Fear the EAR: Discovering
and Mitigating Execution After
   Redirect Vulnerabilities
          Adam Doupé, Bryce Boe,
   Christopher Kruegel, and Giovanni Vigna

    University of California, Santa Barbara

            CCS 2011 – 10/19/11
Motivation
• Everyone uses web applications

• Web applications are written by humans
  – They have flaws
  – Input sanitization flaws (XSS, SQLi) are most
    prevalent

• Logic flaws are harder to detect than input
  sanitization flaws
                    Doupé - 10/19/11
HTTP Redirects

GET /user/info HTTP/1.1
Host: example.com

HTTP/1.1 302 Moved
Location: http://example.com/login

GET /login HTTP/1.1
Host: example.com
Execution After Redirect: Overview
• Developer issues a redirect assuming
  execution will halt
  – Redirect used as a goto
  – This is how it appears from the browser’s
    perspective

• However, code continues to execute
Execution After Redirect: Example
class TopicsController < ApplicationController
  def update
    @topic = Topic.find(params[:id])
    if not current_user.is_admin?
      redirect_to("/")   # no return: execution falls through for non-admins
    end
    @topic.update_attributes(params[:topic])
    flash[:notice] = "Topic updated!"
  end
end
EAR History
• 17 Common Vulnerabilities and Exposures
  (CVE) entries
  – Starting in 2007
  – Difficult to find – no consistent category
• Blog post about CakePHP (2006)
  – Resulted in a bug filed and documentation
    changed
• Prior work on logic flaws
  – Found an EAR in a J2EE web application
• No one recognized it as a systemic logic flaw
  amongst web applications
EAR Security Challenge
• Attempt to gauge how familiar teams are with EARs
• Added an EAR challenge to the 2010 iCTF
• Results
  – 34 / 72 teams accessed the page that redirected
    them and leaked information
  – 12 of the 34 discovered and exploited the
    vulnerability
• Conclusion: teams not very familiar
Types of EARs
• Benign
  – No confidentiality or integrity violated

• Vulnerable
  – Allows for the unauthorized modification of the
    application state or discloses unauthorized
    data
EAR: Information Leakage
<?php
$current_user = get_current_user();
if (!$current_user->is_admin())
{
   header("Location: /");   // no exit: the echo below still runs
}
echo "457-55-5462";
?>
EAR: Nested Example
class UsersController < ApplicationController
   def ensure_admin
      unless current_user.is_admin?
         redirect_to("/")
         return   # only returns from ensure_admin, not from the caller
      end
   end
   def delete
      ensure_admin()
      @user = User.find(params[:id])
      @user.delete()
      flash[:notice] = "User Deleted"
   end
end
Outline

• Overview of Execution After Redirects

• EAR Detection Algorithm

• Results

• Prevention
EAR Detection: Overview
• Static source code analysis
  – Attempt to find code that can possibly be
    executed after a redirect
  – Distinguish between benign and vulnerable
EAR Detection: Overview

1. Build CFG

2. Find redirection methods

3. Prune infeasible paths

4. Detect EARs

5. Classify as vulnerable
EAR Detection: Build Control Flow Graph
• CFG built using prior work
  – Diamondback Ruby parser by Furr et al.
     • Simplifies Ruby into easier-to-analyze format
     • Compiles Ruby into a subset called Ruby
       Intermediate Language (RIL)
  – CFG can be incomplete
     • eval
     • Ruby’s dynamic nature
EAR Detection: Build CFG
class UsersController < ApplicationController
  def ensure_logged_in
    unless current_user
      redirect_to("/") and return true   # true means "redirected"
    end
    @logged_in_users += 1
    return false
  end
  def delete_all
    unless ensure_logged_in()   # inverted: falls through when a redirect was issued
      return
    end
    User.delete(:all)
  end
end
EAR Detection: Build CFG
[Figure: the CFG of the UsersController on the previous slide. delete_all: _tmp_ = ensure_logged_in(), then a branch on _tmp_; one edge leads to return nil, the other to User.delete(:all) and then return nil. ensure_logged_in: a branch on current_user; one edge leads to redirect_to("/") and then return true, the other to @logged_in_users += 1 and then return false.]
EAR Detection: Find Redirection Methods
• Find all program paths in the CFG that call
  the Ruby on Rails method redirect_to
• Inter-procedural analysis
  – Methods that call redirect_to are added to
    interesting_methods
  – All methods that call an interesting_method
    are added to interesting_methods
  – Rinse and repeat until a fixpoint is reached
EAR Detection: Find Redirect Methods
[Figure: the same CFG as on the Build CFG slide, shown again for this step.]
EAR Detection: Prune Infeasible Paths
[Figure: the same CFG as on the Build CFG slide, shown again for this step.]
EAR Detection: Detect EARs
[Figure: the same CFG as on the Build CFG slide, shown again for this step.]
EAR Detection: Classify as Vulnerable
• Simple heuristic
  – Names of methods that modify the database
  – Search for these on the path after the redirect
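Added example, not the authors' find_ear_rails tool: a toy version of detection steps 2 (find redirection methods to a fixpoint), 4 (detect EARs) and 5 (classify as vulnerable by database-method name) run over a hand-built CFG of the ensure_logged_in / delete_all controller from the Build CFG slide. Step 3 (infeasible-path pruning) is omitted. The Node struct, the DB_METHODS list and all function names are assumptions made for this example.

```ruby
require "set"

# Node kinds: :call (invokes `callee`), :branch, :return. `succ` lists the
# ids of successor nodes inside the same method.
Node = Struct.new(:id, :kind, :callee, :succ)

def call_node(id, callee, *succ); Node.new(id, :call, callee, succ); end
def branch_node(id, *succ);       Node.new(id, :branch, nil, succ);  end
def return_node(id);              Node.new(id, :return, nil, []);    end

# Constructed CFGs mirroring the slide: ensure_logged_in redirects and returns
# true when nobody is logged in; delete_all returns when the helper returns
# false and runs User.delete(:all) otherwise (the inverted check on the slide).
CFG = {
  "ensure_logged_in" => [
    branch_node(0, 1, 3),                     # unless current_user
    call_node(1, "redirect_to", 2),           #   redirect_to("/")
    return_node(2),                           #   and return true
    call_node(3, "logged_in_users_incr", 4),  # @logged_in_users += 1
    return_node(4),                           # return false
  ],
  "delete_all" => [
    call_node(0, "ensure_logged_in", 1),      # _tmp_ = ensure_logged_in()
    branch_node(1, 2, 3),                     # unless _tmp_
    return_node(2),                           #   return
    call_node(3, "User.delete", 4),           # User.delete(:all)
    return_node(4),
  ],
}

# Slide heuristic: method names that modify the database (assumed list).
DB_METHODS = %w[delete destroy create save update_attributes update]

# Step 2: methods that (transitively) call redirect_to, computed to a fixpoint.
def find_redirect_methods(cfg, root = "redirect_to")
  interesting = Set.new([root])
  loop do
    added = cfg.select { |name, nodes|
      !interesting.include?(name) &&
        nodes.any? { |n| n.kind == :call && interesting.include?(n.callee) }
    }.keys
    break if added.empty?
    interesting.merge(added)
  end
  interesting
end

# Step 4: for every call to an interesting method, collect the calls reachable
# afterwards before the method returns. Anything other than a return node is
# code that executes after the redirect, so a non-empty list is an EAR.
def detect_ears(cfg, interesting)
  ears = {}
  cfg.each do |name, nodes|
    by_id = nodes.to_h { |n| [n.id, n] }
    nodes.each do |n|
      next unless n.kind == :call && interesting.include?(n.callee)
      after, seen, stack = [], {}, n.succ.dup
      until stack.empty?
        id = stack.pop
        next if seen[id]
        seen[id] = true
        node = by_id[id]
        after << node.callee if node.kind == :call
        stack.concat(node.succ)
      end
      ears[name] = after unless after.empty?
    end
  end
  ears
end

# Step 5: an EAR is vulnerable if a database-modifying method is on the path.
def classify(ears)
  ears.to_h do |name, calls|
    vulnerable = calls.any? { |c| DB_METHODS.include?(c.split(".").last) }
    [name, vulnerable ? :vulnerable : :benign]
  end
end

if __FILE__ == $0
  interesting = find_redirect_methods(CFG)
  ears = detect_ears(CFG, interesting)
  puts "interesting methods: #{interesting.to_a.inspect}"
  puts "EARs: #{ears.inspect}"
  puts "classified: #{classify(ears).inspect}"
end
```

The fixpoint makes ensure_logged_in interesting because it calls redirect_to, and then delete_all interesting because it calls ensure_logged_in. Inside ensure_logged_in the only node after redirect_to is a return, so it is not flagged; inside delete_all the call User.delete is reachable after the call to ensure_logged_in, so that method is reported as an EAR and, by the name heuristic, as vulnerable. Without step 3 this walk treats every CFG edge as feasible, which is where the false positives the later slides discuss come from.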
Results
• 18,127 Ruby on Rails projects from
  GitHub

• 1,173 projects contained 3,944 EARs
  – 3,089 Benign EARs
  – 855 Vulnerable EARs
EAR Email Notification
• 624 project maintainers notified
• 107 responded
  – 49 confirmed the EAR we reported
  – 26 told us that the app was a demo or toy
  – 3 pointed out false positives
  – 6 NOFIX
  – Rest thanked us but did not offer confirmation
Detection Effectiveness
• Manual verification of all vulnerable EARs
  – 485 True vulnerable (56.7%)
  – 325 False positives (vulnerable) (38.0%)
  – 45 False positives (EARs) (5.3%)
• Manual verification of 200 random benign
  EARs
  – 13 False positives (EARs) (6.5%)
  – 0 False negatives (vulnerable)
True Positive Example
class BanksController < ApplicationController
  def redirect_to_login
    redirect_to("/login") and return   # returns only from redirect_to_login
  end
  def create
    if not current_user.is_admin?
      redirect_to_login() and return   # redirect_to_login returns nil, so no return
    end
    @bank = Bank.create(params[:bank])
  end
end
False Positive Example
class UsersController < ApplicationController
  def update
    if request.get?
      redirect_to("/users")
    end
    if request.post?   # cannot be true on the same request as request.get?
      @user = User.find(params[:id])
      @user.update_attributes(params[:user])
    end
  end
end
EAR Detection: Limitations
• False negatives
  – eval, send

• False positives
  – Infeasible paths
  – No type analysis
     • Vulnerable EARs
Framework Susceptibility
• Analyzed 9 web frameworks
  – Rails, Grails, Django, ASP.NET MVC, Zend
    Framework, CakePHP, CodeIgniter, J2EE,
    Struts
• Susceptible
  – Ruby on Rails
  – Grails
  – J2EE
  – Struts
Prevention
• Secure design
  – Django, ASP.NET MVC
• Terminate process or thread
  – ASP.NET, CakePHP, Zend, CodeIgniter
• Patched Ruby on Rails
  – Exception handling
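Added example, not the authors' Rails patch: a sketch of the "exception handling" prevention the slide lists, in plain Ruby with no Rails dependency. redirect_to raises, so no controller code after it can run, and the dispatcher turns the exception into the 302 response. The RedirectIssued class, BaseController, dispatch and demo are assumptions made for this example.

```ruby
# Raised by redirect_to. It inherits from Exception rather than StandardError
# so that a controller's own bare `rescue` (which catches StandardError) does
# not swallow the redirect and resume the action.
class RedirectIssued < Exception
  attr_reader :location
  def initialize(location)
    super("redirect to #{location}")
    @location = location
  end
end

class BaseController
  # Halts the action unconditionally: control cannot return to the caller.
  def redirect_to(path)
    raise RedirectIssued.new(path)
  end
end

# A controller written in the goto style from the update example earlier in
# the deck: the state-changing line is unreachable once redirect_to raises.
class TopicsController < BaseController
  attr_reader :updated
  def initialize(admin)
    @admin = admin
    @updated = false
  end
  def update
    redirect_to("/") unless @admin
    @updated = true   # stands in for Topic#update_attributes
  end
end

# Framework-level dispatcher: runs the action and maps the exception to the
# HTTP response the browser would see.
def dispatch(controller, action)
  controller.public_send(action)
  { status: 200 }
rescue RedirectIssued => e
  { status: 302, location: e.location }
end

# Returns [response, whether the protected state change happened].
def demo(admin)
  c = TopicsController.new(admin)
  [dispatch(c, :update), c.updated]
end

if __FILE__ == $0
  puts "non-admin: #{demo(false).inspect}"
  puts "admin:     #{demo(true).inspect}"
end
```

The trade-off is that code which legitimately wants to keep running after a redirect (the benign EARs in the results, such as logging or counters) must now be placed before the redirect call, and any controller-level rescue that matches too broadly would break the mechanism.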
Contributions
• Described a relatively unknown web
  application vulnerability called Execution
  After Redirect (EAR)
• Developed an algorithm to statically detect
  EARs in Ruby on Rails applications
• Discovered many vulnerabilities in real-
  world open-source Ruby on Rails
  applications
Questions?

Code: http://github.com/adamdoupe/find_ear_rails

Email:   adoupe@cs.ucsb.edu
Twitter: @adamdoupe

Contenu connexe

Dernier

Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 

Dernier (20)

Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 

En vedette

Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Applitools
 

En vedette (20)

Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 

Discovering and Mitigating Execution After Redirect Vulnerabilities

  • 1. Fear the EAR: Discovering and Mitigating Execution After Redirect Vulnerabilities Adam Doupé, Bryce Boe, Christopher Kruegel, and Giovanni Vigna University of California, Santa Barbara CCS 2011 – 10/19/11
  • 2. Motivation • Everyone uses web applications • Web applications are written by humans – They have flaws – Input sanitization flaws (XSS, SQLi) are most prevalent • Logic flaws are harder to detect than input sanitization flaws Doupé - 10/19/11
  • 3. HTTP Redirects GET /user/info HTTP/1.1 Host: example.com HTTP/1.1 302 Moved Location: http://example.com/login GET /login HTTP/1.1 Host: example.com Doupé - 10/19/11
  • 4. Execution After Redirect: Overview • Developer issues a redirect assuming execution will halt – Redirect used as a goto – This is how it appears from the browser’s perspective • However, code continues to execute Doupé - 10/19/11
  • 5. Execution After Redirect: Example class TopicsController < ApplicationController def update @topic = Topic.find(params[:id]) if not current_user.is_admin? redirect_to(“/”) end @topic.update_attributes(params[:topic]) flash[:notice] = “Topic updated!” end end Doupé - 10/19/11
  • 6. EAR History • 17 Common Vulnerabilities and Exposures (CVE) – Starting in 2007 – Difficult to find – no consistent category • Blog post about Cake PHP 2006 – Resulted in a bug filed and documentation changed • Prior work on logic flaws – Found EAR in J2EE web application • No one recognized it as a systemic logic flaw amongst web applications Doupé - 10/19/11
  • 7. EAR Security Challenge • Attempt to observe familiarity to EARs • Added EAR challenge to the 2010 iCTF • Results – 34 / 72 teams accessed page that redirected them and leaked information – 12 of the 34 discovered and exploited the vulnerability • Conclusion: teams not very familiar Doupé - 10/19/11
  • 8. Types of EARs • Benign – No confidentiality or integrity violated • Vulnerable – Allows for the unauthorized modification of the application state or discloses unauthorized data Doupé - 10/19/11
  • 9. EAR: Information Leakage <?php $current_user = get_current_user(); if (!$current_user->is_admin()) { header(“Location: /”); } echo “457-55-5462”; ?> Doupé - 10/19/11
EAR: Nested Example
class UsersController < ApplicationController
  def ensure_admin
    unless current_user.is_admin?
      redirect_to("/")
      return   # leaves ensure_admin only; the calling action keeps running
    end
  end

  def delete
    ensure_admin()
    @user = User.find(params[:id])
    @user.delete()
    flash[:notice] = "User Deleted"
  end
end
Outline
• Overview of Execution After Redirects
• EAR Detection Algorithm
• Results
• Prevention
EAR Detection: Overview
• Static source code analysis
  – Attempt to find code that can possibly be executed after a redirect
  – Distinguish between benign and vulnerable
EAR Detection: Overview
1. Build CFG
2. Find redirection methods
3. Prune infeasible paths
4. Detect EARs
5. Classify as vulnerable
EAR Detection: Build Control Flow Graph
• CFG built using prior work
  – Diamondback Ruby parser by Furr et al.
    • Simplifies Ruby into an easier-to-analyze format
    • Compiles Ruby into a subset called Ruby Intermediate Language (RIL)
  – CFG can be incomplete
    • eval
    • Ruby's dynamic nature
EAR Detection: Build CFG
class UsersController < ApplicationController
  def ensure_logged_in
    unless current_user
      redirect_to("/") and return true   # true: the caller was redirected
    end
    @logged_in_users += 1
    return false
  end

  def delete_all
    unless ensure_logged_in()
      return User.delete(:all)
    end
  end
end
EAR Detection: Build CFG
[Figure: control flow graph of the delete_all / ensure_logged_in example. Nodes: _tmp_ = ensure_logged_in(); inside ensure_logged_in, a branch on current_user leading either to redirect_to("/") then return true, or to @logged_in_users += 1 then return false; back in delete_all, a branch on _tmp_ leading either to User.delete(:all) or to return nil.]
EAR Detection: Find Redirection Methods
• Find all program paths in the CFG that call the Ruby on Rails method redirect_to
• Inter-procedural analysis
  – Methods that call redirect_to are added to interesting_methods
  – All methods that call an interesting_method are added to interesting_methods
  – Rinse and repeat until a fixpoint is reached
EAR Detection: Find Redirect Methods
[Figure: the same control flow graph of delete_all / ensure_logged_in as on the Build CFG slide, used to illustrate this step.]
EAR Detection: Prune Infeasible Paths
[Figure: the same control flow graph of delete_all / ensure_logged_in as on the Build CFG slide, used to illustrate this step.]
EAR Detection: Detect EARs
[Figure: the same control flow graph of delete_all / ensure_logged_in as on the Build CFG slide, used to illustrate this step.]
EAR Detection: Classify as Vulnerable
• Simple heuristic
  – Names of methods that modify the database
  – Search for these on the path after the redirect
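The detection steps from the Find Redirection Methods slide through this one, reduced to a toy that runs over hand-built method bodies instead of a RIL control flow graph; this is an added example, not the paper's find_ear_rails code. It assumes each method body is a straight-line list of calls (branches and infeasible-path pruning are not modelled), that `stops: true` marks a call followed by a return, and that DB_WRITE_METHODS and CONTROLLER are constructed stand-ins for the paper's name heuristic and for a real application.

```ruby
REDIRECT_METHODS = %w[redirect_to].freeze
# Constructed stand-in for the slide's heuristic: names of methods that modify the database
DB_WRITE_METHODS = %w[create save update_attributes delete destroy].freeze

# Fixpoint over a call graph {method => [callee, ...]}: a method is interesting
# when it calls redirect_to or any method that is already interesting
def interesting_methods(calls)
  interesting = REDIRECT_METHODS.dup
  loop do
    added = calls.keys.select do |m|
      !interesting.include?(m) && (calls[m] & interesting).any?
    end
    break if added.empty?
    interesting.concat(added)
  end
  interesting
end

# Classify one straight-line body: an EAR exists when statements follow a call
# to an interesting method that is not immediately returned from; it is
# vulnerable when one of those later calls matches a database-writing name
def classify(body, interesting)
  idx = body.index { |s| interesting.include?(s[:call]) }
  return :no_ear if idx.nil? || body[idx][:stops]
  after = body.drop(idx + 1)
  return :no_ear if after.empty?
  writes = after.any? { |s| DB_WRITE_METHODS.include?(s[:call].split(".").last) }
  writes ? :vulnerable : :benign
end

def find_ears(controller)
  calls = controller.transform_values { |body| body.map { |s| s[:call] } }
  interesting = interesting_methods(calls)
  controller.to_h { |name, body| [name, classify(body, interesting)] }
end

# Constructed controller: the nested helper from the Nested Example slide plus
# a safe action that returns right after its redirect
CONTROLLER = {
  "ensure_admin" => [{ call: "redirect_to", stops: true }],
  "delete"       => [{ call: "ensure_admin" }, { call: "User.find" }, { call: "User.delete" }, { call: "flash" }],
  "show"         => [{ call: "ensure_admin" }, { call: "render" }],
  "create"       => [{ call: "redirect_to", stops: true }, { call: "Bank.create" }],
}.freeze

puts find_ears(CONTROLLER).inspect if __FILE__ == $PROGRAM_NAME
```

The helper itself is clean because its redirect is followed by a return, yet every action that calls it and keeps going is flagged, which is exactly why the analysis has to be inter-procedural.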
Results
• 18,127 Ruby on Rails projects from GitHub
• 1,173 projects contained 3,944 EARs
  – 3,089 Benign EARs
  – 855 Vulnerable EARs
EAR Email Notification
• 624 project maintainers notified
• 107 responded
  – 49 confirmed the EAR we reported
  – 26 told us that the app was a demo or toy
  – 3 pointed out false positives
  – 6 NOFIX
  – Rest thanked us but did not offer confirmation
Detection Effectiveness
• Manual verification of all vulnerable EARs
  – 485 True vulnerable (56.7%)
  – 325 False positives (vulnerable) (38.0%)
  – 45 False positives (EARs) (5.3%)
• Manual verification of 200 random benign EARs
  – 13 False positives (EARs) (6.5%)
  – 0 False negatives (vulnerable)
True Positive Example
class BanksController < ApplicationController
  def redirect_to_login
    redirect_to("/login") and return
  end

  def create
    if not current_user.is_admin?
      redirect_to_login() and return   # redirect_to_login returns nil, so this return never runs
    end
    @bank = Bank.create(params[:bank])
  end
end
False Positive Example
class UsersController < ApplicationController
  def update
    if request.get?
      redirect_to("/users")
    end
    if request.post?   # cannot be true on a request that was a GET: infeasible path
      @user = User.find(params[:id])
      @user.update_attributes(params[:user])
    end
  end
end
EAR Detection: Limitations
• False negatives
  – eval, send
• False positives
  – Infeasible paths
  – No type analysis
• Vulnerable EARs
Framework Susceptibility
• Analyzed 9 web frameworks
  – Rails, Grails, Django, ASP.NET MVC, Zend Framework, CakePHP, CodeIgniter, J2EE, Struts
• Susceptible
  – Ruby on Rails
  – Grails
  – J2EE
  – Struts
Prevention
• Secure design
  – Django, ASP.NET MVC
• Terminate process or thread
  – ASP.NET, CakePHP, Zend, CodeIgniter
• Patched Ruby on Rails
  – Exception handling
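An added example, not Rails' own code, that contrasts the unpatched behaviour with the exception-based halt this slide mentions, using the nested helper from the Nested Example slide; the RedirectHalt class, the run dispatcher and the controller internals are constructed stand-ins for how a framework could implement it, not the actual Rails patch.

```ruby
# Constructed stand-in for the exception a patched redirect_to would raise
class RedirectHalt < StandardError; end

class UsersController
  attr_reader :response, :writes

  def initialize(admin:, halt_on_redirect:)
    @admin = admin
    @halt_on_redirect = halt_on_redirect
    @response = nil
    @writes = []   # stands in for database rows the action would change
  end

  # Unpatched: record the 302 and return, so the action keeps running.
  # Patched: raising unwinds through every caller, which a bare `return`
  # inside a helper cannot do.
  def redirect_to(path)
    @response = [302, path]
    raise RedirectHalt if @halt_on_redirect
  end

  # The helper's `return` only leaves ensure_admin, not the action
  def ensure_admin
    unless @admin
      redirect_to("/")
      return
    end
  end

  def delete
    ensure_admin
    @writes << :user_deleted   # User.delete in the slide's version
  end

  # Dispatcher: the halt is expected, the recorded 302 becomes the response
  def run(action)
    public_send(action)
    self
  rescue RedirectHalt
    self
  end
end

# True when a redirect was issued and the action still modified state
def execution_after_redirect?(admin:, halt_on_redirect:)
  c = UsersController.new(admin: admin, halt_on_redirect: halt_on_redirect).run(:delete)
  c.response == [302, "/"] && !c.writes.empty?
end
```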
Contributions
• Described a relatively unknown web application vulnerability called Execution After Redirect (EAR)
• Developed an algorithm to statically detect EARs in Ruby on Rails applications
• Discovered many vulnerabilities in real-world open-source Ruby on Rails applications
Questions?
Code: http://github.com/adamdoupe/find_ear_rails
Email: adoupe@cs.ucsb.edu
Twitter: @adamdoupe