essence

Document Sample
essence Powered By Docstoc
					The Essence of
Command Injection Attacks
in Web Applications
Zhendong Su and Gary Wassermann

Present by Alon Kremer
April 2011
Outline

    Command injection attacks in
        web application


                            Formal Definition of
   Formal definition of
                            command injection
     web application
                                 attack



               An algorithm to prevent
                    those attacks



                             01:27                 2
Attacking the Web Application
   Web application:
    ◦ takes input strings from the user and interprets it.
    ◦ Interacts with back-end database.
    ◦ Retrieve data and dynamically generates new
      content.
    ◦ Presents the output to the user.

   The threat – Command Injection Attack:
    ◦ Unexpected input may cause problems.

                               01:27                     3
    Web Application Architecture

       Application generates query based on user input




                        Application


Web browser                                        Database
                                  01:27                   4
   SQLCIAs - Example

String query = “SELECT cardnum FROM accounts
     WHERE username = „” + strUName +
     “‟ AND cardtype = ” + strCType + “;”;


     Expected input:
     SELECT cardnum FROM accounts
           WHERE username = „John‟
           AND cardtype = 2;


      Result: Returns John’s saved credit card number.

                                01:27                    5
   SQLCIAs - Example

String query = “SELECT cardnum FROM accounts
     WHERE username = „” + strUName +
     “‟ AND cardtype = ” + strCType + “;”;


     Malicious input:
     SELECT cardnum FROM accounts
                  (
            WHERE username = „John‟
                                ) (
            AND cardtype = 2 OR 1 = 1;      )
      Result: Returns all saved credit card numbers.

                                01:27                  6
     Web Application – Formally
       A function from n-tuples of input strings to queries
        strings.
       It doesn‟t check changes in the query structure or
        gives information about the source of the strings.




h “John”, “2” i           “SELECT cardnum FROM ccards WHERE
                          name = „John‟ AND cardtype = 2”


                                  01:27                        7
Quick Overview
 Many web applications are vulnerable and lots of
  private records can be exposed in 1 attack.
 Ways to regulate user inputs
    ◦   Filter out “bad” strings. („O‟brian‟ ?)
    ◦   Escape quotes. ( 2 OR 1=1 ?)
    ◦   Limiting input‟s length.
    ◦   Regular expression, etc.
   The cause of problems is that the input changes the
    syntactic structure of whole query.

                                      01:27           8
SQLCIAs – Informally




                 01:27   9
SQLCIAs – Informally
 SQLCIA – modifies syntactic structure of
  a query.
 Our goal is to track user inputs with
  metadata: m and n so the input is
  syntactically confined in the augmented
  query.
 Modify SQL grammar to include metadata:
             nonterm ::= m symbol n
   Attempt to parse augmented query
    ◦ Fails ) block; Succeeds ) allow.
                              01:27          10
    Valid Syntactic Forms
     Given G = {V, , S, P}, choose policy of input
      we want to allow U µ V [ 
     VSF idea is that the parse tree has a node in U
      which has an input substring as descendants.


b_term ::= b_term AND cond
cond ::= val comp val                             3 < x
val ::= num | id             U = { cond }
comp ::= < | > | =
…                                               2 OR 1 = 1


                                        01:27                11
SQLCIAs – Formally
Query q is a SQLCIA if
◦ q has a parse tree Tq .
◦ For some filter f and
  some input i:
◦ f(i) is a substring in q and
  is not a VSF in Tq .




                                 01:27   12
Augmented Query
 Our goal is to track and identify the user
  input inside the query (in the parse tree).
 By augmenting the input to mikn we can
  determine which substrings of the
  constructed query come from the input.
 A query qa is an augmented query if it
  was generated from augmented input.
   qa =W(mi1n,…,minn)

                         01:27                  13
Augmented Grammar
 Given: G = {V, , S, P} and U µ  [ V
 An augmented query qa is in L(Ga) iff
    ◦ q is in L(G), and
    ◦ for each substring S that separates a pair of matching m,n,
      if the meta-characters are removed then S is VSF.

   Ga = {V [ {ua | u 2 U}, [ {m,n}, S, Pa}
    ua : fresh non-terminal
    Pa = {v ! rhsa | v ! rhs 2 P}
        [ {ua ! u | u 2 U} [ {ua ! mun | u 2 U}
                                   01:27                            14
  Augmented Grammar
      {v ! rhsa | v ! rhs 2 P} construct production
       rules that all “Right Hand Side” occurrences
       of u 2 U are replaced with ua

      Example:

                                                S ::= baCDa
    S ::= bCD                                   ba ::= mbn | b
    C ::= c                                     C ::= c
P = D ::= d | dd   U = { b, D }           P a =
                                                Da ::= mDn | D
                                                D ::= d | dd


                                  01:27                          15
   Theorem

               For all i1,…,in,
           W(mi1n,…,minn) = qa 2 L(Ga)
                       iff
W(i1,…,in) = q 2 L(G) and q is not an SQLCIA.




                           01:27                16
Implementation
 Meta Characters- two random four letters
  strings, except dictionary words.
  Total of 264  72, 421  384,555
 Most user inputs are dictionary words,
  passwords with numbers or other then 4
  letters, so the probability for using the meta-
  characters is  0.000052
 The policy U is defined in terms of which non
  terminals in SQL grammar are permitted to be
  at the root of VSF.
                         01:27                 17
Implementation
   G

  SQL
                               G‟
grammar
                 augment    Augmented        Parser
   U                                                      SQLCheck
                           SQL grammar      Generator
 Policy
                 •use …
                      randomly generated strings
                      bool ::= terma
                                       bool                    bool
                      terma ::= term                  terma
                                           terma
                               | mtermn
                       SQLCheck returns q if qa 2 L(Ga)
                      term
                          m ::= faca
                             n
                      faca ::= fac          term       term
                               | mfacn m n
                      …                      faca       faca
                                                  Database
         Web
       Browser                                                 fac
                             Application        fac
                                            m         n    m          n
                                    01:27                             18
Test Subjects
Subject              Description                         LOC         Query    Query
                                                                     Checks   Sites
                                                     PHP     JSP     Added
Employee Directory   Online employee directory       2,801   3,114     5       16

Events               Event tracking system           2,819   3,894     7       20

Classifieds          Online management system        5,540   5,819    10       41
                     for classifieds
Portal               Portal for a club               8,745   8,870    13       42

Bookstore            Online bookstore                9,224   9,649    18       56


• Two languages (PHP & JSP):
    – Most techniques require a language-specific
      front-end; ours does not
                                             01:27                                  19
      Evaluation
Language   Subject                                Queries                           Timing (ms)
                                   Legitimate                     Attacks          Mean    Std Dev
                                (Attempted / Allowed)    (Attempted / Prevented)

           Employee Directory       660 / 660                   3937 / 3937        3.230    2.080
           Events                   900 / 900                   3605 / 3605        2.613    0.961
PHP        Classifieds              576 / 576                   3724 / 3724        2.478    1.049
           Portal                 1080 / 1080                   3685 / 3685        3.788    3.233
           Bookstore                608 / 608                   3473 / 3473        2.806    1.625
           Employee Directory       660 / 660                   3937 / 3937        3.186    0.652
           Events                   900 / 900                   3605 / 3605        3.368    0.710
JSP        Classifieds              576 / 576                   3724 / 3724        3.134    0.548
           Portal                 1080 / 1080                   3685 / 3685        3.063    0.441
           Bookstore                608 / 608                   3473 / 3473        2.897    0.257


                                                            RTT over internet: ~80-100ms

                                                        01:27                                        20
Conclusions
   Formal definition of SQLCIAs and an
    algorithm to prevent them by syntactically
    constrain substrings from user input.

   SqlCheck intercepts all queries and check
    their syntactic form.

   Suitable for different languages and web
    interfaces.

                           01:27                 21
Future Work
   Experiment with more real-world online
    web applications and more sophisticated
    testing techniques. (input place holder).
   Apply to XSS, Xpath injection, etc.




                              01:27             22
A few thoughts about the article
 The formal definition of the web
  application and the SQLCIA referred to
  the most common and basic properties.
 The algorithm was simple and elegant.
  This solution suits for all web apps even
  in different programming languages.
 Easy to control the input policy.
 The evaluation was not tested versus
  attackers attempting to defeat this
  particular mechanism.  01:27                23

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:7
posted:7/23/2011
language:English
pages:23