Penetration Testing with Improved Input Vector Identification
Penetration Testing with Improved Input Vector
Identification!
William G.J. Halfond, Shauvik Roy Choudhary, and Alessandro Orso
College of Computing, Georgia Institute of Technology
!
2!
Web Application Overview !
Other Systems
Web Server
End Users
Database
3!
Web Application Overview !
Other Systems
End Users
Web Application!
HTML
Servlets
Database
4!
Web Application Overview !
Other Systems
End Users
HTTP Requests
Web Application!
HTML
Servlets
Database
5!
Web Application Overview !
Other Systems
End Users
HTTP Requests
Web Application!
HTML
Servlets
Database
6!
Web Application Overview !
Other Systems
End Users
HTTP Requests
HTML Pages
Web Application!
HTML
Servlets
Database
7!
Penetration Testing Overview !
Other Systems
White Hat Tester
Web Application!
HTML
Servlets
Database
8!
Penetration Testing Overview !
Other Systems
White Hat Tester
!@#$
Web Application!
HTML
Servlets
Database
9!
Penetration Testing Overview !
Other Systems
White Hat Tester
!@#$
Secret Data!
Web Application!
HTML
Servlets
Database
Penetration Testing Phases!
White Hat Tester
Web Application!
HTML
Servlets
Information Gathering
Attack Generation
Response Analysis Report
Target Selection
Analysis Feedback
Information, Attacks
Responses
public void service(HttpServletRequest req)
 1.   String action = req.getParameter("userAction")
 2.   if (action.equals("createLogin"))
 3.     String password = req.getParameter("password")
 4.     String loginName = req.getParameter("login")
 5.     if (isInteger(password))
 6.       db.execute("insert into UserTable " + "(login, password) values (" + loginName + ", " + password + ")")
 7.       displayAddressForm()
 8.     else
 9.       displayErrorPage("Bad password.")
10.   else if (action.equals("provideAddress"))
11.     String loginName = req.getParameter("login")
12.     String address = req.getParameter("address")
13.     db.execute("update UserTable set" + " address ='" + address + "'" + "where loginName=" + loginName)
14.   else
15.     displayCreateLoginForm()
Example Web Application Code!
public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) ! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
Example Web Application Code!
public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) ! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
Example Web Application Code!
public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) ! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
Example Web Application Code!
public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) ! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
Example Web Application Code!
public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) ! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
Example Web Application Code!
!!
Our Approach!
Goal: Improve penetration testing by improving information gathering and response analysis.
Our Approach!
Improvements to penetration testing:
1. Information gathering → Static interface analysis
2. Attack Generation → Generate realistic test-inputs
3. Response Analysis → Produce observable side effect of attack
Goal: Improve penetration testing by improving information gathering and response analysis.
Interfaces; Interface Analysis
[FSE 2007]!
1) Information Gathering: Interface Analysis!
19!
Web Application
HTML
Servlets
Interfaces
1) Information Gathering: Interface Analysis!
20!
Web Application
HTML
Servlets
Compute IP Domains
Group IPs
Identify IP Names
Interfaces
1) Information Gathering: Interface Analysis!
21!
Phase 1: Identify Input Parameter (IP) names
Phase 2: Compute IP domain information
Phase 3: Group IPs into distinct interfaces
Web Application
HTML
Servlets
Compute IP Domains
Group IPs
Identify IP Names
Interfaces
1) Information Gathering: Interface Analysis!
22!
Phase 1: Identify Input Parameter (IP) names
Phase 2: Compute IP domain information
Phase 3: Group IPs into distinct interfaces
Web Application
HTML
Servlets
Compute IP Domains
Group IPs
Identify IP Names
Interfaces
1) Information Gathering: Interface Analysis!
23!
Phase 1: Identify Input Parameter (IP) names
Phase 2: Compute IP domain information
Phase 3: Group IPs into distinct interfaces
Web Application
HTML
Servlets
Compute IP Domains
Group IPs
Identify IP Names
1) Interface Analysis: Identify IP Names
public void service(HttpServletRequest req)
 1.   String action = req.getParameter("userAction")
 2.   if (action.equals("createLogin")) {
 3.     String password = req.getParameter("password")
 4.     String loginName = req.getParameter("login")
 5.     if (isInteger(password))
 6.       db.execute("insert into UserTable " + "(login, password) values (" + loginName + ", " + password + ")")
 7.       displayAddressForm()
 8.     else
 9.       displayErrorPage("Bad password.")
10.   else if (action.equals("provideAddress"))
11.     String loginName = req.getParameter("login")
12.     String address = req.getParameter("address")
13.     db.execute("update UserTable set" + " address ='" + address + "'" + "where loginName=" + loginName)
14.   else
15.     displayCreateLoginForm()
1) Interface Analysis: Identify IP Names! public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
userAction
1) Interface Analysis: Identify IP Names! public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
userAction
login
address
login
password
1) Interface Analysis: Compute IP Domains!
userAction
login
login
address
password
public void service(HttpServletRequest req)
 1.   String action = req.getParameter("userAction")
 2.   if (action.equals("createLogin"))
 3.     String password = req.getParameter("password")
 4.     String loginName = req.getParameter("login")
 5.     if (isInteger(password))
 6.       db.execute("insert into UserTable " + "(login, password) values (" + loginName + ", " + password + ")")
 7.       displayAddressForm()
 8.     else
 9.       displayErrorPage("Bad password.")
10.   else if (action.equals("provideAddress"))
11.     String loginName = req.getParameter("login")
12.     String address = req.getParameter("address")
13.     db.execute("update UserTable set" + " address ='" + address + "'" + "where loginName=" + loginName)
14.   else
15.     displayCreateLoginForm()
1) Interface Analysis: Compute IP Domains!
userAction
login
login
address
userAction:String {“createLogin”, “provideAddress”}
password
public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) ! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
1) Interface Analysis: Compute IP Domains!
userAction
login
login
address
userAction:String {“createLogin”, “provideAddress”}
password
public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) ! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
1) Interface Analysis: Compute IP Domains!
userAction
login
login
address
userAction:String {“createLogin”, “provideAddress”}
password
public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) ! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
1) Interface Analysis: Compute IP Domains!
userAction
login
login
address
userAction:String {“createLogin”, “provideAddress”}
password password:String
public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) ! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
1) Interface Analysis: Compute IP Domains!
userAction
login
login
address
userAction:String {“createLogin”, “provideAddress”}
password password:String
public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) ! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
1) Interface Analysis: Compute IP Domains!
userAction
login
login
address
userAction:String {“createLogin”, “provideAddress”}
password password:String password:Integer
public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) ! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
1) Interface Analysis: Compute IP Domains!
userAction
login
login
address
userAction:String {“createLogin”, “provideAddress”}
password password:String password:Integer
login:String
login:String
address:String
public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) ! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
1) Interface Analysis: Group IPs
public void service(HttpServletRequest req)
 1.   String action = req.getParameter("userAction")
 2.   if (action.equals("createLogin")) {
 3.     String password = req.getParameter("password")
 4.     String loginName = req.getParameter("login")
 5.     if (isInteger(password))
 6.       db.execute("insert into UserTable " + "(login, password) values (" + loginName + ", " + password + ")")
 7.       displayAddressForm()
 8.     else
 9.       displayErrorPage("Bad password.")
10.   else if (action.equals("provideAddress"))
11.     String loginName = req.getParameter("login")
12.     String address = req.getParameter("address")
13.     db.execute("update UserTable set" + " address ='" + address + "'" + "where loginName=" + loginName)
14.   else
15.     displayCreateLoginForm()
userAction
login
login
address
userAction:String {“createLogin”, “provideAddress”}
password password:String password:Integer
login:String
login:String
address:String
1) Interface Analysis: Group IPs! public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
userAction
login
login
address
userAction:String {“createLogin”, “provideAddress”}
password password:String password:Integer
login:String
login:String
address:String
1
14
10
2
15
11
12
13
4
3
5
7
6
9
8
1) Interface Analysis: Group IPs! public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
userAction
login
login
address
userAction:String {“createLogin”, “provideAddress”}
password password:String password:Integer
login:String
login:String
address:String
1
14
10
2
15
11
12
13
4
3
5
7
6
9
8
1) Interface Analysis: Group IPs! public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
userAction
login
login
address
userAction:String {“createLogin”, “provideAddress”}
password password:String password:Integer
login:String
login:String
address:String
1
14
10
2
15
11
12
13
4
3
5
7
6
9
8
1) Interface Analysis: Group IPs! public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
userAction
login
login
address
userAction:String {“createLogin”, “provideAddress”}
password password:String password:Integer
login:String
login:String
address:String
1
14
10
2
15
11
12
13
4
3
5
7
6
9
8
1) Interface Analysis: Group IPs! public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
userAction
login
login
address
userAction:String {“createLogin”, “provideAddress”}
password password:String password:Integer
login:String
login:String
address:String
1
14
10
2
15
11
12
13
4
3
5
7
6
9
8
1) Interface Analysis: Group IPs! public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
userAction
login
login
address
userAction:String {“createLogin”, “provideAddress”}
password password:String password:Integer
login:String
login:String
address:String
1
14
10
2
15
11
12
13
4
3
5
7
6
9
8
1) Interface Analysis: Group IPs! public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
userAction
login
login
address
userAction:String {“createLogin”, “provideAddress”}
password password:String password:Integer
login:String
login:String
address:String
1
14
10
2
15
11
12
13
4
3
5
7
6
9
8
1) Interface Analysis: Group IPs! public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
userAction
login
login
address
userAction:String {“createLogin”, “provideAddress”}
password password:String password:Integer
login:String
login:String
address:String
1
14
10
2
15
11
12
13
4
3
5
7
6
9
8
1) Interface Analysis: Group IPs! public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
userAction
login
login
address
userAction:String {“createLogin”, “provideAddress”}
password password:String password:Integer
login:String
login:String
address:String
1
14
10
2
15
11
12
13
4
3
5
7
6
9
8
1) Information Gathering: Summary!
Interface | Parameter | Domain | Relevant Values
1 | userAction | String | "createLogin", "provideAddress"
1 | login | String |
1 | password | Integer |
2 | userAction | String | "createLogin", "provideAddress"
2 | login | String |
2 | address | String |
3 | userAction | String | "createLogin", "provideAddress"
2) Attack Generation!
White Hat Tester
Interface
userAction login password
2) Attack Generation!
White Hat Tester
Interface
userAction login password
2) Attack Generation!
White Hat Tester
Interface
userAction login password
userAction = ? login = <attack string> password = ?
2) Attack Generation!
White Hat Tester
Interface
userAction login password
userAction = ? login = <attack string> password = ?
IP Domain !Information!
2) Attack Generation!
White Hat Tester
Interface
userAction login password
userAction = ? login = <attack string> password = ?
IP Domain !Information!
userAction = createLogin login = <attack string> password = 1234
3) Response Analysis with WASP
Response Analysis:
1. Send attack to web application
2. If WASP detects attack:
   1. Block attack
   2. Send out-of-band signal
3. Check for signal on client side
3) Response Analysis with WASP!
WASP:
1. Positive tainting: Identify and mark developer-trusted strings. Propagate taint markings at runtime.
2. Syntax-Aware Evaluation: Check that all keywords and operators in a query were formed using marked strings.
Response Analysis:
1. Send attack to web application
2. If WASP detects attack:
   1. Block attack
   2. Send out-of-band signal
3. Check for signal on client side
public void service(HttpServletRequest req)
 1.   String action = req.getParameter("userAction")
 2.   if (action.equals("createLogin")) {
 3.     String password = req.getParameter("password")
 4.     String loginName = req.getParameter("login")
 5.     if (isInteger(password))
 6.       db.execute("insert into UserTable " + "(login, password) values ('" + loginName + "', " + password + ")")
 7.       displayAddressForm()
 8.     else
 9.       displayErrorPage("Bad password.")
10.   else if (action.equals("provideAddress"))
11.     String loginName = req.getParameter("login")
12.     String address = req.getParameter("address")
13.     db.execute("update UserTable set" + " address ='" + address + "'" + "where loginName=" + loginName)
14.   else
15.     displayCreateLoginForm()
3) WASP: Identify Trusted Data!
public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (‘”! + loginName + “’, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
3) WASP: Identify Trusted Data!
public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (‘”! + loginName + “’, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!
3) WASP: Identify Trusted Data!
3) WASP: Syntax Aware Evaluation!
Legitimate Query:!
Attempted SQL Injection:!
Input: login = “GJ”, address = “Home”!
Input: login = “GJ’ ; drop table userTable -- ”, address = “Home”!
update userTable set address = ‘Home’ where login = ‘GJ’!
3) WASP: Syntax Aware Evaluation!
Legitimate Query:!
Attempted SQL Injection:!
Input: login = “GJ”, address = “Home”!
Input: login = “GJ’ ; drop table userTable -- ”, address = “Home”!
update userTable set address = ‘Home’ where login = ‘GJ’!
3) WASP: Syntax Aware Evaluation!
Legitimate Query:!
Attempted SQL Injection:!
Input: login = “GJ”, address = “Home”!
Input: login = “GJ’ ; drop table userTable -- ”, address = “Home”!
update userTable set address = ‘Home’ where login = ‘GJ’ ; drop table userTable -- ’
update userTable set address = ‘Home’ where login = ‘GJ’!
3) WASP: Syntax Aware Evaluation!
Legitimate Query:!
Attempted SQL Injection:!
Input: login = “GJ”, address = “Home”!
Input: login = “GJ’ ; drop table userTable -- ”, address = “Home”!
update userTable set address = ‘Home’ where login = ‘GJ’ ; drop table userTable -- ’
update userTable set address = ‘Home’ where login = ‘GJ’!
3) WASP: Syntax Aware Evaluation!
Legitimate Query:!
Attempted SQL Injection:!
Input: login = “GJ”, address = “Home”!
Input: login = “GJ’ ; drop table userTable -- ”, address = “Home”!
Empirical Evaluation!
Goal: Evaluate the usefulness of our approach as compared to a traditional penetration testing approach.
Research Questions (RQ):
1. Runtime of analysis
2. Thoroughness of the penetration testing
3. Number of vulnerabilities discovered
61!
Implementation: Baseline Approach!
• Information Gathering → OWASP WebScarab
  • Widely used code-base
  • Actively maintained
• Attack Generation → SQLMap
  • Widely used penetration testing tool
  • Commonly used attack generation heuristics
• Response analysis → WASP [FSE 2006]
SQLMap++: SQLMap integrated with OWASP WebScarab Spider
Implementation: Our Approach!
• Analyzes bytecode of Java Enterprise Edition (JEE) based web applications
• Interface analysis → WAM [FSE 2007]
• Attack generation → leverages SQLMap
• Response analysis → WASP [FSE 2006]
SDAPT: Static and Dynamic Analysis-based Penetration Testing
Subject Applications!
Subject | LOC | Classes | Servlets
Bookstore | 19,402 | 28 | 27
Checkers! 5,415! 59! 32!
Classifieds! 10,702! 18! 18!
Daffodil! 18,706! 119! 70!
Employee Directory! 5,529! 11! 9!
Events! 7,164! 13! 12!
Filelister! 8,671! 41! 10!
Office Talk! 4,670! 63! 39!
Portal! 16,089! 28! 27!
RQ1: Runtime!
1!
10!
100!
1000!
10000!
Bookstore! Checkers! Classifieds! Daffodil! Empl. Dir! Events! Filelister! Officetalk! Portal!
Analysis Time (s)!
SQLMAP++!SDAPT!
RQ1: Runtime!
1!
10!
100!
1000!
10000!
Bookstore! Checkers! Classifieds! Daffodil! Empl. Dir! Events! Filelister! Officetalk! Portal!
Analysis Time (s)!
SQLMAP++!SDAPT!
• SDAPT ranged from 8 to 40 minutes
• Positive note: testing was more thorough
RQ1: Runtime!
1!
10!
100!
1000!
10000!
Bookstore! Checkers! Classifieds! Daffodil! Empl. Dir! Events! Filelister! Officetalk! Portal!
Analysis Time (s)!
SQLMAP++!SDAPT!
• SDAPT ranged from 8 to 40 minutes
• Positive note: testing was more thorough
RQ2: Thoroughness!
0!
50!
100!
150!
200!
250!
Bookstore! Checkers! Classifieds! Daffodil! Empl. Dir! Events! Filelister! Officetalk! Portal!
Number of Input Vectors! SQLMAP++!SDAPT!
0!
10!
20!
30!
40!
50!
Bookstore! Checkers! Classifieds! Daffodil! Empl. Dir! Events! Filelister! Officetalk! Portal!
Number of Components! SQLMAP++!SDAPT!
RQ3: Number of Vulnerabilities!
RQ3: Number of Vulnerabilities!
0!
2!
4!
6!
8!
10!
12!
14!
16!
18!
Bookstore! Checkers! Classifieds! Daffodil! Empl. Dir.! Events! Filelister! Officetalk! Portal!
Number of Discovered Vulnerabilities!
SQLMAP++!
SDAPT!
RQ3: Number of Vulnerabilities!
0!
2!
4!
6!
8!
10!
12!
14!
16!
18!
Bookstore! Checkers! Classifieds! Daffodil! Empl. Dir.! Events! Filelister! Officetalk! Portal!
Number of Discovered Vulnerabilities!
SQLMAP++!
SDAPT!
Average increase: 246%!
Summary of Results!
• Improvements to penetration testing
  • Information gathering with static analysis
  • Response analysis with dynamic detection
• Relatively longer analysis time
• More thorough, and more vulnerabilities discovered during penetration testing