Presentation at the 2011 ACM Conference on Computer and Communications Security (CCS) on the paper "Fear the EAR: Discovering and Mitigating Execution After Redirect Vulnerabilities"
The paper is available here:
http://cs.ucsb.edu/~adoupe/static/fear-the-ear-ccs2011.pdf
1. Fear the EAR: Discovering and Mitigating Execution After Redirect Vulnerabilities
Adam Doupé, Bryce Boe,
Christopher Kruegel, and Giovanni Vigna
University of California, Santa Barbara
CCS 2011 – 10/19/11
2. Motivation
• Everyone uses web applications
• Web applications are written by humans
– They have flaws
– Input sanitization flaws (XSS, SQLi) are most prevalent
• Logic flaws are harder to detect than input sanitization flaws
Doupé - 10/19/11
3. HTTP Redirects
GET /user/info HTTP/1.1
Host: example.com

HTTP/1.1 302 Moved
Location: http://example.com/login

GET /login HTTP/1.1
Host: example.com
4. Execution After Redirect: Overview
• Developer issues a redirect assuming execution will halt
– Redirect used as a goto
– This is how it appears from the browser's perspective
• However, code continues to execute
5. Execution After Redirect: Example
class TopicsController < ApplicationController
  def update
    @topic = Topic.find(params[:id])
    if not current_user.is_admin?
      redirect_to("/")
    end
    @topic.update_attributes(params[:topic])
    flash[:notice] = "Topic updated!"
  end
end
6. EAR History
• 17 Common Vulnerabilities and Exposures (CVE)
– Starting in 2007
– Difficult to find – no consistent category
• Blog post about Cake PHP 2006
– Resulted in a bug filed and documentation changed
• Prior work on logic flaws
– Found EAR in J2EE web application
• No one recognized it as a systemic logic flaw amongst web applications
7. EAR Security Challenge
• Attempt to gauge familiarity with EARs
• Added an EAR challenge to the 2010 iCTF
• Results
– 34 / 72 teams accessed the page that redirected them and leaked information
– 12 of the 34 discovered and exploited the vulnerability
• Conclusion: teams not very familiar
8. Types of EARs
• Benign
– No confidentiality or integrity violated
• Vulnerable
– Allows for the unauthorized modification of the application state or discloses unauthorized data
10. EAR: Nested Example
class UsersController < ApplicationController
  def ensure_admin
    unless current_user.is_admin?
      redirect_to("/")
      return
    end
  end

  def delete
    ensure_admin()
    @user = User.find(params[:id])
    @user.delete()
    flash[:notice] = "User Deleted"
  end
end
11. Outline
• Overview of Execution After Redirects
• EAR Detection Algorithm
• Results
• Prevention
12. EAR Detection: Overview
• Static source code analysis
– Attempt to find code that can possibly be executed after a redirect
– Distinguish between benign and vulnerable
14. EAR Detection: Build Control Flow Graph
• CFG built using prior work
– Diamondback Ruby parser by Furr et al.
• Simplifies Ruby into easier-to-analyze format
• Compiles Ruby into a subset called Ruby Intermediate Language (RIL)
– CFG can be incomplete
• eval
• Ruby's dynamic nature
15. EAR Detection: Build CFG
class UsersController < ApplicationController
  def ensure_logged_in
    unless current_user
      redirect_to("/") and return true
    end
    @logged_in_users += 1
    return false
  end

  def delete_all
    unless ensure_logged_in()
      return
    end
    User.delete(:all)
  end
end
17. EAR Detection: Find Redirection Methods
• Find all program paths in the CFG that call the Ruby on Rails method redirect_to
• Inter-procedural analysis
– Methods that call redirect_to are added to interesting_methods
– All methods that call an interesting_method are added to interesting_methods
– Rinse and repeat until a fixpoint is reached
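As an added example (not the paper's tool), the interesting_methods fixpoint from this slide run over a constructed call graph whose edges are modelled on the slides' controllers; the graph, the method names and the redirect_chain helper are assumptions made for the illustration.

```ruby
require "set"

# Seed of the analysis: the Rails method that performs the redirect.
REDIRECT = "redirect_to"

# Constructed call graph: each method maps to the methods it calls directly.
# Names are modelled on the slide examples; callees absent as keys are
# library calls with no body to analyze.
CALL_GRAPH = {
  "UsersController#ensure_admin"      => ["current_user.is_admin?", REDIRECT],
  "UsersController#delete"            => ["UsersController#ensure_admin", "User.find", "User#delete"],
  "BanksController#redirect_to_login" => [REDIRECT],
  "BanksController#create"            => ["BanksController#redirect_to_login", "Bank.create"],
  "TopicsController#show"             => ["Topic.find"],
  "ApplicationController#log"         => [],
}

# Returns the set of methods that call redirect_to directly or through
# another interesting method. Repeats the sweep until no method is added
# (the fixpoint from the slide).
def interesting_methods(graph, seed = REDIRECT)
  interesting = Set.new
  loop do
    added = false
    graph.each do |caller, callees|
      next if interesting.include?(caller)
      if callees.any? { |c| c == seed || interesting.include?(c) }
        interesting << caller
        added = true
      end
    end
    break unless added
  end
  interesting
end

# Returns one call chain from `method` down to redirect_to, or nil when the
# method can never reach a redirect. `seen` guards against cycles.
def redirect_chain(graph, method, seed = REDIRECT, seen = Set.new)
  return [method] if method == seed
  return nil if seen.include?(method) || !graph.key?(method)
  seen << method
  graph[method].each do |callee|
    chain = redirect_chain(graph, callee, seed, seen)
    return [method] + chain if chain
  end
  nil
end
```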
23. EAR Email Notification
• 624 project maintainers notified
• 107 responded
– 49 confirmed the EAR we reported
– 26 told us that the app was demo or toy
– 3 pointed out false positives
– 6 NOFIX
– Rest thanked us but did not offer confirmation
25. True Positive Example
class BanksController < ApplicationController
  def redirect_to_login
    redirect_to("/login") and return
  end

  def create
    if not current_user.is_admin?
      redirect_to_login() and return
    end
    @bank = Bank.create(params[:bank])
  end
end
26. False Positive Example
class UsersController < ApplicationController
  def update
    if request.get?
      redirect_to("/users")
    end
    if request.post?
      @user = User.find(params[:id])
      @user.update_attributes(params[:user])
    end
  end
end
29. Prevention
• Secure design
– Django, ASP.NET MVC
• Terminate process or thread
– ASP.NET, CakePHP, Zend, CodeIgniter
• Patched Ruby on Rails
– Exception handling
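As an added example (not the paper's or Rails' code), a stand-in dispatcher that models redirect_to the way Rails behaves (set the response, return a truthy value, keep executing) and runs the slide 5 TopicsController#update against it, then runs the same action under a halting redirect that raises and is rescued by the dispatcher, in the spirit of the exception-handling patch listed under Prevention. Topic, User, FakeController and RedirectHalt are simplified assumptions for the illustration.

```ruby
# Minimal models standing in for ActiveRecord objects (assumptions).
Topic = Struct.new(:id, :title)
User  = Struct.new(:admin) { def is_admin?; admin; end }

# Hypothetical halt signal raised by a redirect that must stop the action.
class RedirectHalt < StandardError; end

class FakeController
  attr_reader :status, :location, :flash

  def initialize(user, topic, halting: false)
    @current_user, @topic, @halting = user, topic, halting
    @flash = {}
    @status = 200
  end

  # Models Rails' redirect_to: sets the response and returns a truthy value,
  # so the action continues unless the caller returns. In halting mode it
  # raises instead, which is what makes the redirect a real stop.
  def redirect_to(path)
    @status, @location = 302, path
    raise RedirectHalt if @halting
    true
  end

  # The vulnerable action from slide 5, unchanged: no return after redirect.
  def update(params)
    if not @current_user.is_admin?
      redirect_to("/")
    end
    @topic.title = params[:title]
    @flash[:notice] = "Topic updated!"
  end

  # Dispatcher: runs the action and swallows the halt signal, as a patched
  # framework would, leaving the already-prepared redirect response in place.
  def dispatch(params)
    update(params)
  rescue RedirectHalt
    nil
  end
end

# Runs a non-admin user's update request; returns [status, resulting title].
def run_update(halting:)
  topic = Topic.new(1, "original")
  ctl = FakeController.new(User.new(false), topic, halting: halting)
  ctl.dispatch(title: "changed by non-admin")
  [ctl.status, topic.title]
end
```

With plain Rails semantics the non-admin request is redirected and the topic is still modified; with the halting redirect the 302 is sent and the state is untouched.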
30. Contributions
• Described a relatively unknown web application vulnerability called Execution After Redirect (EAR)
• Developed an algorithm to statically detect EARs in Ruby on Rails applications
• Discovered many vulnerabilities in real-world open-source Ruby on Rails applications