The Essence of Command Injection Attacks in Web Applications
Zhendong Su and Gary Wassermann
Presented by Alon Kremer, April 2011
(Transcript of the slide deck, 23 slides.)

Page 1: The Essence of Command Injection Attacks in Web Applications

Zhendong Su and Gary Wassermann

Presented by Alon Kremer, April 2011

Page 2: Outline

• Command injection attacks in web applications
• Formal definition of a web application
• Formal definition of a command injection attack
• An algorithm to prevent those attacks

Page 3: Attacking the Web Application

Web application:
◦ takes input strings from the user and interprets them.
◦ interacts with a back-end database.
◦ retrieves data and dynamically generates new content.
◦ presents the output to the user.

The threat – Command Injection Attack:
◦ Unexpected input may cause problems.

Page 4: Web Application Architecture

Web browser --(user input)-----> Application --(database query)--> Database
Web browser <--(web page)------- Application <--(result)---------- Database

The application generates the query based on the user input.

Page 5: SQLCIAs (SQL Command Injection Attacks) – Example

String query = "SELECT cardnum FROM accounts WHERE username = '" + strUName +
               "' AND cardtype = " + strCType + ";";

Expected input:
SELECT cardnum FROM accounts WHERE username = 'John' AND cardtype = 2;

Result: Returns John's saved credit card number.

Page 6: SQLCIAs – Example

String query = "SELECT cardnum FROM accounts WHERE username = '" + strUName +
               "' AND cardtype = " + strCType + ";";

Malicious input:
SELECT cardnum FROM accounts WHERE username = 'John' AND cardtype = 2 OR 1 = 1;

Result: Returns all saved credit card numbers.

Page 7: Web Application – Formally

A function from n-tuples of input strings to query strings. It does not check changes in the query structure, nor does it give information about the source of the strings.

⟨"John", "2"⟩ ↦ "SELECT cardnum FROM ccards WHERE name = 'John' AND cardtype = 2"

Page 8: Quick Overview

Many web applications are vulnerable, and lots of private records can be exposed in a single attack.

Ways to regulate user inputs:
◦ Filter out "bad" strings. (What about 'O'Brian'?)
◦ Escape quotes. (What about 2 OR 1=1, which contains no quotes?)
◦ Limit the input's length.
◦ Regular expressions, etc.

The cause of the problem is that the input changes the syntactic structure of the whole query.

Page 9: SQLCIAs – Informally

(Figure-only slide; no text was extracted.)

Page 10: SQLCIAs – Informally

A SQLCIA modifies the syntactic structure of a query. Our goal is to track user inputs with metadata, the meta-characters m and n, so that the input is syntactically confined in the augmented query.

Modify the SQL grammar to include the metadata: nonterm ::= m symbol n

Attempt to parse the augmented query:
◦ Fails ⇒ block; succeeds ⇒ allow.

Page 11: Valid Syntactic Forms

Given G = {V, Σ, S, P}, choose a policy for the input we want to allow: U ⊆ V ∪ Σ.

The VSF (valid syntactic form) idea: an input substring is a VSF if the parse tree has a node labelled with an element of U whose descendants are exactly that substring.

Grammar fragment:
  b_term ::= b_term AND cond
  cond   ::= val comp val
  val    ::= num | id
  comp   ::= < | > | = …

With U = { cond }: the input "3 < x" is a VSF (it is exactly one cond node), whereas "2 OR 1 = 1" is not (no single cond node covers it: it cuts across two conditions joined by OR).

Page 12: SQLCIAs – Formally

Query q is a SQLCIA if
◦ q has a parse tree Tq, and
◦ for some filter f and some input i, f(i) is a substring of q and is not a VSF in Tq.

Page 13: Augmented Query

Our goal is to track and identify the user input inside the query (in the parse tree).

By augmenting each input i to m i n we can determine which substrings of the constructed query come from the input.

A query qa is an augmented query if it was generated from augmented input: qa = W(m i1 n, …, m in n).

Page 14: Augmented Grammar

Given G = {V, Σ, S, P} and U ⊆ V ∪ Σ. An augmented query qa is in L(Ga) iff
◦ q is in L(G), and
◦ for each substring S that separates a pair of matching m, n, if the meta-characters are removed then S is a VSF.

Ga = {V ∪ {ua | u ∈ U}, Σ ∪ {m, n}, S, Pa}
ua: a fresh non-terminal
Pa = {v → rhsa | v → rhs ∈ P} ∪ {ua → u | u ∈ U} ∪ {ua → m u n | u ∈ U}

Page 15: Augmented Grammar

{v → rhsa | v → rhs ∈ P} constructs production rules in which all right-hand-side occurrences of u ∈ U are replaced with ua.

Example: U = { b, D }

P:
  S ::= b C D
  C ::= c
  D ::= d | d d

Pa:
  S  ::= ba C Da
  ba ::= m b n | b
  C  ::= c
  Da ::= m D n | D
  D  ::= d | d d
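The construction of slides 14 and 15 as runnable code. This is an added example, not code from the paper or from the presentation: it builds Pa from P and the policy U for the slide-15 grammar (grammar symbols are plain strings, the meta-terminals are "m" and "n" as on the slides) and enumerates L(G) and L(Ga) so the effect of the extra ua rules can be seen directly.

```python
"""Augmented-grammar construction of slides 14-15 (added example, not the paper's code).

A grammar is a dict: non-terminal -> list of right-hand sides, each a list of symbols.
Terminals and non-terminals are plain strings; the meta-terminals are "m" and "n"."""

M, N = "m", "n"  # meta-characters as written on the slides


def augment(productions, U):
    """Return Pa for policy U: every occurrence of u in U on a right-hand side is
    replaced by the fresh non-terminal u+'a', and  u+'a' ::= m u n | u  is added."""
    Pa = {v: [[s + "a" if s in U else s for s in rhs] for rhs in rhss]
          for v, rhss in productions.items()}
    for u in sorted(U):
        Pa[u + "a"] = [[M, u, N], [u]]
    return Pa


def derive(productions, start, max_len):
    """Enumerate every terminal string of length <= max_len derivable from `start`
    (leftmost expansion; pruning by length is safe because no production is empty,
    so sentential forms never shrink)."""
    nonterms = set(productions)
    strings, seen, todo = set(), set(), [(start,)]
    while todo:
        form = todo.pop()
        if form in seen or len(form) > max_len:
            continue
        seen.add(form)
        k = next((i for i, s in enumerate(form) if s in nonterms), None)
        if k is None:
            strings.add("".join(form))
            continue
        for rhs in productions[form[k]]:
            todo.append(form[:k] + tuple(rhs) + form[k + 1:])
    return strings


# The grammar P from slide 15:  S ::= b C D,  C ::= c,  D ::= d | d d
P = {"S": [["b", "C", "D"]], "C": [["c"]], "D": [["d"], ["d", "d"]]}
POLICY = {"b", "D"}
PA = augment(P, POLICY)


def is_augmented_sentence(s):
    """True iff s is in L(Ga) for the slide-15 grammar (all its strings are <= 8 symbols)."""
    return s in derive(PA, "S", 8)


if __name__ == "__main__":
    for v, rhss in PA.items():
        print(v, "::=", " | ".join(" ".join(r) for r in rhss))
    print(sorted(derive(PA, "S", 8)))
```

Every string of L(Ga) is a string of L(G) with some of its b and D subtrees wrapped in m … n, and nothing else: a pair of marks around c, or around only part of a D subtree, has no derivation.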

Page 16: Theorem

For all i1, …, in:
W(m i1 n, …, m in n) = qa ∈ L(Ga) iff W(i1, …, in) = q ∈ L(G) and q is not an SQLCIA.

Page 17: Implementation

Meta-characters: two random four-letter strings, excluding dictionary words. Figures given on the slide (their labels were not recovered in the transcript): 426; 72,421; 384,555.

Most user inputs are dictionary words, or passwords that contain digits or are not exactly 4 letters long, so the probability that a user input contains the meta-characters is 0.000052 (figure from the slide).

The policy U is defined in terms of which non-terminals of the SQL grammar are permitted to be at the root of a VSF.

Page 18: Implementation

SQLCheck returns q if qa ∈ L(Ga); the meta-characters are randomly generated strings.

Build time: the SQL grammar G and the policy U go into the "augment" step, which produces the augmented SQL grammar G'; a parser generator turns G' into the SQLCheck parser.

Run time: Web browser → Application → SQLCheck → Database. The application brackets each user input with m and n before building the query; SQLCheck parses the augmented query and forwards it only if the parse succeeds.

Fragment of the augmented grammar shown on the slide:
  …
  bool  ::= terma
  terma ::= term | m term n
  term  ::= faca
  faca  ::= fac | m fac n

Two parse-tree sketches on the slide show where the m and n leaves attach in the chain bool → terma → term → faca → fac.
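A toy SQLCheck that runs the check of slides 10 to 13, 16 and 18 end to end for the queries of slides 5, 6 and 11. It is an added example, not the paper's implementation: the application brackets each input with the marks, a recursive-descent parser for the augmented grammar accepts the query only if every bracketed substring is exactly one node allowed by U, and the marks are stripped before the query is returned. The SQL subset, the mark strings qzkw and xvjp, the policy node names (val, cond) and the two query templates are assumptions of this example; its handling of marks inside a quoted string stands in for the paper's treatment of terminals in U.

```python
"""Toy SQLCheck (added example, not the paper's implementation) for the
augmented-query check of slides 10-13, 16 and 18 over a small SQL subset:
  query ::= SELECT id FROM id WHERE bool ;   bool ::= cond ((AND | OR) cond)*
  cond ::= val comp val   val ::= num | id | str   comp ::= < | > | =
Every u in policy U gets  ua ::= m u n | u ; elsewhere m and n are syntax
errors, so a bracketed input parses only if it forms exactly one u node."""
import re

M, N = "qzkw", "xvjp"  # constructed marks; SQLCheck draws two random strings
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR"}
# Marks match first and a word stops where a mark begins ("2xvjp" lexes as
# NUM 2 then N); a string literal keeps its raw contents, marks included.
TOKEN = re.compile(rf"\s*(?:(?P<M>{M})|(?P<N>{N})|'(?P<STR>[^']*)'|(?P<NUM>\d+)"
                   rf"|(?P<WORD>[A-Za-z_](?:(?!{M}|{N})\w)*)|(?P<OP>[<>=;]))")


def tokenize(text):
    toks, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise SyntaxError(f"cannot tokenize at offset {pos}")
        pos, kind, val = m.end(), m.lastgroup, m.group(m.lastgroup)
        if kind == "WORD":
            kind = "KW" if val.upper() in KEYWORDS else "ID"
            val = val.upper() if kind == "KW" else val
        toks.append((kind, val))
    return toks + [("EOF", "")]


class Parser:
    """Recursive-descent parser for Ga; `policy` is U as a set of node names."""
    def __init__(self, toks, policy):
        self.toks, self.pos, self.policy = toks, 0, policy

    def expect(self, kind, values=None):
        t = self.toks[self.pos]
        if t[0] != kind or (values and t[1] not in values):
            raise SyntaxError(f"expected {kind} {values or ''}, got {t}")
        self.pos += 1
        return t

    def aug(self, name, parse):
        """ua ::= m u n | u for u in U; other nodes leave the mark to an inner node."""
        saved = self.pos
        if name in self.policy and self.toks[saved][0] == "M":
            try:
                self.pos += 1
                node = parse()
                self.expect("N")
                return node
            except SyntaxError:
                self.pos = saved  # backtrack and try plain u instead
        return parse()

    def query(self):
        for kw in ("SELECT", "FROM"):
            self.expect("KW", {kw}); self.expect("ID")
        self.expect("KW", {"WHERE"}); where = self.aug("bool", self.bool_)
        self.expect("OP", {";"}); self.expect("EOF")
        return where

    def bool_(self):  # cond ((AND | OR) cond)*
        node = self.aug("cond", self.cond)
        while self.toks[self.pos] in (("KW", "AND"), ("KW", "OR")):
            op = self.expect("KW")[1]
            node = (op, node, self.aug("cond", self.cond))
        return node

    def cond(self):
        left = self.aug("val", self.val)
        op = self.expect("OP", {"<", ">", "="})[1]
        return ("cond", left, op, self.aug("val", self.val))

    def val(self):
        t = self.toks[self.pos]
        if t[0] not in ("NUM", "ID", "STR"):
            raise SyntaxError(f"expected value, got {t}")
        self.pos += 1
        if t[0] != "STR" or (M not in t[1] and N not in t[1]):
            return (t[0].lower(), t[1])
        # Marks inside quotes are a VSF only when they wrap the whole literal (the
        # terminal case of U); a partner mark outside the quotes means the input
        # closed the string literal early.
        inner = t[1][len(M):-len(N)]
        if (not (t[1].startswith(M) and t[1].endswith(N) and "val" in self.policy)
                or M in inner or N in inner):
            raise SyntaxError("input is not confined to the string literal")
        return ("str", inner)


def build_query(uname, ctype):  # slide 5's concatenation, each input bracketed
    return ("SELECT cardnum FROM accounts WHERE username = '" + M + uname + N
            + "' AND cardtype = " + M + ctype + N + ";")


def where_query(condition):  # hypothetical template: user supplies a whole condition
    return "SELECT cardnum FROM accounts WHERE " + M + condition + N + ";"


def sqlcheck(augmented_query, policy=frozenset({"val"})):
    """Return q (marks stripped) if qa is in L(Ga); None means the query is blocked."""
    try:
        Parser(tokenize(augmented_query), policy).query()
    except SyntaxError:
        return None
    return augmented_query.replace(M, "").replace(N, "")
```

With the default policy U = {val}, the inputs John and 2 from slide 5 pass, while the slide-6 input 2 OR 1 = 1 and an input that closes the quoted string early are both blocked, because no single val node spans the bracketed text. With U = {cond} and a template that takes a whole condition, 3 < x is a VSF but 2 OR 1 = 1 still is not, which is the contrast drawn on slide 11; the policy thus decides what shape of input is acceptable at each site without any language-specific front end.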

Page 19: Test Subjects

Subject             Description                                 LOC (PHP)  LOC (JSP)  Query Sites  Checks Added
Employee Directory  Online employee directory                   2,801      3,114      5            16
Events              Event tracking system                       2,819      3,894      7            20
Classifieds         Online management system for classifieds    5,540      5,819      10           41
Portal              Portal for a club                           8,745      8,870      13           42
Bookstore           Online bookstore                            9,224      9,649      18           56

• Two languages (PHP and JSP):
  – Most techniques require a language-specific front-end; ours does not.

Page 20: Evaluation

Language  Subject             Legitimate queries     Attacks                  Timing mean (ms)  Std dev (ms)
                              (Attempted / Allowed)  (Attempted / Prevented)
PHP       Employee Directory  660 / 660              3937 / 3937              3.230             2.080
PHP       Events              900 / 900              3605 / 3605              2.613             0.961
PHP       Classifieds         576 / 576              3724 / 3724              2.478             1.049
PHP       Portal              1080 / 1080            3685 / 3685              3.788             3.233
PHP       Bookstore           608 / 608              3473 / 3473              2.806             1.625
JSP       Employee Directory  660 / 660              3937 / 3937              3.186             0.652
JSP       Events              900 / 900              3605 / 3605              3.368             0.710
JSP       Classifieds         576 / 576              3724 / 3724              3.134             0.548
JSP       Portal              1080 / 1080            3685 / 3685              3.063             0.441
JSP       Bookstore           608 / 608              3473 / 3473              2.897             0.257

RTT over the internet: ~80-100 ms

Page 21: Conclusions

A formal definition of SQLCIAs and an algorithm to prevent them by syntactically constraining the substrings that come from user input.

SQLCheck intercepts all queries and checks their syntactic form.

Suitable for different languages and web interfaces.

Page 22: Future Work

Experiment with more real-world online web applications and more sophisticated testing techniques (input placeholders).

Apply the approach to XSS, XPath injection, etc.

Page 23: A few thoughts about the article

The formal definition of the web application and of the SQLCIA referred to the most common and basic properties.

The algorithm was simple and elegant. This solution suits all web apps, even in different programming languages.

Easy to control the input policy.

The evaluation was not tested against attackers attempting to defeat this particular mechanism.