1
An Analysis Framework for Security in Web Applications
Gary Wassermann and Zhendong Su, University of California, Davis
2
Web Application Architecture
[figure: Web browser → Application → Database] User input reaches the application; the application generates a database query based on that user input; the database returns a result set, which the application renders as a web page.
3
Command Injection Attacks
String query = "SELECT * FROM users WHERE username = '" + strUName + "' AND password = '" + strPasswd + "';";
Expected input:
SELECT * FROM users WHERE username = 'John' AND password = 'JohnsPass';
Result: John logs in
4
Command Injection Attacks
String query = "SELECT * FROM users WHERE username = '" + strUName + "' AND password = '" + strPasswd + "';";
Malicious input:
SELECT * FROM users WHERE username = '' AND password = '' OR '' = '';
Result: Malicious user logs in as the first user identified in the database. Frequently, the administrator!
5
Motivation
- ~60% of web applications are vulnerable
- Found vulnerable sites easily in web search
- Many ways to regulate user inputs: limit length of input; filter out "bad" strings; escape quotes, etc.
- Are the regulations sufficient?
- Goal: Check whether any "dangerous" queries, not user inputs, exist
6
Example: change admin password
Attacker registers online:
Username: admin'--
Password: password
INSERT INTO users VALUES('admin''--', 'password')
7
Example: change admin password
Attacker changes password:
Username: admin'--
OldPass: password
NewPass: backdoor
8
Example: change admin password
Application checks correctness of old password:
sql = "SELECT * FROM users WHERE username = 'admin''--' AND password = 'password'";
rso.open( sql, cn );
if (rso.EOF) {...}
9
Example: change admin password
Admin's password gets changed:
sql = "UPDATE users SET password = '" + newpass + "' WHERE username = '" + rso("username") + "'";
UPDATE users SET password = 'backdoor' WHERE username = 'admin'--'
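The second-order injection of slides 6 to 9, reproduced end to end in SQLite as an added example (not the authors' code): the stored username is read back and concatenated into the UPDATE exactly as the slide's code does, beside a version that binds the same value as a parameter. The users table, its rows and the admin password 'secret' are constructed here; the tautology username from slide 24 is run through the same two functions.

```python
import sqlite3


def make_db():
    # Constructed fixture: one legitimate admin row.
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    cn.execute("INSERT INTO users VALUES ('admin', 'secret')")
    return cn


def register(cn, username, password):
    # Registration stores the name verbatim; the slide doubles the quote,
    # a bound parameter stores the identical string.
    cn.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def change_password_concat(cn, stored_username, newpass):
    # Slide 9: the username read back from the database (rso("username"))
    # is spliced into the UPDATE as SQL text, so '--' and OR become SQL.
    sql = ("UPDATE users SET password = '" + newpass
           + "' WHERE username = '" + stored_username + "'")
    cn.execute(sql)
    return sql


def change_password_param(cn, stored_username, newpass):
    # Hardened form: the stored value is bound, so it is only ever a
    # string compared against the column, never part of the statement.
    cn.execute("UPDATE users SET password = ? WHERE username = ?",
               (newpass, stored_username))


def admin_password(cn):
    row = cn.execute(
        "SELECT password FROM users WHERE username = 'admin'").fetchone()
    return row[0]


def run(attacker_name, change):
    """Register attacker_name, change *its* password, return admin's."""
    cn = make_db()
    register(cn, attacker_name, "password")
    change(cn, attacker_name, "backdoor")
    return admin_password(cn)


if __name__ == "__main__":
    for name in ("admin'--", "'OR'a'='a"):  # slide 6 and slide 24 usernames
        print(f"{name!r:14} concat -> {run(name, change_password_concat)!r}"
              f"  param -> {run(name, change_password_param)!r}")
```

With concatenation both usernames end with admin's password set to 'backdoor'; with binding, only the attacker's own row changes and admin keeps 'secret'.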
10
Overview of Analysis Framework
[figure: from the application code (query = …) an abstract model of the generated programs is built; structure discovery extracts table lists, conditional expressions and select statements, which feed two analyses]
- Access Control. Ex: "customer" deletes inventory data
- Tautologies. Ex: malicious user bypasses authentication
11
Example with cycles
String query = "SELECT * FROM stock WHERE " + strID + " = id";
for( int i = 0; i < dat.length; i++)
    query = query + " AND " + dat[i] + " = " + inp[i];
12
Example with cycles
String query = "SELECT * FROM stock WHERE " + strID + " = id";
for( int i = 0; i < dat.length; i++)
    query = query + " AND " + dat[i] + " = " + inp[i];
dat = { year, min } (from dropdown menu)
13
Example with cycles
String query = "SELECT * FROM stock WHERE " + strID + " = id";
for( int i = 0; i < dat.length; i++)
    query = query + " AND " + dat[i] + " = " + inp[i];
dat = { year, min } (from dropdown menu)
inp = { 2004, 15 } (from textbox)
14
Example with cycles
String query = "SELECT * FROM stock WHERE " + strID + " = id";
for( int i = 0; i < dat.length; i++)
    query = query + " AND " + dat[i] + " = " + inp[i];
dat = { year, min }
inp = { 2004, 15 }
Filtered with {"delete", "xp_", "=", "from", "or"}
15
Example with cycles
String query = "SELECT * FROM stock WHERE " + strID + " = id";
for( int i = 0; i < dat.length; i++)
    query = query + " AND " + dat[i] + " = " + inp[i];
dat = { year, min }
inp = { 2004, 15 }
Filtered with {"delete", "xp_", "=", "from", "or"}
Generated query:
SELECT * FROM stock WHERE 982 = id AND year = 2004 AND min = 15
16
Example with cycles
String query = "SELECT * FROM stock WHERE " + strID + " = id";
for( int i = 0; i < dat.length; i++)
    query = query + " AND " + dat[i] + " = " + inp[i];
dat = { min, min }
inp = { 14, 15) }
Filtered with {"delete", "xp_", "=", "from", "or"}
Generated query (none of the filtered strings appears in the inputs, yet the WHERE clause is a tautology):
SELECT * FROM stock WHERE NOT(1 = id AND min = 14 AND min = 15)
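Slides 11 to 16 as an added example (not the authors' code): the query-building loop and slide 14's blacklist, run in SQLite against a constructed three-row stock table so that the benign input and the filter-passing tautology can be compared by the rows they return. Column names, the filter and both inputs are the slides' own; the table contents are constructed.

```python
import sqlite3

# Slide 14's blacklist, applied to each user-supplied fragment.
BLACKLIST = ("delete", "xp_", "=", "from", "or")


def passes_filter(*fragments):
    """Input regulation: reject any fragment containing a blacklisted token."""
    return all(bad not in frag.lower() for frag in fragments for bad in BLACKLIST)


def build_query(str_id, dat, inp):
    # Slide 11's loop: one " AND col = val" per (dropdown, textbox) pair.
    query = "SELECT * FROM stock WHERE " + str_id + " = id"
    for col, val in zip(dat, inp):
        query = query + " AND " + col + " = " + val
    return query


def make_stock():
    # Constructed fixture: three inventory rows, one matching (982, 2004, 15).
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE stock (id INTEGER, year INTEGER, min INTEGER)")
    cn.executemany("INSERT INTO stock VALUES (?, ?, ?)",
                   [(982, 2004, 15), (983, 2004, 20), (984, 2005, 15)])
    return cn


def rows_returned(str_id, dat, inp):
    """None if the filter rejects the input, else the row count of the query."""
    if not passes_filter(str_id, *dat, *inp):
        return None
    cn = make_stock()
    return len(cn.execute(build_query(str_id, dat, inp)).fetchall())


if __name__ == "__main__":
    benign = ("982", ["year", "min"], ["2004", "15"])
    # Slide 16: no filtered token appears, yet min = 14 AND min = 15 can never
    # hold, so NOT(...) is a tautology and every row comes back.
    attack = ("NOT(1", ["min", "min"], ["14", "15)"])
    for args in (benign, attack):
        print(build_query(*args), "->", rows_returned(*args), "rows")
```

The benign input returns one row and the slide-16 input returns all three, which is the slides' point: the filter inspects user inputs, while the dangerous property lives in the generated query.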
17
String Analysis (previous work)
[figure: FSA produced by string analysis, with transitions labelled SELECT*, FROM, stock, WHERE, NOT, (, x, =id, AND, min, =y, min, =z, ) and ε]
Accepted string:
SELECT * FROM stock WHERE NOT(1 = id AND min = 14 AND min = 15)
18
Structure Discovery (previous work)
[figure: the same FSA, with the prefix SELECT* FROM stock WHERE separated from the sub-automaton NOT ( x =id AND min =y AND min =z ), which is identified as the Boolean expression]
19
Tautology checking
[figure: the Boolean-expression sub-automaton NOT ( x =id AND min =y AND min =z ) extracted from the FSA]
NOT ( x = id and min = y and min = z )
Theorem: We discover a tautology over linear arithmetic iff the FSA accepts one.
20
Overview of Tautology Checking
Main idea: Generate finite number of validity queries from FSA
Challenges:
- Loops/cycles
- Arithmetic
- Boolean
21
Tautology Checking: Arithmetic Loops
[figure: FSA with cycles whose edges carry the terms a, b, c; W, X, Y, Z count how often each edge is taken, with in = 1 and out = 1]
Flow constraints: W,X,Y,Z : 1 = W+X ∧ X+W+Y = Y+Z ∧ Z = 1
Generated inequality: W × ( a ) + X × ( b ) + Y × ( c ) ≥ Z × ( b+c )
Example assignment: { W, Y, Z ← 1; X ← 0 }
Instance shown: b+c ≥ b+c
22
Tautology Checking: Boolean Loops
[figure: FSA loop over the fragments a, b, b joined by OR, shown unrolled four times; bound n+2 = 4]
23
Earlier Example Revisited
[figure: FSA for UPDATE users SET password = ' w ' WHERE username = ' x ' -- ' , with w standing for newpass and x for the stored username]
UPDATE users SET password = 'backdoor' WHERE username = 'admin'--'
24
Earlier Example Revisited
sql = "UPDATE users SET password = '" + newpass + "' WHERE username = '" + rso("username") + "'";
This code may also generate a query with a tautology:
UPDATE users SET password = 'backdoor' WHERE username = ''OR'a'='a';
25
Earlier Example Revisited
[figure: FSA for UPDATE users SET password = ' w ' WHERE username = ' x ' OR ' y ' = ' z ']
UPDATE users SET password = 'backdoor' WHERE username = ''OR'a'='a';
26
Conclusions
Analysis Framework:
- Generate and analyze FSA model of all possible queries
- Semantic analysis of generated programs: not only types but values
- Implementation in progress
Questions?
28
Why n+2?