fuse finding file upload bugs via penetration testing
play

FUSE: Finding File Upload Bugs via Penetration Testing Taekjin Lee, - PowerPoint PPT Presentation

Jul 24, 2023 •378 likes •995 views

FUSE: Finding File Upload Bugs via Penetration Testing Taekjin Lee, Seongil Wi , Suyoung Lee, Sooel Son KAIST Upload Functionality Sharing user-provided content has become a de facto standard feature of modern web applications 2 File

  1. FUSE: Finding File Upload Bugs via Penetration Testing Taekjin Lee, Seongil Wi , Suyoung Lee, Sooel Son KAIST

  2. Upload Functionality • Sharing user-provided content has become a de facto standard feature of modern web applications 2

  3. File Uploading Procedure Web server PHP interpreter Web application File Content-filtering Extractor checks Disable uploading NDSS.png specified file types NDSS.png Upload request [HTTP(S) POST] User A 3

  4. File Uploading Procedure Web server PHP interpreter Web application File Content-filtering Extractor https://wsplab.com/NDSS.png checks NDSS.png Download NDSS.png Upload Access request https://wsplab.com/NDSS.png User A User B 4

  5. Disable Uploading Malicious Files Web server PHP interpreter Web application File Content-filtering Discard Extractor checks webshell.php <?php system(‘ls’); ?> webshell.php Upload request Attacker 5 5

  6. Content-filtering Checks Content-filtering checks php <?php $black_list = array(‘js’,‘php’,‘html’,...) if (!in_array(ext($file_name), $black_list)) { <?php Error: move($file_name, $upload_path); system(‘ ls ’); forbidden } ?> file type else { PHP interpreter webshell.php message(' Error: forbidden file type '); } ?> 6

  7. File Upload Vulnerabilities - Server Side What will be happening? Web server PHP interpreter Web application File Content-filtering Discard Extractor checks webshell.php <?php Unrestricted File Upload Potential code system(‘ls’); <?php ?> execution (UFU) system(‘ls’); webshell.php ?> webshell.php Upload request Attacker 7 7

  8. File Upload Vulnerabilities - Server Side Arbitrary code execution Unrestricted Executable via a URL Web server File Upload (UEFU) PHP interpreter Web application File Content-filtering Extractor checks Unrestricted File Upload Potential code <?php execution (UFU) system(‘ls’); ?> webshell.php Access https://wsplab.com/webshell.php Attacker 8

  9. File Upload Vulnerabilities - Client Side Arbitrary code execution Unrestricted Executable Web server File Upload (UEFU) via a URL PHP interpreter Web application File Content-filtering Extractor <html> https://wsplab.com/xss.html checks <script> alert(‘xss’); Unrestricted File Upload </script> < html > < script > </html> (UFU) alert(‘xss’); xss.html </ script > </ html > xss.html Upload Access request https://wsplab.com/xss.html Attacker Victim 9

  10. How to Find UEFU Vulnerabilities? Web server PHP interpreter Web application File Content-filtering Extractor checks #1: Bypassing application-specific checks Executable Upload request Attacker 10 10

  11. How to Find UEFU Vulnerabilities? #2: Preserving the Web server execution semantic PHP interpreter Web application File Content-filtering Extractor https://wsplab.com/Executable checks #1: Bypassing application-specific checks Executable Upload request Attacker Victim 11 11

  12. #2: Preserving the Execution Semantic Web server PHP interpreter Web application File Content-filtering Extractor checks <?php #1: Bypassing system(‘ls’); <?php ?> application-specific checks system(‘ls’); webshell.foo ?> php → foo webshell.foo Upload request Attacker 12 12

  13. #2: Preserving the Execution Semantic A web server does not #2: Preserving the execute webshell.foo execution semantic Web server (Not a php-style extension) PHP interpreter Web application File Content-filtering Extractor checks Potential code #1: Bypassing <?php application-specific checks execution system(‘ls’); ?> webshell.foo Access https://wsplab.com/webshell.foo Attacker 13 13 13

  14. Summary #2: Preserving the Web server execution semantic PHP interpreter Web application File Content-filtering Extractor https://wsplab.com/Executable checks #1: Bypassing application-specific checks Executable Upload request Attacker Victim 14 14

  15. Previous Studies • Static analysis − Pixy, Oakland ’06 − Merlin, PLDI ’09 Few studies have addressed • Dynamic analysis finding U(E)FU vulnerabilities ! − Saner, Oakland ’08 − Riding out DOMsday, NDSS ’18 • Symbolic execution − NAVEX, USENIX ’18 − SAFERPHP, PLAS ’11 15

  16. How we address all the challenges? 16

  17. We propose FUSE 17

  18. Our Approach Web server PHP interpreter Web application File Content-filtering Rejected Extractor checks Initial upload FUSE request 18 18

  19. Our Approach - Mutate Upload Request Web server PHP interpreter Web application File Content-filtering Rejected Extractor checks UEFU vulnerability Mutated upload FUSE request 19 19

  20. Our Approach Analyze web servers #2: Preserving the Web server execution semantic and browsers PHP interpreter Web application File Content-filtering Extractor https://wsplab.com/Executable checks Investigate root causes #1: Bypassing application-specific checks of U(E)FU bugs Executable Initial upload FUSE request Victim 20 20

  21. Our Approach Analyze web servers Analyze web servers Web server and browsers and browsers PHP interpreter Web application File Content-filtering Extractor https://wsplab.com/Executable checks Investigate root causes of U(E)FU bugs Web server Executable Initial upload FUSE request Victim 21 21

  22. Mutate Upload Request Analyze web servers Investigate root causes and browsers of U(E)FU bugs Web server Design 13 Mutate Initial upload FUSE mutation operations request 22 22

  23. Our Goal: Finding U(E)FU Bugs Mutator Uploader Mutated upload request 23

  24. Our Goal: Finding U(E)FU Bugs Mutator Uploader Validator Mutated Upload upload request information UFU and UEFU vulnerabilities 24

  25. Upload Request filename content-type content Web server Upload FUSE request 25

  26. Upload Request filename xss.html content-type <html> text/html <script> content alert(‘xss’); </script> <html><script>al </html> ert(‘xss’)</scri xss.html pt></html> Upload request 26

  27. Five objectives that trigger Mutation Objectives common mistakes in implementing checks filename Content-filtering checks xss.html if (finfo_file( content ) not in expected_type) content-type reject(file); text/html if (ext( file_name ) not in expected_ext) content reject(file); if (expected_keyword in content ) <html><script>al reject(file); ert(‘xss’)</scri if ( content_type not in expected_type) pt></html> reject(file); accept(file) Upload request 27

  28. Mutation Objectives #1 filename Content-filtering checks xss.html if (finfo_file( content ) == ‘text/html’) content-type reject(file); text/html Exploiting the absence of if (ext( file_name ) == ‘php’) content reject(file); content-filtering checks if ( ‘ <?php ’ in content ) <html><script>al reject(file); ert(‘xss’)</scri if ( content_type == ‘text/html’) pt></html> reject(file); accept(file) Upload No mutation request 28

  29. Mutation Objectives #2 ‘image/png’ filename Content-filtering checks xss.html if (finfo_file( content ) == ‘text/html’) content-type reject(file); text/html if (ext( file_name ) == ‘php’) content \x89\x50\x4e\x47 reject(file); Causing incorrect type if ( ‘ <?php ’ in content ) \x0d\x0a\x1a... <html><script>al inferences based on reject(file); ert(‘xss’)</scri <html><script>al PNG header if ( content_type == ‘text/html’) pt></html> ert(‘xss’)</scri content reject(file); pt></html> accept(file) Upload M1: Prepending a resource header request 29

  30. Mutation Objectives #3 filename Content-filtering checks ‘php5’ webshell.php5 webshell.php if (finfo_file( content ) == ‘text/html’) content-type reject(file); application/x-php if (ext( file_name ) == ‘php’) content reject(file); if ( ‘ <?php ’ in content ) <?php Exploiting incomplete reject(file); system(‘ls’); if ( content_type == ‘text/html’) blacklist based on ?> reject(file); extension accept(file) Upload M4: Changing a file extension request 30

  31. Mutation Objectives #4 filename Content-filtering checks webshell.php Bypassing keyword if (finfo_file( content ) == ‘text/html’) content-type checks based on content reject(file); application/x-php if (ext( file_name ) == ‘php’) content reject(file); if ( ‘ <?php ’ in content ) <? <?php reject(file); system(‘ls’); system(‘ls’); ‘<?’ if ( content_type == ‘text/html’) ?> ?> reject(file); accept(file) Upload M5: Replace PHP tags with short tags request 31

  32. Mutation Objectives #5 filename Content-filtering checks xss.html if (finfo_file( content ) == ‘text/html’) content-type Bypassing filtering logic reject(file); image/png text/html if (ext( file_name ) == ‘php’) based on content-type content reject(file); ‘image/png’ if ( ‘ <?php ’ in content ) <html><script>al reject(file); ert(‘xss’)</scri if ( content_type == ‘text/html’) pt></html> reject(file); accept(file) Upload M3: Changing the content-type of an upload request request 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez,

Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez,

Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez, Soujanya Ponnapalli, Pandian Raju, Vijay Chidambaram Crashes I crashed This is very File saved! important File missing Image

878 views • 87 slides
The POD file NAME iaoptions.config Main (and only) configuration file for JACoW.upload,

The POD file NAME iaoptions.config Main (and only) configuration file for JACoW.upload,

File Upload / Download Perl Scripts The five Perl scripts must be installed on the conference file server to enable authors and editors to upload and download manuscript and talk files. The file server must have an up-to-date version of

272 views • 9 slides
1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

What is a bug? Formally, a software defect A Bugs life SUT fails to perform to spec SUT causes something else to fail SUT functions, but does not satisfy Finding and Managing Bugs usability criteria CSE 403 If the

643 views • 3 slides
Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Failure is not an option * A journey through software bugs Philippe Biondi Nov 20 th 2015 / GreHack Failure is not an option * Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?! 4 Living with bugs

966 views • 63 slides
Testing Test Cases: Finding Errors Bug : Error in a program. (Always expect them!)

Testing Test Cases: Finding Errors Bug : Error in a program. (Always expect them!)

Mini-Lecture 9 Testing Test Cases: Finding Errors Bug : Error in a program. (Always expect them!) Debugging : Process of finding bugs and removing them. Testing : Process of analyzing, running program, looking for bugs. Test

365 views • 13 slides
Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues CS553 Lecture Finding Bugs 2

461 views • 8 slides
Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu *

Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu *

Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu * , Sanidhya Kashyap * , Jungyeon Yoon, Wen Xu, Taesoo Kim * On the job market Demonstration Fuzzing F2FS in Linux v5.0-rc7 for crash consistency

943 views • 75 slides
Cross-checking Semantic Correctness: The Case of Finding File System Bugs Changwoo Min , Sanidhya

Cross-checking Semantic Correctness: The Case of Finding File System Bugs Changwoo Min , Sanidhya

Cross-checking Semantic Correctness: The Case of Finding File System Bugs Changwoo Min , Sanidhya Kashyap, Byoungyoung Lee, Chengyu Song, Taesoo Kim Georgia Institute of Technology School of Computer Science Two promising approaches to make

1.25k views • 85 slides
Direct-FUSE: Removing the Middleman for High-Performance FUSE File System Support Yue Zhu *, Teng

Direct-FUSE: Removing the Middleman for High-Performance FUSE File System Support Yue Zhu *, Teng

Direct-FUSE: Removing the Middleman for High-Performance FUSE File System Support Yue Zhu *, Teng Wang*, Kathryn Mohror + , Adam Moody + , Kento Sato + , Muhib Khan*, Weikuan Yu* Florida State University* Lawrence Livermore National Laboratory +

489 views • 20 slides
Direct-FUSE: Removing the Middleman for High-Performance FUSE File System Support Yue Zhu*, Teng

Direct-FUSE: Removing the Middleman for High-Performance FUSE File System Support Yue Zhu*, Teng

Direct-FUSE: Removing the Middleman for High-Performance FUSE File System Support Yue Zhu*, Teng Wang*, Kathryn Mohror + , Adam Moody + , Kento Sato + , Muhib Khan*, Weikuan Yu* Florida State University* Lawrence Livermore National Laboratory +

277 views • 6 slides
Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang,

Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang,

Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang, Jian Huang, and Marc Snir University of Illinois at Urbana-Champaign Contact: Jinghan Sun (js39@illinois.edu) PFS failures are frequent and

912 views • 17 slides
RVFuzzer: Finding Input Validation Bugs in Robotic Vehicles through Control-Guided Testing Taegyu

RVFuzzer: Finding Input Validation Bugs in Robotic Vehicles through Control-Guided Testing Taegyu

RVFuzzer: Finding Input Validation Bugs in Robotic Vehicles through Control-Guided Testing Taegyu Kim , Chung Hwan Kim, Junghwan Rhee, Fan Fei, Zhan Tu, Gregory Walkup, Xiangyu Zhang, Xinyan Deng, Dongyan Xu Robotic Vehicles? How Do Robotic

351 views • 17 slides
Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene

Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene

Introduction Container Library Container Tools FUSE Container File System Evaluation Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene Michael Kuhn Parallele und Verteilte Systeme Institut f ur

353 views • 22 slides
Penetration testing auditability Alexandros Tsiridis &amp; Stamatios Maritsas What is the purpose

Penetration testing auditability Alexandros Tsiridis &amp; Stamatios Maritsas What is the purpose

MSc System and Network Engineering Penetration testing auditability Alexandros Tsiridis &amp; Stamatios Maritsas What is the purpose of penetration testing auditability? Research questions What are the sources of penetration testing

554 views • 13 slides
Web Application Penetration By: Frank Coburn &amp; Haris Mahboob Testing Take Aways Overview

Web Application Penetration By: Frank Coburn &amp; Haris Mahboob Testing Take Aways Overview

Web Application Penetration By: Frank Coburn &amp; Haris Mahboob Testing Take Aways Overview of the web Web proxy tool Reporting Gaps in the process app penetration testing process Penetration testing vs vulnerability assessment What

301 views • 17 slides
1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

Finding Bugs Problem Last time What is a bug? a path in the code that causes a run-time exception Alias/Pointer analysis a path through the code that causes incorrect results Today Issues Program Analysis for finding bugs,

214 views • 4 slides
OpenSMART: Single-cycle Multi-hop NoC Generator in BSV and Chisel Hyoukjun Kwon and Tushar Krishna

OpenSMART: Single-cycle Multi-hop NoC Generator in BSV and Chisel Hyoukjun Kwon and Tushar Krishna

OpenSMART: Single-cycle Multi-hop NoC Generator in BSV and Chisel Hyoukjun Kwon and Tushar Krishna Georgia Institute of Technology Synergy Lab (http://synergy.ece.gatech.edu) hyoukjun@gatech.edu April 25, 2017 Hardware Development Cost

494 views • 38 slides
Maternity Bundled Payment Workgroup January 8 th , 2019 Agenda Welcome and Introductions

Maternity Bundled Payment Workgroup January 8 th , 2019 Agenda Welcome and Introductions

Maternity Bundled Payment Workgroup January 8 th , 2019 Agenda Welcome and Introductions Bree Collaborative Overview Background Past Work Open Public Meetings Act Review Washington State Pregnancy and Perinatal Work

478 views • 22 slides
Wednesday, January 9, 2019 NOVEMBER 2018-2019 REVENUE VARIANCE $0.7 $1.2 -$0.1 $0.1 -$1.3

Wednesday, January 9, 2019 NOVEMBER 2018-2019 REVENUE VARIANCE $0.7 $1.2 -$0.1 $0.1 -$1.3

Wednesday, January 9, 2019 NOVEMBER 2018-2019 REVENUE VARIANCE $0.7 $1.2 -$0.1 $0.1 -$1.3 $2.0 $0.1 $2.7 % CHANGE 0.6% 3.5% -1.4% 3.2% -12.9% 250% 1.3% 1.6% $200.0 $174.9 $172.2 $150.0 $125.2 $124.5 FY 2018 $100.0 FY 2019

1.19k views • 93 slides
Gravity Pipeline Outreach Meeting March 22, 2017 Regional Environmental Sewer Conveyance Upgrade

Gravity Pipeline Outreach Meeting March 22, 2017 Regional Environmental Sewer Conveyance Upgrade

Gravity Pipeline Outreach Meeting March 22, 2017 Regional Environmental Sewer Conveyance Upgrade Agenda Introduction (Teresa) Gravity Pipeline Project Overview (Bruce) Procurement Process and Stages (Teresa) Key Parts of the

742 views • 60 slides
The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada

The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada

The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada Kees (Case) Cook keescook@chromium.org @kees_cook https://outflux.net/slides/2018/lss/kspp.pdf Kernel Self Protection Project

431 views • 15 slides
AHA 2016 David P Taggart MD(Hons),PhD,FRCS,FESC Professor of Cardiovascular Surgery University

AHA 2016 David P Taggart MD(Hons),PhD,FRCS,FESC Professor of Cardiovascular Surgery University

Arterial Revascularization Trial (ART) Randomiz ized comparis ison of f sin single le versus bila ilateral l in internal l mammary ry art rtery ry graft ftin ing in in 3102 patie ients: Effects on majo jor cardio iovascula lar

331 views • 18 slides
The SYNTAX E xtended S urvival Study Ten-Year Survival in Patients Randomized to Percutaneous

The SYNTAX E xtended S urvival Study Ten-Year Survival in Patients Randomized to Percutaneous

The SYNTAX E xtended S urvival Study Ten-Year Survival in Patients Randomized to Percutaneous Coronary Intervention versus Coronary Artery Bypass Grafting Daniel J.F.M. Thuijs , A. Pieter Kappetein, Patrick W. Serruys, Friedrich-Wilhelm Mohr,

610 views • 20 slides
CABG v. PCI: History and Trends CABG PCI Initial use 1967 1977 Use in MVD and LMD 50 years

CABG v. PCI: History and Trends CABG PCI Initial use 1967 1977 Use in MVD and LMD 50 years

12/8/19 The Role of PCI vs. CABG Surgery in the Management of Left Main and Multi-vessel CAD December 8, 2019 John S. MacGregor, M.D., Ph.D. Professor of Medicine University of California San Francisco 1 CABG v. PCI: History and Trends

360 views • 19 slides

More recommend