a2 a3 a1 a2 a3 b1 a2 a3 h1 a2 a3 B1 B2 --- a2 a3 Remove differences H1 B1 --- a2 a3 C1 C2 Difference rank = Edit Distance (C1,C2) Low rank  opportunity

17 1.Formula extraction from client code 2.Input generation 3.Opportunity detection 4.Evaluation 5.Conclusion Outline

18 Applications ApplicationLOCConstraints sourceUse SMF97KHTML+JavaScriptForum Ezybiz186KHTML+JavaScriptBusn Mgt OpenDB92KHTML+JavaScriptInventory MyBloggie9KHTML+JavaScriptBlog B2evolution167KHTMLBlog PhpNuke228KHTML+JavaScriptContent Mgt OpenIT114KHTML+JavaScriptSupport LegalCase58KHTMLInventory smi-online.co.uk---HTMLConference wiley.com---HTML+JavaScriptLibrary garena.com---HTMLGaming selfreliance.com---HTMLBanking codemicro.com---HTML+JavaScriptShopping 8 open source 5 live sites

19 Applications (cont…) Hostile and benign responses separated by an order of magnitude ApplicationFor ms Hostile Inputs Opport unities Confi rmed SMF556 Ezybiz337 OpenDB110 MyBloggie18 B2evolution125 PhpNuke16 OpenIT328 LegalCase213 smi-online.co.uk123 wiley.com115 garena.com14 selfreliance.com15 codemicro.com16 ApplicationFor ms Hostile Inputs Opport unities Confi rmed SMF55642√ Ezybiz33735√ OpenDB1108√ MyBloggie188√ B2evolution12521 PhpNuke165√ OpenIT32827√ LegalCase2139√ smi-online.co.uk1234 wiley.com1154 garena.com144 selfreliance.com151√ codemicro.com161√ Confirmed exploits: 9/13 applications Opportunities: 169 Examined: 50

20 SelfReliance.com: Online banking Vulnerability: from/to – arbitrary accounts Exploit: Unauthorized money transfers  Transfer money from unrelated accounts  Account number hardly a secret e.g., checks contain them Status: fixed within 24 hours  ESP solution (espsolution.net) s/w provider patched s/w for other clients Client-side constraints: 1.from IN (Accnt1, Accnt2) 2.to IN (Accnt1, Accnt2) Server-side code: transfer money from  to

21 CodeMicro.com : Shopping Vulnerability: quantities can be negative Exploit: Unlimited shopping rebates  Two items in cart: price1 = 100$, price2 = 500$  quantity1 = -4, quantity2 = 1, total = 100$ (rebate of 400$ on price2) Status: fixed within 24 hours Client-side constraints: 1.quantity1 ≥ 0 2.quantity2 ≥ 0 Server-side code: total = quantity1 * price1 + quantity2 * price2

22 OpenIT: Support Vulnerability: update arbitrary account Exploit: Privilege escalation  Inject a Cross-site scripting (XSS) payload in admin account  Cookies stolen every time admin logged in. Status: open Client-side constraints: 1.userId == 1(hidden field) Server-side code: Update profile with id 1, with new details Hidden Field

23 1.Formula extraction from client code 2.Input generation 3.Opportunity detection 4.Evaluation 5.Conclusion Outline

24 Conclusion Framework to identify parameter tampering opportunities  Used client-side restrictions to aid hostile input generation  Several serious problems in open source / commercial applications  Significant gap: validation that should happen and that does happen Thanks and Questions

25 Backup

26 False positives maxlength constraints: 31 Mutated inputs: 12

27 Split of HTML, JavaScript and Hidden Field Constraints HTMLconstraints: 110/169(65%) JavaScript constraints: 20/169(12%) Hidden fields constraints: 39/169(23%)

28 Manual intervention Unique variables: 3 (SMF: 2, phpNuke: 1) Session id/cookies: all except phpNuke Required variables: 12 (SMF: 5, phpNuke: 4, B2Evolution: 1, Garena.com: 2) Typically 5 minutes per form Bounded by the number of fields

29 Limitations Unsound  False positive: application mutates invalid inputs e.g., truncate 12 such instances in our experiments  False positive: similar responses for failure/success Incomplete  JavaScript over-approximation Mutually exclusive events may cause Fclient – false  JavaScript unhandled features document.write/eval  constraints not checked at client Fclient = true

30 Some related work Input validation  Prevent affect of invalid inputs: Su et al. POPL’06, Bandhakavi et al. CCS’07, Saxena et al.NDSS’09, Van Gundy M et al. Oakland’09, Ter-louw et al. Oakland’09  Find insufficient validation: Livshits et al. Usenix’05, Balzarotti et al. CCS’07, Balzarotti et al. Oakland’08, … Vulnerability analysis  JavaScript analysis based client side attacks: Saxena et al. Oakland’10 Fuzzing/directed testing  Benign/Hostile input generation: Godefroid et al. SIGPLAN’05, Godefroid et al. NDSS’08, Saxena et al. NDSS’10, … Prevention techniques  Sandbox/restrict client code: Grier et al. Oakland’08, Reis et al. EuroSys’09, Wang et al. Usenix’09, Vikram et al. Oakland’09, Chong et al. CCS’09, …

Download ppt "NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities In Web Applications Prithvi Bisht (http://cs.uic.edu/~pbisht)+ Timothy Hinrichs*,"

Similar presentations

Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.

Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.
OWASP WEBGOAT Alaa Darabseh Department of Computer Science

OWASP WEBGOAT Alaa Darabseh Department of Computer Science
AUTOMATED DISCOVERY OF PARAMETER POLLUTION VULNERABILITIES IN WEB APPLICATIONS Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, and Engin Kirda,

AUTOMATED DISCOVERY OF PARAMETER POLLUTION VULNERABILITIES IN WEB APPLICATIONS Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, and Engin Kirda,
JavaScript Forms Form Validation Cookies. What JavaScript can do  Control document appearance and content  Control the browser  Interact with user.

JavaScript Forms Form Validation Cookies. What JavaScript can do  Control document appearance and content  Control the browser  Interact with user.
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.

Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.

SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
JavaScript Forms Form Validation Cookies CGI Programs.

JavaScript Forms Form Validation Cookies CGI Programs.
Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias.

Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias.
XP Tutorial 9 New Perspectives on JavaScript, Comprehensive1 Working with Cookies Managing Data in a Web Site Using JavaScript Cookies.

XP Tutorial 9 New Perspectives on JavaScript, Comprehensive1 Working with Cookies Managing Data in a Web Site Using JavaScript Cookies.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Security Issues in Web Applications Vitaly Shmatikov CS 6431.

Security Issues in Web Applications Vitaly Shmatikov CS 6431.
Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.

Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.
CST 200 - JavaScript Validating Form Data with JavaScript.

CST JavaScript Validating Form Data with JavaScript.
4-Sep-15 HTML Forms Mrs. Goins Web Design Class. Parts of a Web Form A Form is an area that can contain Form Control/Elements. Each piece of information.

4-Sep-15 HTML Forms Mrs. Goins Web Design Class. Parts of a Web Form A Form is an area that can contain Form Control/Elements. Each piece of information.
1 CS 3870/CS 5870 Static and Dynamic Web Pages ASP.NET and IIS.

1 CS 3870/CS 5870 Static and Dynamic Web Pages ASP.NET and IIS.
WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction Prithvi Bisht (http://cs.uic.edu/~pbisht) + Timothy Hinrichs*

WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction Prithvi Bisht ( + Timothy Hinrichs*

Similar presentations

Ads by Google