WAPTEC: Whitebox Analysis of Web Applications for
Parameter Tampering Exploit Construction
Prithvi Bisht (http://cs.uic.edu/~pbisht) +
Timothy Hinrichs*+, Nazari Skrupsky+, V.N. Venkatakrishnan+
+ : University of Illinois, Chicago; * : University of Chicago, Chicago
Background: User Input Validation
• Web applications need to
  • Validate user supplied input
  • Reject invalid input
• Examples:
  • “Credit card number is exactly 16 digits”
  • “Expiration date of Jan 2009 is not valid”
• Validation traditionally done at server: round-trip, load
• Popular trend: client-side validation through JavaScript
Client Side Validation using JavaScript
onSubmit = validateCard(); validateQuantities();
Validation pass?
  Yes: send inputs to server
  No: reject inputs
Problem: Client is an Untrusted Environment
• Validation can be bypassed
  • Previously rejected values are sent to the server
  • Invalid quantity: -4
• Ideally: re-validate at server side and reject
• If not: parameter tampering attacks
Prior work: CCS’10
• 9 / 13 applications vulnerable to parameter tampering
  • Online banking: unauthorized money transfers
  • Online shopping: unlimited shopping discounts
• Identified parameter tampering opportunities with server-side code treated as a blackbox; exploits constructed manually
Question: If server-side code is available, can parameter tampering exploits be constructed automatically?
Threat is Real!
Results summary: 45 exploits in 6 applications
First analysis that combines JavaScript/HTML, PHP, MySQL
Client-side code (JavaScript/HTML) + Server-side code (PHP, MySQL) → WAPTEC → exploits
Whitebox Parameter Tampering Detection
Intuition
• Fclient : inputs accepted by client
• ¬Fclient : inputs rejected by client
• Fserver : inputs accepted by server
Venn diagram over the universe U of inputs: the region ¬Fclient ∩ Fserver contains inputs that the client would have rejected but the server accepted!!
Parameter tampering exploits = ¬Fclient ∩ Fserver
Intuition (contd…)
Client-side code (JavaScript/HTML), control flow graph: a chain of “Input valid?” checks, each branching to error or onward, ending in “send to server”. Accepted inputs reach the send: fclient = program condition (logical formula) under which they get there.
Server-side code (PHP/MySQL), control flow graph: a chain of “Input valid?” checks, each branching to error or onward, ending in a sensitive operation. Accepted inputs reach the sensitive operation: fserver = satisfied conditions (logical formula).
Intuition (contd…)
Same control flow graphs as before (client: “Input valid?” checks → error / send to server; server: “Input valid?” checks → error / sensitive operation).
1. Generate benign inputs that reach a sensitive operation: fclient ∩ fserver
2. Check if rejected (hostile) inputs can reach the SAME sensitive operation: ¬fclient ∩ fserver
Intuition: quantity example
Client-side code (JavaScript/HTML): check quantity ≥ 0 → No: error; Yes: send to server
Server-side code (PHP/MySQL): cost = quantity * price; mysql_query( insert … cost )
1. Benign input: quantity = 1
   fclient = quantity ≥ 0
   fserver = true (the server-side path to the insert imposes no condition on quantity)
2. ¬fclient ∩ fserver = (quantity < 0)
Parameter tampering exploits: quantity = -1, -2, ….
Fserver: Inputs that reach sensitive ops
Server-side code:
  n = user_input ( ‘name’ ); a = user_input ( ‘age’ );
  if ( n == null ) exit ( “please specify user name” );
  if ( a < 0 ) exit ( “please specify age” );
  f = mysql_query ( “insert … name = ” . n . “ … age = ” . a ) ;
Control flow graph: n == null → exit; a < 0 → exit; otherwise mysql_query
fserver = ( all conditions on user inputs that must be satisfied to reach sensitive operations )
Computing fserver
Computed dynamically: execute server-side code concretely with benign inputs
Benign inputs: name = bob, age = 55
Server-side code: n = user_input ( ‘name’ ); a = user_input ( ‘age’ ); …
Execution trace:
  ( n != null )
  ( a ≥ 0 )
  f = mysql_query ( “insert…” )
fserver = ( name != “” ) ∩ ( age ≥ 0 )
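The two ideas on the preceding slides, computing fserver from a concrete execution trace and then searching ¬fclient ∩ fserver for inputs the client rejects but the server still lets through, as an added Python model. This is not WAPTEC's code: the PHP handlers are replaced by Python functions whose checks go through a trace recorder, and enumeration over a small constructed domain stands in for generating inputs from the formulas. Both the quantity example and the name/age example are covered.

```python
"""Model of the WAPTEC intuition: derive fserver from a concrete execution
trace of server-side validation and search for inputs in (NOT fclient) AND fserver.

Constructed, self-contained model (not the WAPTEC tool): the "server" is a
Python function standing in for the PHP handler on the slides.
"""
from itertools import product


class Rejected(Exception):
    """Raised when a server-side check fails (the exit() on the slides)."""


class Trace:
    """Records every condition that held on the way to the sensitive operation."""

    def __init__(self):
        self.conditions = []      # list of (label, predicate over the inputs dict)
        self.sink_reached = False

    def require(self, label, predicate, inputs):
        # Abort like exit() if the check fails; otherwise record it as part of fserver.
        if not predicate(inputs):
            raise Rejected(label)
        self.conditions.append((label, predicate))

    def sink(self):
        self.sink_reached = True


def profile_server(inputs, trace):
    """Stand-in for the name/age snippet: name non-empty, age non-negative."""
    trace.require('name != ""', lambda i: i["name"] != "", inputs)
    trace.require("age >= 0", lambda i: i["age"] >= 0, inputs)
    trace.sink()   # mysql_query("insert ... name, age")


def shop_server(inputs, trace):
    """Stand-in for the quantity slide: the server never re-validates quantity."""
    trace.sink()   # cost = quantity * price; mysql_query("insert ... cost")


def compute_fserver(server, benign_inputs):
    """Run the server concretely on benign inputs; the recorded trace is fserver."""
    trace = Trace()
    server(benign_inputs, trace)
    assert trace.sink_reached, "benign input must reach the sensitive operation"
    return trace.conditions


def find_tampering(server, fclient, benign_inputs, domain):
    """Return inputs in (NOT fclient) AND fserver, confirmed by re-running the server.

    fclient: list of (label, predicate) mirroring the client-side checks.
    domain:  dict parameter -> candidate values (constructed stand-in for a solver).
    """
    fserver = compute_fserver(server, benign_inputs)
    names = list(domain)
    exploits = []
    for values in product(*(domain[n] for n in names)):
        candidate = dict(zip(names, values))
        rejected_by_client = any(not p(candidate) for _, p in fclient)
        accepted_by_server = all(p(candidate) for _, p in fserver)
        if rejected_by_client and accepted_by_server:
            trace = Trace()
            try:
                server(candidate, trace)   # confirm against the real control flow
            except Rejected:
                continue
            if trace.sink_reached:
                exploits.append(candidate)
    return exploits


# Constructed client-side formulas and candidate domains.
SHOP_FCLIENT = [("quantity >= 0", lambda i: i["quantity"] >= 0)]
SHOP_DOMAIN = {"quantity": [-2, -1, 0, 1, 2]}

PROFILE_FCLIENT = [('name != ""', lambda i: i["name"] != ""),
                   ("age >= 0", lambda i: i["age"] >= 0)]
PROFILE_DOMAIN = {"name": ["", "bob"], "age": [-1, 0, 55]}


if __name__ == "__main__":
    print(find_tampering(shop_server, SHOP_FCLIENT, {"quantity": 1}, SHOP_DOMAIN))
    print(find_tampering(profile_server, PROFILE_FCLIENT,
                         {"name": "bob", "age": 55}, PROFILE_DOMAIN))
```

For the shop the server records no condition, so fserver is true and every negative quantity is a confirmed discrepancy; for the profile handler the server re-checks what the client checks, so ¬fclient ∩ fserver is empty.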
Challenges in computing execution traces
Source:
  function f1() { x = 10; f2(); y = x; }
  function f2() { x = 20; }
Naive execution trace:
  x = 10;
  x = 20;
  y = x;   incorrect !! (y should receive f1's x, which is 10)
Use context information (qualify each variable with its function):
  f1_x = 10; f2_x = 20; f1_y = f1_x;
PHP 5 object-oriented programs:
  class C { function m() { x = 10; } }
  o1 -> m (); o2 -> m ();
Naive trace: m_x = 10; m_x = 10;
Uniquely identify objects: id1_m_x = 10; id2_m_x = 10;
Computing fserver (contd…)
Inputs reaching sensitive operations may still be rejected!!
Server-side code:
  n = user_input ( ‘name’ ); d = user_input ( ‘address’ );
  if ( n == null ) exit ( “please specify user name” );
  f = mysql_query ( “insert …” ) ;
  if ( f == null ) exit ( “please specify an address” );
Input: name = bob (no address)
Reaches SQL sink, but rejected because address is null
Extract constraints imposed by database schema:
  create table profiles ( … addrDB … NOT NULL, … )
Computing fserver (contd…)
Database schema: set of SQL statements for creating tables / views. Column definitions specify constraints.
Example: Profile table, column addrDB: addrDB != null
Column definition      Constraint
enum ( a, b, c )       column IN {a, b, c}
NOT NULL               column != null
VARCHAR ( n )          length ( column ) ≤ n
These are constraints on column names, but fserver is in terms of inputs. How to map?
Computing fserver (contd…)
Generate symbolic query from the trace
  constraint on table column: addrDB != null
  symbolic query: insert into profile … set addrDB = _POST[‘address’]
  user input address is inserted in column addrDB
  constraint on user input: address != null
Bridging namespaces for database, PHP
Server-side code:
  n = user_input ( ‘name’ ); d = user_input ( ‘address’ );
  if ( n == “” ) exit ( “please specify user name” );
  f = mysql_query ( “insert … naDB = ” . n . “ … addrDB = ” . d ) ;
  if ( f == null ) exit ( “please specify address” );
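The mapping from the two slides above (column definitions → column constraints, then the symbolic query → constraints on the inputs that feed those columns), as an added Python example. It is not WAPTEC code: the CREATE TABLE text and the symbolic insert are constructed to resemble the profiles table on the slides, and only the three column kinds from the slide's table (NOT NULL, VARCHAR(n), enum) are handled.

```python
"""Map database-schema constraints onto user inputs via a symbolic query
(the fdb part of fserver on the slides).

Constructed example: the schema and symbolic query below are made up to
match the profiles table discussed on the slides.
"""
import re

SCHEMA = """
CREATE TABLE profiles (
  id INT NOT NULL,
  naDB VARCHAR(32) NOT NULL,
  addrDB VARCHAR(64) NOT NULL,
  roleDB ENUM('user', 'editor', 'admin'),
  noteDB VARCHAR(200)
);
"""

# Symbolic query recovered from the execution trace: column <- input parameter.
SYMBOLIC_QUERY = ("insert into profiles set naDB = _POST['name'], "
                  "addrDB = _POST['address'], roleDB = _POST['role']")

COLUMN_RE = re.compile(r"^\s*(\w+)\s+(.*?)\s*,?\s*$")
VARCHAR_RE = re.compile(r"VARCHAR\s*\(\s*(\d+)\s*\)", re.I)
ENUM_RE = re.compile(r"ENUM\s*\((.*?)\)", re.I)
ASSIGN_RE = re.compile(r"(\w+)\s*=\s*_POST\['(\w+)'\]")


def column_constraints(schema):
    """Return {column: [constraint-on-column, ...]} from CREATE TABLE text."""
    body = schema[schema.index("(") + 1: schema.rindex(")")]
    result = {}
    for line in body.strip().splitlines():
        m = COLUMN_RE.match(line)
        if not m:
            continue
        column, definition = m.group(1), m.group(2)
        cons = []
        if re.search(r"\bNOT NULL\b", definition, re.I):
            cons.append(("not_null",))
        vm = VARCHAR_RE.search(definition)
        if vm:
            cons.append(("max_length", int(vm.group(1))))
        em = ENUM_RE.search(definition)
        if em:
            values = [v.strip().strip("'") for v in em.group(1).split(",")]
            cons.append(("in", tuple(values)))
        result[column] = cons
    return result


def column_to_input(symbolic_query):
    """Return {column: input parameter} from the 'col = _POST[param]' pairs."""
    return dict(ASSIGN_RE.findall(symbolic_query))


def input_constraints(schema, symbolic_query):
    """Rewrite column constraints in terms of the inputs that feed them (fdb)."""
    mapping = column_to_input(symbolic_query)
    fdb = []
    for column, cons in column_constraints(schema).items():
        if column not in mapping:
            continue          # column not fed by user input in this query
        param = mapping[column]
        for c in cons:
            if c[0] == "not_null":
                fdb.append(f"{param} != null")
            elif c[0] == "max_length":
                fdb.append(f"length({param}) <= {c[1]}")
            elif c[0] == "in":
                fdb.append(f"{param} IN {{{', '.join(c[1])}}}")
    return fdb


if __name__ == "__main__":
    for constraint in input_constraints(SCHEMA, SYMBOLIC_QUERY):
        print(constraint)
```

Columns the symbolic query never assigns from user input (id, noteDB) contribute nothing to fdb, which is the namespace bridge the slide asks for: a schema constraint only becomes an input constraint once the trace shows which parameter reaches the column.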
Summary: Computing fserver
1. Conditions checked in the code encode restrictions on inputs: fcode
2. Database may also encode restrictions on inputs: fdb
fserver = fcode + fdb
Evaluation: Results
Application    Size (LOC)   WAPTEC confirmed exploits   CCS’2010 confirmed exploits
DcpPortal      145K         32                          13
SPHPBlog       27K          1                           1
Lanshop        15K          3                           3
MyBloggie      9K           6                           1
SnipeGallery   9K           2                           2
PHPNews        6K           1                           1
WAPTEC: 45 parameter tampering exploits
CCS’2010 (blackbox): 23 false positives, 24 false negatives
DcpPortal: Create Imposter Accounts
Vulnerability: duplicate check does not enforce length restriction
Client-side constraints: 1. length ( name ) ≤ 32
Server-side code:
  a. Check DB for duplicate name (does not restrict length)
  b. Insert name in DB (truncates name to 32 characters)
Exploit: create an imposter of the existing account “alice”: submit a name whose first 32 characters match the stored name, followed by a 33rd character (“a”). The duplicate check compares the full 33-character name and finds no match; the insert truncates it back to the same 32 characters.
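The DcpPortal mismatch between the duplicate check and the truncating insert, modelled in added Python beside the server-side fix a reviewer would ask for (re-impose the client's length constraint before the duplicate check). This is a constructed model, not DcpPortal code: an in-memory set stands in for the accounts table and the VARCHAR(32) truncation is simulated explicitly.

```python
"""Model of the DcpPortal duplicate-check / truncation mismatch and its fix.

Constructed example (not DcpPortal code): an in-memory "table" stands in for
the database; VARCHAR(32) truncation on insert is simulated explicitly.
"""

NAME_MAX = 32      # the width the client-side length check mirrors


class Accounts:
    def __init__(self):
        self.names = set()

    def exists(self, name):
        # Duplicate check as on the slide: compares the raw, untruncated input.
        return name in self.names

    def insert(self, name):
        # The column silently truncates, as a VARCHAR(32) insert would.
        self.names.add(name[:NAME_MAX])


def register_vulnerable(db, name):
    """Server-side flow from the slide: duplicate check, then truncating insert."""
    if db.exists(name):
        return "duplicate"
    db.insert(name)
    return "created"


def register_fixed(db, name):
    """Server re-imposes the client constraint before the duplicate check,
    so the value compared is the value that will be stored."""
    if len(name) > NAME_MAX:
        return "rejected: name too long"
    if db.exists(name):
        return "duplicate"
    db.insert(name)
    return "created"


def outcome(register, victim, submitted):
    """Register victim, then submitted; return (status, number of stored names)."""
    db = Accounts()
    register(db, victim)
    status = register(db, submitted)
    return status, len(db.names)


VICTIM = "alice" + "_" * 27          # constructed 32-character account name
IMPOSTER = VICTIM + "a"              # same 32 characters plus a 33rd


if __name__ == "__main__":
    print("vulnerable:", outcome(register_vulnerable, VICTIM, IMPOSTER))
    print("fixed:     ", outcome(register_fixed, VICTIM, IMPOSTER))
```

In the vulnerable flow the second registration reports "created" while the table still holds one name, i.e. two accounts now share a stored name; the fixed flow rejects the over-long input and the table is unchanged. Detection-wise, the mismatch shows up as a server-side sink whose fserver lacks the length(name) ≤ 32 term present in fclient.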
DcpPortal: Create Admin Account
Vulnerability: attacker can set cookie make_install_prn
Exploit: negative tampering - create admin account
  No mention of make_install_prn in Fclient
  Fserver contains ( make_install_prn != 1 )
Server-side code:
  privilege = non-admin;
  if ( _COOKIE[‘make_install_prn’] == 1 ) privilege = admin;
  Create account with privilege;
Some related work
Multi-tier analysis of web applications
• Legacy code: MiMosa: Balzarotti et al. CCS 2007, Chong et al. SIGMOD 2007
• Principled development of applications: Links, Google Web Toolkit, Corcoran et al. SIGMOD 2009
Specification inference
• AutoISES Tan et al. Security 2008, Engler et al. SOSP 2001, Felmetsger et al. Security 2010, Srivastava et al. PLDI 2011
Test input generation
• Saxena et al. SP 2010, Halfond et al. ISSTA 2009, Kiezun et al. ICSE 2009, Emmi et al. ISSTA 2007, Godefroid et al. NDSS 2008….
Input validation
• Su et al. POPL 2006, Balduzzi et al. NDSS 2011, Jayaraman et al. DBSec 2010
Sanitization
• Balzarotti et al. SP 2008…
Summary
Parameter tampering vulnerabilities: widespread
First analysis that combined analysis of HTML/JavaScript, PHP, and database-imposed constraints.
Possible to infer specification of intended behavior from source code and use it in vulnerability detection.
Thanks and Questions
Refining Search for a Success Sink
Fclient = (i > 0); server requires (i > 0 ∩ i < 11)
First attempt, benign input i = 11: sink not reached; Fserver = NOT (i > 0 ∩ i < 11)
Refine client-side spec: Fclient ∩ NOT Fserver
Intuition: Fserver for failed runs contains the condition that was not satisfied
Second attempt: (i > 0) ∩ NOT ( NOT ( i > 0 ∩ i < 11 ) ) → i = 1 .. 10 (accepted by the server-side code)
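The refinement loop from this slide as an added Python example (not WAPTEC's code): a Python function with the checks i > 0 and i < 11 stands in for the server, each run records its path formula, and after a failed run the spec is narrowed to spec ∩ ¬Fserver(run). Candidate inputs come from a small constructed list, ordered so that 11 is tried first as on the slide, rather than from a solver.

```python
"""Refining the search for a benign input that reaches the success sink.

Constructed model, not WAPTEC code: the server is a Python function whose
checks stand in for the PHP conditions on the slide, and candidates come from
a hand-picked list instead of a constraint solver.
"""


class ServerTrace:
    """Path taken by one concrete run: each check with whether it held."""

    def __init__(self):
        self.path = []            # (label, predicate, held)
        self.sink_reached = False


def range_server(i, trace):
    """Server requires (i > 0) and (i < 11) before the sensitive operation."""
    for label, pred in (("i > 0", lambda x: x > 0), ("i < 11", lambda x: x < 11)):
        held = pred(i)
        trace.path.append((label, pred, held))
        if not held:
            return                # exit(): failure sink
    trace.sink_reached = True     # success sink


def path_formula(path):
    """Fserver of one run: conjunction of the path's outcomes, including the
    negation of the condition at which the run failed."""
    return lambda x: all(pred(x) == held for _, pred, held in path)


def refine_to_success(server, fclient, candidates, max_rounds=10):
    """Search Fclient for an input that reaches the success sink.

    After each failed run the spec becomes spec AND NOT Fserver(run), ruling out
    every input that would fail the same check in the same way.
    Returns (input or None, inputs tried, final spec).
    """
    spec = fclient
    tried = []
    for _ in range(max_rounds):
        x = next((c for c in candidates if spec(c)), None)
        if x is None:
            return None, tried, spec
        trace = ServerTrace()
        server(x, trace)
        tried.append(x)
        if trace.sink_reached:
            return x, tried, spec
        failed_run = path_formula(trace.path)
        # Bind the current spec and the failed run's formula into the refined spec.
        spec = (lambda s, f: (lambda c: s(c) and not f(c)))(spec, failed_run)
    return None, tried, spec


def fclient(i):
    """Client-side check from the slide: i > 0."""
    return i > 0


CANDIDATES = [11, 12, 0, -1] + list(range(1, 11))  # constructed; 11 is tried first


if __name__ == "__main__":
    found, tried, spec = refine_to_success(range_server, fclient, CANDIDATES)
    print("tried:", tried, "success input:", found)
    print("refined spec accepts:", [c for c in range(-2, 15) if spec(c)])
```

The first run (i = 11) fails at i < 11, so its path formula is (i > 0) ∩ ¬(i < 11); conjoining its negation with Fclient leaves exactly 0 < i < 11, and the second candidate drawn from that spec (i = 1) reaches the sink.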