automated and effective testing of web services for xml injection attacks
TRANSCRIPT
Automated and Effective Testing of Web Services for XML Injection Attacks
Sadeeq Jan, Cu D. Nguyen, Lionel Briand, Interdisciplinary Centre for Security, Reliability and Trust (SnT), University of Luxembourg
ISSTA'16, The International Symposium on Software Testing and Analysis, Saarland University, Saarbrücken, Germany, July 18-20, 2016
XML Injection

Definition: injecting malicious content into XML files/messages to manipulate/compromise the logic of an application/service.

Impact:
• Bypassing authentication
• Privilege escalation
• Information disclosure
• Generating errors/system crash
XML Injection Example

Web form: Create new account

XML message for the new account:
<user>
  <username>Tom</username>
  <password>m1U9q10</password>
  <role>user</role>
  <mail>[email protected]</mail>
</user>

XML Database (the new record is appended after the existing ones):
<user>
  <username>admin</username>
  <password>s4n3p81</password>
  <role>Administrator</role>
  <mail>[email protected]</mail>
</user>
.....
......
<user>
  <username>Tom</username>
  <password>m1U9q10</password>
  <role>user</role>
  <mail>[email protected]</mail>
</user>
XML Injection Example (Privilege Escalation)

Web form: the mail field receives
abc</mail><role>Administrator</role><mail>[email protected]

Generated XML message:
<user>
  <username>Tom</username>
  <password>m1U9q10</password>
  <role>user</role>
  <mail>abc</mail>
  <role>Administrator</role>
  <mail>[email protected]</mail>
</user>
XML Schema:
.........
.........
<complexType name="UserType">
  <all>
    <element name="username" type="tns:StringUserType" maxOccurs="1" minOccurs="1"/>
    <element name="password" type="tns:StringPassType" maxOccurs="1" minOccurs="1"/>
    <element name="role" type="tns:Int1000Type" maxOccurs="1" minOccurs="1"/>
    <element name="mail" type="tns:EmailType" maxOccurs="1" minOccurs="1"/>
  </all>
</complexType>
.........
.........

Generated XML message:
<user>
  <username>Tom</username>
  <password>m1U9q10</password>
  <role>user</role>
  <mail>abc</mail>
  <role>Administrator</role>
  <mail>[email protected]</mail>
</user>

Well-formed but not valid: it violates the cardinality (= 1) constraint of the 'role' element in the XML Schema:
<element name="role" type="tns:Int1000Type" maxOccurs="1" minOccurs="1"/>
XML Injection in presence of constraints

Web form: the password field receives
m1U9q10</password><!--
and the mail field receives
--><role>Administrator</role><mail>[email protected]

Generated XML message:
<user>
  <username>Tom</username>
  <password>m1U9q10</password>
  <!--
  </password>
  <role>user</role>
  <mail>
  -->
  <role>Administrator</role>
  <mail>[email protected]</mail>
</user>

Well-formed and valid
Limitations of State-Of-The-Art Tools (XML Injection in presence of constraints)
• Generate invalid XML files/messages
• Result in a large number of false positives
• No dedicated testing tool for XML Injection attacks
Contributions of This Work
• A novel automated testing approach and tool (SOLMI)
• Generates valid but malicious XML files/messages
• Covers a wide range of XML Injection attacks
• Evaluation of the approach on an industrial financial system
Taxonomy of XML Injection Attacks
• Type 1: Deforming
• Type 2: Random closing tags
• Type 3: Replicating
• Type 4: Replacing
Type 1: Deforming
Using XML special characters (e.g., <, &, ') to crash the service

Example:
Original XML
<user>
  <username>Tom</username>
  <password>m1U9q10</password>
  <role>user</role>
  <mail>[email protected]</mail>
</user>

Mutated XML
<user>
  <username>Tom</username>
  <password>m1U<9q10</password>
  <role>user</role>
  <mail>[email protected]</mail>
</user>
Type 2: Random Closing Tags
Using XML closing tags (e.g., </test>) to reveal the hidden XML structure

Example:
Original XML
<user>
  <username>Tom</username>
  <password>m1U9q10</password>
  <role>user</role>
  <mail>[email protected]</mail>
</user>

Mutated XML
<user>
  <username>Tom</username>
  <password></test></password>
  <role>user</role>
  <mail>[email protected]</mail>
</user>
Type 3: Replicating
Replicating existing XML elements with malicious content

Example:
Original XML
<user>
  <username>Tom</username>
  <password>m1U9q10</password>
  <role>user</role>
  <mail>[email protected]</mail>
</user>

Mutated XML
<user>
  <username>Tom</username>
  <password>m1U9q10</password>
  <role>user</role>
  <mail>abc</mail>
  <role>Administrator</role>
  <mail>[email protected]</mail>
</user>
Type 4: Replacing
Replicating + ensuring that the resulting XML is well-formed and valid

Example:
Original XML
<user>
  <username>Tom</username>
  <password>m1U9q10</password>
  <role>user</role>
  <mail>[email protected]</mail>
</user>

Mutated XML (well-formed, valid, yet malicious)
<user>
  <username>Tom</username>
  <password>m1U9q10</password>
  <!--
  </password>
  <role>user</role>
  <mail>
  -->
  <role>Administrator</role>
  <mail>[email protected]</mail>
</user>
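An added Python example, not from the slides or the SOLMI tool, showing why the privilege-escalation messages of the earlier slides and the Type 3 and Type 4 mutations above fare differently at a validating gateway: a constructed account-creation service that concatenates form fields into the <user> record, a gateway check that enforces the schema's cardinality constraint, and an escaping builder that defuses both attack types. All names, the tom@example.com address and the form inputs are constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Hypothetical account-creation service that builds the <user> record of the slides
# from web-form fields. Constructed for illustration, not the paper's system.

def build_user_unsafe(username, password, role, mail):
    # Vulnerable: form values are concatenated straight into the markup.
    return (f"<user><username>{username}</username><password>{password}</password>"
            f"<role>{role}</role><mail>{mail}</mail></user>")

def build_user_safe(username, password, role, mail):
    # Hardened: XML meta-characters are escaped, so a value can only ever become text.
    return build_user_unsafe(*(escape(v) for v in (username, password, role, mail)))

def gateway_check(xml_text):
    # Mimics an XML gateway: well-formedness plus the schema's minOccurs=maxOccurs=1
    # on every child of <user>. Returns the role the backend would store, or a rejection.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "rejected: not well-formed"
    for name in ("username", "password", "role", "mail"):
        if len(root.findall(name)) != 1:
            return f"rejected: cardinality of '{name}' violated"
    return root.findtext("role")

# Form inputs taken from the slides (mail address replaced by a constructed one).
TYPE1_PASSWORD = "m1U<9q10"                                               # deforming
TYPE3_MAIL = "abc</mail><role>Administrator</role><mail>tom@example.com"  # replicating
TYPE4_PASSWORD = "m1U9q10</password><!--"                                 # replacing, part 1
TYPE4_MAIL = "--><role>Administrator</role><mail>tom@example.com"         # replacing, part 2

def outcomes():
    # Role stored (or rejection) for each mutated message, unsafe builder vs. hardened one.
    return {
        "type1_unsafe": gateway_check(build_user_unsafe("Tom", TYPE1_PASSWORD, "user", "tom@example.com")),
        "type3_unsafe": gateway_check(build_user_unsafe("Tom", "m1U9q10", "user", TYPE3_MAIL)),
        "type4_unsafe": gateway_check(build_user_unsafe("Tom", TYPE4_PASSWORD, "user", TYPE4_MAIL)),
        "type4_safe": gateway_check(build_user_safe("Tom", TYPE4_PASSWORD, "user", TYPE4_MAIL)),
    }

if __name__ == "__main__":
    for case, result in outcomes().items():
        print(f"{case}: {result}")
```

Only the Type 4 message passes the cardinality check with the unsafe builder, which is exactly why invalid Type 1-3 tests say little about the backend.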
Proposed Approach

SOLMI Approach
[Figure: overview of the SOLMI approach. Labels: SUT; XML Validator (e.g. Gateway/Firewall) with Schema Constraints and Security Policies; Web Services; XML; Mutation; XML Messages (Tests) T1, T2, ..., Tn; Type 1-2; Constraint Solving; Injection Grammar; Type 3-4. Type 1-2 tests are obtained from the input XML by mutation alone; Type 3-4 tests additionally go through constraint solving over the schema constraints, driven by the injection grammar, before the mutated messages are sent to the SUT.]

Generalizable approach: the Injection Grammar can be replaced for testing other types of vulnerabilities.
Mutation Operators

Attack                       Mut. Operator   Description
Type 1: Deforming            MO_der_meta     Inserts an XML meta-character into the selected element of the input XML message
                             MO_der_att      Removes a quote from the value of a selected attribute of an element
Type 2: Random closing tags  MO_clo          Adds </test> into the content of a selected XML element of the message
Type 3: Replicating          MO_replica      Replicates an XML element, injects it with new content and places it at the location right after the selected element
Type 4: Replacing            MO_replace      Replicates an XML element, obtains new content, comments out the selected element, and injects the new one at its location
Injection Grammar
Generates attack strings for elements in XML (e.g., SQL Injection attack strings based on the grammar)

SQL Injection Grammar *

* D. Appelt, C. Nguyen, and L. Briand. Behind an application firewall, are we safe from SQL injection attacks? In Software Testing, Verification and Validation (ICST), 2015 IEEE 8th International Conference on, pages 1-10, April 2015.
Test Generation Process (for Type 3-4)
Inputs: XML message, XML Schema, Injection Grammar

Start
1. Select Element (an XML element of the message)
2. Extract constraints from the XML Schema (Schema Constraints of the selected element)
3. Transform constraints to the Solver's input language
4. Solve Constraints, generate attack string using the Constraint Solver (driven by the Injection Grammar)
5. Mutate Element with the attack string (test Ti)
6. Tests Gen. Completed? No: go back to step 1. Yes: End
Concrete Example of Test Generation (for Type 4)

XML File:
<transaction>
  <UserName>Mike123</UserName>
  <BankCode>0111</BankCode>
  <RequestId>R19228381</RequestId>
  <CardNumber>1234567891234</CardNumber>
</transaction>

Extract the associated constraints for the selected element. Schema constraint for element 'RequestId':
.......
<xs:element name="RequestId" type="cw:stringLen1_11"/>
</xs:simpleType>
<xs:simpleType name="stringLen1_11">
  <xs:restriction base="xs:string"> <!-- opening tag and base type not shown on the slide; xs:string assumed -->
    <xs:minLength value="4"/>
    <xs:maxLength value="11"/>
    <xs:pattern value="[a-zA-Z0-9\s]*"/>
  </xs:restriction>
</xs:simpleType>
.......

Transform the constraint to the Solver's input language. The String Constraint Solver, driven by the Injection Grammar, generates content for the XML element (attack payload): OR True

Examples of malicious content rejected by the solver:
- OR 1=1: violates the regular expression
- Drop table RequestIDs: violates the maximum length constraint

Mutation (type 4). Resulting XML Message (Test of Type 4):
<transaction>
  <UserName>Mike123</UserName>
  <BankCode>0111</BankCode>
  <!--
  </BankCode>
  <RequestId>R19228381</RequestId>
  <CardNumber>
  -->
  <RequestId>OR True</RequestId>
  <CardNumber>1234567891234</CardNumber>
</transaction>
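An added Python example, not SOLMI's own code, that walks the Type 3-4 test generation process above on the transaction example: facet extraction from a constructed schema fragment (xs:string base assumed), a plain filter standing in for the Hampi string solver, and the MO_replace mutation that produces the Type 4 test. The message and the three candidate payloads are the slide's; the surrounding schema markup is constructed.

```python
import re
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"

# Constructed schema fragment modelled on the slide's stringLen1_11 type (xs:string base assumed).
SCHEMA = r"""<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:simpleType name="stringLen1_11"><xs:restriction base="xs:string">
    <xs:minLength value="4"/><xs:maxLength value="11"/>
    <xs:pattern value="[a-zA-Z0-9\s]*"/>
  </xs:restriction></xs:simpleType>
</xs:schema>"""

# Constructed message and candidate payloads (the slide takes them from its SQL injection grammar).
MESSAGE = ("<transaction><UserName>Mike123</UserName><BankCode>0111</BankCode>"
           "<RequestId>R19228381</RequestId><CardNumber>1234567891234</CardNumber></transaction>")
CANDIDATES = ["OR True", "OR 1=1", "Drop table RequestIDs"]

def extract_constraints(schema_xml, type_name):
    # Collect the length and pattern facets of the named simpleType.
    facets = {}
    for st in ET.fromstring(schema_xml).iter(XS + "simpleType"):
        if st.get("name") == type_name:
            for facet in st.iter():
                tag = facet.tag.replace(XS, "")
                if tag in ("minLength", "maxLength", "pattern"):
                    facets[tag] = facet.get("value")
    return facets

def satisfies(value, facets):
    # Stand-in for the string solver: a candidate passes only if it meets every facet
    # (fullmatch because XSD patterns are anchored; a Python-compatible dialect is assumed).
    lo, hi = int(facets.get("minLength", 0)), int(facets.get("maxLength", 10**9))
    pattern_ok = "pattern" not in facets or re.fullmatch(facets["pattern"], value) is not None
    return lo <= len(value) <= hi and pattern_ok

def solve(schema_xml, type_name, candidates):
    facets = extract_constraints(schema_xml, type_name)
    return [c for c in candidates if satisfies(c, facets)]

def mo_replace(message_xml, name, payload):
    # Type 4 (MO_replace): comment out the original element and put a replica carrying the
    # payload at its location, so the test message stays well-formed and schema-valid.
    original = re.search(rf"<{name}>.*?</{name}>", message_xml, re.S).group(0)
    return message_xml.replace(original, f"<!--{original}--><{name}>{payload}</{name}>", 1)

def stored_request_id(xml_text):
    # What a backend parsing the test message would see: (RequestId text, number of RequestId elements).
    root = ET.fromstring(xml_text)
    return root.findtext("RequestId"), len(root.findall("RequestId"))
```

Of the three candidates only "OR True" survives the facets, and the mutated message still carries exactly one RequestId, which is what lets a Type 4 test pass a schema-validating gateway.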
Evaluation & Results

Objectives & Tools for evaluation
Objectives
• To evaluate the effectiveness and cost (time) of our proposed approach
• To compare our proposed approach with the state-of-the-art tools
Tools
• ReadyAPI
• SOLMI
Subject Application
XML Gateway (Axway XML Gateway) that protects 44 Web Services of a credit card processing company

[Figure: architecture of the subject application. Requests from the Internet reach the XML Gateway, which enforces the XML Schemas and an XML Threat Policy and exposes Service Interface 1 ... Service Interface N for Web Service 1 ... Web Service N in the Backend.]
Architecture of SOLMI
[Figure: components of SOLMI. Labels: XML Processor, Schema Processor, Injection Grammar (SQL), Transformer, Constraint Solver (Hampi), Mutation Strategies, Test Generator, Test Cases, Test Executor, SUT, Monitor/Oracle.]
Results

Tool      MO Operator     # Tests (T)   % Bypassing Tests (Tp)   Test Generation Time (s)
ReadyAPI  Malformed XML   4430          2.37                     < 1 min
SOLMI     MO-meta         1772          0                        0.64
SOLMI     MO-close        443           0                        0.35
SOLMI     MO_der_att      NA            NA                       NA
SOLMI     MO-replica      3236          0                        2929.99 (49 mins)
SOLMI     MO-replace      3236          78.86                    2998.97 (50 mins)
Conclusion
• A test strategy that randomly injects XML meta-characters or closing tags (state-of-the-art tools) is unlikely to be effective
• The SOLMI approach is highly effective, and its test generation time is practically reasonable
• SOLMI is generalizable to other types of attacks

Summary