The Essence of Command Injection Attacks in Web Applications
Zhendong Su and Gary Wassermann
Presented by Alon Kremer, April 2011
Outline
◦ Command injection attacks in web applications
◦ Formal definition of a web application
◦ Formal definition of a command injection attack
◦ An algorithm to prevent those attacks
Attacking the Web Application
Web application:
◦ Takes input strings from the user and interprets them.
◦ Interacts with a back-end database.
◦ Retrieves data and dynamically generates new content.
◦ Presents the output to the user.
The threat – Command Injection Attack:
◦ Unexpected input may cause problems.
Web Application Architecture
(Diagram) Web browser → Application → Database: the user’s input goes to the application, which generates a database query based on that input; the query result is rendered as a web page and returned to the browser.
SQLCIAs - Example
String query = "SELECT cardnum FROM accounts WHERE username = '" + strUName + "' AND cardtype = " + strCType + ";";
Expected input (strUName = John, strCType = 2) produces:
SELECT cardnum FROM accounts WHERE username = ‘John’ AND cardtype = 2;
Result: Returns John’s saved credit card number.

Malicious input (strCType = 2 OR 1 = 1) produces:
SELECT cardnum FROM accounts WHERE username = ‘John’ AND cardtype = 2 OR 1 = 1;
Result: Returns all saved credit card numbers.
Web Application – Formally
A web application is a function from n-tuples of input strings to query strings. It does not check for changes in the query structure, nor does it carry information about the source of the strings.
⟨“John”, “2”⟩ ↦ “SELECT cardnum FROM ccards WHERE name = ‘John’ AND cardtype = 2”
Quick Overview
Many web applications are vulnerable, and a single attack can expose a large number of private records.
Ways to regulate user input:
◦ Filter out “bad” strings. (What about ‘O’Brian’?)
◦ Escape quotes. (What about 2 OR 1=1?)
◦ Limit the input’s length.
◦ Regular expressions, etc.
The root cause of the problem is that the input changes the syntactic structure of the whole query.
SQLCIAs – Informally
An SQLCIA modifies the syntactic structure of a query.
Our goal is to track user input with metadata, m and n, so that the input is syntactically confined in the augmented query.
Modify the SQL grammar to include the metadata: nonterm ::= m symbol n
Attempt to parse the augmented query:
◦ Fails ⇒ block; Succeeds ⇒ allow.
Valid Syntactic Forms
Given G = {V, Σ, S, P}, choose a policy of input we want to allow, U ⊆ V ∪ Σ.
The VSF idea: the parse tree has a node in U whose descendants are exactly an input substring.
b_term ::= b_term AND cond
cond ::= val comp val
val ::= num | id
comp ::= < | > | = …
U = { cond }
Examples: 3 < x is derivable from cond, so it is a valid syntactic form; 2 OR 1 = 1 is not derivable from cond, so it is not.
SQLCIAs – Formally
Query q is an SQLCIA if
◦ q has a parse tree Tq, and
◦ for some filter f and some input i,
◦ f(i) is a substring of q and is not a VSF in Tq.
Augmented Query
Our goal is to track and identify the user input inside the query (in the parse tree).
By augmenting each input i_k to m i_k n we can determine which substrings of the constructed query come from the input.
A query qa is an augmented query if it was generated from augmented input: qa = W(m i1 n, …, m in n).
Augmented Grammar
Given G = {V, Σ, S, P} and U ⊆ V ∪ Σ.
An augmented query qa is in L(Ga) iff
◦ q is in L(G), and
◦ for each substring S that separates a pair of matching m, n: if the meta-characters are removed, then S is a VSF.
Ga = {V ∪ {ua | u ∈ U}, Σ ∪ {m, n}, S, Pa}
ua: a fresh non-terminal
Pa = {v → rhsa | v → rhs ∈ P} ∪ {ua → u | u ∈ U} ∪ {ua → m u n | u ∈ U}
Augmented Grammar
{v → rhsa | v → rhs ∈ P}: construct production rules in which all right-hand-side occurrences of u ∈ U are replaced with ua.
Example: U = { b, D }
P:
S ::= b C D
C ::= c
D ::= d | dd
Pa:
S ::= ba C Da
ba ::= m b n | b
C ::= c
Da ::= m D n | D
D ::= d | dd
Theorem
For all i1, …, in:
W(m i1 n, …, m in n) = qa ∈ L(Ga) iff W(i1, …, in) = q ∈ L(G) and q is not an SQLCIA.
Implementation
Meta-characters: two random four-letter strings, excluding dictionary words (SQLCheck uses randomly generated strings). Total of: 426, 72,421, 384,555 (figures as listed on the slide).
Most user inputs are dictionary words, or passwords with numbers or of other than four letters, so the probability of an input using the meta-characters is 0.000052.
The policy U is defined in terms of which non-terminals in the SQL grammar are permitted to be at the root of a VSF.
SQLCheck returns q if qa ∈ L(Ga).
Implementation (architecture)
(Diagram) The SQL grammar G and the policy U go through an augment step that produces the augmented SQL grammar G’; a parser generator turns G’ into the parser used by SQLCheck. SQLCheck sits between the Application and the Database (Web Browser → Application → SQLCheck → Database) and checks each query carrying the m, n meta-characters.
Fragment of the augmented grammar:
… bool ::= terma
terma ::= term | m term n
term ::= faca
faca ::= fac | m fac n
…
(Parse trees on the slide: bool → terma → term → faca → fac, with m and n wrapping the fac node.)
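The meta-character check from the slides above (augment each input to m i n, parse with Ga, allow only if the parse succeeds), as an added Python example that is not code from the paper or the slides. It assumes a toy grammar for the example query (bool, b_term, cond, val, plus a text non-terminal for the contents of a string literal), widens the policy from the slide’s illustrative U = {cond} to U = {cond, val, text} so that plain literals like John and 2 are allowed, and uses fixed stand-ins for the random four-letter meta-characters so the run is reproducible.

```python
import re
from functools import partial

M, N = "qzxv", "kwjy"  # constructed stand-ins for the random four-letter meta-characters m, n
TOK = re.compile(r"(?P<m>%s)|(?P<n>%s)|(?P<q>')|(?P<num>\d+)|(?P<op>[<>=])|(?P<semi>;)"
                 r"|(?P<word>(?:(?!%s|%s)\w)+)" % (M, N, M, N))
def lex(s):  # (kind, text) tokens; m and n are tokens wherever they occur, even glued to a word
    toks, i = [], 0
    while i < len(s):
        mo = TOK.match(s, i)
        if not (mo or s[i].isspace()): raise ValueError("unexpected character %r" % s[i])
        if mo: toks.append((mo.lastgroup, mo.group()))
        i = mo.end() if mo else i + 1
    return toks
def at(toks, i, kind):  # parse functions return the index after what they consumed, or None
    return i is not None and i < len(toks) and toks[i][0] == kind
def aug(u, toks, i):  # ua ::= m u n | u   (the fresh non-terminal Ga adds for each u in U)
    if at(toks, i, "m"):
        j = u(toks, i + 1)
        if at(toks, j, "n"): return j + 1
    return u(toks, i)  # otherwise the marker belongs to some u' in U nested inside u
def p_text(toks, i):  # text ::= (WORD | NUM)*   -- the contents of a string literal
    while at(toks, i, "word") or at(toks, i, "num"): i += 1
    return i
def p_val(toks, i):  # val ::= NUM | WORD | ' text '
    if at(toks, i, "num") or at(toks, i, "word"): return i + 1
    if not at(toks, i, "q"): return None
    j = aug(p_text, toks, i + 1)
    return j + 1 if at(toks, j, "q") else None
def p_cond(toks, i):  # cond ::= val comp val
    i = aug(p_val, toks, i)
    return aug(p_val, toks, i + 1) if at(toks, i, "op") else None
def p_seq(sub, kw, toks, i):  # sub (kw sub)*
    i = sub(toks, i)
    while i is not None and i < len(toks) and toks[i][1].upper() == kw: i = sub(toks, i + 1)
    return i
p_bterm = partial(p_seq, partial(aug, p_cond), "AND")  # b_term ::= cond (AND cond)*
p_bool = partial(p_seq, p_bterm, "OR")                 # bool ::= b_term (OR b_term)*
def in_language(query):  # q in L(G) when no meta-characters occur; qa in L(Ga) when they do
    try: toks = lex(query)
    except ValueError: return False
    if [t[1].upper() for t in toks[:5:2]] != ["SELECT", "FROM", "WHERE"]: return False
    i = p_bool(toks, 5)  # query ::= SELECT col FROM tbl WHERE bool [;]
    return (i + 1 if at(toks, i, "semi") else i) == len(toks)
def web_app(uname, ctype):  # W from the slides: the query is built by string concatenation
    return "SELECT cardnum FROM accounts WHERE username = '" + uname + "' AND cardtype = " + ctype + ";"
def sqlcheck(app, *inputs):  # SQLCheck: wrap each input as m i n and return q only if qa is in L(Ga)
    qa = app(*(M + x + N for x in inputs))
    return app(*inputs) if in_language(qa) else None
```

sqlcheck(web_app, "John", "2") returns the query while sqlcheck(web_app, "John", "2 OR 1 = 1") returns None, even though in_language(web_app("John", "2 OR 1 = 1")) is True: the injected query is valid SQL, but the input is not syntactically confined, exactly the distinction the theorem draws.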
Test Subjects
Subject              Description                                  LOC (PHP)  LOC (JSP)  Query Sites  Checks Added
Employee Directory   Online employee directory                    2,801      3,114      5            16
Events               Event tracking system                        2,819      3,894      7            20
Classifieds          Online management system for classifieds     5,540      5,819      10           41
Portal               Portal for a club                            8,745      8,870      13           42
Bookstore            Online bookstore                             9,224      9,649      18           56
◦ Two languages (PHP & JSP): most techniques require a language-specific front-end; ours does not.
Evaluation
Language  Subject             Legitimate queries      Attacks                   Timing (ms)
                              (Attempted / Allowed)   (Attempted / Prevented)   Mean    Std Dev
PHP       Employee Directory  660 / 660               3937 / 3937               3.230   2.080
PHP       Events              900 / 900               3605 / 3605               2.613   0.961
PHP       Classifieds         576 / 576               3724 / 3724               2.478   1.049
PHP       Portal              1080 / 1080             3685 / 3685               3.788   3.233
PHP       Bookstore           608 / 608               3473 / 3473               2.806   1.625
JSP       Employee Directory  660 / 660               3937 / 3937               3.186   0.652
JSP       Events              900 / 900               3605 / 3605               3.368   0.710
JSP       Classifieds         576 / 576               3724 / 3724               3.134   0.548
JSP       Portal              1080 / 1080             3685 / 3685               3.063   0.441
JSP       Bookstore           608 / 608               3473 / 3473               2.897   0.257
RTT over the internet: ~80-100 ms
Conclusions
A formal definition of SQLCIAs and an algorithm to prevent them by syntactically constraining the substrings that come from user input.
SQLCheck intercepts all queries and checks their syntactic form.
Suitable for different languages and web interfaces.
Future Work
Experiment with more real-world online web applications and more sophisticated testing techniques (input placeholders).
Apply to XSS, XPath injection, etc.
A few thoughts about the article
The formal definitions of the web application and of the SQLCIA refer to the most common and basic properties.
The algorithm is simple and elegant. The solution suits all web apps, even ones written in different programming languages.
The input policy is easy to control.
The evaluation did not test against attackers attempting to defeat this particular mechanism.