Penetration Testing with Improved Input Vector Identification

William G.J. Halfond, Shauvik Roy Choudhary, and Alessandro Orso
College of Computing, Georgia Institute of Technology
Web Application Overview

(Diagram: end users send HTTP requests to the web server; the web application, built from servlets and HTML, talks to a database and to other back-end systems and returns HTML pages to the users.)
Penetration Testing Overview

(Diagram: a white-hat tester sends malformed input ("!@#$") to the same web application; a successful attack makes the application leak "Secret Data!" back to the tester.)
Penetration Testing Phases

(Diagram of the testing loop: Target Selection → Information Gathering → Attack Generation → Attacks sent to the Web Application (HTML, Servlets) → Responses → Response Analysis → Analysis Feedback back into Information Gathering, and finally a Report to the white-hat tester.)
Example Web Application Code

    public void service(HttpServletRequest req) {
        String action = req.getParameter("userAction");
        if (action.equals("createLogin")) {
            String password = req.getParameter("password");
            String loginName = req.getParameter("login");
            if (isInteger(password)) {
                // Vulnerable: loginName is concatenated into the query unescaped
                db.execute("insert into UserTable "
                           + "(login, password) values ('"
                           + loginName + "', " + password + ")");
                displayAddressForm();
            } else {
                displayErrorPage("Bad password.");
            }
        } else if (action.equals("provideAddress")) {
            String loginName = req.getParameter("login");
            String address = req.getParameter("address");
            // Vulnerable: address and loginName are concatenated unescaped
            db.execute("update UserTable set"
                       + " address = '" + address + "'"
                       + " where login = '" + loginName + "'");
        } else {
            displayCreateLoginForm();
        }
    }
Our Approach

Goal:
  Improve penetration testing by improving information gathering and response analysis.

Improvements to penetration testing:
  1. Information gathering → static interface analysis
  2. Attack generation → generate realistic test inputs
  3. Response analysis → produce an observable side effect of a successful attack
1) Information Gathering: Interface Analysis

(Diagram: the web application's HTML and servlets feed the interface analysis [FSE 2007], which identifies IP names, computes IP domains, groups IPs, and outputs the application's interfaces.)

Phase 1: Identify input parameter (IP) names
Phase 2: Compute IP domain information
Phase 3: Group IPs into distinct interfaces
1) Interface Analysis: Identify IP Names

Every req.getParameter(...) call in the example servlet names an input parameter. Walking the code in order, the analysis finds:

  userAction   (String action = req.getParameter("userAction"))
  password     (createLogin branch)
  login        (createLogin branch)
  login        (provideAddress branch)
  address      (provideAddress branch)
1) Interface Analysis: Compute IP Domains

Each parameter starts out as a String; conditions on the path refine the domain and record the values the code compares the parameter against:

  userAction : String, relevant values {"createLogin", "provideAddress"}
               (from the two action.equals(...) comparisons)
  password   : String, refined to Integer by the isInteger(password) check
               that guards the insert
  login      : String (read in both branches)
  address    : String
1) Interface Analysis: Group IPs

Parameters read on the same path through service() belong to the same interface. The four paths (createLogin with a valid or invalid password, provideAddress, and the fall-through else) collapse into three interfaces, because the two createLogin paths read the same parameters:

  Interface 1 (createLogin path):    userAction, login, password
  Interface 2 (provideAddress path): userAction, login, address
  Interface 3 (fall-through else):   userAction
1) Information Gathering: Summary

Interface   Parameter    Domain    Relevant Values
1           userAction   String    "createLogin", "provideAddress"
1           login        String
1           password     Integer
2           userAction   String    "createLogin", "provideAddress"
2           login        String
2           address      String
3           userAction   String    "createLogin", "provideAddress"
2) Attack Generation

(Diagram: the white-hat tester takes an interface (userAction, login, password) plus the IP domain information and turns it into a request.)

Without domain information the tester knows only the parameter names and has to guess the rest:

  userAction = ?
  login      = <attack string>
  password   = ?

With domain information the other parameters get values that satisfy the code's checks, so the attack string actually reaches the db.execute call:

  userAction = createLogin
  login      = <attack string>
  password   = 1234
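The three interface-analysis phases and the attack-generation step above, as an added worked example in Python; this is not WAM's, SDAPT's or the paper's code. The example servlet's control flow is written down by hand as a small tree of Read/Branch/Sink nodes rather than recovered from bytecode; the analysis walks every path, groups paths by the parameter set they read, records the literals the code compares against and the isInteger refinement, and then builds attack requests in which the other parameters carry domain-satisfying values. Relevant values are collected program-wide, as in the summary table, so one request is generated per relevant value. The node types, the filler values "1234" and "test", and the attack string are assumptions of this example.

```python
"""Interface analysis (phases 1-3) and attack generation over the page's
example servlet.  Added example, not the paper's tooling: the servlet's
control flow is written by hand as a tree of Read/Branch/Sink nodes instead
of being recovered from bytecode."""
import itertools
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

@dataclass
class Read:                 # String var = req.getParameter(param)
    var: str
    param: str

@dataclass
class Equals:               # if (var.equals(literal))
    var: str
    literal: str

@dataclass
class IsInteger:            # if (isInteger(var))
    var: str

@dataclass
class Sink:                 # db.execute(...) or a page render; ends the path
    name: str

@dataclass
class Branch:
    cond: object            # Equals or IsInteger
    then: list
    other: list = field(default_factory=list)

@dataclass
class Interface:
    params: Dict[str, Tuple[str, List[str]]]   # name -> (domain, relevant values)
    sinks: List[str]

# Hand-encoded control flow of service() from the page's example (constructed).
SERVLET = [
    Read("action", "userAction"),
    Branch(Equals("action", "createLogin"),
           [Read("password", "password"), Read("loginName", "login"),
            Branch(IsInteger("password"),
                   [Sink("insert into UserTable"), Sink("displayAddressForm")],
                   [Sink("displayErrorPage")])],
           [Branch(Equals("action", "provideAddress"),
                   [Read("loginName", "login"), Read("address", "address"),
                    Sink("update UserTable")],
                   [Sink("displayCreateLoginForm")])]),
]

def enumerate_paths(stmts, env=None, params=(), ints=(), sinks=(), vals=None):
    """Phases 1-2: yield (params read, params proven Integer, sinks reached,
    literals each param is compared against) for every root-to-leaf path."""
    env = dict(env or {})                      # local variable -> parameter name
    params, ints, sinks = set(params), set(ints), list(sinks)
    vals = {k: set(v) for k, v in (vals or {}).items()}
    for i, s in enumerate(stmts):
        if isinstance(s, Read):
            env[s.var] = s.param
            params.add(s.param)
        elif isinstance(s, Sink):
            sinks.append(s.name)
        elif isinstance(s, Branch):
            rest = stmts[i + 1:]               # code after if/else runs on both paths
            then_ints = set(ints)
            if isinstance(s.cond, IsInteger):
                then_ints.add(env[s.cond.var])   # domain refined on the true path
            else:                                # Equals: record the literal
                vals.setdefault(env[s.cond.var], set()).add(s.cond.literal)
            yield from enumerate_paths(s.then + rest, env, params, then_ints, sinks, vals)
            yield from enumerate_paths(s.other + rest, env, params, ints, sinks, vals)
            return
    yield frozenset(params), frozenset(ints), tuple(sinks), vals

def extract_interfaces(stmts) -> List[Interface]:
    """Phase 3: one interface per distinct parameter set.  Integer refinements
    and sinks are merged per interface; relevant values are program-wide."""
    paths = list(enumerate_paths(stmts))
    values: Dict[str, set] = {}
    for _, _, _, v in paths:
        for p, lits in v.items():
            values.setdefault(p, set()).update(lits)
    groups: Dict[FrozenSet[str], Tuple[set, set]] = {}
    for ps, ints, sinks, _ in paths:
        g = groups.setdefault(ps, (set(), set()))
        g[0].update(ints)
        g[1].update(sinks)
    return [Interface({p: ("Integer" if p in ints else "String",
                           sorted(values.get(p, ()))) for p in sorted(ps)},
                      sorted(sinks))
            for ps, (ints, sinks) in groups.items()]

def attack_requests(iface: Interface, target: str, attack: str) -> List[dict]:
    """Attack generation: put the attack string in `target` and give every other
    parameter a value that satisfies its domain, one request per relevant value
    so the attack reaches the sink whichever branch the server takes."""
    choices = []
    for p, (domain, values) in iface.params.items():
        if p == target:
            continue
        if values:
            choices.append([(p, v) for v in values])
        else:   # filler values are an assumption of this example
            choices.append([(p, "1234" if domain == "Integer" else "test")])
    return [dict(combo, **{target: attack}) for combo in itertools.product(*choices)]

if __name__ == "__main__":
    ifaces = extract_interfaces(SERVLET)
    print(attack_requests(ifaces[0], "login", "GJ' ; drop table UserTable -- "))
```

Run as a script it prints the two requests generated for interface 1 with the attack string in login: one with userAction=createLogin and password=1234 (the one that reaches the insert) and one with userAction=provideAddress. A path-sensitive grouping, which knows that interface 1 is only reached through createLogin, would drop the second request; the program-wide collection used here matches the page's summary table instead.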
3) Response Analysis with WASP

Response analysis:
  1. Send the attack to the web application
  2. If WASP detects the attack:
     2.1 Block the attack
     2.2 Send an out-of-band signal
  3. Check for the signal on the client side

WASP:
  1. Positive tainting: identify and mark developer-trusted strings, and
     propagate the taint markings at runtime
  2. Syntax-aware evaluation: check that all keywords and operators in a
     query were formed using marked strings
3) WASP: Identify Trusted Data

In the example servlet the trusted data are the string literals written by the developer: the SQL fragments concatenated into the two db.execute calls ("insert into UserTable ", "(login, password) values (", "update UserTable set", " address ='", and the rest). They are marked when the servlet runs. The values returned by req.getParameter (userAction, password, login, address) come from the request and carry no marking, so any query text they contribute is unmarked.
3) WASP: Syntax-Aware Evaluation

Legitimate query:
  Input: login = "GJ", address = "Home"

    update userTable set address = 'Home' where login = 'GJ'

  Every keyword (update, set, where) and operator (=) comes from a marked string; the query is allowed to execute.

Attempted SQL injection:
  Input: login = "GJ' ; drop table userTable -- ", address = "Home"

    update userTable set address = 'Home' where login = 'GJ' ; drop table userTable -- '

  The ';', the keywords drop and table, and the '--' comment marker all come from the unmarked login value; the check fails and WASP blocks the query.
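The two WASP checks described above, positive tainting and syntax-aware evaluation, as an added Python example that is not WASP's own code. Trust marks are kept per character and carried through concatenation; the finished query is tokenized and every SQL keyword, operator, comment and string-literal delimiter must consist entirely of marked characters (treating comment markers and quote delimiters as operators is a choice of this example). The handler at the end shows the response-analysis hook from the previous slide: a blocked query is not executed and the response carries an out-of-band signal, here a hypothetical X-Attack-Detected field, that the tester's client can check for. The queries are the ones on this slide, built from the servlet's literals.

```python
"""Positive tainting and syntax-aware evaluation, simplified.  Added example,
not WASP's own code: trust marks are kept per character, carried through
concatenation, and checked token by token on the finished query."""
import re
from typing import List, Tuple

class TStr:
    """A string carrying one trust mark per character."""
    def __init__(self, text: str, marks: List[bool]):
        assert len(text) == len(marks)
        self.text, self.marks = text, marks

    def __add__(self, other: "TStr") -> "TStr":   # concatenation propagates marks
        return TStr(self.text + other.text, self.marks + other.marks)

def trusted(s: str) -> TStr:      # string literal written by the developer
    return TStr(s, [True] * len(s))

def untrusted(s: str) -> TStr:    # value taken from the HTTP request
    return TStr(s, [False] * len(s))

KEYWORDS = {"select", "insert", "update", "delete", "drop", "create", "alter",
            "into", "values", "set", "where", "from", "table", "and", "or",
            "union", "not", "like", "exec"}

# Comments and string delimiters are treated as syntax, like operators
# (a choice of this example).
TOKEN_RE = re.compile(r"""
    (?P<comment>--[^\n]*) |
    (?P<string>'(?:[^']|'')*') |
    (?P<word>[A-Za-z_][A-Za-z0-9_]*) |
    (?P<number>\d+) |
    (?P<op><=|>=|<>|!=|[;=,()<>*+\-/'%]) |
    (?P<ws>\s+) |
    (?P<other>.)
""", re.VERBOSE | re.DOTALL)

def evaluate(q: TStr) -> Tuple[bool, List[str]]:
    """Syntax-aware evaluation: return (accepted, offending tokens).  Every
    keyword, operator, comment and string delimiter must be fully trusted;
    identifiers, numbers and string-literal bodies may come from input."""
    bad = []
    for m in TOKEN_RE.finditer(q.text):
        kind, text = m.lastgroup, m.group()
        marks = q.marks[m.start():m.end()]
        if kind in ("number", "ws") or (kind == "word" and text.lower() not in KEYWORDS):
            continue
        if kind == "string":
            if not (marks[0] and marks[-1]):       # only the delimiters are syntax
                bad.append(text)
        elif not all(marks):                       # keyword, operator, comment, other
            bad.append(text)
    return (not bad), bad

def build_update(address: str, login: str) -> TStr:
    """The slide's provideAddress query: literals trusted, parameters not."""
    return (trusted("update userTable set address = '") + untrusted(address)
            + trusted("' where login = '") + untrusted(login) + trusted("'"))

def handle(address: str, login: str) -> dict:
    """Response-analysis hook: a blocked query is not executed and the response
    carries an out-of-band signal (hypothetical field name) for the tester."""
    ok, bad = evaluate(build_update(address, login))
    if ok:
        return {"executed": True}
    return {"executed": False, "X-Attack-Detected": " ".join(bad)}

if __name__ == "__main__":
    print(evaluate(build_update("Home", "GJ")))
    print(evaluate(build_update("Home", "GJ' ; drop table userTable -- ")))
```

For the legitimate input the evaluation returns (True, []). For the injected login value it rejects the query and lists the offending tokens in order: the 'GJ' literal whose closing quote came from the request, then ;, drop, table and the -- comment. The identifier userTable is not flagged even though the attacker supplied it, which is the point of checking syntax rather than data.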
        Empirical Evaluation

Goal:
 Evaluate the usefulness of our approach as
 compared to a traditional penetration testing
 approach.


Research Questions (RQ):
  1. Runtime of analysis
  2. Thoroughness of the penetration testing
  3. Number of vulnerabilities discovered

Implementation: Baseline Approach

SQLMap++: SQLMap integrated with the OWASP WebScarab spider

• Information gathering → OWASP WebScarab
  • Widely used code base
  • Actively maintained
• Attack generation → SQLMap
  • Widely used penetration testing tool
  • Commonly used attack generation heuristics
• Response analysis → WASP [FSE 2006]
Implementation: Our Approach

SDAPT: Static and Dynamic Analysis-based Penetration Testing

• Analyzes the bytecode of Java Enterprise Edition (JEE) web applications
• Interface analysis → WAM [FSE 2007]
• Attack generation → leverages SQLMap
• Response analysis → WASP [FSE 2006]
Subject Applications

Subject                LOC      Classes   Servlets
Bookstore              19,402    28        27
Checkers                5,415    59        32
Classifieds            10,702    18        18
Daffodil               18,706   119        70
Employee Directory      5,529    11         9
Events                  7,164    13        12
Filelister              8,671    41        10
Office Talk             4,670    63        39
Portal                 16,089    28        27
RQ1: Runtime

(Chart: analysis time in seconds, log scale from 1 to 10,000, for SQLMAP++ and SDAPT on each subject: Bookstore, Checkers, Classifieds, Daffodil, Empl. Dir, Events, Filelister, Officetalk, Portal.)

• SDAPT ranged from 8 to 40 minutes
• Positive note: testing was more thorough
RQ2: Thoroughness

(Chart: number of input vectors, 0 to 250, for SQLMAP++ and SDAPT on each subject: Bookstore, Checkers, Classifieds, Daffodil, Empl. Dir, Events, Filelister, Officetalk, Portal.)

(Chart: number of components, 0 to 50, for SQLMAP++ and SDAPT on the same subjects.)
RQ3: Number of Vulnerabilities

(Chart: number of discovered vulnerabilities, 0 to 18, for SQLMAP++, SDAPT and SQLMAP++NORA on each subject: Bookstore, Checkers, Classifieds, Daffodil, Empl. Dir., Events, Filelister, Officetalk, Portal.)

• Average increase: 246%
        Summary of Results


• Improvements to penetration testing
  • Information gathering with static analysis
  • Response analysis with dynamic detection
• Relatively longer analysis time
• More thorough and more vulnerabilities
  discovered during penetration testing

								
To top