static detection of second order vulnerabilities in web
play

Static Detection of Second-Order Vulnerabilities in Web Applications - PowerPoint PPT Presentation

Jan 23, 2024 •163 likes •579 views

Static Detection of Second-Order Vulnerabilities in Web Applications Johannes Dahse and Thorsten Holz Ruhr-University Bochum USENIX Security 14, 20-22 August 2014, San Diego, CA, USA 1. Introduction 2. Implementation 3. Evaluation 4.

  1. Static Detection of Second-Order Vulnerabilities in Web Applications Johannes Dahse and Thorsten Holz Ruhr-University Bochum USENIX Security ’14, 20-22 August 2014, San Diego, CA, USA

  2. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion „First-Order“ Vulnerabilities ● SQL injection <?php $name = $_POST ['name']; // ', 1), (version(), 1)-- - $sql = “INSERT INTO users VALUES (' $name ', '$pwd')“; mysql_query ( $sql ); ?> send !“*$()&/'\ user input application 2

  3. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Sanitization ● SQL injection (prevented) <?php $name = mysql_real_escape_string ( $_POST ['name']); $sql = “INSERT INTO users VALUES (' $name ', '$pwd')“; mysql_query ( $sql ); ?> send !“*$()&/'\ user input application 3

  4. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Vulnerability (1) ● Database Write <?php $name = mysql_real_escape_string ( $_POST ['name']); $sql = “INSERT INTO users VALUES (' $name ', '$pwd')“; mysql_query ( $sql ); ?> send write user input database application 4

  5. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Vulnerability (2) ● Database Read <?php $result = mysql_query ('SELECT * FROM users'); $row = mysql_fetch_assoc ( $result ); echo $row ['name']; ?> send write read user input database application 5

  6. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Multi-Step Exploit (1) ● First-Order SQL injection <?php $name = $_POST ['name']; // ', 'payload')-- - $sql = “INSERT INTO users VALUES (' $name ', '$pwd')“; mysql_query ( $sql ); ?> send !“*$()&/'\ user input database application 6

  7. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Multi-Step Exploit (1) ● Exploit First-Order SQL injection <?php $name = $_POST ['name']; // ', 'payload')-- - $sql = “INSERT INTO users VALUES (' $name ', '$pwd')“; mysql_query ( $sql ); ?> send write user input database application 7

  8. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Multi-Step Exploit (2) ● Second-Order Command Execution <?php $result = mysql_query ('SELECT * FROM users'); $row = mysql_fetch_assoc ( $result ); system ('htpasswd -b .htpasswd Admin ' .$row ['pwd']); ?> request read database application 8

  9. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Vulnerabilities User input Sensitive Sink Persistent Data Store (PDS) 1. 2. ● $_GET ● Databases ● Cross-Site Scripting ● $_POST ● File Names ● SQL Injection ● $_COOKIE ● $_SESSION (File Content) ● Code Execution ● $_FILES ... ● File Inclusion ● $_SERVER ● File Disclosure ... ... 9

  10. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Vulnerabilities User input Sensitive Sink Persistent Data Store (PDS) 1. 2. ● $_GET ● Databases ● Cross-Site Scripting ● $_POST ● File Names ● SQL Injection ● $_COOKIE ● $_SESSION (File Content) ● Code Execution ● $_FILES ... ● File Inclusion ● $_SERVER ● File Disclosure ... ... 10

  11. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Our Approach ● Static Code Analysis (no access to environment) ● Analyze writes and reads to persistent data stores ● Connect input and output points at the end of the analysis to detect second-order and multi-step vulnerabilities 11

  12. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion 2. Implementation (Overview) Source: http://rewalls.com 12

  13. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion First-Order Taint Analysis $name = $_POST ['name']; mysql_query ('insert into users values(null, ' $name ', ' $pwd '); 13

  14. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion First-Order Taint Analysis $name = $_POST ['name']; mysql_query ('insert into users values(null, ' $name ', '$pwd'); 14

  15. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion First-Order Taint Analysis $name = $_POST ['name']; mysql_query ('insert into users values(null, ' $name ', '$pwd'); 15

  16. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion First-Order Taint Analysis $name = $_POST ['name']; Vulnerability Report POST[name] SQLi mysql_query ('insert into users values(null, ' $name ', '$pwd'); 16

  17. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Taint Analysis (write) $name = escape ( $_POST ['name']); users mysql_query ('insert into users id name pass values(null, ' $name ', '$pwd'); 17

  18. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Multi-Step Taint Analysis (write) $name = $_POST ['name']; Vulnerability Report POST[name] SQLi users mysql_query ('insert into users id name pass values(null, ' $name ', '$pwd'); 18

  19. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Taint Analysis (read) PDS $res = mysql_query ('select name from users'); $row = mysql_fetch_assoc ( $res ); * echo ('Hi ' . $res ['name'] . ' !'); 19

  20. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Taint Analysis (read) PDS $res = mysql_query ('select name from users'); $row = mysql_fetch_assoc ( $res ); * echo ('Hi ' . $res ['name'] . ' !'); 20

  21. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Taint Analysis (read) PDS $res = mysql_query ('select name from users'); $row = mysql_fetch_assoc ( $res ); * echo ('Hi ' . $res ['name'] . ' !'); 21

  22. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Taint Analysis (read) PDS $res = mysql_query ('select name from users'); Temporary Vulnerability Report users[name] $row XSS = mysql_fetch_assoc ( $res ); * echo ('Hi ' . $res ['name'] . ' !'); 22

  23. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Taint Decision PDS connect Reads Writes users id name pass Temporary Vulnerability Report users[name] * XSS PDS' 23

  24. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Taint Decision PDS Reads Writes users id name pass tainted? Temporary Vulnerability Report users[name] * XSS PDS' 24

  25. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Taint Decision PDS Reads Writes users id name pass Temporary Vulnerability sanitized? Report users[name] * XSS PDS' 25

  26. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Taint Decision PDS Reads Writes users id name pass Temporary Vulnerability Report users[name] * XSS Second-Order Vulnerability Report XSS PDS' 26

  27. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion 3. Evaluation Source: http://rewalls.com 27

  28. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Selected Software ● osCommerce 2.3.3.4 ● HotCRP 2.61 ● OpenConf 5.30 ● MyBloggie 2.1.4 ● NewsPro 1.1.5 ● Scarf 2007-02-27 28

  29. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion PDS Usage and Coverage (first-order) Manually counted PDS (841) Non-Taintable 77% Taintable '"\<> Detected Taintable PDS 23% False Positive True Positive 6% False Negative 29% 71% PDS 29

  30. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Vulnerabilities ● 159 True Positives (79%) 97% persistent XSS (database)  Missed by previous work  ● 43 False Positives (21%) PDS Root cause: Path-sensitive sanitization  E.g., store only valid email  Failures in 1 st step propagate to 2 nd step  30

  31. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Multi-Step Exploits ● 14 True Positives (93%) 2 based on file upload  12 based on SQLi  Missed by previous work  PDS ● 1 False Positives (7%) False positive SQLi  31

  32. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order LFI in OpenConf PDS $r = mysql_query("select setting, value from " . OCC_TABLE_CONFIG); while ($l = mysql_fetch_assoc($r)) { $config[$l['setting']] = $l['value']; } function printHeader($what, $function="0") { require $GLOBALS['pfx'] . $GLOBALS['config']['OC_headerFile']; } 32

  33. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order LFI in OpenConf PDS $r = mysql_query("select setting, value from " . OCC_TABLE_CONFIG); while ($l = mysql_fetch_assoc($r)) { $config[$l['setting']] = $l['value']; } function printHeader($what, $function="0") { require $GLOBALS['pfx'] . $GLOBALS['config']['OC_headerFile']; } 33

Recommend

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android Applications Daniele Gallingani, Rigel Gjomemo , V.N. Venkatakrishnan, Stefano Zanero Android Message Passing Mechanism Android apps are composed of

566 views • 23 slides
Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of

Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of

Systems and Software Verification Laboratory Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of Computer Science lucas.cordeiro@manchester.ac.uk Static Analysis Lucas Cordeiro (Formal Methods

1.9k views • 188 slides
Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android Applications Daniele Gallingani Rigel Gjomemo, V.N. Venkatakrishnan Stefano Zanero University of Illinois at Chicago University of Illinois at Chicago

419 views • 11 slides
Detection of Software Vulnerabilities: Static Analysis (Part II) Lucas Cordeiro Department of

Detection of Software Vulnerabilities: Static Analysis (Part II) Lucas Cordeiro Department of

Systems and Software Verification Laboratory Detection of Software Vulnerabilities: Static Analysis (Part II) Lucas Cordeiro Department of Computer Science lucas.cordeiro@manchester.ac.uk Static Analysis (Part II) Lucas Cordeiro (Formal

2.24k views • 169 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL

Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL

Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL Injection Vulnerabilities in Web Services Nuno Antunes, Marco Vieira PRDC 2009 nmsa@dei.uc.pt, mvieira@dei.uc.pt University of Coimbra

370 views • 24 slides
Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A

Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A

Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities Using static analysis and integer range analysis to find buffer overflows

1.33k views • 56 slides
Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code

Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code

Static Code Analysis Automatisierte Sicherheitsanalyse of Complex PHP Application Vulnerabilities von Webapplikationen Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code Analysis Automatisierte

1.48k views • 89 slides
Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of Grenoble September 2014 Static analysis for exploitable vulnerability detection 1/43 Outline 1 Context Vulnerability detection process Static

546 views • 43 slides
RIPS RIPS A static source code analyser NDS Seminar for vulnerabilities in PHP scripts A

RIPS RIPS A static source code analyser NDS Seminar for vulnerabilities in PHP scripts A

RIPS RIPS A static source code analyser NDS Seminar for vulnerabilities in PHP scripts A static source code analyser A static source code analyser for vulnerabilities in PHP scripts for vulnerabilities in PHP scripts 1 Johannes Dahse

804 views • 35 slides
Why Cant Johnny Fix Vulnerabilities: A Usability Evaluation of Static Analysis Tools for

Why Cant Johnny Fix Vulnerabilities: A Usability Evaluation of Static Analysis Tools for

Why Cant Johnny Fix Vulnerabilities: A Usability Evaluation of Static Analysis Tools for Security Justin Smith (Lafayette College) smithjus@lafayette.edu Lisa Nguyen Quang Do (Google) lisanqd@google.com Emerson Murphy-Hill (Google)

605 views • 15 slides
S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps David Sounthiraraj Justin Sahs Garret Greenwood Zhiqiang Lin Latifur Khan University of Texas at Dallas February 26, 2014

671 views • 40 slides
System Call Vulnerabilities in Linux Storage Stack Nima Mohammadi Sepand Haghighi Fall - 2016

System Call Vulnerabilities in Linux Storage Stack Nima Mohammadi Sepand Haghighi Fall - 2016

System Call Vulnerabilities in Linux Storage Stack Nima Mohammadi Sepand Haghighi Fall - 2016 Outline Introduction Static Code Analysis Static Analyzer List Kernels Static Analysis Report Conclusion 2 System

809 views • 22 slides
SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities

SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities

SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities Theofilos Petsios , Jason Zhao, Angelos D. Keromytis, and Suman Jana Columbia University ACM Conference on Computer and Communications Security (CCS)

563 views • 38 slides
Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C.

Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C.

Motivation Analysis Evaluation Summary Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C. Kruegel Secure Systems Lab Vienna University of Technology SIG SIDAR Conference on Detection of

929 views • 78 slides
How Many of All Bugs Do We Find? A Study of Static Bug Detectors Andrew Habib, Michael Pradel TU

How Many of All Bugs Do We Find? A Study of Static Bug Detectors Andrew Habib, Michael Pradel TU

How Many of All Bugs Do We Find? A Study of Static Bug Detectors Andrew Habib, Michael Pradel TU Darmstadt, Germany software-lab.org 1 Static Bug Detection Error Prone 2 Static Bug Detection Error Prone General framework Scalable

804 views • 49 slides
Compositional Static Race Detection at Scale, without False Positives Ilya Sergey Joint work

Compositional Static Race Detection at Scale, without False Positives Ilya Sergey Joint work

Compositional Static Race Detection at Scale, without False Positives Ilya Sergey Joint work with Sam Blackshear, Peter OHearn, Nikos Gorogiannis Key Messages Static analyses for concurrency can be made scalable and precise . Unsound

827 views • 80 slides
Improving MIMO Sphere Detection Through Antenna Detection Order Scheduling Michael Wu, Chris

Improving MIMO Sphere Detection Through Antenna Detection Order Scheduling Michael Wu, Chris

Improving MIMO Sphere Detection Through Antenna Detection Order Scheduling Michael Wu, Chris Dick, Yang Sun, Joseph Cavallaro December 1, 2011 MIMO Detection Spatial Multiplexing H Increases throughput Used in many wireless

200 views • 16 slides
Static Versioning of Global State for Race Condition Detection Steffen Keul Dept. of Programming

Static Versioning of Global State for Race Condition Detection Steffen Keul Dept. of Programming

Introduction Static State Versioning Version Computation Conclusion Static Versioning of Global State for Race Condition Detection Steffen Keul Dept. of Programming Languages and Compilers Institute of Software Technology University of

577 views • 28 slides
Physics 1 Overview Collision detection Model representation Dynamic vs. static

Physics 1 Overview Collision detection Model representation Dynamic vs. static

Physics 1 Overview Collision detection Model representation Dynamic vs. static Discrete vs. continuous Efficiency issues Collision resolution Events Solvers Dynamics Rigid bodies Impulse-based collision

433 views • 24 slides
Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016

Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016

Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016 Vaishali Thakkar (vaishali.thakkar@oracle.com) 1 Self Introduction Linux Kernel developer at Oracle Working in kernel security engineering group

659 views • 46 slides
Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al [FSE 14] Presented by Maaz Ahmad The Malware Problem (Feb, 2015) Motive Security Labs estimates 16 million infected mobile devices. [1]

828 views • 30 slides
Software Reliability Estimation Based on Static Error Detection M. Moiseev, M. Glukhikh , A.

Software Reliability Estimation Based on Static Error Detection M. Moiseev, M. Glukhikh , A.

7 th Central and Eastern European Software Engineering Conference in Russia - CEE-SECR 2011 October 31 November 3, Moscow Software Reliability Estimation Based on Static Error Detection M. Moiseev, M. Glukhikh , A. Karpenko, H. Richter

884 views • 32 slides
Static Data Race Detection for SPMD Programs via an Extended Polyhedral Representation Prasanth

Static Data Race Detection for SPMD Programs via an Extended Polyhedral Representation Prasanth

Static Data Race Detection for SPMD Programs via an Extended Polyhedral Representation Prasanth Chatarasi, Jun Shirako, Vivek Sarkar Habanero Extreme Scale Software Research Group Department of Computer Science Rice University 6th

657 views • 37 slides

More recommend