Docstoc

Slide 1 - University of Illinois at Chicago

Document Sample
Slide 1 - University of Illinois at Chicago Powered By Docstoc
					NoTamper: Automatic Blackbox Detection
 of Parameter Tampering Opportunities
          In Web Applications


        Prithvi Bisht (http://cs.uic.edu/~pbisht)+

         Timothy Hinrichs*, Nazari Skrupsky+,
      Radoslaw Bobrowicz+, V.N. Venkatakrishnan+

            +: University of Illinois, Chicago
           * : University of Chicago, Chicago
        Background: User Input Validation




• Web applications need to
  • Validate user supplied input
  • Reject invalid input

Examples:
 • “Credit card number is exactly16 digits”
 • “Expiration date of Jan 2009 is not valid”

• Validation traditionally done at server: round-trip, load

• Popular trend: Client-side validation through JavaScript
Client Side Validation using JavaScript

                            onSubmit=
                               validateCard();
                               validateQuantities();


                              Validation Pass?

                             Yes           No


                         send inputs    reject
                         to             inputs
                         server
Problem: Client is Untrusted Environment

                          • Validation can be
                          bypassed

                          • Previously rejected
                          values, sent to server
                           • Invalid quantity: -4

                          • Ideally: Re-validate
                          at server-side and
                          reject
                           • If not, security risks
    Example: Bypassed Validation Security Risks

   Client validation:
        Field: quantity                quantity = 1, price = 100
         “reject negative values”        cost = cost + 100

                                        quantity= -1, price = 100
   Server-side code:
                                         cost = cost - 100
    cost = cost + price * quantity




   How to automatically find such inputs in a
    blackbox fashion?
                               Intuition
   Automatically generate two sets of inputs
       Valid inputs      quantity = 1
       Invalid inputs    quantity = -1

       Done through client code analysis
        If ( quantity ≥ 0 )             quantity = 1
              submit to application     (valid input)
        else
              reject, ask to re-enter   quantity= -1
                                        (invalid input)

   How does the server-side code respond
       Heuristically determine if server rejects invalid inputs
       Server rejects: quantity = -1
                NoTamper Architecture and Outline
                           hints


            Formula            Input             Opportunity
            Extractor          Generator         Detector                      opportunities

Web                                                                 External
Page                                                                analysis
                           Solve constraints                                       exploits
  Logical formula for      Benign inputs
  client side validation                         Compare responses for
                           e.g., quantity = 0    benign and hostile inputs
  Fclient: quantity ≥ 0
                           Hostile inputs
                           e.g., quantity = -1

  Outline
  1. Formula extraction from client code
  2. Input generation
  3. Opportunity detection
  4. Evaluation
  5. Conclusion
          Formula Extraction from Client Code
   HTML and JavaScript both restrict inputs
                               Drop down menu: select one of these

                               card == 1234…
                               OR
                               card == 7890…

   HTML form controls               Constraint
       Drop down menu:          value IN (value_1, …, value_n)
                                                                  tags
       Radio/Checkboxes:        value IN (value_1,…, value_n)
       Hidden attribute:        value = constant
       Readonly attribute:      value = constant           attributes
       Maxlength attribute:     length(value) ≤ constant
    Formula Extraction from Client Code (cont…)
   Event driven JavaScript validation
                                                     f2
                                       f1                           fn
               onChange
            onSubmit                                                     Valid: all
                             Valid: none                                 Invalid: none
                             Invalid: all fk                   fm
                                               Valid: field1             (form submitted)
                                               Invalid: rest
   State machine
       Start: no fields validated, end: all validation passed
       Transitions w/ validation functions: f1, f2, … fn
       Over-approximation: All function executed: f1          f2               …fn

   Execute functions symbolically
       conditions when all functions accept inputs
     Formula Extraction from Client Code (cont…)
   Program condition when validation succeeds
           if (quantity ≥ 0)
                return true;        constraint: quantity ≥ 0
           else
                return false;


   JavaScript interaction w/ Document Object Model
       Reading form fields (e.g., getElementById)
       Enable/disable form fields (e.g., disabled property)


   At the end of symbolic execution
    Fclient = (path conditions) AND (constraints of enabled fields)
                        Outline

1. Formula extraction from client code

2. Input generation

3. Opportunity detection

4. Evaluation

5. Conclusion
                        Input Generation
   Benign inputs
       Pass client side validation
       Satisfy Fclient

    Example: Fclient: quantity ≥ 0
                                         Constraint solving
                      quantity = 1


   Satisfying values determined with type information
       Collected while analyzing HTML/JavaScript
       quantity:        -? [0-9]*
                   Input Generation (cont…)
   Hostile inputs
     Bypass client side validation
     Satisfy NOT (Fclient)
    Example: NOT ( quantity ≥ 0 )                 quantity = -1


   Supplying required variables
       Example:
             NOT (quantity ≥ 0)     U   NOT (gift-note in [a-z]*)


               quantity = -1            gift-note = “-”
               gift-note = “abc”
       Field value mandated by JavaScript
       Heuristics: special markers like * in the field description
                        Outline

1. Formula extraction from client code

2. Input generation

3. Opportunity detection

4. Evaluation

5. Conclusion
       Opportunity Detection



Rejected                   Response
inputs                     for hostile inputs

              Different
              structures
                           Response
                           for hostile inputs
                               Similar          Exploit
Accepted                       structures       opportunity
inputs
                            Response
                            for Benign inputs
              Opportunity Detection (contd…)
    Compare responses to benign and hostile inputs
        But noise: user name, address, time, online users, …

   a1
   a2             Remove
B1 a3             differences       ---
                                    a2    C1
                                                 Difference rank =
                                    a3
B2 b1
   a2
   a3          h1                                Edit Distance (C1,C2)
            H1 a2
               a3                   ---
                                    a2    C2
            B1 a1                   a3
               a2
               a3
                                          Low rank  opportunity
                        Outline

1. Formula extraction from client code

2. Input generation

3. Opportunity detection

4. Evaluation

5. Conclusion
                                  Applications
         Application        LOC     Constraints source   Use
         SMF                97K     HTML+JavaScript      Forum
         Ezybiz             186K    HTML+JavaScript      Busn Mgt
         OpenDB             92K     HTML+JavaScript      Inventory
 8
         MyBloggie          9K      HTML+JavaScript      Blog
open
         B2evolution        167K    HTML                 Blog
source
         PhpNuke            228K    HTML+JavaScript      Content Mgt
         OpenIT             114K    HTML+JavaScript      Support
         LegalCase          58K     HTML                 Inventory
         smi-online.co.uk   ---     HTML                 Conference
  5      wiley.com          ---     HTML+JavaScript      Library
live     garena.com         ---     HTML                 Gaming
sites    selfreliance.com   ---     HTML                 Banking
         codemicro.com      ---     HTML+JavaScript      Shopping
                             Applications (cont…)
Application        For   Hostile   Opport    Confi
                   ms    Inputs    unities   rmed
SMF                5     56        42        √
Ezybiz             3     37        35        √
OpenDB             1     10        8         √
MyBloggie          1     8         8         √
B2evolution        1     25        21
PhpNuke            1     6         5         √
OpenIT             3     28        27        √
LegalCase          2     13        9         √
                                                     Hostile and benign
smi-online.co.uk   1     23        4
                                                     responses separated by an
wiley.com          1     15        4
                                                     order of magnitude
garena.com         1     4         4
selfreliance.com   1     5         1         √       Opportunities: 169
codemicro.com      1     6         1         √       Examined: 50
                                                     Confirmed exploits: 9/13
                                                     applications
              SelfReliance.com: Online banking

                                           Client-side constraints:
                                           1. from IN (Accnt1, Accnt2)
                                           2. to IN (Accnt1, Accnt2)

                                           Server-side code:
                                              transfer money from  to

   Vulnerability: from/to – arbitrary accounts
   Exploit: Unauthorized money transfers
        Transfer money from unrelated accounts
        Account number hardly a secret e.g., checks contain them


   Status: fixed within 24 hours
        ESP solution (espsolution.net) s/w provider patched s/w for other clients
                    CodeMicro.com : Shopping
                                Client-side constraints:
                                1. quantity1 ≥ 0
                                2. quantity2 ≥ 0

                                Server-side code:
                                total = quantity1 * price1 + quantity2 * price2


   Vulnerability: quantities can be negative
   Exploit: Unlimited shopping rebates
        Two items in cart: price1 = 100$, price2 = 500$
        quantity1 = -4, quantity2 = 1, total = 100$ (rebate of 400$ on price2)


   Status: fixed within 24 hours
                              OpenIT: Support
                                  Client-side constraints:
Hidden                            1. userId == 1 (hidden field)
Field


                                  Server-side code:
                                  Update profile with id 1, with new details


     Vulnerability: update arbitrary account
     Exploit: Privilege escalation
          Inject a Cross-site scripting (XSS) payload in admin account
          Cookies stolen every time admin logged in.


     Status: open
                        Outline

1. Formula extraction from client code

2. Input generation

3. Opportunity detection

4. Evaluation

5. Conclusion
                            Conclusion

   Framework to identify parameter tampering
    opportunities
       Used client-side restrictions to aid hostile input generation
       Several serious problems in open source / commercial
        applications

       Significant gap:
        validation that should happen and that does happen




              Thanks and Questions
Backup
                   False positives




• maxlength constraints   : 31
• Mutated inputs          : 12
   Split of HTML, JavaScript and Hidden Field
                   Constraints




• HTML constraints          : 110/169   (65%)
• JavaScript constraints : 20/169       (12%)
• Hidden fields constraints : 39/169    (23%)
                 Manual intervention


• Unique variables            : 3
 • (SMF: 2, phpNuke: 1)

• Session id/cookies          : all except phpNuke

• Required variables          : 12
 • (SMF: 5, phpNuke: 4, B2Evolution: 1, Garena.com: 2)


• Typically 5 minutes per form
• Bounded by the number of fields
                                           Limitations
   Unsound
        False positive: application mutates invalid inputs e.g., truncate
              12 such instances in our experiments


        False positive: similar responses for failure/success

   Incomplete
        JavaScript over-approximation
              Mutually exclusive events may cause Fclient – false


        JavaScript unhandled features
              document.write/eval


        constraints not checked at client
              Fclient = true
                               Some related work
   Input validation
        Prevent affect of invalid inputs: Su et al. POPL’06, Bandhakavi et al. CCS’07,
         Saxena et al.NDSS’09, Van Gundy M et al. Oakland’09, Ter-louw et al. Oakland’09
        Find insufficient validation: Livshits et al. Usenix’05, Balzarotti et al. CCS’07,
         Balzarotti et al. Oakland’08, …



   Vulnerability analysis
        JavaScript analysis based client side attacks: Saxena et al. Oakland’10


   Fuzzing/directed testing
        Benign/Hostile input generation:         Godefroid et al. SIGPLAN’05, Godefroid et al.
         NDSS’08, Saxena et al. NDSS’10, …



   Prevention techniques
        Sandbox/restrict client code: Grier et al. Oakland’08, Reis et al. EuroSys’09, Wang
         et al. Usenix’09, Vikram et al. Oakland’09, Chong et al. CCS’09, …

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:1
posted:10/6/2011
language:English
pages:30