  1. Penetration Testing with Improved Input Vector Identification
     William G.J. Halfond, Shauvik Roy Choudhary, and Alessandro Orso
     College of Computing, Georgia Institute of Technology
  2. Web Application Overview (slides 2–6, diagram built up step by step): End Users send HTTP Requests to the Web Application (HTML pages and Servlets) on a Web Server; the application queries a Database and Other Systems and returns HTML Pages.
  7. Penetration Testing Overview (slides 7–9, diagram): a White Hat Tester takes the place of the end user, sends malformed input ("!@#$") to the Web Application (HTML, Servlets), and checks whether Secret Data from the Database comes back in the response.
  10. Penetration Testing Phases (diagram): Target Selection → Information Gathering → Attack Generation → Response Analysis → Report. Information flows from gathering into attack generation, the attacks go to the Web Application, the responses come back for analysis, and the analysis feeds back into information gathering.
  11. Example Web Application Code (slides 11–16 repeat this listing; the numbered lines are the slide's own and are referred to by the interface-analysis slides below):

```java
public void service(HttpServletRequest req) {
    /* 1 */  String action = req.getParameter("userAction");
    /* 2 */  if (action.equals("createLogin")) {
    /* 3 */      String password = req.getParameter("password");
    /* 4 */      String loginName = req.getParameter("login");
    /* 5 */      if (isInteger(password)) {
                     // Request data is concatenated straight into the SQL statement;
                     // loginName is never validated, so this statement is injectable.
    /* 6 */          db.execute("insert into UserTable "
                                + "(login, password) values ("
                                + loginName + ", " + password + ")");
    /* 7 */          displayAddressForm();
    /* 8 */      } else {
    /* 9 */          displayErrorPage("Bad password.");
                 }
    /* 10 */ } else if (action.equals("provideAddress")) {
    /* 11 */     String loginName = req.getParameter("login");
    /* 12 */     String address = req.getParameter("address");
                 // Same pattern: address and loginName flow unchecked into the query.
    /* 13 */     db.execute("update UserTable set"
                            + " address ='" + address + "'"
                            + " where loginName=" + loginName);
    /* 14 */ } else {
    /* 15 */     displayCreateLoginForm();
             }
}
```

  17. Our Approach (slides 17–18)
      Goal: improve penetration testing by improving information gathering and response analysis.
      Improvements to penetration testing:
      1. Information gathering → static interface analysis
      2. Attack generation → generate realistic test inputs
      3. Response analysis → produce an observable side effect of the attack
  19. 1) Information Gathering: Interface Analysis [FSE 2007] (slides 19–23, diagram: Web Application (HTML, Servlets) → Identify IP Names → Compute IP Domains → Group IPs → Interfaces)
      Phase 1: Identify Input Parameter (IP) names
      Phase 2: Compute IP domain information
      Phase 3: Group IPs into distinct interfaces
  24. 1) Interface Analysis: Identify IP Names (slides 24–26, over the example code): each getParameter call names an IP; in order of appearance they are userAction (line 1), password (line 3), login (line 4), login (line 11) and address (line 12).
  27. 1) Interface Analysis: Compute IP Domains (slides 27–34, over the example code): userAction : String {"createLogin", "provideAddress"} (the values it is compared against on lines 2 and 10); password : String, and password : Integer on the path where the isInteger check on line 5 succeeds; login : String (lines 4 and 11); address : String (line 12).
  35. 1) Interface Analysis: Group IPs (slides 35–44, diagram: control-flow graph of the example code with nodes labelled by line number; the IPs and domains from the previous phase are attached to the nodes that read them and grouped along the paths through the graph into distinct interfaces).
  45. 1) Information Gathering: Summary (table, cut off in the transcript)
      Interface | Parameter  | Domain | Relevant Values
      1         | userAction | String | "createLogin", "provid...
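To make the three phases concrete, here is an added example that is not the authors' tool (which analyzes JEE bytecode over a control-flow graph): a simplified interface analysis in Python that runs over a constructed copy of the slide's servlet source, using regular expressions and a brace stack in place of bytecode analysis. The patterns, the `analyze` function and the rule that every branch-free block ends one path (and so one interface) are this example's own simplifications.

```python
"""Simplified static interface analysis: identify IP names, compute IP
domains, group IPs into interfaces (added example, not the authors' tool)."""
import re

# Constructed copy of the slide's example servlet, with braces added so the
# branch structure is explicit in the source text.
EXAMPLE_SERVLET = '''
public void service(HttpServletRequest req) {
    String action = req.getParameter("userAction");
    if (action.equals("createLogin")) {
        String password = req.getParameter("password");
        String loginName = req.getParameter("login");
        if (isInteger(password)) {
            db.execute("insert into UserTable " + "(login, password) values ("
                       + loginName + ", " + password + ")");
            displayAddressForm();
        } else {
            displayErrorPage("Bad password.");
        }
    } else if (action.equals("provideAddress")) {
        String loginName = req.getParameter("login");
        String address = req.getParameter("address");
        db.execute("update UserTable set" + " address ='" + address + "'"
                   + " where loginName=" + loginName);
    } else {
        displayCreateLoginForm();
    }
}
'''

GET_PARAM = re.compile(r'String\s+(\w+)\s*=\s*req\.getParameter\("(\w+)"\)')
IF_OPEN = re.compile(r'\bif\s*\((.*)\)\s*\{\s*$')
EQUALS = re.compile(r'(\w+)\.equals\("([^"]*)"\)')
IS_INT = re.compile(r'isInteger\((\w+)\)')


def analyze(source):
    var_to_ip = {}      # local variable name -> input parameter (IP) name
    sites = []          # phase 1: (IP name, source line) per getParameter call
    domains = {}        # phase 2: IP name -> {"types": set, "values": set}
    interfaces = set()  # phase 3: frozenset of IP names per leaf path
    stack = []          # one frame per open block: IPs visible on that path

    def open_block(condition):
        # A new block inherits every IP already read on the enclosing path.
        if stack:
            stack[-1]["branched"] = True
        inherited = set(stack[-1]["ips"]) if stack else set()
        stack.append({"ips": inherited, "branched": False})
        # Comparisons in the guard refine the domain of the IP they test.
        for var, literal in EQUALS.findall(condition):
            if var in var_to_ip:
                domains[var_to_ip[var]]["values"].add(literal)
        for var in IS_INT.findall(condition):
            if var in var_to_ip:
                domains[var_to_ip[var]]["types"].add("Integer")

    def close_block():
        frame = stack.pop()
        # A block with no nested branches ends one path through the servlet:
        # the IPs visible there form one interface.
        if not frame["branched"] and frame["ips"]:
            interfaces.add(frozenset(frame["ips"]))

    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        found = GET_PARAM.search(line)
        if found:
            var, ip = found.groups()
            var_to_ip[var] = ip
            sites.append((ip, lineno))
            domains.setdefault(ip, {"types": {"String"}, "values": set()})
            if not stack:
                open_block("")
            stack[-1]["ips"].add(ip)
            continue
        if line.startswith("}"):
            close_block()   # '}', '} else {' and '} else if (...) {' all close a block
        if line.endswith("{"):
            guard = IF_OPEN.search(line)
            open_block(guard.group(1) if guard else "")

    return {
        "sites": sites,
        "domains": domains,
        "interfaces": sorted(tuple(sorted(s)) for s in interfaces),
    }


if __name__ == "__main__":
    result = analyze(EXAMPLE_SERVLET)
    print("IP names:", [ip for ip, _ in result["sites"]])
    for ip, dom in sorted(result["domains"].items()):
        print(f"{ip}: {sorted(dom['types'])} {sorted(dom['values'])}")
    print("interfaces:", result["interfaces"])
```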
  46. 2) Attack Generation (slides 46–50, diagram: the White Hat Tester targets one interface, {userAction, login, password}, and fills it in as)
      userAction = ?
      login = <attack string>
      password = ?
      IP Do... (cut off in the transcript)
  51. 3) Response Analysis with WASP
      Response Analysis:
      1. Send attack to web application
      2. If WASP detects attack
         1. Block ...
  52. 3) Response Analysis with WASP
      WASP:
      1. Positive tainting: identify and mark developer-trusted strings. Propagate taint mar...
  56. 3) WASP: Syntax Aware Evaluation (slides 56–60)
      Legitimate Query:
        Input: login = "GJ", address = "Home"
        update userTable set address = 'Home' where login = 'GJ'
      Attempted SQL Injection:
        Input: l... (cut off in the transcript)
        update userTable set address = 'Home' where login = 'GJ' ; drop table userTable -- '
      update userTable set address = 'Hom... (cut off in the transcript)
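As an added example of the syntax-aware check (not WASP's own implementation), the following Python models positive tainting with one trust flag per character, rebuilds the slide's update query the way line 13 of the example servlet concatenates it, tokenizes the result, and reports every token outside a string or numeric literal that contains untrusted characters. The `Tainted` class, the small lexer and the policy that only literals may carry untrusted data are this example's own simplifications; the address "Drop Street; --" is a constructed input showing that a keyword inside a literal is not flagged.

```python
"""Positive tainting plus syntax-aware evaluation of a concatenated SQL
query (added example modelled on the WASP slides, not WASP's code)."""
import re


class Tainted:
    """A string with one trust flag per character (True = developer-trusted)."""

    def __init__(self, text, trust):
        self.text = text
        self.trust = tuple(trust)

    def __add__(self, other):
        # Concatenation propagates the taint marks character by character.
        return Tainted(self.text + other.text, self.trust + other.trust)


def trusted(s):
    """Positive tainting: hard-coded developer strings are marked trusted."""
    return Tainted(s, [True] * len(s))


def untrusted(s):
    """Anything arriving from the HTTP request carries no trust mark."""
    return Tainted(s, [False] * len(s))


def build_update(login, address):
    """Mirror of the slide's line-13 concatenation: only the literals are trusted."""
    return (trusted("update userTable set address = '") + untrusted(address)
            + trusted("' where login = '") + untrusted(login) + trusted("'"))


# Minimal SQL lexer: just enough to tell literals from words, operators
# and comments. Every character matches exactly one alternative.
TOKEN = re.compile(r"""
      (?P<ws>\s+)
    | (?P<comment>--[^\n]*)
    | (?P<string>'(?:[^']|'')*'?)
    | (?P<number>\d+(?:\.\d+)?)
    | (?P<word>\w+)
    | (?P<op>[^\s\w'])
""", re.VERBOSE)


def tokenize(query):
    """Return (kind, text, fully_trusted) for every non-whitespace token."""
    tokens, pos = [], 0
    while pos < len(query.text):
        m = TOKEN.match(query.text, pos)
        if m.lastgroup != "ws":
            span = query.trust[m.start():m.end()]
            tokens.append((m.lastgroup, m.group(), all(span)))
        pos = m.end()
    return tokens


def check_query(query):
    """Syntax-aware evaluation: untrusted characters may only occur inside a
    string or numeric literal. Returns the offending tokens (empty = allowed).
    Note that a benign apostrophe in the input also changes the parse and is
    reported; the application's fix is escaping or parameterized queries."""
    return [text for kind, text, fully_trusted in tokenize(query)
            if kind not in ("string", "number") and not fully_trusted]


if __name__ == "__main__":
    # Constructed inputs from the slide: the legitimate update and the injection attempt.
    for login, address in [("GJ", "Home"), ("GJ' ; drop table userTable -- ", "Home")]:
        q = build_update(login, address)
        bad = check_query(q)
        print(q.text)
        print("  ->", "blocked, untrusted tokens " + repr(bad) if bad else "allowed")
```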
  61. Empirical Evaluation
      Goal: evaluate the usefulness of our approach as compared to a traditional penetration testing approac...
  62. Implementation: Baseline Approach
      • Information Gathering → OWASP WebScarab
      • Widely used code base
      • Actively maintai...
  63. Implementation: Our Approach
      • Analyzes bytecode of Java Enterprise Edition (JEE) based web applications
      • Interface anal...
  64. Subject Applications (table, cut off in the transcript)
      Subject     | LOC    | Classes | Servlets
      Bookstore   | 19,402 | 28      | 27
      Checkers    | 5,415  | 59      | 32
      Classifieds | 10,702 | ...
  65. RQ1: Runtime (slides 65–67; chart only: log-scale axis from 1 to 10000 over the subjects Bookstore, Checkers, Classifieds, Daffodil, Empl. Dir, Events, Filelister, Officetalk, Port...)
  68. RQ2: Thoroughness (chart only: axis from 0 to 250 over the subjects Bookstore, Checkers, Classifieds, Daffodil, Empl. Dir, Events, Filelister, Officetalk...)
  69. RQ3: Number of Vulnerabilities (slides 69–71; chart only: axis from 0 to 18 over the subjects Bookstore, Checkers, Classifieds, Daffodil, Empl. Dir., Events, Fil...)
  72. Summary of Results
      • Improvements to penetration testing
      • Information gathering with static analysis
      • Response analys...
Penetration Testing with Improved Input Vector Identification

Presented at IEEE International Conference on Software Testing Verification and Validation (ICST 2009), Denver, Colorado


45. 1) Information Gathering: Summary

Interface   Parameter    Domain    Relevant Values
1           userAction   String    "createLogin", "provideAddress"
            login        String
            password     Integer
2           userAction   String    "createLogin", "provideAddress"
            login        String
            address      String
3           userAction   String    "createLogin", "provideAddress"
46. 2) Attack Generation

White Hat Tester → Interface: userAction, login, password

Knowing only the parameter names, the tester can place the attack string but has to guess the rest:
  userAction = ?
  login = <attack string>
  password = ?

With the IP domain information from interface analysis, the other parameters get values that satisfy the checks on the path to the database call (action.equals("createLogin") and isInteger(password)), so the attack actually reaches the sink:
  userAction = createLogin
  login = <attack string>
  password = 1234
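The following is an added example, not code from the deck or from the SDAPT tool, showing how the interface summary drives attack generation. It encodes the three interfaces recovered from the example servlet, and for each target parameter fills the remaining parameters with values that pass the path's checks (each branch constant for userAction, a number for the Integer-domain password). The filler values, the two probe strings and the decision to skip Integer-domain parameters as injection targets are assumptions made here; the real approach leverages SQLMap's own heuristics.

```python
"""Interface-aware attack generation (added example, not SDAPT's code).

Each interface is the set of input parameters (IPs) read on one path through the
servlet, each with an inferred domain and, where the code compares it against
constants, a set of relevant values. An attack string on one parameter only reaches
the SQL sink if every other parameter on that path passes its checks, so those
parameters are filled with domain-conforming values instead of left as '?'.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional
from urllib.parse import urlencode


@dataclass(frozen=True)
class Param:
    name: str
    domain: str                           # "String" or "Integer"
    relevant: Optional[frozenset] = None  # constants the servlet compares against


@dataclass(frozen=True)
class Interface:
    params: tuple                         # tuple of Param, one per IP on the path


ACTIONS = frozenset({"createLogin", "provideAddress"})

# The three interfaces from the "Information Gathering: Summary" slide: 1 is the
# createLogin path, 2 the provideAddress path, 3 the fall-through reading only userAction.
INTERFACES = (
    Interface((Param("userAction", "String", ACTIONS),
               Param("login", "String"),
               Param("password", "Integer"))),
    Interface((Param("userAction", "String", ACTIONS),
               Param("login", "String"),
               Param("address", "String"))),
    Interface((Param("userAction", "String", ACTIONS),)),
)

# Two illustrative probes, constructed for this example (SDAPT uses SQLMap's heuristics).
ATTACK_STRINGS = ("' OR '1'='1", "'; drop table UserTable -- ")


def filler_values(p: Param) -> List[str]:
    """Values a non-attacked parameter takes so the request passes the path's checks:
    every branch constant for an enumerated parameter, a number for an Integer
    parameter (passes isInteger()), any plain string otherwise (assumed values)."""
    if p.relevant:
        return sorted(p.relevant)
    if p.domain == "Integer":
        return ["1234"]
    return ["GJ"]


def generate_attacks(iface: Interface,
                     attacks=ATTACK_STRINGS) -> List[Dict[str, str]]:
    """One request per (target parameter, filler combination, attack string).

    Assumption: an Integer-domain parameter is not a useful injection target, since
    isInteger() rejects any non-numeric payload before the sink, so it is skipped.
    Enumerated String parameters are still probed: an unexpected userAction simply
    takes the default branch, and seeing that response is part of the test."""
    requests = []
    for target in iface.params:
        if target.domain == "Integer":
            continue
        others = [p for p in iface.params if p.name != target.name]
        for combo in product(*(filler_values(p) for p in others)):
            for atk in attacks:
                req = {p.name: v for p, v in zip(others, combo)}
                req[target.name] = atk
                requests.append(req)
    return requests


def to_query_string(req: Dict[str, str]) -> str:
    """Encode one generated request as the query string / form body the tester sends."""
    return urlencode(req)


if __name__ == "__main__":
    for i, iface in enumerate(INTERFACES, 1):
        for req in generate_attacks(iface):
            print(f"interface {i}: {to_query_string(req)}")
```

For interface 1 this yields six requests; the four that target login all carry password=1234 and one of the two userAction constants, which is exactly the combination the slide arrives at by hand.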
51. 3) Response Analysis with WASP

WASP:
1. Positive tainting: identify and mark developer-trusted strings; propagate taint markings at runtime
2. Syntax-aware evaluation: check that all keywords and operators in a query were formed using marked strings

Response Analysis:
1. Send attack to web application
2. If WASP detects attack:
   1. Block attack
   2. Send out-of-band signal
3. Check for signal on client side
53. 3) WASP: Identify Trusted Data

public void service(HttpServletRequest req)
 1.  String action = req.getParameter("userAction")
 2.  if (action.equals("createLogin"))
 3.    String password = req.getParameter("password")
 4.    String loginName = req.getParameter("login")
 5.    if (isInteger(password))
 6.      db.execute("insert into UserTable " + "(login, password) values ('" + loginName + "', " + password + ")")
 7.      displayAddressForm()
 8.    else
 9.      displayErrorPage("Bad password.")
10.  else if (action.equals("provideAddress"))
11.    String loginName = req.getParameter("login")
12.    String address = req.getParameter("address")
13.    db.execute("update UserTable set" + " address ='" + address + "'" + " where loginName=" + loginName)
14.  else
15.    displayCreateLoginForm()

The developer-written string literals in the queries on lines 6 and 13 are the trusted data WASP marks; the values returned by req.getParameter() on lines 1, 3, 4, 11 and 12 are not.
56. 3) WASP: Syntax Aware Evaluation

Legitimate Query:
  Input: login = "GJ", address = "Home"
  update userTable set address = 'Home' where login = 'GJ'

Attempted SQL Injection:
  Input: login = "GJ' ; drop table userTable -- ", address = "Home"
  update userTable set address = 'Home' where login = 'GJ' ; drop table userTable -- '

In the legitimate query every keyword and operator comes from the marked literals; in the injected query the tokens `;`, `drop`, `table` and `--` are built from the unmarked login value, so the syntax-aware check flags the query.
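The following is an added example, written for this page in the style of WASP's positive tainting and syntax-aware evaluation; it is not WASP's implementation. Trust is tracked per character through string concatenation, the finished query is tokenised, and every keyword, operator or comment marker must consist only of trusted characters. The keyword set, the tokenizer, the `build_update` helper (which mirrors the servlet's line-13 query with the column named `login` as on the slides) and the `execute_guarded` hook that blocks and signals are all assumptions of this example.

```python
"""Positive tainting and syntax-aware evaluation (added example, not WASP's code).

Every character of a query carries a trust flag: True if it originates from a
developer-written string literal, False if it comes from request data. Before
execution the query is tokenised and each SQL keyword, operator or comment marker
must be built entirely from trusted characters; anything else is an injection
attempt, which is blocked and reported out of band to the tester's client.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class TString:
    """A string with a per-character trust mark."""
    chars: Tuple[Tuple[str, bool], ...]

    @classmethod
    def trusted(cls, s: str) -> "TString":
        return cls(tuple((c, True) for c in s))

    @classmethod
    def untrusted(cls, s: str) -> "TString":
        return cls(tuple((c, False) for c in s))

    def __add__(self, other: "TString") -> "TString":
        return TString(self.chars + other.chars)   # marks survive concatenation

    def text(self) -> str:
        return "".join(c for c, _ in self.chars)


# Small keyword set for the example; a real checker would use the dialect's full list.
KEYWORDS = {"select", "insert", "update", "delete", "drop", "table", "set",
            "where", "values", "into", "from", "and", "or", "union"}

TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*(?:'|\Z))   # quoted literal (an unterminated one too)
  | (?P<comment>--[^\n]*)                # line comment to end of line
  | (?P<number>\d+)
  | (?P<word>[A-Za-z_]\w*)
  | (?P<op>[=;,()<>*+\-/])
  | (?P<ws>\s+)
""", re.VERBOSE)


def build_update(login: str, address: str) -> TString:
    """The servlet's concatenated UPDATE (line 13), column named 'login' as on the
    slides: string literals are trusted, request parameters are not."""
    T, U = TString.trusted, TString.untrusted
    return (T("update userTable set address = '") + U(address)
            + T("' where login = '") + U(login) + T("'"))


def tokenize(q: TString) -> List[Tuple[str, str, Tuple[Tuple[str, bool], ...]]]:
    """Split the query into (kind, lexeme, marked chars) without losing the marks."""
    text, pos, tokens = q.text(), 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        tokens.append((m.lastgroup, m.group(), q.chars[m.start():m.end()]))
        pos = m.end()
    return tokens


def is_syntax(kind: str, lexeme: str) -> bool:
    """Keywords, operators and comment markers are syntax; literals and names are data."""
    return kind in ("op", "comment") or (kind == "word" and lexeme.lower() in KEYWORDS)


def check_query(q: TString) -> Tuple[bool, List[str]]:
    """Syntax-aware evaluation: (allowed, syntactic tokens containing untrusted chars)."""
    offending = [lexeme for kind, lexeme, marks in tokenize(q)
                 if is_syntax(kind, lexeme) and not all(t for _, t in marks)]
    return (not offending, offending)


def execute_guarded(q: TString, db_execute: Callable[[str], None],
                    signal: Callable[[List[str]], None]) -> bool:
    """Response-analysis hook from the deck: a detected attack is blocked and an
    out-of-band signal is sent instead, for the tester's client to check."""
    allowed, offending = check_query(q)
    if not allowed:
        signal(offending)
        return False
    db_execute(q.text())
    return True


if __name__ == "__main__":
    for login in ("GJ", "GJ' ; drop table userTable -- "):
        q = build_update(login, "Home")
        print(q.text(), "->", check_query(q))
```

Note that the tokenizer is applied to the fully built query, not to the individual inputs: the untrusted `'` that closes `'GJ'` is harmless on its own, and it is only the `;`, `drop`, `table` and `--` tokens that follow, none of them from a marked literal, that make the query an attack.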
61. Empirical Evaluation

Goal: evaluate the usefulness of our approach as compared to a traditional penetration testing approach.

Research Questions (RQ):
1. Runtime of analysis
2. Thoroughness of the penetration testing
3. Number of vulnerabilities discovered
62. Implementation: Baseline Approach

•  Information Gathering → OWASP WebScarab
   •  Widely used code-base
   •  Actively maintained
•  Attack Generation → SQLMap
   •  Widely used penetration testing tool
   •  Commonly used attack generation heuristics
•  Response analysis → WASP [FSE 2006]

SQLMap++: SQLMap integrated with the OWASP WebScarab Spider
63. Implementation: Our Approach

•  Analyzes bytecode of Java Enterprise Edition (JEE) based web applications
•  Interface analysis → WAM [FSE 2007]
•  Attack generation → leverages SQLMap
•  Response analysis → WASP [FSE 2006]

SDAPT: Static and Dynamic Analysis-based Penetration Testing
64. Subject Applications

Subject              LOC      Classes   Servlets
Bookstore            19,402        28         27
Checkers              5,415        59         32
Classifieds          10,702        18         18
Daffodil             18,706       119         70
Employee Directory    5,529        11          9
Events                7,164        13         12
Filelister            8,671        41         10
Office Talk           4,670        63         39
Portal               16,089        28         27
65. RQ1: Runtime

[Figure: analysis time in seconds (log scale, 1 to 10,000) for SQLMAP++ and SDAPT on each subject: Bookstore, Checkers, Classifieds, Daffodil, Empl. Dir, Events, Filelister, Officetalk, Portal]

•  SDAPT ranged from 8 to 40 mins
•  Positive note: testing was more thorough
68. RQ2: Thoroughness

[Figure, two charts comparing SQLMAP++ and SDAPT per subject (Bookstore, Checkers, Classifieds, Daffodil, Empl. Dir, Events, Filelister, Officetalk, Portal): Number of Input Vectors (0 to 250) and Number of Components (0 to 50)]
69. RQ3: Number of Vulnerabilities

[Figure: Number of Discovered Vulnerabilities (0 to 18) for SQLMAP++ and SDAPT on each subject: Bookstore, Checkers, Classifieds, Daffodil, Empl. Dir., Events, Filelister, Officetalk, Portal]

Average increase: 246%
72. Summary of Results

•  Improvements to penetration testing
   •  Information gathering with static analysis
   •  Response analysis with dynamic detection
•  Relatively longer analysis time
•  More thorough, and more vulnerabilities discovered during penetration testing