Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Radoslaw Bobrowicz, V.N. Venkatakrishnan
University of Illinois at Chicago, USA
ACM CCS (Oct 2010)
A Presentation at Advanced Defense Lab
Outline
Introduction
Architecture & Challenges
Implementation
Evaluation
Related Work
Conclusion
Introduction
A novel approach for automatically detecting potential server-side parameter-tampering vulnerabilities in existing web applications.
Introduction
Attack 1: Negative quantities, resulting in a "discount".
Attack 2: Charging another user's account. A malicious user can purchase products and charge someone else's account.
Attack 3: Pattern validation bypass, leading to XSS and SQL injection.
Introduction – Problem Description
$\Sigma$: the alphabet.
$I = \Sigma^* \times \Sigma^* \times \dots \times \Sigma^*$: the input space, one string per form parameter.
$P : I \to \{\text{true}, \text{false}\}$: a constraint-checking (validation) function.
$P_{server}$: the constraint-checking function on the server.
$P_{client}$: the constraint-checking function on the client.
Expected property, for every input $i \in I$: $P_{server}(i) = \text{true} \Rightarrow P_{client}(i) = \text{true}$.
Bug (parameter-tampering opportunity): $P_{server}(i) = \text{true} \wedge P_{client}(i) = \text{false}$.
Introduction – Problem Description
$F_{client}$: a logical representation of $P_{client}$.
$F_{server}$: a logical representation of $P_{server}$.
Hostile inputs $h_1, \dots, h_n$ such that $F_{client}(h_i) = \text{false}$ for each $i$.
Benign inputs $b_1, \dots, b_m$ such that $F_{client}(b_j) = \text{true}$ for each $j$.
Hostile responses from the server: $H_1, \dots, H_n$.
Benign responses from the server: $B_1, \dots, B_m$.
The more similar a hostile response is to the benign responses, the more likely the hostile input was successful.
ARCHITECTURE & CHALLENGES
HTML/JS Analyzer
  Simulates an environment similar to a JavaScript interpreter in a browser, including the DOM (AJAX not supported).
  Executes all the initialization code for the web form concretely.
ARCHITECTURE & CHALLENGES
HTML/JS Analyzer
  Identifying JS validation code: run when a form is submitted, and each time the user enters or changes data on the form.
  Analyzing JS validation code: employs a mixed concrete-symbolic execution approach. Symbolic execution provides coverage of all control paths; concrete execution enables NoTamper to ignore irrelevant code.
  Resolving DOM references: constructs the pertinent portion of the DOM and simulates the DOM functions that are used to modify the DOM structure.
ARCHITECTURE & CHALLENGES
Input Generator
  Avoiding spurious rejections: checks that all "required" variables have values of the right type (can be manually overridden).
  Generating orthogonal hostile inputs: converts $F_{client}$ to disjunctive normal form (DNF).
  Coping with incomplete information: accepts hints (delta) from a human that guide the search for hostile and benign inputs.
  Addressing state changes: provides an optional list of variables required to have unique values.
IMPLEMENTATION
Client Constraint Extraction
  Collects all the event handlers (and associated scripts) and generates a single function that invokes all those event handlers.
  Simulates a small set of core DOM methods and properties: getElementById(), document.write(), innerHTML.
IMPLEMENTATION
Hostile Input Guidance
  Initial values: numbers; hidden fields (e.g., the session identifier).
  Types: inferred from the HTML widget associated with the field, its initial value, and its occurrence in arithmetic constraints.
  Required variables: found by analyzing the HTML (e.g., asterisks next to field labels); drop-down lists.
  Unique variables.
IMPLEMENTATION
Input Generation
  Benign inputs: converts $F_{client}$ to DNF and finds one solution per disjunct (or).
  Hostile inputs: solves $\neg F_{client}$.
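The following is an added example, not NoTamper's code, illustrating both the problem description (the gap between $P_{client}$ and $P_{server}$) and this input-generation step. It uses a constructed checkout form and a brute-force enumeration of a small finite domain in place of the HAMPI solver; the constructed $P_{server}$ deliberately omits the quantity check so that the negative-quantity case from the introduction shows up as a tampering opportunity.

```python
import itertools

# Constructed checkout form (not NoTamper's code). F_client is in DNF: a list
# of disjuncts, each a list of named conjuncts over the submitted parameters.
FIELDS = ["quantity", "coupon", "total"]
DOMAIN = {"quantity": [-1, 0, 1, 2], "coupon": ["", "SAVE10"], "total": [-10, 0, 9, 10, 18, 20]}
PRICE, DISCOUNTED = 10, 9
F_CLIENT_DNF = [
    [("qty>0", lambda p: p["quantity"] > 0),          # disjunct 1: no coupon
     ("no-coupon", lambda p: p["coupon"] == ""),
     ("total=price*qty", lambda p: p["total"] == PRICE * p["quantity"])],
    [("qty>0", lambda p: p["quantity"] > 0),          # disjunct 2: coupon applied
     ("coupon", lambda p: p["coupon"] == "SAVE10"),
     ("total=disc*qty", lambda p: p["total"] == DISCOUNTED * p["quantity"])],
]

def candidates():
    # Enumerate the finite domain: a brute-force stand-in for the HAMPI solver.
    for values in itertools.product(*(DOMAIN[f] for f in FIELDS)):
        yield dict(zip(FIELDS, values))

def holds(conjuncts, p):
    return all(pred(p) for _, pred in conjuncts)
def f_client(p):
    return any(holds(d, p) for d in F_CLIENT_DNF)

def benign_inputs():
    """One solution per disjunct of F_client."""
    return [next(p for p in candidates() if holds(d, p)) for d in F_CLIENT_DNF]

def hostile_inputs():
    """Orthogonal hostile inputs: violate exactly one conjunct of a disjunct while
    keeping the others, so each input probes one constraint; all satisfy !F_client."""
    out = []
    for disjunct in F_CLIENT_DNF:
        for i, (_, target) in enumerate(disjunct):
            others = disjunct[:i] + disjunct[i + 1:]
            p = next((p for p in candidates()
                      if not target(p) and holds(others, p) and not f_client(p)), None)
            if p is not None:
                out.append(p)
    return out

def server_accepts(p):
    """Constructed P_server with the bug: recomputes the total but never checks
    that the quantity is positive."""
    unit = DISCOUNTED if p["coupon"] == "SAVE10" else PRICE
    return p["total"] == unit * p["quantity"]

def tampering_opportunities():
    """Inputs the client rejects but the server accepts (P_server ^ !P_client)."""
    return [p for p in hostile_inputs() if server_accepts(p)]
```

Every hostile input is rejected by the client-side constraint by construction; the ones the server nevertheless accepts are the candidates a human would then review.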
IMPLEMENTATION
Constraint Solving
  HAMPI [13].
IMPLEMENTATION
HTML Response Comparison
  Compares the server's response against a response that is known to have been generated by benign (valid) inputs.
  Edit distance: Ratcliff/Obershelp algorithm.
  Remove the noise between B1 and B2 to produce C1.
  Remove the noise between B1 and Hi to produce C2.
  Compare C1 and C2; the result is the "difference rank".
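An added illustration of the comparison step, not NoTamper's implementation: Python's difflib.SequenceMatcher implements the Ratcliff/Obershelp algorithm, and "removing the noise" is read here as keeping only the text common to the two compared responses. The responses B1, B2 and the hostile responses are constructed samples.

```python
from difflib import SequenceMatcher

# Constructed sample responses (not from the paper). B1 and B2 come from two
# benign submissions and differ only in session noise and the order total.
B1 = "<html><p>Session 4f2a</p><p>Order placed. Total: 10</p></html>"
B2 = "<html><p>Session 9c01</p><p>Order placed. Total: 18</p></html>"
H_ACCEPTED = "<html><p>Session 77e0</p><p>Order placed. Total: -10</p></html>"
H_REJECTED = "<html><p>Session 1b3d</p><p>Error: invalid quantity</p></html>"

def remove_noise(a, b):
    """Keep only the text common to a and b (Ratcliff/Obershelp matching blocks);
    whatever differs between them is treated as per-response noise."""
    sm = SequenceMatcher(None, a, b, autojunk=False)
    return "".join(a[i:i + n] for i, _, n in sm.get_matching_blocks())

def difference_rank(b1, b2, hostile):
    """0.0 = hostile response indistinguishable from a benign one; 1.0 = nothing
    in common. A low rank suggests the server accepted the hostile input."""
    c1 = remove_noise(b1, b2)       # benign content with noise stripped
    c2 = remove_noise(b1, hostile)  # hostile content with noise stripped
    return 1.0 - SequenceMatcher(None, c1, c2, autojunk=False).ratio()

def rank_all(b1, b2, hostile_responses):
    """Order hostile responses most-similar-to-benign first for manual review."""
    ranked = [(difference_rank(b1, b2, h), h) for h in hostile_responses]
    return sorted(ranked, key=lambda t: t[0])
```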
IMPLEMENTATION
  HTML analysis: built on top of the APIs provided by the HTML Parser.
  JavaScript analysis: uses a symbolic evaluator based on a modified Narcissus JavaScript engine.
  Input Generator: HAMPI.
  Opportunity Detector: a Java-based module that relays HTTP requests to the test server.
Evaluation
Selected 8 open source applications and 5 live websites.
http://opensourcescripts.com
Testing: Linux Apache web server (2.8 GHz Dual Intel Xeon, 6.0 GB RAM).
NoTamper: Ubuntu 9.10 (2.45 GHz Quad Intel, 2.0 GB RAM).
Evaluation
Unauthorized money transfers: www.selfreliance.com
Unlimited shopping rebates: www.codemicro.com (fixed within 24 hours)
Privilege escalation: OpenIT, by manipulating the userid parameter.
Evaluation
False Positives
  Pertaining to the maxlength constraints on form inputs, which couldn't be exploited for any serious vulnerability.
  Rewritten by the server without any observable difference in HTML output.
Evaluation
Performance
  Input Generator: solved 315 formulas in a total of 219 seconds, an average of 0.7 seconds per input.
  HTML / JavaScript analysis: runs in under a second.
  Opportunity Detector: runs in sub-second time for each application.
Related Work
NoTamper's goals focus on discovering vulnerabilities in existing (legacy) applications.
Conclusion
NoTamper's results highlight a significant gap between the server-side parameter validation that should occur and the server-side validation that does occur in today's web applications.