Penetration Testing with Improved Input Vector Identification
Presented at IEEE International Conference on Software Testing Verification and Validation (ICST 2009), Denver, Colorado

Usage Rights

CC Attribution License
Penetration Testing with Improved Input Vector Identification Presentation Transcript

  • 1. Penetration Testing with Improved Input Vector Identification. William G.J. Halfond, Shauvik Roy Choudhary, and Alessandro Orso. College of Computing, Georgia Institute of Technology.
  • 2-6. Web Application Overview
    [Diagram, built up over five slides: End Users send HTTP Requests to the Web Application (HTML pages and Servlets) running on a Web Server and receive HTML Pages back; the Web Application in turn talks to a Database and Other Systems.]
  • 7-9. Penetration Testing Overview
    [Diagram, built up over three slides: a White Hat Tester takes the place of the end user, sends malformed input (!@#$) to the Web Application (HTML, Servlets, Database, Other Systems) and receives Secret Data in the response.]
  • 10. Penetration Testing Phases
    [Diagram: the White Hat Tester runs Information Gathering, Attack Generation, Response Analysis and Report against the Web Application (HTML, Servlets); the labelled flows are Target Selection, Information, Attacks, Responses, Analysis and Feedback.]
  • 11-16. Example Web Application Code (the same servlet, repeated on six slides)

    public void service(HttpServletRequest req)
    1.  String action = req.getParameter("userAction")
    2.  if (action.equals("createLogin"))
    3.    String password = req.getParameter("password")
    4.    String loginName = req.getParameter("login")
    5.    if (isInteger(password))
    6.      db.execute("insert into UserTable "
                + "(login, password) values ("
                + loginName + ", " + password + ")")
    7.      displayAddressForm()
    8.    else
    9.      displayErrorPage("Bad password.")
    10. else if (action.equals("provideAddress"))
    11.   String loginName = req.getParameter("login")
    12.   String address = req.getParameter("address")
    13.   db.execute("update UserTable set"
                + " address ='" + address + "'"
                + " where loginName=" + loginName)
    14. else
    15.   displayCreateLoginForm()

    (Slide line numbers are kept because later slides refer to them. Both queries are built by string concatenation of request parameters, which is the SQL injection risk the rest of the talk tests for.)
  • 17-18. Our Approach
    Goal: Improve penetration testing by improving information gathering and response analysis.
    Improvements to penetration testing:
    1. Information gathering → Static interface analysis
    2. Attack Generation → Generate realistic test-inputs
    3. Response Analysis → Produce observable side effect of attack
  • 19-23. 1) Information Gathering: Interface Analysis [FSE 2007]
    [Diagram: Web Application (HTML, Servlets) → Identify IP Names → Compute IP Domains → Group IPs → Interfaces]
    Phase 1: Identify Input Parameter (IP) names
    Phase 2: Compute IP domain information
    Phase 3: Group IPs into distinct interfaces
  • 24-26. 1) Interface Analysis: Identify IP Names
    Over the example servlet (slides 11-16), the analysis finds the parameter names passed to req.getParameter(): userAction (line 1), password (line 3), login (line 4), login (line 11) and address (line 12).
  • 27-34. 1) Interface Analysis: Compute IP Domains
    For each parameter the analysis derives a domain (and, where the code compares it against literals, its relevant values):
    - userAction: String, relevant values {"createLogin", "provideAddress"} (from the equals() checks at lines 2 and 10)
    - password: String, refined to Integer by the isInteger(password) check at line 5
    - login: String (both uses, lines 4 and 11)
    - address: String
  • 35-44. 1) Interface Analysis: Group IPs
    [Diagram, built up over ten slides: the servlet's lines 1-15 drawn as a control-flow tree (line 1, then the branches at lines 2, 10 and 14 with lines 3-9, 11-13 and 15 beneath them). The parameters accessed along each path through the tree, with the domains computed above, are grouped into one interface.]
  • 45. 1) Information Gathering: Summary

    Interface | Parameter  | Domain  | Relevant Values
    1         | userAction | String  | "createLogin", "provideAddress"
    1         | login      | String  |
    1         | password   | Integer |
    2         | userAction | String  | "createLogin", "provideAddress"
    2         | login      | String  |
    2         | address    | String  |
    3         | userAction | String  | "createLogin", "provideAddress"
  • 46-50. 2) Attack Generation
    [Diagram, built up over five slides: the White Hat Tester selects an interface (parameters userAction, login, password) and targets one parameter:
      userAction = ?, login = <attack string>, password = ?
    The IP domain information from the interface analysis fills in the remaining parameters so the request actually reaches the code that uses the targeted one:
      userAction = createLogin, login = <attack string>, password = 1234]
  • 51-52. 3) Response Analysis with WASP
    WASP:
    1. Positive tainting: identify and mark developer-trusted strings; propagate taint markings at runtime.
    2. Syntax-Aware Evaluation: check that all keywords and operators in a query were formed using marked strings.
    Response Analysis:
    1. Send attack to web application
    2. If WASP detects attack: (1) block attack, (2) send out-of-band signal
    3. Check for signal on client side
  • 53-55. 3) WASP: Identify Trusted Data
    [The example servlet code again, on three slides; in this version the createLogin query quotes the login value: "(login, password) values ('" + loginName + "', " + password + ")". The developer's hard-coded string literals that make up the queries are the trusted data that positive tainting marks.]
  • 56-60. 3) WASP: Syntax Aware Evaluation
    Legitimate Query:
      Input: login = "GJ", address = "Home"
      update userTable set address = 'Home' where login = 'GJ'
    Attempted SQL Injection:
      Input: login = "GJ' ; drop table userTable -- ", address = "Home"
      update userTable set address = 'Home' where login = 'GJ' ; drop table userTable -- '
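The two WASP steps of slides 51-60, positive tainting and syntax-aware evaluation, as an added Python example that is not the WASP implementation: the developer's string literals get a trust mark, request parameters do not, and a small tokenizer then checks that every keyword, operator, comment and string delimiter in the finished query lies entirely on trusted characters. The `KEYWORDS` set, the `TOKEN` grammar, `build_query`, `syntax_aware_check` and `check_update` are my constructions; the slide 56 query shape and the two inputs are from the talk.

```python
import re

# Small SQL keyword set, enough for the slides' queries (constructed, not exhaustive).
KEYWORDS = {"select", "insert", "update", "delete", "drop", "create", "alter",
            "table", "set", "where", "values", "into", "from", "and", "or",
            "union", "order", "by", "like", "not", "null"}

TOKEN = re.compile(r"""
    (?P<ws>\s+)                     # whitespace, skipped
  | (?P<comment>--[^\n]*)           # line comment, treated like an operator
  | (?P<string>'(?:[^']|'')*')      # string literal, '' escapes a quote
  | (?P<number>\d+)
  | (?P<word>[A-Za-z_]\w*)          # identifier or keyword
  | (?P<op>[^\s\w])                 # any other single character, incl. a stray quote
""", re.VERBOSE)


def build_query(fragments):
    """fragments: list of (text, trusted). Returns the query string plus a
    per-character trust mask: the taint marks that positive tainting propagates."""
    query = "".join(text for text, _ in fragments)
    mask = [trusted for text, trusted in fragments for _ in text]
    return query, mask


def syntax_aware_check(query, mask):
    """Return the tokens that change the query's structure (keywords, operators,
    comments, string delimiters) but were not formed entirely from trusted
    characters. An empty list means the query is allowed through."""
    violations = []
    for m in TOKEN.finditer(query):
        kind = m.lastgroup
        if kind == "ws":
            continue
        text = m.group()
        all_trusted = all(mask[m.start():m.end()])
        is_keyword = kind == "word" and text.lower() in KEYWORDS
        if (kind in ("op", "comment") or is_keyword) and not all_trusted:
            violations.append((kind, text, m.start()))
        elif kind == "string" and not (mask[m.start()] and mask[m.end() - 1]):
            # literal contents may be user data; both delimiting quotes must be trusted
            violations.append(("quote", text, m.start()))
    return violations


def check_update(login, address):
    """Build slide 56's update query the way WASP sees it: developer literals
    trusted, the two request parameters untrusted. Returns the violations."""
    query, mask = build_query([
        ("update userTable set address = '", True),
        (address, False),
        ("' where login = '", True),
        (login, False),
        ("'", True),
    ])
    return syntax_aware_check(query, mask)


if __name__ == "__main__":
    print(check_update("GJ", "Home"))                              # legitimate: []
    print(check_update("GJ' ; drop table userTable -- ", "Home"))  # slide 59: flagged
```

The legitimate input produces no violations, and an address of "drop table" is also accepted because the keywords sit inside a string literal whose quotes are the developer's. The slide 59 input is rejected on five tokens: the closing quote of 'GJ', the `;`, the keywords `drop` and `table`, and the `--` comment, all of which come from the untrusted parameter. In the real tool this verdict is what blocks the query and raises the out-of-band signal that the tester's client checks for.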
  • 61. Empirical Evaluation
    Goal: Evaluate the usefulness of our approach as compared to a traditional penetration testing approach.
    Research Questions (RQ):
    1. Runtime of analysis
    2. Thoroughness of the penetration testing
    3. Number of vulnerabilities discovered
  • 62. Implementation: Baseline Approach (SQLMap++: SQLMap integrated with the OWASP WebScarab Spider)
    - Information Gathering → OWASP WebScarab: widely used code-base, actively maintained
    - Attack Generation → SQLMap: widely used penetration testing tool, commonly used attack generation heuristics
    - Response analysis → WASP [FSE 2006]
  • 63. Implementation: Our Approach (SDAPT: Static and Dynamic Analysis-based Penetration Testing)
    - Analyzes bytecode of Java Enterprise Edition (JEE) based web applications
    - Interface analysis → WAM [FSE 2007]
    - Attack generation → leverages SQLMap
    - Response analysis → WASP [FSE 2006]
  • 64. Subject Applications

    Subject            | LOC    | Classes | Servlets
    Bookstore          | 19,402 | 28      | 27
    Checkers           | 5,415  | 59      | 32
    Classifieds        | 10,702 | 18      | 18
    Daffodil           | 18,706 | 119     | 70
    Employee Directory | 5,529  | 11      | 9
    Events             | 7,164  | 13      | 12
    Filelister         | 8,671  | 41      | 10
    Office Talk        | 4,670  | 63      | 39
    Portal             | 16,089 | 28      | 27
  • 65-67. RQ1: Runtime
    [Chart: Analysis Time (s) on a log scale from 1 to 10000, per subject (Bookstore, Checkers, Classifieds, Daffodil, Empl. Dir, Events, Filelister, Officetalk, Portal), SQLMAP++ vs SDAPT.]
    - SDAPT ranged from 8 to 40 mins
    - Positive note: testing was more thorough
  • 68. RQ2: Thoroughness
    [Two charts per subject (Bookstore, Checkers, Classifieds, Daffodil, Empl. Dir, Events, Filelister, Officetalk, Portal), SQLMAP++ vs SDAPT: Number of Input Vectors (0 to 250) and Number of Components (0 to 50).]
  • 69-71. RQ3: Number of Vulnerabilities
    [Chart: Number of Discovered Vulnerabilities (0 to 18) per subject (Bookstore, Checkers, Classifieds, Daffodil, Empl. Dir., Events, Filelister, Officetalk, Portal), SQLMAP++ vs SDAPT.]
    Average increase: 246%
  • 72. Summary of Results
    - Improvements to penetration testing: information gathering with static analysis, response analysis with dynamic detection
    - Relatively longer analysis time
    - More thorough testing and more vulnerabilities discovered during penetration testing