SecuBat: An Automated Web Vulnerability Detection Framework

Stefan Kals, Engin Kirda, Christopher Kruegel and Nenad Jovanovic

Secure Systems Lab, Vienna University of Technology, Austria


2006/05/25 SecuBat: An Automated Web Vulnerability Detection Framework, © 2006 Stefan Kals


Outline

Motivation
Problem Definition
Typical Vulnerabilities
Automated Attack & Analysis Concepts
SecuBat Implementation
Related Tools
Prototype Results
Findings & Case Study


Motivation

Highly increasing number of web applications
Developers lack awareness of typical vulnerabilities
The "Why me?" belief
Manual vulnerability checking causes much work
An automated tool would solve the problems and raise the security level


Problem Definition

Demonstrate how easily an attacker can find soft targets on the web if web vulnerabilities are not fixed
Implement a crawling engine for collecting potential targets
Find generic and automatically executable attack techniques for the chosen approaches (SQL Injection, Cross-Site Scripting)
Find suitable analysis techniques
Assemble these parts into a pluggable vulnerability analysis and detection framework


Typical Vulnerabilities 1/2 – SQL Injection

Problem: no input validation before using values to query the database

Dynamically built SQL query:
q = "select * from user where mail='" + mail + "' and pw='" + pw + "'"

Enter values using SQL syntax:
mail: ' or 1=1--
password: ' or 1=1--

Query has changed its semantics:
q = "select * from user where mail='' or 1=1--' and pw='' or 1=1--'"

Resulting query (everything after -- is an SQL comment):
q = "select * from user"
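The slide's query, run both as written (string concatenation) and in a parameterized form, against a constructed in-memory SQLite table. This is an added example, not code from the slides or from SecuBat; the user table and the sample accounts are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the slides).
USERS = [("alice@example.com", "s3cret"), ("bob@example.com", "hunter2")]

def make_db():
    """In-memory user table matching the slide's query: user(mail, pw)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table user (mail text, pw text)")
    con.executemany("insert into user values (?, ?)", USERS)
    return con

def login_concat(con, mail, pw):
    """Vulnerable form from the slide: the input is spliced into the SQL text."""
    q = "select * from user where mail='" + mail + "' and pw='" + pw + "'"
    return con.execute(q).fetchall()

def login_param(con, mail, pw):
    """Hardened form: placeholders pass the input as data, never as SQL syntax."""
    q = "select * from user where mail=? and pw=?"
    return con.execute(q, (mail, pw)).fetchall()

def demo():
    """Run both forms with the slide's input value and with a legitimate login."""
    con = make_db()
    payload = "' or 1=1--"  # the value from the slide, used for mail and password
    return {
        # The -- comments out the rest of the WHERE clause, so every row matches.
        "concat_rows": len(login_concat(con, payload, payload)),
        # The same text is compared as a literal mail address: no such user.
        "param_rows": len(login_param(con, payload, payload)),
        "legit_rows": len(login_param(con, "alice@example.com", "s3cret")),
    }

if __name__ == "__main__":
    print(demo())
```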


Typical Vulnerabilities 2/2 - Cross-Site Scripting

Attacker injects HTML/JavaScript, which is displayed & executed in the victim's browser
Reflected vs. Stored XSS
Stealing of user data (cookies, credentials, ...)
Example: redirecting the login form to the hacker's web server
Create exploit URLs & use them for authentic-looking phishing e-mails


Attack & Analysis Concepts 1/4 - General

Open framework for easily implementing & adding new attacks
Attack & Analysis modules (black box)
Runtime-configurable plugins
Use common Crawling and Attacking APIs
Store analysis results in a database


Attack & Analysis Concepts 2/4 - SQL Injection

1. Attack module prepares new attack & sends it to server (e.g. single quote)
2. Server sends back a response page
3. Analysis module parses response for keywords, builds summary confidence factor

[Diagram: Attacker PC sends the attack (1) to the Web Server, receives the response page (2), and the analysis (3) matches the page against the keyword list]

Keyword list (keyword, confidence):
MySQL 40
Server Error 75
Java.lang 60
Exception occurred 85
...

Query with the injected single quote:
q = "select * from user where mail='''"
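A minimal version of the analysis step (3): search the response page for the slide's keywords and combine their confidence values into one summary factor. This is an added example, not SecuBat's code; the keyword list is taken from the slide, but the noisy-OR aggregation rule and the two sample response pages are assumptions constructed here, since the slides do not state the formula.

```python
import re

# Keyword list with per-keyword confidence values, as shown on the slide.
KEYWORDS = {
    "MySQL": 40,
    "Server Error": 75,
    "Java.lang": 60,
    "Exception occurred": 85,
}

def find_keywords(response):
    """Return {keyword: confidence} for every keyword found in the response page."""
    hits = {}
    for kw, conf in KEYWORDS.items():
        if re.search(re.escape(kw), response, re.IGNORECASE):
            hits[kw] = conf
    return hits

def summary_confidence(hits):
    """Combine per-keyword confidences into one summary factor in [0, 100].

    Assumption (not from the slides): each confidence is treated as an
    independent probability and combined with noisy-OR, so several weak
    hints reinforce each other but the total can never exceed 100.
    """
    p_none = 1.0
    for conf in hits.values():
        p_none *= 1 - conf / 100
    return round(100 * (1 - p_none))

def analyse(response):
    """Analysis module: (summary confidence, matched keywords) for one response."""
    hits = find_keywords(response)
    return summary_confidence(hits), hits

# Constructed sample responses: one leaking a database error, one benign.
ERROR_PAGE = ("<html><body><h1>Server Error</h1>You have an error in your SQL syntax; "
              "check the manual that corresponds to your MySQL server version</body></html>")
BENIGN_PAGE = "<html><body>Login failed. Please try again.</body></html>"

if __name__ == "__main__":
    print(analyse(ERROR_PAGE))   # (85, {'MySQL': 40, 'Server Error': 75})
    print(analyse(BENIGN_PAGE))  # (0, {})
```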


Attack & Analysis Concepts 3/4 - XSS Attack

1. Attack module prepares new attack & sends it to server (e.g. JavaScript to show a message box)
2. Server sends back a response page
3. Analysis module parses response, checking for the occurrence of the injected string (and its executability)

[Diagram: Attacker PC sends the attack (1) to the Web Server, receives the response page (2), and the analysis (3) searches the response for the injected HTML]

Response page excerpt:
...You searched for:<b><script>alert('XSS');</script></b>:...


Attack & Analysis Concepts 4/4 – Enhanced Attacks

Enhanced XSS attack
Uses decimal HTML encoding to bypass input filters
Replaces characters, e.g.: ' => &#39;

Form-Redirecting XSS scenario
Checks for potential assets (stealable credentials)
Uses an encoded injection string redirecting the found login form to the "attacker's server"
Simulates a real XSS attack, does not only check input validation
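The XSS analysis step from slide 3/4 together with the decimal HTML encoding from this slide: the analyzer classifies how the injected string comes back (verbatim, entity-escaped by the application, or absent), and the encoder produces the `' => &#39;` replacement. This is an added example, not SecuBat's code; the three sample response pages are constructed around the slide's search-page excerpt.

```python
import html

def encode_decimal(payload, chars="'\"<>"):
    """Enhanced-attack encoding from the slide: replace the given characters
    by decimal HTML entities, e.g. ' -> &#39;."""
    return "".join(f"&#{ord(c)};" if c in chars else c for c in payload)

def classify_reflection(response, injected):
    """Analysis step: how does the injected string appear in the response?

    'verbatim' - the exact string is in the page, so its markup would be parsed
    'escaped'  - it is present only after entity decoding, i.e. the application
                 encoded it (not executable as markup in the page body)
    'absent'   - it was filtered, truncated or not reflected at all
    """
    if injected in response:
        return "verbatim"
    if injected in html.unescape(response):
        return "escaped"
    return "absent"

PAYLOAD = "<script>alert('XSS');</script>"

# Constructed responses: the slide's vulnerable search page, a page that
# HTML-escapes the input, and a page whose filter stripped the tags.
REFLECTED = "...You searched for:<b>" + PAYLOAD + "</b>:..."
ESCAPED = "...You searched for:<b>" + html.escape(PAYLOAD, quote=False) + "</b>:..."
FILTERED = "...You searched for:<b>alert('XSS');</b>:..."

if __name__ == "__main__":
    for page in (REFLECTED, ESCAPED, FILTERED):
        print(classify_reflection(page, PAYLOAD))
    print(encode_decimal("alert('XSS')", "'"))  # alert(&#39;XSS&#39;)
```

The analyzer always checks for the string that was actually sent, so for the enhanced attack it is called with the encoded payload, not the plain one.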


SecuBat Implementation 1/2


SecuBat Implementation 2/2

Implementation details
Language: C#
Data store: MS SQL database

Requirements
MS Windows 2000, XP, 2003
MS .NET Framework 2.0
MS SQL Server 2000/2005 or MSDE/SQL Express 2005


Related Tools

Acunetix Web Vulnerability Scanner (commercial)
+ Web server technology detection
+ Application-level attacks: simple SQL injection, XSS
- Closed source, no papers, no details to the public

Nessus, Nikto
- Rely on repositories of known vulnerabilities

NMap, Xprobe...
- Port scanners only
- Network/OS level, no application-level attacks


Prototype Results

Evaluation run results (Google search for "login"):
25.064 crawled pages
21.627 web forms
4 attack types
SQL Injection: 6,63%
Simple XSS: 4,30%
Enhanced XSS: 5,60%
Form-Red. XSS: 5,52%


Findings

Critical XSS vulnerabilities (assets):
eBay (auction access)
Austrian Finance Ministry (e-government access)
Geizhals (price management)
Crit.org (security-associated content)
Apple (developer access)
...


A Case Study

eBay.de Press http://presse.ebay.de/news.exe?typ=SU&search=%68%74%74%70%3A%2F%2F%70%72%65%73%73%65%2E%65%62%61%79%2E%64%65%2F%26%71%75%6F%74%3B%3E...


Notifications

Query recipients using WhoIs service
591 mails sent
306 "recipient unknown"
48 detail inquiries after 1 week


Conclusion

Increasing use of web technology needs increasing security effort

Rather simple attacks (SQL Injection, XSS Attack) but many vulnerable web sites

An automated detection approach can increase your site’s security

Implementation of an extensible (pluggable) analysis framework (“SecuBat”)

First results of a prototype version show proof of concept


The End

http://www.secubat.org