Slide 1 - University of Illinois at Chicago

Document Sample

```					NoTamper: Automatic Blackbox Detection
of Parameter Tampering Opportunities
In Web Applications

Prithvi Bisht (http://cs.uic.edu/~pbisht)+

Timothy Hinrichs*, Nazari Skrupsky+,
Radoslaw Bobrowicz+, V.N. Venkatakrishnan+

+: University of Illinois, Chicago
* : University of Chicago, Chicago
Background: User Input Validation

• Web applications need to
• Validate user supplied input
• Reject invalid input

Examples:
• “Credit card number is exactly16 digits”
• “Expiration date of Jan 2009 is not valid”

• Validation traditionally done at server: round-trip, load

• Popular trend: Client-side validation through JavaScript
Client Side Validation using JavaScript

onSubmit=
validateCard();
validateQuantities();

Validation Pass?

Yes           No

send inputs    reject
to             inputs
server
Problem: Client is Untrusted Environment

• Validation can be
bypassed

• Previously rejected
values, sent to server
• Invalid quantity: -4

• Ideally: Re-validate
at server-side and
reject
• If not, security risks
Example: Bypassed Validation Security Risks

   Client validation:
   Field: quantity                quantity = 1, price = 100
“reject negative values”        cost = cost + 100

   quantity= -1, price = 100
   Server-side code:
cost = cost - 100
cost = cost + price * quantity

   How to automatically find such inputs in a
blackbox fashion?
Intuition
   Automatically generate two sets of inputs
   Valid inputs      quantity = 1
   Invalid inputs    quantity = -1

   Done through client code analysis
If ( quantity ≥ 0 )             quantity = 1
submit to application     (valid input)
else
reject, ask to re-enter   quantity= -1
(invalid input)

   How does the server-side code respond
   Heuristically determine if server rejects invalid inputs
   Server rejects: quantity = -1
NoTamper Architecture and Outline
hints

Formula            Input             Opportunity
Extractor          Generator         Detector                      opportunities

Web                                                                 External
Page                                                                analysis
Solve constraints                                       exploits
Logical formula for      Benign inputs
client side validation                         Compare responses for
e.g., quantity = 0    benign and hostile inputs
Fclient: quantity ≥ 0
Hostile inputs
e.g., quantity = -1

Outline
1. Formula extraction from client code
2. Input generation
3. Opportunity detection
4. Evaluation
5. Conclusion
Formula Extraction from Client Code
   HTML and JavaScript both restrict inputs
Drop down menu: select one of these

card == 1234…
OR
card == 7890…

   HTML form controls               Constraint
   Drop down menu:          value IN (value_1, …, value_n)
tags
   Radio/Checkboxes:        value IN (value_1,…, value_n)
   Hidden attribute:        value = constant
   Readonly attribute:      value = constant           attributes
   Maxlength attribute:     length(value) ≤ constant
Formula Extraction from Client Code (cont…)
   Event driven JavaScript validation
f2
f1                           fn
onChange
onSubmit                                                     Valid: all
Valid: none                                 Invalid: none
Invalid: all fk                   fm
Valid: field1             (form submitted)
Invalid: rest
   State machine
   Start: no fields validated, end: all validation passed
   Transitions w/ validation functions: f1, f2, … fn
   Over-approximation: All function executed: f1          f2               …fn

   Execute functions symbolically
   conditions when all functions accept inputs
Formula Extraction from Client Code (cont…)
   Program condition when validation succeeds
if (quantity ≥ 0)
return true;        constraint: quantity ≥ 0
else
return false;

   JavaScript interaction w/ Document Object Model
   Reading form fields (e.g., getElementById)
   Enable/disable form fields (e.g., disabled property)

   At the end of symbolic execution
Fclient = (path conditions) AND (constraints of enabled fields)
Outline

1. Formula extraction from client code

2. Input generation

3. Opportunity detection

4. Evaluation

5. Conclusion
Input Generation
   Benign inputs
   Pass client side validation
   Satisfy Fclient

Example: Fclient: quantity ≥ 0
Constraint solving
quantity = 1

   Satisfying values determined with type information
   Collected while analyzing HTML/JavaScript
   quantity:        -? [0-9]*
Input Generation (cont…)
   Hostile inputs
 Bypass client side validation
 Satisfy NOT (Fclient)
Example: NOT ( quantity ≥ 0 )                 quantity = -1

   Supplying required variables
   Example:
NOT (quantity ≥ 0)     U   NOT (gift-note in [a-z]*)

quantity = -1            gift-note = “-”
   Field value mandated by JavaScript
   Heuristics: special markers like * in the field description
Outline

1. Formula extraction from client code

2. Input generation

3. Opportunity detection

4. Evaluation

5. Conclusion
Opportunity Detection

Rejected                   Response
inputs                     for hostile inputs

Different
structures
Response
for hostile inputs
Similar          Exploit
Accepted                       structures       opportunity
inputs
Response
for Benign inputs
Opportunity Detection (contd…)
   Compare responses to benign and hostile inputs
   But noise: user name, address, time, online users, …

a1
a2             Remove
B1 a3             differences       ---
a2    C1
Difference rank =
a3
B2 b1
a2
a3          h1                                Edit Distance (C1,C2)
H1 a2
a3                   ---
a2    C2
B1 a1                   a3
a2
a3
Low rank  opportunity
Outline

1. Formula extraction from client code

2. Input generation

3. Opportunity detection

4. Evaluation

5. Conclusion
Applications
Application        LOC     Constraints source   Use
SMF                97K     HTML+JavaScript      Forum
Ezybiz             186K    HTML+JavaScript      Busn Mgt
OpenDB             92K     HTML+JavaScript      Inventory
8
MyBloggie          9K      HTML+JavaScript      Blog
open
B2evolution        167K    HTML                 Blog
source
PhpNuke            228K    HTML+JavaScript      Content Mgt
OpenIT             114K    HTML+JavaScript      Support
LegalCase          58K     HTML                 Inventory
smi-online.co.uk   ---     HTML                 Conference
5      wiley.com          ---     HTML+JavaScript      Library
live     garena.com         ---     HTML                 Gaming
sites    selfreliance.com   ---     HTML                 Banking
codemicro.com      ---     HTML+JavaScript      Shopping
Applications (cont…)
Application        For   Hostile   Opport    Confi
ms    Inputs    unities   rmed
SMF                5     56        42        √
Ezybiz             3     37        35        √
OpenDB             1     10        8         √
MyBloggie          1     8         8         √
B2evolution        1     25        21
PhpNuke            1     6         5         √
OpenIT             3     28        27        √
LegalCase          2     13        9         √
Hostile and benign
smi-online.co.uk   1     23        4
responses separated by an
wiley.com          1     15        4
order of magnitude
garena.com         1     4         4
selfreliance.com   1     5         1         √       Opportunities: 169
codemicro.com      1     6         1         √       Examined: 50
Confirmed exploits: 9/13
applications
SelfReliance.com: Online banking

Client-side constraints:
1. from IN (Accnt1, Accnt2)
2. to IN (Accnt1, Accnt2)

Server-side code:
transfer money from  to

   Vulnerability: from/to – arbitrary accounts
   Exploit: Unauthorized money transfers
   Transfer money from unrelated accounts
   Account number hardly a secret e.g., checks contain them

   Status: fixed within 24 hours
   ESP solution (espsolution.net) s/w provider patched s/w for other clients
CodeMicro.com : Shopping
Client-side constraints:
1. quantity1 ≥ 0
2. quantity2 ≥ 0

Server-side code:
total = quantity1 * price1 + quantity2 * price2

   Vulnerability: quantities can be negative
   Exploit: Unlimited shopping rebates
   Two items in cart: price1 = 100\$, price2 = 500\$
   quantity1 = -4, quantity2 = 1, total = 100\$ (rebate of 400\$ on price2)

   Status: fixed within 24 hours
OpenIT: Support
Client-side constraints:
Hidden                            1. userId == 1 (hidden field)
Field

Server-side code:
Update profile with id 1, with new details

   Vulnerability: update arbitrary account
   Exploit: Privilege escalation
   Inject a Cross-site scripting (XSS) payload in admin account
   Cookies stolen every time admin logged in.

   Status: open
Outline

1. Formula extraction from client code

2. Input generation

3. Opportunity detection

4. Evaluation

5. Conclusion
Conclusion

   Framework to identify parameter tampering
opportunities
   Used client-side restrictions to aid hostile input generation
   Several serious problems in open source / commercial
applications

   Significant gap:
validation that should happen and that does happen

Thanks and Questions
Backup
False positives

• maxlength constraints   : 31
• Mutated inputs          : 12
Split of HTML, JavaScript and Hidden Field
Constraints

• HTML constraints          : 110/169   (65%)
• JavaScript constraints : 20/169       (12%)
• Hidden fields constraints : 39/169    (23%)
Manual intervention

• Unique variables            : 3
• (SMF: 2, phpNuke: 1)

• Session id/cookies          : all except phpNuke

• Required variables          : 12
• (SMF: 5, phpNuke: 4, B2Evolution: 1, Garena.com: 2)

• Typically 5 minutes per form
• Bounded by the number of fields
Limitations
   Unsound
   False positive: application mutates invalid inputs e.g., truncate
   12 such instances in our experiments

   False positive: similar responses for failure/success

   Incomplete
   JavaScript over-approximation
   Mutually exclusive events may cause Fclient – false

   JavaScript unhandled features
   document.write/eval

   constraints not checked at client
   Fclient = true
Some related work
   Input validation
   Prevent affect of invalid inputs: Su et al. POPL’06, Bandhakavi et al. CCS’07,
Saxena et al.NDSS’09, Van Gundy M et al. Oakland’09, Ter-louw et al. Oakland’09
   Find insufficient validation: Livshits et al. Usenix’05, Balzarotti et al. CCS’07,
Balzarotti et al. Oakland’08, …

   Vulnerability analysis
   JavaScript analysis based client side attacks: Saxena et al. Oakland’10

   Fuzzing/directed testing
   Benign/Hostile input generation:         Godefroid et al. SIGPLAN’05, Godefroid et al.
NDSS’08, Saxena et al. NDSS’10, …

   Prevention techniques
   Sandbox/restrict client code: Grier et al. Oakland’08, Reis et al. EuroSys’09, Wang
et al. Usenix’09, Vikram et al. Oakland’09, Chong et al. CCS’09, …

```
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
 views: 1 posted: 10/6/2011 language: English pages: 30