Penetration Testing with Improved Input Vector Identification
1. Penetration Testing with Improved Input Vector Identification
William G.J. Halfond, Shauvik Roy Choudhary, and Alessandro Orso
College of Computing
Georgia Institute of Technology
10. Penetration Testing Phases
[Diagram: the White Hat Tester tests the Web Application (HTML, Servlets) through three phases, Information Gathering, Attack Generation and Response Analysis, ending in a Report. Arrow labels: Target Selection, Information, Attacks, Responses, Analysis Feedback.]
21. Interfaces
1) Information Gathering: Interface Analysis
Phase 1: Identify Input Parameter (IP) names
Phase 2: Compute IP domain information
Phase 3: Group IPs into distinct interfaces
[Diagram: the Web Application (HTML, Servlets) feeds the three steps Identify IP Names, Compute IP Domains, Group IPs.]
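The three phases of interface analysis, worked on a constructed servlet fragment. This is an added illustration, not the WAM analysis the slides refer to: WAM operates on JEE bytecode and is far more precise, whereas the regex scan below is a simplified stand-in. The function names (identify_ip_names, compute_ip_domains, group_interfaces) mirror the slide's phase names and are assumptions; the domain of a parameter is inferred only from the parse call that wraps it, and parameters are grouped into interfaces by the servlet method that reads them.

```python
import re

# Constructed sample servlet (written for this example, not from any of the
# paper's subject applications).
SERVLET_SOURCE = """
public class AccountServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response) {
        String login = request.getParameter("login");
        String address = request.getParameter("address");
        int page = Integer.parseInt(request.getParameter("page"));
        // ... query construction omitted in this sample
    }
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        String query = request.getParameter("q");
        boolean asc = Boolean.parseBoolean(request.getParameter("asc"));
        // ... query construction omitted in this sample
    }
}
"""

METHOD_RE = re.compile(r"void\s+(do\w+)\s*\(")
PARAM_RE = re.compile(r'getParameter\("([^"]+)"\)')
NUMERIC_RE = re.compile(r'(Integer|Long|Double)\.parse\w+\(\s*request\.getParameter\("([^"]+)"\)')
BOOL_RE = re.compile(r'Boolean\.parseBoolean\(\s*request\.getParameter\("([^"]+)"\)')


def _method_bodies(source):
    """Split the source into (method name, body) chunks. Simplification: a
    method's body is taken to run until the next doXxx( declaration."""
    matches = list(METHOD_RE.finditer(source))
    chunks = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(source)
        chunks.append((m.group(1), source[m.end():end]))
    return chunks


def identify_ip_names(source):
    """Phase 1: every distinct parameter name read from the request, in order."""
    seen = []
    for name in PARAM_RE.findall(source):
        if name not in seen:
            seen.append(name)
    return seen


def compute_ip_domains(source):
    """Phase 2: domain per parameter. Default is string; a numeric or boolean
    parse wrapping the read narrows the domain (assumed heuristic)."""
    domains = {name: "string" for name in identify_ip_names(source)}
    for _, name in NUMERIC_RE.findall(source):
        domains[name] = "numeric"
    for name in BOOL_RE.findall(source):
        domains[name] = "boolean"
    return domains


def group_interfaces(source):
    """Phase 3: one interface per servlet method, listing the parameters it
    reads together with their domains."""
    domains = compute_ip_domains(source)
    interfaces = {}
    for method, body in _method_bodies(source):
        interfaces[method] = {n: domains[n] for n in identify_ip_names(body)}
    return interfaces


if __name__ == "__main__":
    for method, params in group_interfaces(SERVLET_SOURCE).items():
        print(method, params)
```

The value for attack generation is in the output shape: each interface lists exactly which parameters are accepted together and which of them are numeric or boolean, so a tester does not waste requests on parameter names that do not exist or on string payloads against parameters the application parses as integers.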
52. 3) Response Analysis with WASP
WASP:
1. Positive tainting: Identify and mark developer-trusted strings. Propagate taint markings at runtime
2. Syntax-Aware Evaluation: Check that all keywords and operators in a query were formed using marked strings
Response Analysis:
1. Send attack to web application
2. If WASP detects attack
   1. Block attack
   2. Send out-of-band signal
3. Check for signal on client side
59. 3) WASP: Syntax Aware Evaluation
Legitimate Query:
Input: login = "GJ", address = "Home"
update userTable set address = 'Home' where login = 'GJ'
Attempted SQL Injection:
Input: login = "GJ' ; drop table userTable -- ", address = "Home"
update userTable set address = 'Home' where login = 'GJ' ; drop table userTable -- '
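The WASP mechanism of slide 52 and the two queries of slides 59/60, carried through in one added example. This is not WASP's code (WASP instruments Java bytecode and uses a MetaStrings library); it is a Python model of the same two ideas: positive tainting keeps a per-character trust map for the query, and syntax-aware evaluation tokenizes the finished query and flags every SQL keyword or operator whose characters are not all trusted. The class and function names (MetaString, syntax_aware_check, response_analysis, client_sees_signal), the keyword set and the signal string are assumptions made for this example.

```python
import re

# Keywords (and all punctuation/operators) must come from trusted strings.
SQL_KEYWORDS = {"select", "insert", "update", "delete", "drop", "set", "where",
                "from", "table", "and", "or", "union", "values", "into"}
# Tokens: whitespace, single-quoted literal, word, "--", or any other char.
TOKEN_RE = re.compile(r"\s+|'(?:[^']|'')*'|\w+|--|\S")


class MetaString:
    """Query under construction as (text, trusted) segments. Positive tainting
    marks the developer's hard-coded strings; input stays unmarked."""

    def __init__(self):
        self.parts = []

    def trusted(self, text):
        self.parts.append((text, True))
        return self

    def untrusted(self, text):
        self.parts.append((text, False))
        return self

    def text(self):
        return "".join(t for t, _ in self.parts)

    def trust_map(self):
        marks = []
        for text, ok in self.parts:
            marks.extend([ok] * len(text))
        return marks


def is_keyword_or_operator(tok):
    if tok.isspace() or tok.startswith("'"):
        return False                      # whitespace and literals are data
    if re.fullmatch(r"\w+", tok):
        return tok.lower() in SQL_KEYWORDS
    return True                           # punctuation such as ; = ( ) --


def syntax_aware_check(query):
    """Return keywords/operators not formed entirely from trusted characters
    (an empty list means the query passes)."""
    marks = query.trust_map()
    violations = []
    for m in TOKEN_RE.finditer(query.text()):
        tok = m.group()
        if is_keyword_or_operator(tok) and not all(marks[m.start():m.end()]):
            violations.append(tok)
    return violations


def build_update(login, address):
    """The concatenation behind the slide's query: constant fragments are
    trusted, the two request parameters are not."""
    return (MetaString()
            .trusted("update userTable set address = '").untrusted(address)
            .trusted("' where login = '").untrusted(login).trusted("'"))


def response_analysis(login, address):
    """Server side of the response-analysis loop: evaluate the query before
    it executes; on detection, block it and raise the out-of-band signal."""
    query = build_update(login, address)
    violations = syntax_aware_check(query)
    if violations:
        return {"blocked": True, "signal": "WASP_INJECTION_DETECTED",
                "violations": violations}
    return {"blocked": False, "signal": None, "query": query.text()}


def client_sees_signal(result):
    """Client side: the signal is the oracle that the submitted input reached
    the query as SQL code rather than as data."""
    return result["signal"] == "WASP_INJECTION_DETECTED"


if __name__ == "__main__":
    print(response_analysis("GJ", "Home"))
    print(response_analysis("GJ' ; drop table userTable -- ", "Home"))
```

For the legitimate input every keyword and operator lies inside trusted segments, so the query runs. For the injection input the tokens `;`, `drop`, `table` and `--` fall entirely in the untrusted segment and are reported; the query is blocked and the signal tells the tester that this parameter is a real injection point, without the database ever having executed the payload. Note that user text inside a string literal (for instance a login of `drop`) is still allowed, because it is data, not a keyword.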
61. Empirical Evaluation
Goal: Evaluate the usefulness of our approach as compared to a traditional penetration testing approach.
Research Questions (RQ):
1. Runtime of analysis
2. Thoroughness of the penetration testing
3. Number of vulnerabilities discovered
62. Implementation: Baseline Approach
• Information Gathering → OWASP WebScarab
  • Widely used code-base
  • Actively maintained
• Attack Generation → SQLMap
  • Widely used penetration testing tool
  • Commonly used attack generation heuristics
• Response analysis → WASP [FSE 2006]
SQLMap++: SQLMap integrated with OWASP WebScarab Spider
63. Implementation: Our Approach
• Analyzes bytecode of Java Enterprise Edition (JEE) based web applications
• Interface analysis → WAM [FSE 2007]
• Attack generation → leverages SQLMap
• Response analysis → WASP [FSE 2006]
SDAPT: Static and Dynamic Analysis-based Penetration Testing
70. RQ3: Number of Vulnerabilities
[Bar chart: Number of Discovered Vulnerabilities (y-axis 0 to 18) per subject application: Bookstore, Checkers, Classifieds, Daffodil, Empl. Dir., Events, Filelister, Officetalk, Portal; two series, SQLMAP++ and SDAPT.]
Average increase: 246%
72. Summary of Results
• Improvements to penetration testing
  • Information gathering with static analysis
  • Response analysis with dynamic detection
• Relatively longer analysis time
• More thorough and more vulnerabilities discovered during penetration testing