Penetration Testing with Improved Input Vector Identification

1. Penetration Testing with Improved Input Vector Identiﬁcation! William G.J. Halfond, Shauvik Roy Choudhary, and Alessandro Orso! College of Computing! Georgia Institute of Technology! !

2. 2! Web Application Overview ! Other Systems Web Server End Users Database

3. 3! Web Application Overview ! Other Systems End Users Web Application! HTML Servlets Database

4. 4! Web Application Overview ! Other Systems End Users HTTP Requests Web Application! HTML Servlets Database

5. 5! Web Application Overview ! Other Systems End Users HTTP Requests Web Application! HTML Servlets Database

6. 6! Web Application Overview ! Other Systems End Users HTTP Requests HTML Pages Web Application! HTML Servlets Database

7. 7! Penetration Testing Overview ! Other Systems White Hat Tester Web Application! HTML Servlets Database

8. 8! Penetration Testing Overview ! Other Systems White Hat Tester !@#$ Web Application! HTML Servlets Database

9. 9! Penetration Testing Overview ! Other Systems White Hat Tester !@#$ Secret Data! Web Application! HTML Servlets Database

10. Penetration Testing Phases! White Hat Tester Web Application! HTML Servlets Information Gathering Attack Generation Response AnalysisReport Target! Selection ! Analysis! Feedback! Information! Attacks! Responses!

11. public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) ! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)! 10. else if (action.equals(“provideAddress”)) ! 11. String loginName = req.getParameter(“login”)! 12. String address = req.getParameter(“address”)! 13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)! 14. else! 15. displayCreateLoginForm()! Example Web Application Code!

16. public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) ! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)! 10. else if (action.equals(“provideAddress”)) ! 11. String loginName = req.getParameter(“login”)! 12. String address = req.getParameter(“address”)! 13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)! 14. else! 15. displayCreateLoginForm()! Example Web Application Code! !!

17. Our Approach! Goal:! Improve penetration testing by improving information gathering and response analysis.!

18. Our Approach! Improvements to penetration testing:! 1.  Information gathering ð Static interface analysis! 2.  Attack Generation ð Generate realistic test-inputs! 3.  Response Analysis ð Produce observable side effect of attack! Goal:! Improve penetration testing by improving information gathering and response analysis.!

19. Interfaces Interface! Analysis! [FSE 2007]! 1) Information Gathering: Interface Analysis! 19! Web Application HTML Servlets

20. Interfaces 1) Information Gathering: Interface Analysis! 20! Web Application HTML Servlets Compute IP Domains Group IPs Identify IP Names

21. Interfaces 1) Information Gathering: Interface Analysis! 21! Phase 1: Identify Input Parameters (IP) names! Phase 2: Compute IP domain information! Phase 3: Group IP into distinct interfaces! Web Application HTML Servlets Compute IP Domains Group IPs Identify IP Names

24. 1) Interface Analysis: Identify IP Names! public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)! 10. else if (action.equals(“provideAddress”)) ! 11. String loginName = req.getParameter(“login”)! 12. String address = req.getParameter(“address”)! 13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)! 14. else! 15. displayCreateLoginForm()!

25. 1) Interface Analysis: Identify IP Names! public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)! 10. else if (action.equals(“provideAddress”)) ! 11. String loginName = req.getParameter(“login”)! 12. String address = req.getParameter(“address”)! 13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)! 14. else! 15. displayCreateLoginForm()! userAction

26. 1) Interface Analysis: Identify IP Names! public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)! 10. else if (action.equals(“provideAddress”)) ! 11. String loginName = req.getParameter(“login”)! 12. String address = req.getParameter(“address”)! 13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)! 14. else! 15. displayCreateLoginForm()! userAction login address login password

27. 1) Interface Analysis: Compute IP Domains! userAction login login address password public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) ! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)! 10. else if (action.equals(“provideAddress”)) ! 11. String loginName = req.getParameter(“login”)! 12. String address = req.getParameter(“address”)! 13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)! 14. else! 15. displayCreateLoginForm()!

28. 1) Interface Analysis: Compute IP Domains! userAction login login address userAction:String {“createLogin”, “provideAddress”} password public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) ! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)! 10. else if (action.equals(“provideAddress”)) ! 11. String loginName = req.getParameter(“login”)! 12. String address = req.getParameter(“address”)! 13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)! 14. else! 15. displayCreateLoginForm()!

31. 1) Interface Analysis: Compute IP Domains! userAction login login address userAction:String {“createLogin”, “provideAddress”} passwordpassword:String public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) ! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)! 10. else if (action.equals(“provideAddress”)) ! 11. String loginName = req.getParameter(“login”)! 12. String address = req.getParameter(“address”)! 13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)! 14. else! 15. displayCreateLoginForm()!

32. 1) Interface Analysis: Compute IP Domains! userAction login login address userAction:String {“createLogin”, “provideAddress”} passwordpassword:String public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) ! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)! 10. else if (action.equals(“provideAddress”)) ! 11. String loginName = req.getParameter(“login”)! 12. String address = req.getParameter(“address”)! 13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)! 14. else! 15. displayCreateLoginForm()!

33. 1) Interface Analysis: Compute IP Domains! userAction login login address userAction:String {“createLogin”, “provideAddress”} passwordpassword:Stringpassword:Integer public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) ! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)! 10. else if (action.equals(“provideAddress”)) ! 11. String loginName = req.getParameter(“login”)! 12. String address = req.getParameter(“address”)! 13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)! 14. else! 15. displayCreateLoginForm()!

34. 1) Interface Analysis: Compute IP Domains! userAction login login address userAction:String {“createLogin”, “provideAddress”} passwordpassword:Stringpassword:Integer login:String login:String address:String public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) ! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)! 10. else if (action.equals(“provideAddress”)) ! 11. String loginName = req.getParameter(“login”)! 12. String address = req.getParameter(“address”)! 13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)! 14. else! 15. displayCreateLoginForm()!

35. 1) Interface Analysis: Group IPs! public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)! 10. else if (action.equals(“provideAddress”)) ! 11. String loginName = req.getParameter(“login”)! 12. String address = req.getParameter(“address”)! 13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)! 14. else! 15. displayCreateLoginForm()! userAction login login address userAction:String {“createLogin”, “provideAddress”} passwordpassword:Stringpassword:Integer login:String login:String address:String

36. 1) Interface Analysis: Group IPs! public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)! 10. else if (action.equals(“provideAddress”)) ! 11. String loginName = req.getParameter(“login”)! 12. String address = req.getParameter(“address”)! 13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)! 14. else! 15. displayCreateLoginForm()! userAction login login address userAction:String {“createLogin”, “provideAddress”} passwordpassword:Stringpassword:Integer login:String login:String address:String 1 14 10 2 15 11 12 13 4 3 5 7 6 9 8

45. 1) Information Gathering: Summary! Interface! Parameter! Domain! Relevant Values! 1! userAction! String! “createLogin”, “provideAddress”! login! String! password! Integer! 2! userAction! String! “createLogin”, “provideAddress”! login! String! address! String! 3! userAction! String! “createLogin”, “provideAddress”!

46. 2) Attack Generation! White Hat Tester Interface userAction login password

47. 2) Attack Generation! White Hat Tester Interface userAction login password

48. 2) Attack Generation! White Hat Tester Interface userAction login password userAction = ? login = <attack string> password = ?

49. 2) Attack Generation! White Hat Tester Interface userAction login password userAction = ? login = <attack string> password = ? IP Domain ! Information!

50. 2) Attack Generation! White Hat Tester Interface userAction login password userAction = ? login = <attack string> password = ? IP Domain ! Information! userAction = createLogin login = <attack string> password = 1234

51. 3) Response Analysis with WASP! Response Analysis:! 1.  Send attack to web application! 2.  If WASP detects attack! 1.  Block attack! 2.  Send out-of-band signal! 3.  Check for signal on client side!

52. 3) Response Analysis with WASP! WASP:! 1.  Positive tainting: Identify and mark developer-trusted strings. Propagate taint markings at runtime! 2.  Syntax-Aware Evaluation: Check that all keywords and operators in a query were formed using marked strings! Response Analysis:! 1.  Send attack to web application! 2.  If WASP detects attack! 1.  Block attack! 2.  Send out-of-band signal! 3.  Check for signal on client side!

53. public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (‘”! + loginName + “’, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)! 10. else if (action.equals(“provideAddress”)) ! 11. String loginName = req.getParameter(“login”)! 12. String address = req.getParameter(“address”)! 13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)! 14. else! 15. displayCreateLoginForm()! 3) WASP: Identify Trusted Data!

56. 3) WASP: Syntax Aware Evaluation! Legitimate Query:! Attempted SQL Injection:! Input: login = “GJ”, address = “Home”! Input: login = “GJ’ ; drop table userTable -- ”, address = “Home”!

57. update userTable set address = ‘Home’ where login = ‘GJ’! 3) WASP: Syntax Aware Evaluation! Legitimate Query:! Attempted SQL Injection:! Input: login = “GJ”, address = “Home”! Input: login = “GJ’ ; drop table userTable -- ”, address = “Home”!

58. update userTable set address = ‘Home’ where login = ‘GJ’! 3) WASP: Syntax Aware Evaluation! Legitimate Query:! Attempted SQL Injection:! Input: login = “GJ”, address = “Home”! Input: login = “GJ’ ; drop table userTable -- ”, address = “Home”!

59. update userTable set address = ‘Home’ where ! ! login = ‘GJ’ ; drop table userTable -- ’! update userTable set address = ‘Home’ where login = ‘GJ’! 3) WASP: Syntax Aware Evaluation! Legitimate Query:! Attempted SQL Injection:! Input: login = “GJ”, address = “Home”! Input: login = “GJ’ ; drop table userTable -- ”, address = “Home”!

60. update userTable set address = ‘Home’ where ! ! login = ‘GJ’ ; drop table userTable -- ’! update userTable set address = ‘Home’ where login = ‘GJ’! 3) WASP: Syntax Aware Evaluation! Legitimate Query:! Attempted SQL Injection:! Input: login = “GJ”, address = “Home”! Input: login = “GJ’ ; drop table userTable -- ”, address = “Home”!

61. Empirical Evaluation! Goal: ! Evaluate the usefulness of our approach as compared to a traditional penetration testing approach.! ! Research Questions (RQ):! 1.  Runtime of analysis! 2.  Thoroughness of the penetration testing! 3.  Number of vulnerabilities discovered! 61!

62. Implementation: Baseline Approach! •  Information Gathering ð OWASP WebScarab! •  Widely used code-base! •  Actively maintained! •  Attack Generation ð SQLMap! •  Widely used penetration testing tool! •  Commonly used attack generation heuristics! •  Response analysis ð WASP[FSE 2006]! SQLMap++ ! SQLMap integrated with OWASP WebScarab Spider!

63. Implementation: Our Approach! •  Analyzes bytecode of Java Enterprise Edition (JEE) based web applications! •  Interface analysis ð WAM[FSE 2007]! •  Attack generation ð leverages SQLMap! •  Response analysis ð WASP[FSE 2006]! SDAPT! Static and Dynamic Analysis-based Penetration Testing!

64. Subject Applications! Subject! LOC! Classes! Servlets! Bookstore! 19,402! 28! 27! Checkers! 5,415! 59! 32! Classiﬁeds! 10,702! 18! 18! Daffodil! 18,706! 119! 70! Employee Directory! 5,529! 11! 9! Events! 7,164! 13! 12! Filelister! 8,671! 41! 10! Ofﬁce Talk! 4,670! 63! 39! Portal! 16,089! 28! 27!

65. RQ1: Runtime! 1! 10! 100! 1000! 10000! Bookstore! Checkers! Classiﬁeds! Daffodil! Empl. Dir! Events! Filelister! Ofﬁcetalk! Portal! Analysis Time (s)! SQLMAP++! SDAPT!

66. RQ1: Runtime! 1! 10! 100! 1000! 10000! Bookstore! Checkers! Classiﬁeds! Daffodil! Empl. Dir! Events! Filelister! Ofﬁcetalk! Portal! Analysis Time (s)! SQLMAP++! SDAPT! •  SDAPT ranged from 8 to 40 mins! •  Positive note: Testing was more thorough!

67. RQ1: Runtime! 1! 10! 100! 1000! 10000! Bookstore! Checkers! Classiﬁeds! Daffodil! Empl. Dir! Events! Filelister! Ofﬁcetalk! Portal! Analysis Time (s)! SQLMAP++! SDAPT! •  SDAPT ranged from 8 to 40 mins! •  Positive note: Testing was more thorough!

68. RQ2: Thoroughness! 0! 50! 100! 150! 200! 250! Bookstore! Checkers! Classifieds! Daffodil! Empl. Dir! Events! Filelister! Officetalk! Portal! Number of Input Vectors! SQLMAP++! SDAPT! 0! 10! 20! 30! 40! 50! Bookstore! Checkers! Classifieds! Daffodil! Empl. Dir! Events! Filelister! Officetalk! Portal! Number of Components! SQLMAP++! SDAPT!

69. RQ3: Number of Vulnerabilities!

70. RQ3: Number of Vulnerabilities! 0! 2! 4! 6! 8! 10! 12! 14! 16! 18! Bookstore! Checkers! Classiﬁeds! Daffodil! Empl. Dir.! Events! Filelister! Ofﬁcetalk! Portal! Number of Discovered Vulnerabilities! SQLMAP++! SDAPT!

71. RQ3: Number of Vulnerabilities! 0! 2! 4! 6! 8! 10! 12! 14! 16! 18! Bookstore! Checkers! Classiﬁeds! Daffodil! Empl. Dir.! Events! Filelister! Ofﬁcetalk! Portal! Number of Discovered Vulnerabilities! SQLMAP++! SDAPT! Average increase: 246%!

72. Summary of Results! •  Improvements to penetration testing! •  Information gathering with static analysis! •  Response analysis with dynamic detection! •  Relatively longer analysis time! •  More thorough and more vulnerabilities discovered during penetration testing!

Penetration Testing with Improved Input Vector Identification

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (18)

En vedette

En vedette (8)

Similaire à Penetration Testing with Improved Input Vector Identification

Similaire à Penetration Testing with Improved Input Vector Identification (20)

Plus de Shauvik Roy Choudhary, Ph.D.

Plus de Shauvik Roy Choudhary, Ph.D. (10)

Dernier

Dernier (20)

Penetration Testing with Improved Input Vector Identification