WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction

Prithvi Bisht (http://cs.uic.edu/~pbisht) +, Timothy Hinrichs *+, Nazari Skrupsky +, V.N. Venkatakrishnan +

+: University of Illinois, Chicago
*: University of Chicago, Chicago


Background: User Input Validation

• Web applications need to validate user-supplied input and reject invalid input
• Examples:
  • "Credit card number is exactly 16 digits"
  • "Expiration date of Jan 2009 is not valid"
• Validation traditionally done at the server: costs a round trip and server load
• Popular trend: client-side validation through JavaScript

Client Side Validation using JavaScript

onSubmit = validateCard(); validateQuantities();

Flow: Validation pass? Yes → send inputs to server. No → reject inputs.

Problem: Client is an Untrusted Environment

• Validation can be bypassed
• Values the client would have rejected are sent to the server anyway (e.g., invalid quantity: -4)
• Ideally: re-validate at the server side and reject
• If not: parameter tampering attacks
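The server-side re-validation the slide calls for, as an added example in Python (not code from the talk or from any application it analysed): the client's rules (16-digit card, non-expired date, non-negative quantity) are re-checked on a raw POST body, with a handler that skips the re-check beside the hardened one. The field names, the MM/YYYY date format, the unit price and the reference date are assumptions.

```python
from datetime import date
from urllib.parse import parse_qs

PRICE_CENTS = 1999             # assumed unit price
TODAY = date(2011, 10, 1)      # assumed reference date for expiry checks


def validate_order(form: dict, today: date = TODAY) -> list:
    """Server-side counterpart of validateCard() / validateQuantities().

    Returns the list of rejection reasons; empty means the input is valid.
    Each rule mirrors one the client JavaScript is supposed to enforce, so
    bypassing the client buys the attacker nothing.
    """
    errors = []
    card = form.get("card", "")
    if not (len(card) == 16 and card.isascii() and card.isdigit()):
        errors.append("credit card number must be exactly 16 digits")
    exp = form.get("exp", "")                  # assumed format: MM/YYYY
    try:
        month, year = (int(p) for p in exp.split("/"))
        if not 1 <= month <= 12 or (year, month) < (today.year, today.month):
            errors.append("expiration date is not valid")
    except ValueError:                          # wrong arity or non-numeric parts
        errors.append("expiration date is not valid")
    qty = form.get("quantity", "")
    if not (qty.isascii() and qty.isdigit()):   # rejects "", "-4", "1.5", "4e2"
        errors.append("quantity must be a non-negative integer")
    return errors


def parse_body(body: str) -> dict:
    """First value of each parameter in a raw application/x-www-form-urlencoded body."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def handle_order_no_revalidation(body: str) -> int:
    """Vulnerable: trusts that the client already validated. Returns the cost in cents."""
    form = parse_body(body)
    return int(form["quantity"]) * PRICE_CENTS   # quantity=-4 yields a negative cost


def handle_order(body: str, today: date = TODAY) -> tuple:
    """Hardened: re-validates; returns (accepted, cost in cents or list of errors)."""
    form = parse_body(body)
    errors = validate_order(form, today)
    if errors:
        return False, errors
    return True, int(form["quantity"]) * PRICE_CENTS


# Constructed request bodies. TAMPERED is what an attacker submits directly
# (curl or an intercepting proxy): the onSubmit handler never ran, so the
# quantity the client would have rejected arrives at the server.
BENIGN = "card=4111111111111111&exp=12/2030&quantity=2"
TAMPERED = "card=4111111111111111&exp=12/2030&quantity=-4"

if __name__ == "__main__":
    print(handle_order_no_revalidation(TAMPERED))   # -7996: the shop pays the attacker
    print(handle_order(TAMPERED))                    # (False, [...quantity...])
    print(handle_order(BENIGN))                      # (True, 3998)
```

The point of `validate_order` is that it is the same predicate the client enforces, written once more on the side that is actually trusted; anything the JavaScript checks and the server does not is, by the talk's definition, a parameter tampering opportunity.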

Prior work: CCS'10

• 9 of 13 applications vulnerable to parameter tampering
  • Online banking: unauthorized money transfers
  • Online shopping: unlimited shopping discounts
• Approach: identify parameter tampering opportunities treating the server-side code as a blackbox, then manually construct exploits

Question: if the server-side code is available, can parameter tampering exploits be constructed automatically?

Threat is Real!

Results summary: 45 exploits in 6 applications

First analysis that combines JavaScript/HTML, PHP, MySQL

Client-side code (JavaScript/HTML) + server-side code (PHP, MySQL) → WAPTEC → exploits

Whitebox Parameter Tampering Detection

Intuition

• Fclient: inputs accepted by the client
• ¬Fclient: inputs rejected by the client
• Fserver: inputs accepted by the server

Venn diagram over the universe U of inputs: parameter tampering exploits are the inputs that the client would have rejected but the server accepted!!

Parameter Tampering Exploits = ¬Fclient ∩ Fserver

Intuition (contd…)

Client-side code (JavaScript/HTML), as a control flow graph: "Input valid?" leads either to error or to "send to server". Accepted inputs reach the send: fclient = program condition for reaching it (logical formula).

Server-side code (PHP/MySQL), as a control flow graph: "Input valid?" leads either to error or to the sensitive operation. Accepted inputs reach the sensitive operation: fserver = conditions satisfied along the path to it (logical formula).

Intuition (contd…)

Same two control flow graphs (client: input valid? → error / send to server; server: input valid? → error / sensitive operation). The analysis proceeds in two steps:

1. Generate benign inputs that reach a sensitive operation: fclient ∩ fserver
2. Check whether rejected (hostile) inputs can reach the SAME sensitive operation: ¬fclient ∩ fserver

Intuition: quantity example

Client-side code (JavaScript/HTML): quantity ≥ 0 → send to server, otherwise error
Server-side code (PHP/MySQL): cost = quantity * price; mysql_query( insert … cost )

1. Benign input quantity = 1 reaches the sink: fclient = quantity ≥ 0, fserver = true (no condition on the server path)
2. ¬fclient ∩ fserver = (quantity < 0)

Parameter tampering exploits: quantity = -1, -2, ….

WAPTEC Architecture


Outline

1. Intuition
2. Computing fserver
3. Evaluation
4. Summary

Fserver: Inputs that reach sensitive ops

n = user_input ( 'name' ); a = user_input ( 'age' );
if ( n == null ) exit ( "please specify user name" );
if ( a < 0 ) exit ( "please specify age" );
f = mysql_query ( "insert … name = " . n . " … age = " . a );

fserver = ( all conditions on user inputs that must be satisfied to reach sensitive operations )

Control flow graph: n == null → exit; a < 0 → exit; otherwise mysql_query

Computing fserver

Computed dynamically: execute the server-side code concretely with benign inputs

Benign inputs: name = bob, age = 55

Execution trace of the server-side code:
n = user_input ( 'name' ); a = user_input ( 'age' );
( n != null )
( a ≥ 0 )
f = mysql_query ( "insert…" )

fserver = ( name != "" ) ∩ ( age ≥ 0 )

Challenges in computing execution traces

function f1() { x = 10; f2(); y = x; }
function f2() { x = 20; }

Naive execution trace: x = 10; x = 20; y = x; → incorrect !! (f1's y is assigned f1's x, not f2's)
Use context information: f1_x = 10; f2_x = 20; f1_y = f1_x;

PHP 5 object-oriented programs:
class C { function m() { x = 10; } }
o1 -> m(); o2 -> m();
Naive trace: m_x = 10; m_x = 10;
Uniquely identify objects: id1_m_x = 10; id2_m_x = 10;

Computing fserver (contd…)

n = user_input ( 'name' ); d = user_input ( 'address' );
if ( n == null ) exit ( "please specify user name" );
f = mysql_query ( "insert …" );
if ( f == null ) exit ( "please specify an address" );

Inputs reaching sensitive operations may still be rejected!!

Benign input name = bob (no address): the server-side code reaches the SQL sink, but the insert is rejected because address is null.

Extract constraints imposed by the database schema:
create table profiles ( … addrDB … NOT NULL, … )

Computing fserver (contd…)

Database schema: set of SQL statements for creating tables / views. Column definitions specify constraints.

Example, profile table: addrDB != null

Column Definition | Constraint
enum ( a, b, c ) | column IN {a, b, c}
NOT NULL | column != null
VARCHAR ( n ) | length ( column ) ≤ n

These are constraints on column names, but fserver is in terms of inputs. How to map?

Computing fserver (contd…)

Generate a symbolic query from the trace:
insert into profile … set addrDB = _POST['address']
(user input address is inserted in column addrDB)

Constraint on table column: addrDB != null
→ constraint on user input: address != null
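Added example (Python, not WAPTEC's implementation) of the two steps above: extracting the slide's three column constraints from a CREATE TABLE statement and rewriting them over request parameters via the symbolic INSERT recovered from the trace. The schema, the symbolic query and the column-definition syntax the regexes accept are constructed assumptions, not DcpPortal's.

```python
import re

# Constructed schema (assumption, not from any analysed application).
CREATE_TABLE = """
create table profiles (
  id int NOT NULL,
  naDB varchar(32) NOT NULL,
  addrDB varchar(100) NOT NULL,
  plan enum('free', 'pro', 'team'),
  note text
)
"""

# Symbolic INSERT as recovered from the trace: which _POST parameter each column receives.
SYMBOLIC_INSERT = ("insert into profiles set naDB = _POST['name'], addrDB = _POST['address'], "
                   "plan = _POST['plan'], note = _POST['note']")


def column_constraints(ddl: str) -> dict:
    """Slide's table: NOT NULL, VARCHAR(n) and ENUM(...) become constraints on the column."""
    body = ddl[ddl.index("(") + 1: ddl.rindex(")")]
    constraints = {}
    for line in body.splitlines():
        line = line.strip().rstrip(",")
        if not line:
            continue
        col, definition = line.split(None, 1)
        cs = []
        if re.search(r"\bNOT\s+NULL\b", definition, re.I):
            cs.append(f"{col} != null")
        m = re.match(r"varchar\s*\(\s*(\d+)\s*\)", definition, re.I)
        if m:
            cs.append(f"length({col}) <= {m.group(1)}")
        m = re.match(r"enum\s*\((.*?)\)", definition, re.I)
        if m:
            values = [v.strip().strip("'\"") for v in m.group(1).split(",")]
            cs.append(f"{col} IN {{{', '.join(values)}}}")
        constraints[col] = cs
    return constraints


def column_to_input(symbolic_query: str) -> dict:
    """Bridge the namespaces: column name -> user input written into it."""
    return dict(re.findall(r"(\w+)\s*=\s*_POST\['(\w+)'\]", symbolic_query))


def f_db(ddl: str, symbolic_query: str) -> list:
    """Rewrite every column constraint over the input that reaches that column.
    Columns the query never writes (here: id) impose nothing on the request."""
    mapping = column_to_input(symbolic_query)
    out = []
    for col, cs in column_constraints(ddl).items():
        if col in mapping:
            out.extend(re.sub(rf"\b{col}\b", mapping[col], c) for c in cs)
    return out


if __name__ == "__main__":
    for c in f_db(CREATE_TABLE, SYMBOLIC_INSERT):
        print(c)
```

The output is fdb for this query: constraints on name, address and plan that the PHP code never checks itself but the database will enforce, so a hostile input violating them reaches the sink and is still rejected. A real implementation would need the full column grammar and the actual query shape (INSERT ... VALUES, UPDATE) recovered from the trace.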

Bridging namespaces for database, PHP

n = user_input ( 'name' ); d = user_input ( 'address' );
if ( n == "" ) exit ( "please specify user name" );
f = mysql_query ( "insert … naDB = " . n . " … addrDB = " . d );
if ( f == null ) exit ( "please specify address" );

Summary: Computing fserver

1. Conditions checked in the code encode restrictions on inputs: fcode
2. The database may also encode restrictions on inputs: fdb

fserver = fcode + fdb

Outline

1. Intuition
2. Computing Fserver
3. Evaluation
4. Summary

Evaluation: Results

Application | Size (LOC) | WAPTEC confirmed exploits | Confirmed exploits CCS'2010
DcpPortal | 145K | 32 | 13
SPHPBlog | 27K | 1 | 1
Lanshop | 15K | 3 | 3
MyBloggie | 9K | 6 | 1
SnipeGallery | 9K | 2 | 2
PHPNews | 6K | 1 | 1

Total: 45 parameter tampering exploits (CCS'2010: 21)
23 false positives
24 false negatives

DcpPortal: Create Imposter Accounts

Vulnerability: the duplicate check does not enforce the length restriction

Exploit: create an imposter account for name "alice"

Client-side constraints: 1. length ( name ) ≤ 32

Server-side code:
a. Check DB for duplicate name (does not restrict length)
b. Insert name in DB (truncates name to 32 characters)

Submitted name: 32 characters beginning with "alice", plus a 33rd character "a". The duplicate check compares the full 33-character string, which is not "alice"; the insert truncates it to the first 32 characters.
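Added example (Python, not DcpPortal's code) modelling the check-then-truncate mismatch on this slide, with the hardened variant beside it. The 32-character limit, the duplicate check and the 33rd character "a" come from the slide; padding the name with spaces and a PAD SPACE comparison (MySQL collations such as latin1_swedish_ci treat 'alice' and 'alice   ' as equal) are assumptions used to show how the truncated value can collide with the existing account.

```python
NAME_COLUMN_WIDTH = 32   # VARCHAR(32) name column, from the slide


class ProfilesTable:
    """Simulates the name column: values are silently truncated on insert and
    compared with trailing spaces ignored (PAD SPACE collation; an assumption
    about the database, not a fact from the slide)."""

    def __init__(self):
        self.rows = []

    @staticmethod
    def key(name: str) -> str:
        return name.rstrip(" ")            # PAD SPACE comparison

    def exists(self, name: str) -> bool:
        return any(self.key(r) == self.key(name) for r in self.rows)

    def insert(self, name: str) -> str:
        stored = name[:NAME_COLUMN_WIDTH]  # truncation on insert
        self.rows.append(stored)
        return stored


def register_vulnerable(db: ProfilesTable, name: str) -> str:
    """Slide's server-side code: (a) duplicate check on the raw input, which does
    not enforce the client's length limit, then (b) insert, which truncates."""
    if db.exists(name):
        raise ValueError("name already taken")
    return db.insert(name)


def register_fixed(db: ProfilesTable, name: str) -> str:
    """Re-impose the client's constraint on the server so the value that is
    checked for duplicates is the value that gets stored."""
    if len(name) > NAME_COLUMN_WIDTH:
        raise ValueError("name too long")
    return register_vulnerable(db, name)


def imposter_name(victim: str) -> str:
    """32 characters beginning with the victim's name, plus a 33rd character.
    Padding with spaces is the assumption that makes the truncated value
    compare equal to the victim's name."""
    return victim.ljust(NAME_COLUMN_WIDTH) + "a"


def demo(register) -> tuple:
    """Returns (what the attacker's request stored, or the rejection reason,
    number of rows that now compare equal to 'alice')."""
    db = ProfilesTable()
    db.insert("alice")
    try:
        outcome = register(db, imposter_name("alice"))
    except ValueError as e:
        outcome = str(e)
    return outcome, sum(1 for r in db.rows if db.key(r) == "alice")


if __name__ == "__main__":
    print(demo(register_vulnerable))   # ('alice' + 27 spaces, 2): two rows named alice
    print(demo(register_fixed))        # ('name too long', 1)
```

The general lesson is independent of the padding trick: whenever the value that is checked differs from the value that is stored (truncation, normalisation, case folding), the check must run on the post-transformation value, or the transformation's precondition must be enforced first.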

DcpPortal: Create Admin Account

Vulnerability: attacker can set the cookie make_install_prn

Exploit: negative tampering, create an admin account. There is no mention of make_install_prn in Fclient, while Fserver contains (make_install_prn != 1): negating a server condition that the client never constrains yields a hostile input (make_install_prn == 1) that still reaches the account-creation sink.

Server-side code:
privilege = non-admin;
if ( _COOKIE['make_install_prn'] == 1 ) privilege = admin;
Create account with privilege;

Some related work

Multi-tier analysis of web applications
• Legacy code: MiMosa, Balzarotti et al. CCS 2007; Chong et al. SIGMOD 2007
• Principled development of applications: Links, Google Web Toolkit, Corcoran et al. SIGMOD 2009
Specification inference: AutoISES, Tan et al. Security 2008; Engler et al. SOSP 2001; Felmetsger et al. Security 2010; Srivastava et al. PLDI 2011
Test input generation: Saxena et al. SP 2010; Halfond et al. ISSTA 2009; Kiezun et al. ICSE 2009; Emmi et al. ISSTA 2007; Godefroid et al. NDSS 2008 …
Input validation: Su et al. POPL 2006; Balduzzi et al. NDSS 2011; Jayaraman et al. DBSec 2010
Sanitization: Balzarotti et al. SP 2008 …

Summary

Parameter tampering vulnerabilities: widespread

First analysis that combines analysis of HTML/JavaScript, PHP and database-imposed constraints.

Possible to infer specification of intended behavior from source code and use it in vulnerability detection.

Thanks and Questions

Backup

WAPTEC Architecture

Refining Search for a Success Sink

Fclient = (i > 0); the server requires (i > 0 ∩ i < 11)

First attempt, benign input i = 11: sink not reached, Fserver = NOT (i > 0 ∩ i < 11)

Intuition: Fserver for a failed run contains the condition that was not satisfied

Refine the client-side spec: Fclient ∩ NOT Fserver

Second attempt: (i > 0) ∩ NOT ( NOT ( i > 0 ∩ i < 11 ) ), i.e. i = 1 .. 10 (accepted by the server-side code)
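Added example (Python, not WAPTEC's implementation) that ties together the two intuition steps and the quantity example, the dynamic computation of fserver from an execution trace, and the refinement on this slide. The PHP server is modelled as Python functions that report each input-dependent branch to a trace object; the candidate order (descending from 11, to reproduce the first attempt above), the finite integer domain and the two handlers are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Inputs = Dict[str, int]
Formula = Callable[[Inputs], bool]


@dataclass(frozen=True)
class Cond:
    """A branch condition over the request inputs, kept evaluable so it can be
    re-checked on other inputs later (the slides' logical formulas)."""
    text: str
    test: Formula


@dataclass
class Trace:
    """Execution trace of one concrete run: (condition, outcome) for every
    input-dependent branch, plus whether the sensitive operation was reached."""
    inputs: Inputs
    path: List[Tuple[Cond, bool]] = field(default_factory=list)
    sink_reached: bool = False

    def branch(self, cond: Cond) -> bool:
        taken = cond.test(self.inputs)
        self.path.append((cond, taken))
        return taken

    def formula(self) -> Formula:
        """fserver of this run: inputs that follow exactly the same path."""
        path = list(self.path)
        return lambda x: all(c.test(x) == taken for c, taken in path)

    def describe(self) -> str:
        return " ∩ ".join(c.text if taken else f"NOT({c.text})"
                          for c, taken in self.path) or "true"


# Constructed PHP-style handlers, modelled in Python (assumption).
IN_RANGE = Cond("i > 0 ∩ i < 11", lambda x: 0 < x["i"] < 11)


def server_checked(t: Trace) -> None:
    """Backup slide: the server requires 0 < i < 11 before the sink."""
    if not t.branch(IN_RANGE):
        return                       # exit("invalid quantity")
    t.sink_reached = True            # mysql_query(insert … cost)


def server_unchecked(t: Trace) -> None:
    """Quantity slide: no server-side check at all, so fserver = true."""
    t.sink_reached = True


F_CLIENT = Cond("i > 0", lambda x: x["i"] > 0)     # Fclient of the backup slide
F_NONNEG = Cond("i ≥ 0", lambda x: x["i"] >= 0)    # fclient of the quantity slide


def find_benign(server, f_client: Cond, candidates: List[int]):
    """Step 1: find a client-accepted input that reaches the sink, refining the
    spec with NOT(fserver) after each run that misses it."""
    spec: Formula = f_client.test
    attempts: List[str] = []
    while True:
        x = next(({"i": i} for i in candidates if spec({"i": i})), None)
        if x is None:
            raise RuntimeError("no candidate satisfies the refined spec")
        t = Trace(x)
        server(t)
        status = "sink reached" if t.sink_reached else "sink not reached"
        attempts.append(f"i = {x['i']}: {status}, Fserver = {t.describe()}")
        if t.sink_reached:
            return x, t, attempts
        failed, old = t.formula(), spec
        spec = lambda y, old=old, failed=failed: old(y) and not failed(y)


def find_exploits(f_client: Cond, f_server: Formula, domain: List[int]) -> List[int]:
    """Step 2: NOT(fclient) ∩ fserver, enumerated over a finite domain."""
    return [i for i in domain if not f_client.test({"i": i}) and f_server({"i": i})]


def analyse(server, f_client: Cond = F_CLIENT,
            candidates=range(11, 0, -1), domain=range(-5, 15)) -> dict:
    benign, trace, attempts = find_benign(server, f_client, list(candidates))
    return {"benign": benign["i"], "attempts": attempts, "f_server": trace.describe(),
            "exploits": find_exploits(f_client, trace.formula(), list(domain))}


if __name__ == "__main__":
    print(analyse(server_checked))              # benign i = 10, no exploits
    print(analyse(server_unchecked, F_NONNEG))  # benign i = 11, exploits -5 .. -1
```

For `server_checked` the first attempt (i = 11) misses the sink and its trace formula is NOT(i > 0 ∩ i < 11); conjoining its negation with Fclient steers the second attempt to i = 10, and the resulting fserver is stricter than Fclient, so step 2 finds nothing. For `server_unchecked` the trace is empty, fserver is true, and every input the client rejects is an exploit, as on the quantity slide. WAPTEC uses a constraint solver where this toy enumerates a domain, and the trace also feeds the schema constraints fdb.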
