SecuBat: An Automated Web Vulnerability Detection Framework
Stefan Kals, Engin Kirda, Christopher Kruegel and Nenad Jovanovic
Secure Systems Lab, Vienna University of Technology, Austria
2006/05/25 SecuBat: An Automated Web Vulnerability Detection Framework, © 2006 Stefan Kals
Outline
Motivation
Problem Definition
Typical Vulnerabilities
Automated Attack & Analysis Concepts
SecuBat Implementation
Related Tools
Prototype Results
Findings & Case Study
Motivation
Rapidly increasing number of web applications
Developers lack awareness of typical vulnerabilities
The "Why me?" belief
Manual vulnerability checking causes a lot of work
An automated tool would solve these problems and raise the security level
Problem Definition
Demonstrate how easily an attacker can find soft targets on the web if web vulnerabilities are not fixed
Implement a crawling engine for collecting potential targets
Find generic and automatically executable attack techniques for the chosen approaches (SQL Injection, Cross-Site Scripting)
Find suitable analysis techniques
Assemble these parts into a pluggable vulnerability analysis and detection framework
Typical Vulnerabilities 1/2 - SQL Injection
Problem: No input validation before using values to query the database
Dynamically built SQL query:
  q = "select * from user where mail='" + mail + "' and pw='" + pw + "'"
Enter values using SQL syntax:
  mail: ' or 1=1--
  password: ' or 1=1--
Query has changed its semantics:
  q = "select * from user where mail='' or 1=1--' and pw='' or 1=1--'"
Resulting query:
  q = "select * from user"
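The slide's login query, as an added example that is not part of the SecuBat slides or code (the prototype is C#; Python with the standard-library sqlite3 module is used here so it runs anywhere). It builds the query by string concatenation exactly as on the slide and, beside it, the parameterized form; the table contents are constructed sample rows. SQLite treats `--` as a line comment, so the slide's input has the same effect as described.

```python
"""Added example (not from the SecuBat slides or code): the login query from
the slide built by string concatenation, beside the parameterized form.
Uses Python's sqlite3 with an in-memory database and constructed sample rows."""
import sqlite3

# Constructed sample data; passwords are stored in clear only to keep the
# injection demonstration short (a real application stores password hashes).
_SAMPLE_USERS = [("alice@example.org", "s3cret"), ("bob@example.org", "hunter2")]


def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (mail text, pw text)")
    conn.executemany("insert into user values (?, ?)", _SAMPLE_USERS)
    return conn


def vulnerable_login(mail: str, pw: str) -> list:
    """The slide's pattern: user input is pasted into the SQL text, so
    "' or 1=1--" turns the WHERE clause into "mail='' or 1=1" plus a comment."""
    q = "select * from user where mail='" + mail + "' and pw='" + pw + "'"
    with _connect() as conn:
        return conn.execute(q).fetchall()


def parameterized_login(mail: str, pw: str) -> list:
    """Hardened form: the query text is fixed and the values travel as bound
    parameters, so SQL syntax in the input is compared as data, never parsed."""
    q = "select * from user where mail=? and pw=?"
    with _connect() as conn:
        return conn.execute(q, (mail, pw)).fetchall()


if __name__ == "__main__":
    payload = "' or 1=1--"  # the value from the slide
    print("concatenated:", vulnerable_login(payload, payload))      # every user row
    print("parameterized:", parameterized_login(payload, payload))  # no rows
    print("legitimate:", parameterized_login("alice@example.org", "s3cret"))
```

The point of the comparison is that the parameterized version needs no input validation for correctness: the database never sees the quote or the comment marker as syntax.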
Typical Vulnerabilities 2/2 - Cross-Site Scripting
Attacker injects HTML/JavaScript that is displayed and executed in the victim's browser
Reflected vs. Stored XSS
Stealing of user data (cookies, credentials, ...)
Example: Redirecting a login form to the attacker's web server
Create exploit URLs and use them in authentic-looking phishing e-mails
Attack & Analysis Concepts 1/4 - General
Open framework for easily implementing & adding new attacks
Attack & Analysis modules (black box)
Runtime-configurable plugins
Use common Crawling and Attacking APIs
Store analysis results in a database
Attack & Analysis Concepts 2/4 - SQL Injection
1. Attack module prepares a new attack & sends it to the server (e.g. a single quote)
2. Server sends back a response page
3. Analysis module parses the response for keywords and builds a summary confidence factor
[Diagram: Attacker PC sends the attack (1) to the Web Server, receives the response page (2), and the analysis module matches it against the keyword list (3)]
Keyword List (keyword, confidence):
  MySQL               40
  Server Error        75
  Java.lang           60
  Exception occurred  85
  ...
Query after injecting a single quote into mail:
  q = "select * from user where mail=' ' ' "
Attack & Analysis Concepts 3/4 - XSS Attack
1. Attack module prepares a new attack & sends it to the server (e.g. JavaScript to show a message box)
2. Server sends back a response page
3. Analysis module parses the response, checking for the occurrence of the injected string (and its executability)
[Diagram: Attacker PC sends the attack (1) to the Web Server, receives the response page (2), and the analysis module searches it for the injected HTML (3)]
Response page excerpt:
  ...You searched for:<b><script>alert('XSS');</script></b>:...
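The two analysis modules described on the SQL Injection and XSS slides, as an added example that is not SecuBat's own code (the prototype is C#; this is a Python sketch of the same black-box idea). The SQL-injection module scores a response page against the four weighted keywords shown on the slide; the slides do not say how several hits are combined into the summary confidence factor, so a noisy-OR combination is assumed here. The XSS module checks whether the injected string comes back verbatim (executable) or only in HTML-escaped form. The response pages are constructed samples standing in for step 2.

```python
"""Added example (not SecuBat's code): minimal versions of the two analysis
modules from the slides. Keyword weights are the four on the slide; the
noisy-OR combination rule and the sample responses are assumptions."""
import html
import re

# Keyword list from the slide: keyword -> confidence that a DB error leaked.
KEYWORD_LIST = {
    "MySQL": 40,
    "Server Error": 75,
    "Java.lang": 60,
    "Exception occurred": 85,
}


def sqli_confidence(response: str, keywords=KEYWORD_LIST) -> int:
    """Summary confidence (0..100) that the response reveals an SQL error.
    Each matched keyword is treated as independent evidence (noisy-OR):
    the chance that all hits are false alarms is the product of (1 - w)."""
    miss = 1.0
    for kw, weight in keywords.items():
        if re.search(re.escape(kw), response, re.IGNORECASE):
            miss *= 1 - weight / 100
    return round(100 * (1 - miss))


def xss_reflected(response: str, marker: str) -> bool:
    """True when the injected string is echoed verbatim, i.e. the markup
    survived unescaped and a browser would execute it."""
    return marker in response


def xss_escaped_only(response: str, marker: str) -> bool:
    """True when the marker appears only in escaped form (&lt;script&gt;...):
    the application reflected the input, but output encoding neutralised it."""
    return marker not in response and marker in html.unescape(response)


# Constructed sample responses standing in for step 2 of the slides.
SQL_ERROR_PAGE = (
    "<html><body><h1>Server Error</h1>"
    "<p>MySQL said: You have an error in your SQL syntax near '' ' ''</p></body></html>"
)
CLEAN_PAGE = "<html><body><p>Login failed, please try again.</p></body></html>"
MARKER = "<script>alert('XSS');</script>"
VULN_SEARCH_PAGE = "...You searched for:<b>" + MARKER + "</b>:..."  # as on the slide
SAFE_SEARCH_PAGE = "...You searched for:<b>" + html.escape(MARKER) + "</b>:..."

if __name__ == "__main__":
    print("SQLi confidence, error page:", sqli_confidence(SQL_ERROR_PAGE))  # 85
    print("SQLi confidence, clean page:", sqli_confidence(CLEAN_PAGE))      # 0
    print("XSS reflected (vulnerable):", xss_reflected(VULN_SEARCH_PAGE, MARKER))  # True
    print("XSS reflected (escaped):", xss_reflected(SAFE_SEARCH_PAGE, MARKER))     # False
    print("XSS escaped only:", xss_escaped_only(SAFE_SEARCH_PAGE, MARKER))         # True
```

The separation between `xss_reflected` and `xss_escaped_only` is the "executability" check the slide mentions: a page that echoes the input after escaping it is reflecting, but not vulnerable, and a scanner that only greps for the decoded text would report a false positive there.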
Attack & Analysis Concepts 4/4 - Enhanced Attacks
Enhanced XSS attack
  Uses decimal HTML encoding to bypass input filters
  Replaces characters, e.g.: ' => &#39;
Form-Redirecting XSS scenario
  Checks for potential assets (stealable credentials)
  Uses an encoded injection string redirecting the found login form to the "attacker's server"
  Simulates a real XSS attack, does not only check input validation
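Why the decimal HTML encoding on the slide gets past a character blacklist, and what holds up instead, as an added example that is not SecuBat's code and not any site's real filter: the blacklist, the sample inputs and the rendering function are constructed for the demonstration. A filter that inspects the raw submitted string never sees a quote in `&#39;`; the same check after entity decoding does, and escaping at output (`html.escape`) makes the question moot because the `&` of the entity is itself escaped.

```python
"""Added example (not from the SecuBat project): a constructed blacklist
filter with the blind spot the slide describes, the same check after entity
decoding, and output escaping as the robust alternative."""
import html

FORBIDDEN = set("<>'\"")  # constructed: characters the naive filter rejects


def raw_blacklist_accepts(value: str) -> bool:
    """Checks the input as submitted: &#39; contains no quote, so it passes."""
    return not (FORBIDDEN & set(value))


def canonical_blacklist_accepts(value: str) -> bool:
    """Same blacklist after entity decoding: catches the decimal-encoded form,
    but is still only a blacklist and still depends on the output context."""
    return not (FORBIDDEN & set(html.unescape(value)))


def render_search_result(term: str) -> str:
    """Output escaping: the browser receives text, not markup, and an entity
    in the input is itself escaped (& -> &amp;) so it is never decoded as one."""
    return "You searched for: <b>" + html.escape(term, quote=True) + "</b>"


# Constructed inputs: the same script text, once plain, once with the quotes
# written as decimal entities as described on the slide.
PLAIN_INPUT = "alert('XSS')"
ENCODED_INPUT = "alert(&#39;XSS&#39;)"

if __name__ == "__main__":
    for label, value in (("plain", PLAIN_INPUT), ("encoded", ENCODED_INPUT)):
        print(label, "| raw filter accepts:", raw_blacklist_accepts(value),
              "| decoded filter accepts:", canonical_blacklist_accepts(value))
        print("   rendered:", render_search_result(value))
```

Run stand-alone, the output shows the raw filter accepting the encoded input while rejecting the plain one, and the rendered HTML containing no executable markup in either case.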
SecuBat Implementation 1/2
SecuBat Implementation 2/2
Implementation Details
  Language: C#
  Data Store: MS SQL Database
Requirements
  MS Windows 2000, XP, 2003
  MS .NET Framework 2.0
  MS SQL Server 2000/2005 or MSDE/SQL Express 2005
Related Tools
Acunetix Web Vulnerability Scanner (commercial)
  + Web server technology detection
  + Application-level attacks: simple SQL injection, XSS
  - Closed source, no papers, no details available to the public
Nessus, Nikto
  - Rely on repositories of known vulnerabilities
NMap, Xprobe, ...
  - Port scanners only
  - Network/OS level, no application-level attacks
Prototype Results
Evaluation run results (Google search for "login"):
  25,064 crawled pages
  21,627 web forms
  4 attack types
  SQL Injection:         6.63%
  Simple XSS:            4.30%
  Enhanced XSS:          5.60%
  Form-Redirecting XSS:  5.52%
Findings
Critical XSS vulnerabilities (assets):
  eBay (auction access)
  Austrian Finance Ministry (e-government access)
  Geizhals (price management)
  Crit.org (security-associated content)
  Apple (developer access)
  ...
A Case Study
eBay.de Press
http://presse.ebay.de/news.exe?typ=SU&search=%68%74%74%70%3A%2F%2F%70%72%65%73%73%65%2E%65%62%61%79%2E%64%65%2F%26%71%75%6F%74%3B%3E...
Notifications
Query recipients using the WhoIs service
591 mails sent
306 "recipient unknown"
48 detail inquiries after 1 week
Conclusion
Increasing use of web technology requires an increasing security effort
Rather simple attacks (SQL Injection, XSS) but many vulnerable web sites
An automated detection approach can increase your site's security
Implementation of an extensible (pluggable) analysis framework ("SecuBat")
First results of a prototype version serve as a proof of concept
The End
http://www.secubat.org