static detection of second order vulnerabilities in web
play

Static Detection of Second-Order Vulnerabilities in Web Applications - PowerPoint PPT Presentation

Jan 23, 2024 •163 likes •579 views

Static Detection of Second-Order Vulnerabilities in Web Applications Johannes Dahse and Thorsten Holz Ruhr-University Bochum USENIX Security 14, 20-22 August 2014, San Diego, CA, USA 1. Introduction 2. Implementation 3. Evaluation 4.

  1. Static Detection of Second-Order Vulnerabilities in Web Applications Johannes Dahse and Thorsten Holz Ruhr-University Bochum USENIX Security ’14, 20-22 August 2014, San Diego, CA, USA

  2. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion „First-Order“ Vulnerabilities ● SQL injection <?php $name = $_POST ['name']; // ', 1), (version(), 1)-- - $sql = “INSERT INTO users VALUES (' $name ', '$pwd')“; mysql_query ( $sql ); ?> send !“*$()&/'\ user input application 2

  3. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Sanitization ● SQL injection (prevented) <?php $name = mysql_real_escape_string ( $_POST ['name']); $sql = “INSERT INTO users VALUES (' $name ', '$pwd')“; mysql_query ( $sql ); ?> send !“*$()&/'\ user input application 3

  4. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Vulnerability (1) ● Database Write <?php $name = mysql_real_escape_string ( $_POST ['name']); $sql = “INSERT INTO users VALUES (' $name ', '$pwd')“; mysql_query ( $sql ); ?> send write user input database application 4

  5. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Vulnerability (2) ● Database Read <?php $result = mysql_query ('SELECT * FROM users'); $row = mysql_fetch_assoc ( $result ); echo $row ['name']; ?> send write read user input database application 5

  6. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Multi-Step Exploit (1) ● First-Order SQL injection <?php $name = $_POST ['name']; // ', 'payload')-- - $sql = “INSERT INTO users VALUES (' $name ', '$pwd')“; mysql_query ( $sql ); ?> send !“*$()&/'\ user input database application 6

  7. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Multi-Step Exploit (1) ● Exploit First-Order SQL injection <?php $name = $_POST ['name']; // ', 'payload')-- - $sql = “INSERT INTO users VALUES (' $name ', '$pwd')“; mysql_query ( $sql ); ?> send write user input database application 7

  8. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Multi-Step Exploit (2) ● Second-Order Command Execution <?php $result = mysql_query ('SELECT * FROM users'); $row = mysql_fetch_assoc ( $result ); system ('htpasswd -b .htpasswd Admin ' .$row ['pwd']); ?> request read database application 8

  9. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Vulnerabilities User input Sensitive Sink Persistent Data Store (PDS) 1. 2. ● $_GET ● Databases ● Cross-Site Scripting ● $_POST ● File Names ● SQL Injection ● $_COOKIE ● $_SESSION (File Content) ● Code Execution ● $_FILES ... ● File Inclusion ● $_SERVER ● File Disclosure ... ... 9

  10. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Vulnerabilities User input Sensitive Sink Persistent Data Store (PDS) 1. 2. ● $_GET ● Databases ● Cross-Site Scripting ● $_POST ● File Names ● SQL Injection ● $_COOKIE ● $_SESSION (File Content) ● Code Execution ● $_FILES ... ● File Inclusion ● $_SERVER ● File Disclosure ... ... 10

  11. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Our Approach ● Static Code Analysis (no access to environment) ● Analyze writes and reads to persistent data stores ● Connect input and output points at the end of the analysis to detect second-order and multi-step vulnerabilities 11

  12. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion 2. Implementation (Overview) Source: http://rewalls.com 12

  13. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion First-Order Taint Analysis $name = $_POST ['name']; mysql_query ('insert into users values(null, ' $name ', ' $pwd '); 13

  14. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion First-Order Taint Analysis $name = $_POST ['name']; mysql_query ('insert into users values(null, ' $name ', '$pwd'); 14

  15. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion First-Order Taint Analysis $name = $_POST ['name']; mysql_query ('insert into users values(null, ' $name ', '$pwd'); 15

  16. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion First-Order Taint Analysis $name = $_POST ['name']; Vulnerability Report POST[name] SQLi mysql_query ('insert into users values(null, ' $name ', '$pwd'); 16

  17. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Taint Analysis (write) $name = escape ( $_POST ['name']); users mysql_query ('insert into users id name pass values(null, ' $name ', '$pwd'); 17

  18. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Multi-Step Taint Analysis (write) $name = $_POST ['name']; Vulnerability Report POST[name] SQLi users mysql_query ('insert into users id name pass values(null, ' $name ', '$pwd'); 18

  19. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Taint Analysis (read) PDS $res = mysql_query ('select name from users'); $row = mysql_fetch_assoc ( $res ); * echo ('Hi ' . $res ['name'] . ' !'); 19

  20. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Taint Analysis (read) PDS $res = mysql_query ('select name from users'); $row = mysql_fetch_assoc ( $res ); * echo ('Hi ' . $res ['name'] . ' !'); 20

  21. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Taint Analysis (read) PDS $res = mysql_query ('select name from users'); $row = mysql_fetch_assoc ( $res ); * echo ('Hi ' . $res ['name'] . ' !'); 21

  22. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Taint Analysis (read) PDS $res = mysql_query ('select name from users'); Temporary Vulnerability Report users[name] $row XSS = mysql_fetch_assoc ( $res ); * echo ('Hi ' . $res ['name'] . ' !'); 22

  23. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Taint Decision PDS connect Reads Writes users id name pass Temporary Vulnerability Report users[name] * XSS PDS' 23

  24. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Taint Decision PDS Reads Writes users id name pass tainted? Temporary Vulnerability Report users[name] * XSS PDS' 24

  25. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Taint Decision PDS Reads Writes users id name pass Temporary Vulnerability sanitized? Report users[name] * XSS PDS' 25

  26. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Taint Decision PDS Reads Writes users id name pass Temporary Vulnerability Report users[name] * XSS Second-Order Vulnerability Report XSS PDS' 26

  27. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion 3. Evaluation Source: http://rewalls.com 27

  28. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Selected Software ● osCommerce 2.3.3.4 ● HotCRP 2.61 ● OpenConf 5.30 ● MyBloggie 2.1.4 ● NewsPro 1.1.5 ● Scarf 2007-02-27 28

  29. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion PDS Usage and Coverage (first-order) Manually counted PDS (841) Non-Taintable 77% Taintable '"\<> Detected Taintable PDS 23% False Positive True Positive 6% False Negative 29% 71% PDS 29

  30. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order Vulnerabilities ● 159 True Positives (79%) 97% persistent XSS (database)  Missed by previous work  ● 43 False Positives (21%) PDS Root cause: Path-sensitive sanitization  E.g., store only valid email  Failures in 1 st step propagate to 2 nd step  30

  31. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Multi-Step Exploits ● 14 True Positives (93%) 2 based on file upload  12 based on SQLi  Missed by previous work  PDS ● 1 False Positives (7%) False positive SQLi  31

  32. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order LFI in OpenConf PDS $r = mysql_query("select setting, value from " . OCC_TABLE_CONFIG); while ($l = mysql_fetch_assoc($r)) { $config[$l['setting']] = $l['value']; } function printHeader($what, $function="0") { require $GLOBALS['pfx'] . $GLOBALS['config']['OC_headerFile']; } 32

  33. 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion Second-Order LFI in OpenConf PDS $r = mysql_query("select setting, value from " . OCC_TABLE_CONFIG); while ($l = mysql_fetch_assoc($r)) { $config[$l['setting']] = $l['value']; } function printHeader($what, $function="0") { require $GLOBALS['pfx'] . $GLOBALS['config']['OC_headerFile']; } 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android Applications Daniele Gallingani, Rigel Gjomemo , V.N. Venkatakrishnan, Stefano Zanero Android Message Passing Mechanism Android apps are composed of

566 views • 23 slides
Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of

Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of

Systems and Software Verification Laboratory Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of Computer Science lucas.cordeiro@manchester.ac.uk Static Analysis Lucas Cordeiro (Formal Methods

1.9k views • 188 slides
Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android Applications Daniele Gallingani Rigel Gjomemo, V.N. Venkatakrishnan Stefano Zanero University of Illinois at Chicago University of Illinois at Chicago

419 views • 11 slides
Detection of Software Vulnerabilities: Static Analysis (Part II) Lucas Cordeiro Department of

Detection of Software Vulnerabilities: Static Analysis (Part II) Lucas Cordeiro Department of

Systems and Software Verification Laboratory Detection of Software Vulnerabilities: Static Analysis (Part II) Lucas Cordeiro Department of Computer Science lucas.cordeiro@manchester.ac.uk Static Analysis (Part II) Lucas Cordeiro (Formal

2.24k views • 169 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL

Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL

Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL Injection Vulnerabilities in Web Services Nuno Antunes, Marco Vieira PRDC 2009 nmsa@dei.uc.pt, mvieira@dei.uc.pt University of Coimbra

370 views • 24 slides
Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A

Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A

Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities Using static analysis and integer range analysis to find buffer overflows

1.33k views • 56 slides
Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code

Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code

Static Code Analysis Automatisierte Sicherheitsanalyse of Complex PHP Application Vulnerabilities von Webapplikationen Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code Analysis Automatisierte

1.48k views • 89 slides
Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of Grenoble September 2014 Static analysis for exploitable vulnerability detection 1/43 Outline 1 Context Vulnerability detection process Static

546 views • 43 slides
RIPS RIPS A static source code analyser NDS Seminar for vulnerabilities in PHP scripts A

RIPS RIPS A static source code analyser NDS Seminar for vulnerabilities in PHP scripts A

RIPS RIPS A static source code analyser NDS Seminar for vulnerabilities in PHP scripts A static source code analyser A static source code analyser for vulnerabilities in PHP scripts for vulnerabilities in PHP scripts 1 Johannes Dahse

803 views • 35 slides
Why Cant Johnny Fix Vulnerabilities: A Usability Evaluation of Static Analysis Tools for

Why Cant Johnny Fix Vulnerabilities: A Usability Evaluation of Static Analysis Tools for

Why Cant Johnny Fix Vulnerabilities: A Usability Evaluation of Static Analysis Tools for Security Justin Smith (Lafayette College) smithjus@lafayette.edu Lisa Nguyen Quang Do (Google) lisanqd@google.com Emerson Murphy-Hill (Google)

605 views • 15 slides
S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps David Sounthiraraj Justin Sahs Garret Greenwood Zhiqiang Lin Latifur Khan University of Texas at Dallas February 26, 2014

671 views • 40 slides
System Call Vulnerabilities in Linux Storage Stack Nima Mohammadi Sepand Haghighi Fall - 2016

System Call Vulnerabilities in Linux Storage Stack Nima Mohammadi Sepand Haghighi Fall - 2016

System Call Vulnerabilities in Linux Storage Stack Nima Mohammadi Sepand Haghighi Fall - 2016 Outline Introduction Static Code Analysis Static Analyzer List Kernels Static Analysis Report Conclusion 2 System

809 views • 22 slides
SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities

SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities

SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities Theofilos Petsios , Jason Zhao, Angelos D. Keromytis, and Suman Jana Columbia University ACM Conference on Computer and Communications Security (CCS)

563 views • 38 slides
Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C.

Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C.

Motivation Analysis Evaluation Summary Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C. Kruegel Secure Systems Lab Vienna University of Technology SIG SIDAR Conference on Detection of

929 views • 78 slides
How Many of All Bugs Do We Find? A Study of Static Bug Detectors Andrew Habib, Michael Pradel TU

How Many of All Bugs Do We Find? A Study of Static Bug Detectors Andrew Habib, Michael Pradel TU

How Many of All Bugs Do We Find? A Study of Static Bug Detectors Andrew Habib, Michael Pradel TU Darmstadt, Germany software-lab.org 1 Static Bug Detection Error Prone 2 Static Bug Detection Error Prone General framework Scalable

804 views • 49 slides
Welcome to Year 5 Year 5 Teachers: Class 13 Mr Woodward Class 14 Miss Alladice Class 15

Welcome to Year 5 Year 5 Teachers: Class 13 Mr Woodward Class 14 Miss Alladice Class 15

Welcome to Year 5 Year 5 Teachers: Class 13 Mr Woodward Class 14 Miss Alladice Class 15 Miss Wilson In the classroom Daily Routines Lates and Absences Uniform Daily expectations, P.E and Swimming (appropriate kit)

410 views • 12 slides
This lesson is intended to explain and extend students understanding of global warming. 1 US:

This lesson is intended to explain and extend students understanding of global warming. 1 US:

This lesson is intended to explain and extend students understanding of global warming. 1 US: Next Generation Science Standards MS-ESS3 Earth and Human Activity MS-ESS3-1 Construct a scientific explanation based on evidence for how the

729 views • 27 slides
Northern California WateReuse Chapter Meeting How Much Can an Indirect Potable Project Change?

Northern California WateReuse Chapter Meeting How Much Can an Indirect Potable Project Change?

Northern California WateReuse Chapter Meeting How Much Can an Indirect Potable Project Change? Pure Water Monterey A Groundwater Replenishment Project August 22, 2014 1 Salinas River Basin Internal Board Seawater Intrusion Goal: No Monterey

551 views • 32 slides
? ? 1 Music Rondo Form (1).notebook March 12, 2015 Twinkle, Twinkle Little Star Pull

? ? 1 Music Rondo Form (1).notebook March 12, 2015 Twinkle, Twinkle Little Star Pull

Music Rondo Form (1).notebook March 12, 2015 In Music, the way a song or musical piece is organized is called form . We often use letter names to show how the piece is organized. Let's review the form of a couple of familiar songs. Press on

420 views • 29 slides
BATHURST RESOURCES AGM presentation November 2018 AGENDA FY18 overview FY19 progress

BATHURST RESOURCES AGM presentation November 2018 AGENDA FY18 overview FY19 progress

BATHURST RESOURCES AGM presentation November 2018 AGENDA FY18 overview FY19 progress update How our business has changed Operations Strategy LMCH update FY19 forecast 2 FY18 HIGHLIGHTS A record year

628 views • 30 slides
Photogrammetry &amp; Virtual Reality Transporting Real Sites into VR Daniel Sproll @left_big_toe

Photogrammetry &amp; Virtual Reality Transporting Real Sites into VR Daniel Sproll @left_big_toe

Photogrammetry &amp; Virtual Reality Transporting Real Sites into VR Daniel Sproll @left_big_toe David Finsterwalder @DFinsterwalder Photogrammetry Photo gram metry (phots) = light (grmma) = drawing

882 views • 30 slides
Mli lisse sse A circle of spectators deputes the space for a contemporary sabbath, a

Mli lisse sse A circle of spectators deputes the space for a contemporary sabbath, a

Mli lisse sse A circle of spectators deputes the space for a contemporary sabbath, a succession of rituals signs the different phases of life: childhood, adulthood, old age. Three women evoke the liminal moment between life and its past

253 views • 3 slides
QS/EC Competencies in Europe The position of the QS/EC CEEC study October 2017 1 Part 2

QS/EC Competencies in Europe The position of the QS/EC CEEC study October 2017 1 Part 2

QS/EC Competencies in Europe The position of the QS/EC CEEC study October 2017 1 Part 2 &gt; 2 questions ! Team Building : the place of the QS/EC in the design /construction phase ? Process of design / construction phase /

443 views • 8 slides

More recommend