Post on 19-Dec-2015
Penetration Testing with Improved Input Vector Identification
William G.J. Halfond, Shauvik Roy Choudhary, and Alessandro Orso
College of Computing
Georgia Institute of Technology
Web Application Overview
[Diagram: end users send HTTP requests to the web server and receive HTML pages; the web application (HTML and servlets) running on the server talks to a DB and to other systems.]
Penetration Testing Overview
[Diagram: a white hat tester sends malformed input (!@#$) to the web application (HTML and servlets), which is backed by a DB and other systems, and gets "Secret Data!" back in the response.]
Penetration Testing Phases
[Diagram: the white hat tester exchanges information, attacks and responses with the web application (HTML and servlets). Phases: Target Selection, Information Gathering, Attack Generation, Response Analysis, Report, with Analysis Feedback looping back from response analysis to attack generation.]
Example Web Application Code

    public void service(HttpServletRequest req) {
     1.  String action = req.getParameter("userAction");
     2.  if (action.equals("createLogin")) {
     3.    String password = req.getParameter("password");
     4.    String loginName = req.getParameter("login");
     5.    if (isInteger(password)) {
     6.      db.execute("insert into UserTable " + "(login, password) values (" + loginName + ", " + password + ")");
     7.      displayAddressForm();
     8.    } else {
     9.      displayErrorPage("Bad password.");
           }
    10.  } else if (action.equals("provideAddress")) {
    11.    String loginName = req.getParameter("login");
    12.    String address = req.getParameter("address");
    13.    db.execute("update UserTable set" + " address ='" + address + "'" + " where loginName=" + loginName);
    14.  } else {
    15.    displayCreateLoginForm();
         }
    }
Our Approach
Improvements to penetration testing:
1. Information gathering: static interface analysis
2. Attack generation: generate realistic test inputs
3. Response analysis: produce an observable side effect of the attack
Goal: Improve penetration testing by improving information gathering and response analysis.
1) Information Gathering: Interface Analysis [FSE 2007]
Phase 1: Identify input parameter (IP) names
Phase 2: Compute IP domain information
Phase 3: Group IPs into distinct interfaces
[Diagram: the web application (HTML and servlets) is fed to the interface analysis, which runs Identify IP Names, Compute IP Domains and Group IPs and outputs the interfaces.]
1) Interface Analysis: Identify IP Names
(Same example code as above.) IP names found at the req.getParameter calls: userAction (line 1), password (line 3), login (line 4), login (line 11), address (line 12).
1) Interface Analysis: Compute IP Domains
(Same example code as above.) Domain information derived from how each IP is used:
userAction: String {"createLogin", "provideAddress"}
password: String, then Integer once isInteger(password) succeeds
login: String
login: String
address: String
1) Interface Analysis: Group IPs
(Same example code and domain information as above.)
[Diagram: control-flow graph over code lines 1 to 15; the IPs read along each path through the servlet are grouped into one interface.]
1) Information Gathering: Summary

Interface  Parameter   Domain   Relevant Values
1          userAction  String   "createLogin", "provideAddress"
1          login       String
1          password    Integer
2          userAction  String   "createLogin", "provideAddress"
2          login       String
2          address     String
3          userAction  String   "createLogin", "provideAddress"
2) Attack Generation
[Diagram: the white hat tester fills in the interface (userAction, login, password).]
Interface alone: userAction = ?, login = <attack string>, password = ?
With IP domain information: userAction = createLogin, login = <attack string>, password = 1234
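The interface analysis (identify IP names, compute domains, group IPs) and the attack-generation step on this slide, as an added Python example that is not the authors' WAM/SDAPT implementation: the servlet is encoded as a small hand-built intermediate representation (the SERVLET structure, its statement and condition forms, and all function names are constructed here; the real tool works on JEE bytecode), every control-flow path is enumerated, the IPs read along each path are grouped into interfaces carrying type and relevant-value information, and for each interface one request per target parameter is generated with the other parameters filled from their domains, as in the userAction = createLogin, password = 1234 example above.

```python
# Added example (not the authors' WAM/SDAPT code): a simplified, path-sensitive
# interface analysis in the spirit of the three phases on the slides, run on a
# hand-built model of the slide's servlet, followed by attack generation that
# fills the non-target parameters with domain-consistent values.
from itertools import product

# Constructed intermediate representation of the example servlet.
# Statements: ("param", var, ip_name)   var = req.getParameter(ip_name)
#             ("if", cond, then_block, else_block)
#             ("sink", description)     a db.execute or display call (no IP info)
# Conditions: ("equals", var, constant) var.equals(constant)
#             ("isInteger", var)        isInteger(var)
SERVLET = [
    ("param", "action", "userAction"),
    ("if", ("equals", "action", "createLogin"), [
        ("param", "password", "password"),
        ("param", "loginName", "login"),
        ("if", ("isInteger", "password"),
            [("sink", "insert into UserTable")],
            [("sink", "displayErrorPage")]),
    ], [
        ("if", ("equals", "action", "provideAddress"), [
            ("param", "loginName", "login"),
            ("param", "address", "address"),
            ("sink", "update UserTable"),
        ], [
            ("sink", "displayCreateLoginForm"),
        ]),
    ]),
]


def relevant_values(block, env=None, found=None):
    """Phase 2 (domain information): every constant an IP is compared against
    anywhere in the servlet is a relevant value of that IP."""
    env = dict(env or {})
    found = found if found is not None else {}
    for stmt in block:
        if stmt[0] == "param":
            env[stmt[1]] = stmt[2]
        elif stmt[0] == "if":
            cond = stmt[1]
            if cond[0] == "equals":
                found.setdefault(env[cond[1]], set()).add(cond[2])
            for branch in (stmt[2], stmt[3]):
                relevant_values(branch, env, found)
    return found


def enumerate_paths(block, env=None, facts=None):
    """Phases 1 and 3: yield, per control-flow path, the IPs read on that path
    mapped to the type the path's checks establish for them."""
    env = dict(env or {})
    facts = dict(facts or {})
    for i, stmt in enumerate(block):
        if stmt[0] == "param":
            env[stmt[1]] = stmt[2]
            facts.setdefault(stmt[2], "String")   # getParameter returns a String
        elif stmt[0] == "if":
            cond, then_block, else_block = stmt[1], stmt[2], stmt[3]
            rest = block[i + 1:]
            taken = dict(facts)
            if cond[0] == "isInteger":
                taken[env[cond[1]]] = "Integer"   # the check passed on this path
            yield from enumerate_paths(then_block + rest, env, taken)
            yield from enumerate_paths(else_block + rest, env, facts)
            return
    yield facts


def build_interfaces(program):
    """Group IPs into interfaces: paths that read the same set of IPs form one
    interface, keeping the most specific type seen for each IP."""
    values = relevant_values(program)
    interfaces = {}
    for facts in enumerate_paths(program):
        iface = interfaces.setdefault(frozenset(facts), {})
        for ip, typ in facts.items():
            entry = iface.setdefault(ip, {"domain": "String",
                                          "values": set(values.get(ip, ()))})
            if typ == "Integer":
                entry["domain"] = "Integer"
    return list(interfaces.values())


def generate_requests(interface, attack_marker="<attack string>"):
    """Attack generation: for each IP of an interface, emit requests that put the
    attack payload in that IP and domain-consistent values in every other IP, so
    the request reaches the code that actually reads the targeted IP."""
    def candidates(info):
        if info["values"]:
            return sorted(info["values"])
        return ["1234"] if info["domain"] == "Integer" else ["x"]
    requests = []
    for target in sorted(interface):
        others = sorted(ip for ip in interface if ip != target)
        for combo in product(*(candidates(interface[ip]) for ip in others)):
            request = dict(zip(others, combo))
            request[target] = attack_marker
            requests.append(request)
    return requests


if __name__ == "__main__":
    for number, iface in enumerate(build_interfaces(SERVLET), start=1):
        for ip, info in sorted(iface.items()):
            print(number, ip, info["domain"], sorted(info["values"]))
        for request in generate_requests(iface):
            print("   ", request)
```

Running the block prints the same three interfaces as the summary table on the slides; the merge step is what keeps the failed isInteger branch from producing a fourth interface with the same parameters.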
3) Response Analysis with WASP
WASP:
1. Positive tainting: identify and mark developer-trusted strings; propagate taint markings at runtime
2. Syntax-aware evaluation: check that all keywords and operators in a query were formed using marked strings
Response analysis:
1. Send attack to web application
2. If WASP detects the attack: (1) block the attack, (2) send an out-of-band signal
3. Check for the signal on the client side
(Same example code as above.)
3) WASP: Identify Trusted Data / Syntax-Aware Evaluation

Legitimate Query:
Input: login = "GJ", address = "Home"
update userTable set address = 'Home' where login = 'GJ'

Attempted SQL Injection:
Input: login = "GJ' ; drop table userTable -- ", address = "Home"
update userTable set address = 'Home' where login = 'GJ' ; drop table userTable -- '
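The positive-tainting and syntax-aware evaluation steps above, as an added Python example that is not the authors' WASP code: a query is carried as a list of (character, trusted) pairs so that concatenation keeps the markings, a small SQL tokenizer (constructed here; the keyword list and token kinds are assumptions) splits the finished statement, and the check rejects the statement when any keyword, operator or comment contains characters that did not come from developer-written literals. Run on the slide's two inputs it accepts the legitimate query and rejects the injection attempt, naming the offending tokens.

```python
# Added example (not the authors' WASP code): a compact model of the two WASP
# steps named on the slide. Positive tainting marks only developer-written string
# literals as trusted and keeps the marking through concatenation; syntax-aware
# evaluation tokenizes the finished query and rejects it when any SQL keyword,
# operator or comment contains characters that did not come from trusted literals.
import re

KEYWORDS = {"select", "insert", "update", "delete", "drop", "create", "alter",
            "table", "set", "where", "from", "into", "values", "and", "or",
            "not", "union", "like", "exec"}
OPERATOR_CHARS = set("=<>!;,()*+-/")


# A tainted string is a list of (character, trusted) pairs.
def trusted(literal):
    """Mark a string literal written by the developer: every character trusted."""
    return [(c, True) for c in literal]


def untrusted(data):
    """Mark data taken from the HTTP request: no character trusted."""
    return [(c, False) for c in data]


def concat(*parts):
    """String concatenation that propagates the per-character markings."""
    return [pair for part in parts for pair in part]


def tokenize(tainted):
    """Split a tainted query into (text, kind, fully_trusted) tokens."""
    text = "".join(c for c, _ in tainted)
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
            continue
        if c == "'":                                   # string literal
            end = text.find("'", i + 1)
            j = n if end == -1 else end + 1            # unterminated: run to end
            kind = "string"
        elif text.startswith("--", i):                 # line comment
            end = text.find("\n", i)
            j = n if end == -1 else end
            kind = "comment"
        elif c.isalpha() or c == "_":                  # keyword or identifier
            j = i + re.match(r"[A-Za-z_][A-Za-z0-9_]*", text[i:]).end()
            kind = "keyword" if text[i:j].lower() in KEYWORDS else "identifier"
        elif c.isdigit():
            j = i + re.match(r"[0-9]+", text[i:]).end()
            kind = "number"
        elif c in OPERATOR_CHARS:
            j, kind = i + 1, "operator"
        else:
            j, kind = i + 1, "other"
        tokens.append((text[i:j], kind, all(t for _, t in tainted[i:j])))
        i = j
    return tokens


def syntax_aware_check(tainted):
    """Return (accepted, offending_tokens): the query is rejected as an injection
    when a keyword, operator or comment is not built entirely from trusted text."""
    offending = [tok for tok, kind, ok in tokenize(tainted)
                 if kind in ("keyword", "operator", "comment") and not ok]
    return (not offending, offending)


def build_update_query(login, address):
    """The slide's update statement, assembled the way the servlet assembles it:
    trusted SQL fragments concatenated with untrusted request parameters."""
    return concat(trusted("update userTable set address = '"), untrusted(address),
                  trusted("' where login = '"), untrusted(login), trusted("'"))


if __name__ == "__main__":
    for login in ("GJ", "GJ' ; drop table userTable -- "):   # the slide's two inputs
        query = build_update_query(login, "Home")
        print("".join(c for c, _ in query))
        print("  result:", syntax_aware_check(query))
```

Note that the content of a string literal is deliberately not checked: user data is allowed to end up inside quotes, which is exactly why the legitimate query passes while the `;`, `drop`, `table` and `--` tokens of the injection attempt, all built from untrusted characters, are flagged.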
Empirical Evaluation
Goal: Evaluate the usefulness of our approach as compared to a traditional penetration testing approach.
Research Questions (RQ):
1. Runtime of analysis
2. Thoroughness of the penetration testing
3. Number of vulnerabilities discovered
Implementation: Baseline Approach
• Information gathering: OWASP WebScarab (widely used code base, actively maintained)
• Attack generation: SQLMap (widely used penetration testing tool, commonly used attack generation heuristics)
• Response analysis: WASP [FSE 2006]
SQLMap++: SQLMap integrated with the OWASP WebScarab spider
Implementation: Our Approach
• Analyzes bytecode of Java Enterprise Edition (JEE) based web applications
• Interface analysis: WAM [FSE 2007]
• Attack generation: leverages SQLMap
• Response analysis: WASP [FSE 2006]
SDAPT: Static and Dynamic Analysis-based Penetration Testing
Subject Applications

Subject             LOC     Classes  Servlets
Bookstore           19,402  28       27
Checkers            5,415   59       32
Classifieds         10,702  18       18
Daffodil            18,706  119      70
Employee Directory  5,529   11       9
Events              7,164   13       12
Filelister          8,671   41       10
Office Talk         4,670   63       39
Portal              16,089  28       27
RQ1: Runtime
[Chart: analysis time in seconds (log scale, 1 to 10,000) per subject application (Bookstore, Checkers, Classifieds, Daffodil, Empl. Dir, Events, Filelister, Officetalk, Portal), SQLMAP++ vs SDAPT.]
• SDAPT ranged from 8 to 40 minutes
• Positive note: testing was more thorough
RQ2: Thoroughness
[Chart: number of input vectors (0 to 250) per subject application (Bookstore, Checkers, Classifieds, Daffodil, Empl. Dir, Events, Filelister, Officetalk, Portal), SQLMAP++ vs SDAPT.]
[Chart: number of components (0 to 50) per subject application, SQLMAP++ vs SDAPT.]
RQ3: Number of Vulnerabilities
[Chart: number of discovered vulnerabilities (0 to 18) per subject application (Bookstore, Checkers, Classifieds, Daffodil, Empl. Dir., Events, Filelister, Officetalk, Portal), SQLMAP++ vs SDAPT.]
Average increase: 246%
Summary of Results
• Improvements to penetration testing: information gathering with static analysis, response analysis with dynamic detection
• Relatively longer analysis time
• More thorough testing and more vulnerabilities discovered during penetration testing