Expert System Approach on Web Vulnerability Analysis 20103272 / Jong Heon, PARK 20103616 / Hyun Woo, CHO CS548 Advanced Information Security Term Project Presentation


Expert System Approach

on Web Vulnerability Analysis
20103272 / Jong Heon, PARK
20103616 / Hyun Woo, CHO

CS548 Advanced Information Security Term Project Presentation


Contents

• Motivation
• Problem we meet
• Existing System
• Our Expert System
• Comparison
• Conclusion


Motivation

• In recent years, web hacking has become more sophisticated and automated

• Spreading malicious code, stealing personal information, hacking and phishing for monetary profit

• Small businesses, which lack information security manpower, have become the main target of hackers

• Web vulnerability – SQL Injection, XSS (file upload), packet modification


Motivation

Figure: Number of vulnerability detections in the recent 5 years (K-ISA)


Motivation

Figure: Homepage modification attacks in the recent 5 years (K-ISA)


Motivation

Chart legend: Worm, Virus / Spam relay / Phishing / Simple invasion / Homepage modification / Malicious code


Problem we meet

• Still, most of the web is exposed to simple hacking techniques

Obtaining personal information by packet modification


Problem we meet

• Still, most of the web is exposed to simple hacking techniques

Critical exploit of payment module: use of a weak cryptographic algorithm


Problem we meet

• Still, most of the web is exposed to simple hacking techniques

Critical exploit of payment module
In some web hard servers
Ex) http://www.filecity.co.kr/


Problem we meet

• Still, most of the web is exposed to simple hacking techniques
  – Most web hacking starts with testing the input value
    • Script code (XSS), SQL injection…
  – Possibility of falsifying packet data
    • Whether the packet is encrypted or not
  – Some web application vulnerabilities cannot be solved by IDS or firewall

• Practical need: web application security
  – Solution for web application vulnerabilities (SQL injection, XSS, …)
  – Information security tool for web developers (not for security experts)
  – Core function: modifying code in the development phase (bottom-up approach)
  – Overcome the limitations of public IDS and firewall


Problem we meet

• Public IDS and Firewall

Diagram labels: Clients, Hacker / Firewall / Web Server / Web applications

* SQL Injection
  ID: Admin
  PWD: ' or 1=1--

* Web Application Firewall (WAF)

• A WAF does not modify the web application

• Rule setup is difficult and requires considerable security experience

• Heavy load on the web server


Existing System

• Related research
  – OWASP Top 10 // Web application standard
    • The OWASP Top Ten provides a powerful awareness document for web application security.
  – WASC, NSS Group (Firewall Testing) 10 // Web application standard
  – KrCERT/CC, Castle 2009 // Web application standard, audit tool
    • Korea Internet Security Center
    • Castle – Home page vulnerability solution, code modification (get/post, file upload, cookie)
  – Fortify SCA (Source Code Analysis) // Audit tool
  – Acunetix web vulnerability scanner // Web application scanner
    • Acunetix web vulnerability scanner is a tool designed to discover security holes in your web applications (SQL injection, cross site scripting, and weak passwords).
  – SecuBat // Web application scanner
  – AppScan // Web application scanner


Existing System

• Existing approach(Acunetix, SecuBat, …)

Diagram labels: Existing web vulnerability analysis / Patching web application


Our Expert System

• Expert system
  – Can perform like an expert in a specific field, especially a security expert
  – The web developer submits code to the system, and the system detects 'non-standard' or 'vulnerable' code.
  – A security expert collects vulnerability rules based on the OWASP Top 10 and stores them in a database.


Our Expert System

• Our approach

Diagram labels: OWASP rule database & expert system / Guarantee security in the development phase / Input web vulnerability rules into the database


Our Expert System

• System design and work flow

• End user (web developer): inserts web application code into the system.

• User interface: a simple interface in which the developer can choose the language and the vulnerability.

• Inference module:
  Step 1. Evaluate, for each vulnerability in the OWASP Top 10, whether the code is safe.
  Step 2. Based on the results of Step 1, give a list of vulnerable code and provide appropriate measures.


Our Expert System

• OWASP Top 10 1st Rank Issue: Injection
  – Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.
  – The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.


Our Expert System

• How do I prevent injection?
  – VERIFY parameter input
  – MINIMIZE authority to access other back-end systems
  – DO NOT USE a dynamic query interface, like mysql_query() [in MySQL]
  – DO NOT USE a simple escape function such as addslashes() [in PHP] or str_replace()


Our Expert System

• Injection Analyze in Expert System

    AnalyzeInjection()
    {
        // Knowledge Base (DB) connection
        ConnectionInfo = DBConnect(server, ID, password, database);
        // Load the injection vulnerability information into a list
        List rulebase = getInjection(ConnectionInfo);
        // Extract query
        QueryString = SearchExecuteQuery(InputText);
        // Extract parameters inside the query
        Parameters[] = SearchParametersInQuery(QueryString);
        // Is the parameter or query safe?
        foreach (rule in rulebase)
        {
            if (CompareRules(QueryString, Parameters, rule) != 1)
                AddErrorItem(QueryString, warningmessage, LineNo, QueryPosition);
        }
    }


Our Expert System

• Injection Analyze in Expert System


Demonstration


Our Expert System

• OWASP Top 10 2nd Rank Issue: Cross Site Scripting (XSS)
  – The attacker sends text-based attack scripts that exploit the interpreter in the browser.
  – Attackers can execute scripts in a victim's browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user's browser using malware, etc.


Our Expert System

• How do I prevent XSS?
  – VERIFY input text
  – ENCRYPT output text strongly
  – DO NOT APPLY a blacklist verification method like "DO NOT WRITE '<' or '>'"


Our Expert System

• Problems with GET/POST, weak encryption
  – GET method
    • User data is exposed in the address window
    • Ex.) http://localhost/chs/book/Request.jsp?Name=Michael&Depy=Computer
    • A hacker can attack just by modifying the parameters in the address
  – POST method
    • Data is decoded but can still be intercepted by a packet capture tool
    • Ex.) http://localhost/object_asp/post_meth_view.asp
  – User authentication fields must be encrypted for both the GET and POST methods


Our Expert System

• Problems with GET/POST, weak encryption
  – Encryption
    • Page encryption
      – Call "https" and apply to web page

Figure labels: Plaintext / Ciphertext


Our Expert System

• Use strong cipher
  – Encryption function (PHP)
    • CRC32 – MHASH_CRC32
    • MD5 – MHASH_MD5
    • DES – MCRYPT_DES
    • 3-WAY – MCRYPT_THREEWAY …
    • …
  – Filtering weak algorithm
    • Ex) SHA-1, BASE64…
    • Modify to 128 bit encryption like AES
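The rule-base scan sketched in the AnalyzeInjection pseudocode and the weak-algorithm filter listed above, combined in one added Python example that is not the presenters' code. The in-memory RULEBASE (standing in for the knowledge-base database), the rule ids, the warning messages and the sample PHP input are all constructed for illustration.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    line_no: int
    position: int      # 1-based column, like QueryPosition in the pseudocode
    rule_id: str
    parameters: tuple  # PHP variables that follow the match on that line
    message: str

# Constructed rule base; the slides keep theirs in a database.
# Rule ids and messages are hypothetical.
RULEBASE = [
    ("INJ-DYNAMIC-QUERY", re.compile(r"\bmysql_query\s*\(", re.I),
     "dynamic query interface; use a parameterized query"),
    ("INJ-WEAK-ESCAPE", re.compile(r"\b(?:addslashes|str_replace)\s*\(", re.I),
     "simple escape function is not an injection defence"),
    ("CRYPTO-WEAK", re.compile(
        r"\b(?:MHASH_CRC32|MHASH_MD5|MCRYPT_DES|MCRYPT_THREEWAY)\b"
        r"|\b(?:sha1|base64_encode)\s*\(", re.I),
     "weak algorithm or plain encoding; modify to a cipher like AES"),
]
PHP_VAR = re.compile(r"\$\w+")

def analyze(source: str) -> list:
    """Compare every source line with every rule and collect the error items."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # simplification: only whole-line comments are skipped
        for rule_id, pattern, message in RULEBASE:
            for m in pattern.finditer(line):
                params = tuple(PHP_VAR.findall(line[m.end():]))
                findings.append(Finding(line_no, m.start() + 1, rule_id, params, message))
    return findings

# Constructed PHP input, not taken from the slides.
SAMPLE = '''<?php
// old code: mysql_query("SELECT 1");
$name = addslashes($_POST["id"]);
$res = mysql_query("SELECT * FROM users WHERE id='$name' AND pw='" . $pw . "'");
$token = mhash(MHASH_MD5, $secret);
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line_no}, col {f.position}: [{f.rule_id}] {f.message} {f.parameters}")
```

The prepared statement on the last sample line produces no finding, and the commented-out call on line 2 is ignored.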


Comparison

Table columns: SQL Injection | XSS | User data Encryption | Other OWASP Top 10 | Code Modification | Developer Guiding

Table rows: Castle, Fortify SCA, Acunetix, SecuBat, AppScan, Our System

Legend: Support / Partially Support / Future work


Future Work

• Analyze the other issues
• More formal rules
  – Still, the system runs these modules with different processes
  – Developing a Rule Maker Module, instead of formal rules

• Open System
  – Experts and users join this system free.


Conclusions

• Statistics for attack methods on websites & making successful attack scenarios

• Explore some issues of the OWASP Top 10
  – Injection, XSS, Cryptographic…

• Devise an 'Evolutionary System'
  – The more people use the system, the bigger the system will be.

• Compare with other vulnerability checking tools
  – In code modification & guide for developers


Thank You