
An Analysis Framework for Security in Web Applications

Gary Wassermann and Zhendong Su

University of California, Davis

Web Application Architecture

[Diagram: Web browser -> Application -> Database. The browser sends user input to the application; the application generates a database query based on that user input; the database returns a result set to the application; the application returns a web page to the browser.]

Command Injection Attacks

String query = "SELECT * FROM users WHERE username = '" + strUName + "' AND password = '" + strPasswd + "';";

Expected input produces:

SELECT * FROM users WHERE username = 'John' AND password = 'JohnsPass';

Result: John logs in

Malicious input produces:

SELECT * FROM users WHERE username = '' AND password = '' OR '' = '';

Result: Malicious user logs in as first user identified in the database. Frequently, the administrator!
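The two queries above, run for real. This is an added example and not code from the slides: it rebuilds the slide's concatenated query in Python over an in-memory sqlite3 table whose two rows (an administrator first, then John) are constructed here, and places a parameterized version next to it. The function names and the sample rows are assumptions of this example.

```python
import sqlite3

# Constructed sample rows: the first row is the administrator, as on the slide.
SAMPLE_USERS = [("admin", "s3cret"), ("John", "JohnsPass")]


def make_db():
    """In-memory users table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def generated_query(strUName, strPasswd):
    """The query string the slide's concatenation produces, for inspection."""
    return ("SELECT * FROM users WHERE username = '" + strUName
            + "' AND password = '" + strPasswd + "';")


def login_vulnerable(conn, strUName, strPasswd):
    """Sends the concatenated query and returns the username of the first matching
    row (None if no row matches). A tautology in the WHERE clause matches every row,
    so the first row of the table, the administrator, is returned."""
    row = conn.execute(generated_query(strUName, strPasswd)).fetchone()
    return row[0] if row else None


def login_parameterized(conn, strUName, strPasswd):
    """Same check with bound parameters: the inputs are compared as values and can
    never change the query's structure."""
    row = conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (strUName, strPasswd),
    ).fetchone()
    return row[0] if row else None
```

The password input `' OR '' = '` is the slide's malicious case: with concatenation the generated clause is `username = '' AND password = '' OR '' = ''`, which is true for every row; with bound parameters the same characters are just a password that matches nobody.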

Motivation

~60% of web applications are vulnerable

Found vulnerable sites easily in web search

Many ways to regulate user inputs:

Limit length of input

Filter out "bad" strings

Escape quotes, etc.

Are the regulations sufficient?

Goal: Check whether any "dangerous" queries, not user inputs, exist

Example: change admin password

Attacker registers online:

Username: admin'--

Password: password

INSERT INTO users VALUES('admin''--', 'password')

Attacker changes password:

Username: admin'--

OldPass: password

NewPass: backdoor

Application checks correctness of old password:

sql = "SELECT * FROM users WHERE username = 'admin''--' AND password = 'password'";

rso.open( sql, cn );

if (rso.EOF) {...}

Admin's password gets changed:

sql = "UPDATE users SET password = '" + newpass + "' WHERE username = '" + rso("username") + "'";

UPDATE users SET password = 'backdoor' WHERE username = 'admin'--'

The quote in the username was escaped when it was stored and when the old password was checked, but the value read back from the database, rso("username"), is concatenated into the UPDATE without escaping. The -- comments out the rest of the statement, so the WHERE clause becomes username = 'admin' and the update applies to the administrator's account.
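A runnable reconstruction of this flow, added here as an example and not part of the slides. It uses Python's sqlite3 with a constructed users table (the admin row and its password s3cret are made up). change_password_vulnerable follows the slides' steps: quotes are escaped on the way in, but the username read back from the result set is concatenated into the UPDATE on the way out. change_password_fixed binds both statements' values as parameters. All function names are assumptions of this example.

```python
import sqlite3


def make_db():
    """In-memory users table with a constructed admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn


def sql_quote(value):
    """What the registration page does on the slide: double embedded single quotes."""
    return value.replace("'", "''")


def register(conn, username, password):
    """Registration escapes correctly, so the stored username is admin'-- verbatim."""
    conn.execute("INSERT INTO users VALUES('" + sql_quote(username) + "', '"
                 + sql_quote(password) + "')")


def change_password_vulnerable(conn, username, oldpass, newpass):
    """The slide's flow: the old-password check escapes its inputs, but the UPDATE
    is built from the username read back from the result set, unescaped.
    Returns the UPDATE statement that was executed, or None if the check failed."""
    sql = ("SELECT * FROM users WHERE username = '" + sql_quote(username)
           + "' AND password = '" + sql_quote(oldpass) + "'")
    rso = conn.execute(sql).fetchone()
    if rso is None:
        return None
    sql = ("UPDATE users SET password = '" + newpass
           + "' WHERE username = '" + rso[0] + "'")
    conn.execute(sql)
    return sql


def change_password_fixed(conn, username, oldpass, newpass):
    """Both statements bind their values; the stored username is matched as data,
    so the update only ever touches the row that passed the password check."""
    rso = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, oldpass)).fetchone()
    if rso is None:
        return False
    conn.execute("UPDATE users SET password = ? WHERE username = ?", (newpass, rso[0]))
    return True


def password_of(conn, username):
    """Current stored password for a username (None if no such user)."""
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None
```

The point the slides make is that escaping at the input boundary is not enough: the dangerous value enters the UPDATE from the database, not from the request, so a check on "user input" never sees it. Analysing the queries the code can generate, rather than the inputs, catches it.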

Overview of Analysis Framework

[Diagram: application code (query = ...) -> abstract model of generated programs -> structure discovery, which recovers table lists, conditional expressions, and the SELECT statement. Two checks run on the result:]

Access Control. Ex: "customer" deletes inventory data

Tautologies. Ex: malicious user bypasses authentication

Example with cycles

String query = "SELECT * FROM stock WHERE " + strID + " = id";
for( int i = 0; i < dat.length; i++)
    query = query + " AND " + dat[i] + " = " + inp[i];

dat (the column names) comes from a dropdown menu; inp comes from a textbox and is filtered with {"delete", "xp_", "=", "from", "or"}.

Benign inputs: strID = 982, dat = [year, min], inp = [2004, 15]

SELECT * FROM stock WHERE 982 = id AND year = 2004 AND min = 15

Malicious inputs, which pass the filter: strID = NOT(1, dat = [min, min], inp = [14, 15)]

SELECT * FROM stock WHERE NOT(1 = id AND min = 14 AND min = 15)
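The loop and its filter, transcribed into Python as an added example (not the slides' code). It applies the slide's filter set to the textbox inputs, builds both the benign and the malicious query, and runs them against a constructed three-row stock table. build_query_safe is an assumed rewrite that allowlists column names and binds the values; ALLOWED_COLUMNS, make_stock_db and the stock rows are constructed for this example.

```python
import sqlite3

# The slide's filter set, applied to the textbox inputs.
BLACKLIST = ("delete", "xp_", "=", "from", "or")

# Constructed allowlist of the columns the dropdown may legitimately name.
ALLOWED_COLUMNS = {"year", "min"}


def passes_filter(text):
    """Blacklist check as on the slide: reject if any listed substring occurs."""
    low = text.lower()
    return not any(bad in low for bad in BLACKLIST)


def build_query(strID, dat, inp):
    """Transcription of the slide's loop. dat comes from the dropdown; strID and inp are
    textbox inputs and must pass the filter. Returns the query, or None if filtered."""
    if not all(passes_filter(s) for s in [strID, *inp]):
        return None
    query = "SELECT * FROM stock WHERE " + strID + " = id"
    for i in range(len(dat)):
        query = query + " AND " + dat[i] + " = " + inp[i]
    return query


def build_query_safe(strID, dat, inp):
    """Allowlist rewrite: column names must be known, values are bound as parameters.
    int() refuses anything that is not a plain number, e.g. 'NOT(1' or '15)'.
    Returns (sql, params) for a parameterized execute()."""
    if len(dat) != len(inp):
        raise ValueError("dat and inp must have the same length")
    for col in dat:
        if col not in ALLOWED_COLUMNS:
            raise ValueError("unknown column: " + col)
    sql = "SELECT * FROM stock WHERE id = ?"
    params = [int(strID)]
    for col, val in zip(dat, inp):
        sql += " AND " + col + " = ?"
        params.append(int(val))
    return sql, params


def safe_rejects(strID, dat, inp):
    """True if build_query_safe refuses the inputs."""
    try:
        build_query_safe(strID, dat, inp)
        return False
    except ValueError:
        return True


def make_stock_db():
    """In-memory stock table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stock (id INTEGER, year INTEGER, min INTEGER)")
    conn.executemany("INSERT INTO stock VALUES (?, ?, ?)",
                     [(982, 2004, 15), (983, 2005, 20), (984, 2004, 10)])
    return conn


def rows_matched(conn, strID, dat, inp):
    """Number of rows the slide's query returns, or None if the filter rejected it."""
    query = build_query(strID, dat, inp)
    if query is None:
        return None
    return len(conn.execute(query).fetchall())


def rows_matched_safe(conn, strID, dat, inp):
    """Number of rows the allowlisted, parameterized query returns."""
    sql, params = build_query_safe(strID, dat, inp)
    return len(conn.execute(sql, params).fetchall())
```

The blacklist does what the slide says it does: it blocks `=`, `or` and `from`, yet `NOT(1` and `15)` contain none of those substrings, and the resulting clause `NOT(1 = id AND min = 14 AND min = 15)` is true for every row, so the query returns the whole table. Two defender notes: the dropdown is not a trust boundary either, since a client can submit any value for dat, so column names need the same server-side allowlist; and even with the allowlist in place, checking the generated queries (the slides' tautology analysis) is what tells you the filter was insufficient, rather than hoping the blacklist is complete.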

String Analysis (previous work)

SELECT * FROM stock WHERE NOT(1 = id AND min = 14 AND min = 15)

[FSA diagram: string analysis yields a finite-state automaton describing every query the loop can generate: "SELECT * FROM stock WHERE" followed by NOT ( x = id AND min = y AND min = z ), where x, y, z stand for textbox inputs and the "AND min = ..." cycle may repeat or be empty (ε).]

Structure Discovery (previous work)

[FSA diagram: the same automaton with its SQL structure recovered: SELECT *, FROM stock, WHERE, and the Boolean expression that follows WHERE.]

Boolean expression

Tautology checking

[FSA diagram: the automaton fragment for the Boolean expression, NOT ( x = id AND min = y AND min = z ).]

NOT ( x = id and min = y and min = z )

Theorem: We discover a tautology over linear arithmetic iff the FSA accepts one.

Overview of Tautology Checking

Main idea: Generate a finite number of validity queries from the FSA

Challenges:

Loops/cycles

Arithmetic

Boolean
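An added example, not the authors' implementation: the slides check tautologies over linear arithmetic for every query the FSA accepts, using validity queries; this small checker illustrates the idea on one concrete query at a time. It parses a WHERE clause, folds comparisons between two literals, and treats a conjunction that forces one column to equal two different literals as unsatisfiable. That is enough to recognize the three tautologies on these slides: the login bypass '' = '', the change-password variant 'a' = 'a', and the cycle example NOT(1 = id AND min = 14 AND min = 15). All function names here (tokenize, parse_where, truth, is_tautology) are assumptions of this example.

```python
import re

# Token pattern: string literal ('' escapes a quote), integer, identifier, operator/paren.
TOKEN_RE = re.compile(
    r"\s*(?:('(?:[^']|'')*')|(\d+)|([A-Za-z_][A-Za-z_0-9]*)|(<>|<=|>=|=|<|>|\(|\)))")

def tokenize(text):
    """Split a WHERE clause into (kind, value) tokens: lit, col, kw or op."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            if text[pos:].strip() == "":
                break
            raise ValueError("unexpected character %r at %d" % (text[pos], pos))
        pos = m.end()
        lit, num, ident, op = m.groups()
        if lit is not None:
            tokens.append(("lit", lit[1:-1].replace("''", "'")))
        elif num is not None:
            tokens.append(("lit", int(num)))
        elif ident is not None:
            up = ident.upper()
            tokens.append(("kw", up) if up in ("AND", "OR", "NOT") else ("col", ident))
        else:
            tokens.append(("op", op))
    return tokens

def parse_where(text):
    """Recursive descent: expr := term (OR term)*; term := factor (AND factor)*;
    factor := NOT factor | '(' expr ')' | operand cmpop operand."""
    toks = tokenize(text) + [("end", None)]
    pos = [0]
    def take(kind=None, value=None):
        tok = toks[pos[0]]
        if tok[0] == "end" or (kind and tok[0] != kind) or (value and tok[1] != value):
            raise ValueError("unexpected token %r" % (tok,))
        pos[0] += 1
        return tok
    def chain(keyword, sub, tag):
        parts = [sub()]
        while toks[pos[0]] == ("kw", keyword):
            pos[0] += 1
            parts.append(sub())
        return parts[0] if len(parts) == 1 else (tag, parts)
    def factor():
        if toks[pos[0]] == ("kw", "NOT"):
            pos[0] += 1
            return ("not", factor())
        if toks[pos[0]] == ("op", "("):
            pos[0] += 1
            inner = expr()
            take("op", ")")
            return inner
        lhs, op, rhs = take(), take("op")[1], take()
        if lhs[0] not in ("lit", "col") or rhs[0] not in ("lit", "col") or op in "()":
            raise ValueError("malformed comparison")
        return ("cmp", op, lhs, rhs)
    def term():
        return chain("AND", factor, "and")
    def expr():
        return chain("OR", term, "or")
    tree = expr()
    if toks[pos[0]][0] != "end":
        raise ValueError("trailing tokens")
    return tree

def _compare(op, a, b):
    if type(a) is not type(b):  # fold only same-typed literals; SQL coercion is out of scope
        return None
    return {"=": a == b, "<>": a != b, "<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b}[op]

def _forced_values(conjuncts):
    """column -> set of literals the conjunction requires it to equal."""
    forced = {}
    for c in conjuncts:
        if c[0] == "cmp" and c[1] == "=":
            sides = {c[2][0]: c[2][1], c[3][0]: c[3][1]}
            if set(sides) == {"col", "lit"}:
                forced.setdefault(sides["col"], set()).add(sides["lit"])
    return forced

def truth(node):
    """True if the clause holds for every row, False if for none, None if it depends
    on column values. SQL NULL is not modelled."""
    kind = node[0]
    if kind == "cmp":
        return _compare(node[1], node[2][1], node[3][1]) if node[2][0] == node[3][0] == "lit" else None
    if kind == "not":
        v = truth(node[1])
        return None if v is None else not v
    vals = [truth(child) for child in node[1]]
    if kind == "and":
        # A column forced to two different literals makes the conjunction unsatisfiable.
        if False in vals or any(len(s) > 1 for s in _forced_values(node[1]).values()):
            return False
        return True if all(v is True for v in vals) else None
    if True in vals:
        return True
    return False if all(v is False for v in vals) else None

def is_tautology(where_clause):
    return truth(parse_where(where_clause)) is True
```

Two caveats a practitioner should keep in mind. This checker only sees one query; the slides' contribution is that the FSA plus a linear-arithmetic decision procedure covers every query the code can generate, including the unbounded loop unrollings, with a finite number of validity queries. And it ignores SQL NULL: in three-valued logic, min = 14 AND min = 15 evaluates to NULL rather than false when min is NULL, so a "tautology" found here still selects every row whose compared columns are non-NULL, which is the case that matters for the authentication bypass.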

Tautology Checking: Arithmetic Loops

[FSA diagram: an automaton with a cycle whose edges carry the arithmetic pieces a, +, b, ≥ and c; W, X, Y, Z count how many times each edge is traversed, with in = 1 at the entry and out = 1 at the exit.]

Flow constraints on W, X, Y, Z:

1 = W + X ∧ X + W + Y = Y + Z ∧ Z = 1

Inequality generated for the path, in terms of a, b, c:

W×(a) + X×(b) + Y×(c) ≥ Z×(b+c)

Instance {W, Y, Z ← 1; X ← 0}:

b + c ≥ b + c

Tautology Checking: Boolean Loops

[FSA diagram: a cycle that emits "a OR b" on each pass, so the automaton accepts a OR b OR a OR b OR ...; the cycle is unrolled n+2 = 4 times.]

Earlier Example Revisited

sql = "UPDATE users SET password = '" + newpass + "' WHERE username = '" + rso("username") + "'";

[FSA diagram: the queries this statement can generate, UPDATE users SET password = ' w ' WHERE username = ' x ', where w and x stand for any string, including one containing a quote and the -- comment marker.]

UPDATE users SET password = 'backdoor' WHERE username = 'admin'--'

This code may also generate a query with a tautology:

UPDATE users SET password = 'backdoor' WHERE username = '' OR 'a' = 'a';

[FSA diagram: the same automaton with the WHERE clause username = ' x ' OR ' y ' = ' z ', which the tautology check flags.]

Conclusions

Analysis Framework: Generate and analyze an FSA model of all possible queries

Semantic analysis of generated programs: not only types but values

Implementation in progress

Questions?

Why n+2?
