Automated and Effective Testing of Web Services for XML Injection Attacks

Sadeeq Jan, Cu D. Nguyen, Lionel Briand
Interdisciplinary Centre for Security, Reliability and Trust (SnT), University of Luxembourg

ISSTA’16, The International Symposium on Software Testing and Analysis
Saarland University, Saarbrücken, Germany. July 18-20, 2016

Upload: lionel-briand

Post on 17-Feb-2017


XML Injection

Definition: Injecting malicious content into XML files/messages to manipulate/compromise the logic of an application/service

Impact:
•  Bypassing authentication
•  Privilege escalation
•  Information disclosure
•  Generating errors/system crash

XML Injection Example

Create new account:

    <user>
      <username>Tom</username>
      <password>m1U9q10</password>
      <role>user</role>
      <mail>[email protected]</mail>
    </user>

XML Database:

    <user>
      <username>admin</username>
      <password>s4n3p81</password>
      <role>Administrator</role>
      <mail>[email protected]</mail>
    </user>
    ….. ......
    <user>
      <username>Tom</username>
      <password>m1U9q10</password>
      <role>user</role>
      <mail>[email protected]</mail>
    </user>

XML Injection Example (Privilege Escalation)

Web Form (value entered in the mail field):

    abc</mail><role>Administrator</role><mail>[email protected]

Generated XML Message:

    <user>
      <username>Tom</username>
      <password>m1U9q10</password>
      <role>user</role>
      <mail>abc</mail>
      <role>Administrator</role>
      <mail>[email protected]</mail>
    </user>

XML Injection in presence of constraints

XML Schema:

    .........
    <complexType name="UserType">
      <all>
        <element name="username" type="tns:StringUserType" maxOccurs="1" minOccurs="1"/>
        <element name="password" type="tns:StringPassType" maxOccurs="1" minOccurs="1"/>
        <element name="role" type="tns:Int1000Type" maxOccurs="1" minOccurs="1"/>
        <element name="mail" type="tns:EmailType" maxOccurs="1" minOccurs="1"/>
      </all>
    </complexType>
    .........

Generated XML message (well-formed but not valid):

    <user>
      <username>Tom</username>
      <password>m1U9q10</password>
      <role>user</role>
      <mail>abc</mail>
      <role>Administrator</role>
      <mail>[email protected]</mail>
    </user>

It violates the cardinality = 1 constraint of the ‘role’ element in the XML Schema:

    <element name="role" type="tns:Int1000Type" maxOccurs="1" minOccurs="1"/>

XML Injection in presence of constraints

Web Form:

    password field: m1U9q10</password><!--
    mail field:     --><role>Administrator</role><mail>[email protected]

Generated XML Message (well-formed and valid):

    <user>
      <username>Tom</username>
      <password>m1U9q10</password>
      <!-- </password> <role>user</role> <mail> -->
      <role>Administrator</role>
      <mail>[email protected]</mail>
    </user>
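The two slides above contrast an injection that breaks schema validity with one that survives it. The Python sketch below is an added example, not code from the slides or from SOLMI: it builds the message by string concatenation and through an XML API, then compares what a consumer reads. The function names and the placeholder address `tom@example.com` are assumptions.

```python
import xml.etree.ElementTree as ET

FIELDS = ("username", "password", "role", "mail")

def build_vulnerable(username, password, mail):
    # String concatenation: form values are pasted into the message as markup.
    return ("<user><username>" + username + "</username>"
            "<password>" + password + "</password>"
            "<role>user</role>"
            "<mail>" + mail + "</mail></user>")

def build_hardened(username, password, mail):
    # Build a tree instead; the serializer escapes <, > and & in text nodes.
    user = ET.Element("user")
    for tag, value in zip(FIELDS, (username, password, "user", mail)):
        ET.SubElement(user, tag).text = value
    return ET.tostring(user, encoding="unicode")

def values(xml_text, tag):
    # What a consumer sees; the default parser silently drops comments.
    return [e.text for e in ET.fromstring(xml_text).findall(tag)]

def check_cardinality(xml_text):
    # Stand-in for the schema rule minOccurs=1 / maxOccurs=1 on each child.
    root = ET.fromstring(xml_text)
    return all(len(root.findall(tag)) == 1 for tag in FIELDS)

# Constructed form inputs following the slides (address is a placeholder).
MAIL = "tom@example.com"
TYPE3 = ("Tom", "m1U9q10", "abc</mail><role>Administrator</role><mail>" + MAIL)
TYPE4 = ("Tom", "m1U9q10</password><!--",
         "--><role>Administrator</role><mail>" + MAIL)

if __name__ == "__main__":
    for name, form in (("replicating", TYPE3), ("replacing", TYPE4)):
        for build in (build_vulnerable, build_hardened):
            msg = build(*form)
            print(name, build.__name__, values(msg, "role"),
                  "valid" if check_cardinality(msg) else "invalid")
```

With concatenation, the replicating input is caught by the cardinality rule, while the replacing input passes it and yields a single `role` of `Administrator`. With the tree-built message both inputs stay inert text inside their own elements.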

Limitations of State-Of-The-Art Tools

•  Generate invalid XML files/messages
•  Result in large number of false positives
•  No dedicated testing tool for XML Injection attacks

Contributions of This Work

•  A novel automated testing approach and tool (SOLMI)
•  Generates valid but malicious XML files/messages
•  Covers wide range of XML Injection attacks
•  Evaluation of the approach on an industrial financial system

Taxonomy of XML Injection Attacks

•  Type 1: Deforming
•  Type 2: Random closing tags
•  Type 3: Replicating
•  Type 4: Replacing

Type 1: Deforming

Using XML special characters (e.g., <, &, ‘) to crash the service

Example:

Original XML:

    <user>
      <username>Tom</username>
      <password>m1U9q10</password>
      <role>user</role>
      <mail>[email protected]</mail>
    </user>

Mutated XML:

    <user>
      <username>Tom</username>
      <password>m1U<9q10</password>
      <role>user</role>
      <mail>[email protected]</mail>
    </user>

Type 2: Random Closing Tags

Using XML closing tags to reveal the hidden XML structure (e.g. </test>)

Example:

Original XML:

    <user>
      <username>Tom</username>
      <password>m1U9q10</password>
      <role>user</role>
      <mail>[email protected]</mail>
    </user>

Mutated XML:

    <user>
      <username>Tom</username>
      <password></test></password>
      <role>user</role>
      <mail>[email protected]</mail>
    </user>

Type 3: Replicating

Replicating existing XML elements with malicious content

Example:

Original XML:

    <user>
      <username>Tom</username>
      <password>m1U9q10</password>
      <role>user</role>
      <mail>[email protected]</mail>
    </user>

Mutated XML:

    <user>
      <username>Tom</username>
      <password>m1U9q10</password>
      <role>user</role>
      <mail>abc</mail>
      <role>Administrator</role>
      <mail>[email protected]</mail>
    </user>

Type 4: Replacing

Replicating + ensuring that the resulting XML is well formed and valid

Example:

Original XML:

    <user>
      <username>Tom</username>
      <password>m1U9q10</password>
      <role>user</role>
      <mail>[email protected]</mail>
    </user>

Mutated XML (XML is well-formed, valid, yet malicious):

    <user>
      <username>Tom</username>
      <password>m1U9q10</password>
      <!-- </password> <role>user</role> <mail> -->
      <role>Administrator</role>
      <mail>[email protected]</mail>
    </user>

Proposed Approach

SOLMI Approach

Generalizable approach: Injection Grammar can be replaced for testing other types of vulnerabilities

[Figure: SOLMI approach. Labels: XML; Mutation; Type 1 - 2; Type 3 - 4; Injection Grammar; Constraint Solving; Schema Constraints; Security Policies; XML Messages (Tests) T1, T2, ..., Tn; XML Validator (e.g. Gateway/Firewall); Web Services; SUT]

Mutation Operators

Attack                      | Mut. Operator | Description
Type 1: Deforming           | MO_der_meta   | Inserts an XML meta-character into the selected element of the input XML message
Type 1: Deforming           | MO_der_att    | Removes a quote from the value of a selected attribute of an element
Type 2: Random closing tags | MO_clo        | Adds </test> into the content of a selected XML element of the message
Type 3: Replicating         | MO_replica    | Replicates an XML element, injects it with a new content and places it at the location right after the selected element
Type 4: Replacing           | MO_replace    | Replicates an XML element, obtains a new content, comments out the selected element, and injects the new one at its location

Injection Grammar

Generate attack strings for elements in XML (e.g. SQL Injection attack strings based on the grammar)

[Figure: SQL Injection Grammar *]

* D. Appelt, C. Nguyen, and L. Briand. Behind an application firewall, are we safe from sql injection attacks? In Software Testing, Verification and Validation (ICST), 2015 IEEE 8th International Conference on, pages 1–10, April 2015.

Test Generation Process (for Type 3-4)

[Flowchart. Inputs: XML, Schema, Injection Grammar]

1. Start
2. Select Element (from the XML) -> XML Element
3. Extract constraints from the XML Schema -> Schema Constraints
4. Transform constraints to the Solver’s input language
5. Solve Constraints, generate attack string using Constraint Solver (with the Injection Grammar) -> Attack String
6. Mutate Element with the attack string -> Ti
7. Tests Gen. Completed? No: back to Select Element. Yes: End


Concrete Example of Test Generation (for Type 4)

XML File:

    <transaction>
      <UserName>Mike123</UserName>
      <BankCode>0111</BankCode>
      <RequestId>R19228381</RequestId>
      <CardNumber>1234567891234</CardNumber>
    </transaction>

Extract associated constraints for selected element. Schema Constraint for element ‘RequestId’:

    ….....
    <xs:element name="RequestId" type="cw:stringLen1_11"/>
    <xs:simpleType name="stringLen1_11">
      <xs:restriction base="xs:string">
        <xs:minLength value="4"/>
        <xs:maxLength value="11"/>
        <xs:pattern value="[a-zA-Z0-9\s]*"/>
      </xs:restriction>
    </xs:simpleType>
    ….....

Transform Constraint to Solver’s input language -> String Constraint Solver (with the Injection Grammar)

Generated Content for the XML element (Attack Payload): OR True

Examples of malicious content rejected by the solver:
-  OR 1=1 -> violates the regular expression
-  Drop table RequestIDs -> violates maximum length constraints

Mutation (type 4)

Resulting XML Message (Test of Type 4):

    <transaction>
      <UserName>Mike123</UserName>
      <BankCode>0111</BankCode>
      <!-- </BankCode> <RequestId>R19228381</RequestId> <CardNumber> -->
      <RequestId>OR True</RequestId>
      <CardNumber>1234567891234</CardNumber>
    </transaction>
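The constraint-extraction step and the accept/reject outcomes on this slide can be reproduced with a small facet checker. This is an added Python example, not SOLMI code (the slides name Hampi as the solver): it reads the facets from a constructed copy of the schema fragment and tests the three strings from the slide. The `TIGHTENED` pattern is a hypothetical stricter facet, and Python's `re` is assumed to be close enough to XSD regular expressions for these ASCII inputs.

```python
import re
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"

# Constructed schema fragment mirroring the slide's RequestId constraint.
SCHEMA = r"""<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:simpleType name="stringLen1_11">
    <xs:restriction base="xs:string">
      <xs:minLength value="4"/>
      <xs:maxLength value="11"/>
      <xs:pattern value="[a-zA-Z0-9\s]*"/>
    </xs:restriction>
  </xs:simpleType>
</xs:schema>"""

def extract_facets(schema_text, type_name):
    # Return {facet name: value} for the named simple type's restriction.
    root = ET.fromstring(schema_text)
    for simple_type in root.iter(XS + "simpleType"):
        if simple_type.get("name") == type_name:
            restriction = simple_type.find(XS + "restriction")
            return {f.tag[len(XS):]: f.get("value") for f in restriction}
    raise KeyError(type_name)

def violations(value, facets):
    # List the facets that a candidate element content would violate.
    found = []
    if "minLength" in facets and len(value) < int(facets["minLength"]):
        found.append("minLength")
    if "maxLength" in facets and len(value) > int(facets["maxLength"]):
        found.append("maxLength")
    if "pattern" in facets and not re.fullmatch(facets["pattern"], value):
        found.append("pattern")
    return found

FACETS = extract_facets(SCHEMA, "stringLen1_11")
# Hypothetical tighter facet matching only values shaped like R19228381.
TIGHTENED = dict(FACETS, pattern="R[0-9]{8}")

if __name__ == "__main__":
    for candidate in ("OR True", "OR 1=1", "Drop table RequestIDs"):
        print(repr(candidate), violations(candidate, FACETS) or "accepted")
    print("tightened:", violations("OR True", TIGHTENED))
```

The permissive character-class pattern is what lets `OR True` through; under the tightened pattern the same string is rejected while the legitimate request id still validates.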

Evaluation & Results

Objectives & Tools for evaluation

Objectives
•  To evaluate the effectiveness and cost (time) of our proposed approach
•  To compare our proposed approach with the state-of-the-art tools

Tools
•  ReadyAPI
•  SOLMI

Subject Application

XML Gateway (Axway XML Gateway) that protects 44 Web Services of a credit card processing company

[Figure: subject application. Labels: Internet; XML Gateway with Service Interface 1 ... Service Interface N, XML Schemas, XML Threat Policy; Backend with Web Service 1, Web Service 2, ..., Web Service N]

Architecture of SOLMI

[Figure: architecture of SOLMI. Labels: XML Processor; Schema Processor; Transformer; Constraint Solver (Hampi); Injection Grammar (SQL); Mutation Strategies; Test Generator; Test Cases; Test Executor; SUT; Monitor/Oracle]

Results

Tool     | MO Operator   | # Tests (T) | % Bypassing Tests (Tp) | Test Generation Time (s)
ReadyAPI | Malformed XML | 4430        | 2.37                   | < 1 min
SOLMI    | MO-meta       | 1772        | 0                      | 0.64
SOLMI    | MO-close      | 443         | 0                      | 0.35
SOLMI    | MO_der_att    | NA          | NA                     | NA
SOLMI    | MO-replica    | 3236        | 0                      | 2929.99 (49 mins)
SOLMI    | MO-replace    | 3236        | 78.86                  | 2998.97 (50 mins)


Conclusion

•  Test strategies that randomly inject XML meta-characters or closing tags (state-of-the-art tools) are unlikely to be effective
•  SOLMI approach is highly effective and the test generation time is practically reasonable
•  SOLMI is generalizable to other types of attacks

Summary