Using Web Security Scanners to Detect Vulnerabilities in Web Services - PowerPoint PPT Presentation

Slide 1

CISUC Department of Informatics Engineering University of Coimbra

DSN 2009

Using Web Security Scanners to Detect Vulnerabilities in Web Services

Marco Vieira, Nuno Antunes, Henrique Madeira {mvieira, nmsa, henrique}@dei.uc.pt

Slide 2

Outline

 Contextualization
 Research Goals
 Methodology
 Results
 Conclusions and Future Work

Nuno Antunes DSN 2009, June 29 - July 2, Estoril, Portugal

Slide 3

Contextualization

 Web services are increasingly becoming a strategic component in a wide range of organizations
 Web services are so exposed that any existing vulnerability will most probably be uncovered/exploited
 Both providers and consumers need to assess services’ security

Slide 4

Web Services

Slide 5

Web Services Security

 Security threats
   Hackers are moving their focus to applications’ code
   Traditional security mechanisms (Firewall, IDS, encryption) cannot mitigate these attacks
   Vulnerabilities like SQL Injection and XPath Injection are particularly relevant
 Developers must
   Apply best coding practices
   Security testing!

Slide 6

Vulnerability Examples

public String auth(String login, String pass) throws SQLException {
    // Vulnerable: the caller-supplied values are concatenated into the SQL text
    String sql = "SELECT * FROM users WHERE " +
                 "username='" + login + "' AND " +
                 "password='" + pass + "'";
    ResultSet rs = statement.executeQuery(sql);
    (…)
}

public void delete(String str) throws SQLException {
    // Vulnerable: same concatenation pattern
    String sql = "DELETE FROM table " + "WHERE id='" + str + "'";
    statement.executeUpdate(sql);
}

Injected login value:  ' OR 1=1 --
Resulting query:
"SELECT * FROM users WHERE username='' OR 1=1 -- ' AND password=''";

Injected id value:  ' OR ''='
Resulting query:
"DELETE FROM table WHERE id='' OR '' = ''";
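A hardened counterpart of the two methods above, added here as an example (it is not code from the slides or from the authors; the class name SafeUserDao, the injected Connection and the boolean result of auth() are assumptions):

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Hardened versions of the slide's auth() and delete() (added example, not the
// authors' code). The SQL text is fixed and the user-supplied values are bound
// as parameters, so an input such as  ' OR 1=1 --  is compared as a literal
// username and matches no row instead of rewriting the WHERE clause.
public class SafeUserDao {
    private final Connection conn;   // assumed to be supplied by the caller

    public SafeUserDao(Connection conn) {
        this.conn = conn;
    }

    // Returns true only when a row with exactly this username/password exists.
    // (Credential handling is kept as on the slide; a real service would store
    // and compare password hashes rather than plaintext.)
    public boolean auth(String login, String pass) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE username = ? AND password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, login);   // bound as a value, never concatenated
            ps.setString(2, pass);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // Deletes only rows whose id equals str and returns the affected row count,
    // which is 0 for an injected value like  ' OR ''='  unless some row's id is
    // literally that string. ("table" is kept from the slide; it is a reserved
    // word in most databases, hence the quoting.)
    public int delete(String str) throws SQLException {
        String sql = "DELETE FROM \"table\" WHERE id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, str);
            return ps.executeUpdate();
        }
    }
}
```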

Slide 7

Software Testing techniques

 White-box testing:
   The analysis of the application’s code
 Black-box testing:
   The analysis of the application’s execution searching for vulnerabilities
   Known as penetration testing
 Gray-box testing:
   Approaches that combine black box and white box

Slide 8

Web Security Scanners

 Easy and widely-used way to test applications searching for vulnerabilities
 Use fuzzing techniques to attack applications
 Perform thousands of tests in an automated way
 What is the effectiveness of these tools?
 Can programmers rely on these tools?

Slide 9

Research Goals

 Study the effectiveness of the scanners
 Identify common types of vulnerabilities
 In the context of web service environments

Slide 10

Methodology

 Apply leading commercial scanners in public web services
   300 Web Services tested
   Randomly selected
   4 Scanners used (including two different versions of a brand)

Slide 11

Experimental Study

 Preparation
   Select services and scanners
 Execution
   Test the services using the scanners
 Verification
   Identify false positives
 Analysis
   Analysis and systematization of results

Slide 12

Scanners

Slide 13

Vulnerabilities Found

 SQL injection
 XPath Injection
 Code Execution
 Possible Parameter Based Buffer Overflow
 Possible Username or Password Disclosure
 Possible Server Path Disclosure

Slide 14

Overall results analysis

Vulnerability Types                        VS1.1           VS1.2           VS2             VS3
                                           # Vuln.  # WS   # Vuln.  # WS   # Vuln.  # WS   # Vuln.  # WS
SQL Injection                              217      38     225      38     25       5      35       11
XPath Injection                            10       1      10       1      -        -      -        -
Code Execution                             1        1      1        1      -        -      -        -
Possible Parameter Based Buffer Overflow   -        -      -        -      -        -      4        3
Possible Username or Password Disclosure   -        -      -        -      -        -      47       3
Possible Server Path Disclosure            -        -      -        -      -        -      17       5
Total                                      228      40     236      40     25       5      103      22

Slide 15

SQL Injection

[Venn diagram: 225 SQL Injection vulnerabilities reported by VS1.2]

Slide 16

SQL Injection

[Venn diagram of the SQL Injection vulnerabilities reported by VS1.1 and VS1.2: 198 reported by both, 19 only by VS1.1, 27 only by VS1.2]

Slide 17

SQL Injection

[Venn diagram adding VS3: 26 reported by all three scanners, 172 by VS1.1 and VS1.2 only, 3 by VS1.2 and VS3 only, 19 only by VS1.1, 24 only by VS1.2, 6 only by VS3]

Slide 18

SQL Injection

[Venn diagram of the SQL Injection vulnerabilities reported by VS1.1, VS1.2, VS2 and VS3]

Slide 19

SQL Injection

[Venn diagram of the SQL Injection vulnerabilities reported by VS1.1, VS1.2, VS2 and VS3, repeated from the previous slide]

?

Slide 20

False Positives examination

 False positive when
   the error/answer obtained is related to an application robustness problem
   the same problem occurs when the service is executed with valid inputs
 Confirmed vulnerabilities when
   it is possible to observe that a SQL command was invalidated by the “injected” values
   the “injected” values lead to exceptions raised by the database server
   it is possible to access unauthorized resources
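The examination rules above (and the comparison with valid requests listed later under "Innovations introduced") written out as a triage routine; this is an added example, not the authors' tool: the class, the Verdict names, the two regular expressions, the unauthorizedAccess flag and the sample responses are all assumptions constructed for illustration.

```java
import java.util.regex.Pattern;

// Added example of the slide's false-positive examination rules; the class,
// the Verdict names and the two patterns are assumptions, not the authors' tool.
public final class FindingTriage {
    public enum Verdict { FALSE_POSITIVE, DOUBTFUL, CONFIRMED }
    // Minimal view of one web service response: HTTP status and body text.
    public static final class Response {
        final int status; final String body;
        Response(int status, String body) { this.status = status; this.body = body; }
    }
    // Constructed markers that the injected values reached the database server
    // (command invalidated or DB exception): rule "confirmed".
    private static final Pattern DB_ERROR = Pattern.compile(
        "(?i)(syntax error|unclosed quotation|SQLSyntaxErrorException|ORA-\\d{5})");
    // Constructed markers of an application robustness problem unrelated to SQL:
    // rule "false positive".
    private static final Pattern ROBUSTNESS = Pattern.compile(
        "(?i)(NullPointerException|NumberFormatException|IndexOutOfBounds)");

    // attack: response to the scanner's injected request; valid: response to the
    // same operation with valid inputs; unauthorizedAccess: outcome of the manual
    // check that the injected request reached resources it should not have.
    public static Verdict triage(Response attack, Response valid, boolean unauthorizedAccess) {
        // Same failure with valid inputs: the problem is not caused by the injection.
        if (attack.status >= 500 && attack.status == valid.status
                && firstLine(attack.body).equals(firstLine(valid.body))) {
            return Verdict.FALSE_POSITIVE;
        }
        if (unauthorizedAccess) return Verdict.CONFIRMED;
        if (DB_ERROR.matcher(attack.body).find()) return Verdict.CONFIRMED;
        if (ROBUSTNESS.matcher(attack.body).find()) return Verdict.FALSE_POSITIVE;
        return Verdict.DOUBTFUL;   // flagged by the scanner, but no evidence either way
    }

    private static String firstLine(String s) {
        int nl = s.indexOf('\n');
        return (nl < 0 ? s : s.substring(0, nl)).trim();
    }

    public static void main(String[] args) {
        // Constructed sample responses, not captured from any real service.
        Response dbError = new Response(500, "SQLSyntaxErrorException: unclosed quotation mark after ''");
        Response npe = new Response(500, "NullPointerException at UserService.auth");
        Response ok = new Response(200, "<login>ok</login>");
        System.out.println("DB error on attack, 200 on valid input: " + triage(dbError, ok, false));
        System.out.println("NPE on attack, 200 on valid input:      " + triage(npe, ok, false));
        System.out.println("NPE on both attack and valid input:     " + triage(npe, npe, false));
    }
}
```

The first case is confirmed because the database itself rejected the injected command, the second is a robustness defect of the application, and the third fails identically with valid input, which is exactly the "doubtful or false" mass the results slides quantify.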

Slide 21

False Positives results

[Bar chart of the SQL Injection reports per scanner split into Confirmed Vulnerabilities, Doubtful and False Positives; values read from the chart, percentages as annotated on it]

Scanner   Confirmed   Doubtful      False Positives   Reported (slide 14)
VS1.1     116         14 (6,5%)     87 (40%)          217
VS1.2     116         26 (11,6%)    83 (37%)          225
VS2       17          8 (32%)       0                 25
VS3       21          5 (14%)       9 (25,7%)         35

Slide 22

SQL Injection without False Positives

[Venn diagram: 142 SQL Injection vulnerabilities reported by VS1.2 after removing false positives]

Slide 23

SQL Injection without False Positives

[Venn diagram, without false positives, for VS1.1 and VS1.2: 127 reported by both, 3 only by VS1.1, 15 only by VS1.2]

Slide 24

SQL Injection without False Positives

[Venn diagram, without false positives, adding VS3: 24 reported by all three scanners, 103 by VS1.1 and VS1.2 only, 3 only by VS1.1, 15 only by VS1.2, 2 only by VS3]

Slide 25

SQL Injection without False Positives

[Venn diagram, without false positives, of the SQL Injection vulnerabilities reported by VS1.1, VS1.2, VS2 and VS3]

Slide 26

SQL Injection without False Positives

[Venn diagram, without false positives, of the SQL Injection vulnerabilities reported by VS1.1, VS1.2, VS2 and VS3, repeated from the previous slide]

?

Slide 27

Coverage analysis

Scanner   # SQL Injection Vulnerabilities   Coverage %
VS1.1     130                               87.2%
VS1.2     142                               95.3%
VS2       25                                16.8%
VS3       26                                17.4%
Total     149                               100%

 Real number of vulnerabilities unavailable

 It is possible to make a comparative analysis

 Overestimated Coverage values!!

Slide 28

Common Vulnerabilities

[Pie chart of the vulnerability types found: SQL Injection (149), Possible Server Path Disclosure (16), XPath Injection (10), Code Execution (1), Possible Parameter Based Buffer Overflow (1)]

Slide 29

Conclusions

 A large number of vulnerabilities was observed
 SQL Injection vulnerabilities are prevalent
 Selecting a scanner for web services is a very difficult task
   Different scanners detect different types of vulnerabilities
   High false positives rates
   Low coverage rates
 Can we do better?

Slide 30

Preliminary work

 Develop a new approach for vulnerabilities detection
   Detect SQL Injection and XPath Injection vulnerabilities effectively
   Generate workload and attackload
   Analyze responses
   Analyze vulnerabilities to avoid False positives

Slide 31

Preliminary Work Results

[Bar chart comparing False Positives, Doubtful and Confirmed vulnerabilities per scanner for VS1.1, VS1.2, VS2, VS3 and the new approach, VS.WS]

Slide 32

Innovations introduced

 Generation of a more complete workload:
   A better knowledge of the service’s behavior
 A complete attackload:
   All attacks used by scanners and others presented in the bibliography
 Better analysis of the service’s responses:
   Compare with valid requests
   Robustness testing applied

Slide 33

Questions?
