• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection - ACSAC 2007
 

Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection - ACSAC 2007

on

  • 2,305 views

I presented this at the 23rd Annual Computer Security Applications Conference (ACSAC).

I presented this at the 23rd Annual Computer Security Applications Conference (ACSAC).
http://www.acsac.org/2007/abstracts/194.html

Statistics

Views

Total Views
2,305
Views on SlideShare
1,938
Embed Views
367

Actions

Likes
0
Downloads
1
Comments
0

12 Embeds 367

http://blog.yujikosuga.com 226
http://posterous.com 61
http://yujikosuga.posterous.com 29
http://yujikosuga.blogspot.com 26
http://feeds.feedburner.com 6
http://www.slideshare.net 6
http://www.linkedin.com 4
http://www.slashdocs.com 3
http://flavors.me 2
https://www.linkedin.com 2
http://webcache.googleusercontent.com 1
http://draft.blogger.com 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection - ACSAC 2007 Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection - ACSAC 2007 Presentation Transcript

    • Sania: Syntactic and SemanticAnalysis for Automated Testingagainst SQL Injection
      Yuji Kosuga, Keio University
      In cooperation with
      Miho Hishiyama, Yu Takahama
      IX Knowledge Inc.
      Kenji Kono, Miyuki Hanaoka
      Keio University
    • What is an SQL Injection Attack?
      A security exploit for web applications that uses webpages with dynamic content
      An attacker can add arbitrary SQL commands
      that will be executed against the database
      query = “SELECT * FROM account WHERE name = '”
      + request.getParameter(“name”)  
        + “' AND password = '”
      + request.getParameter(“pass”) + “'”;
      ' OR 'a'= 'a
      TRUE
      SELECT * FROM account WHERE
      name = 'badguy'AND password = '' OR 'a'= 'a'
      left expr.
      right expr.
      database
      • Attackers can obtain all data in the account table
    • Preventing Attacks: Sanitizing
      ex.Escape a character that can change
      the syntax of SQL query
      ' OR 'a'= 'a
      replace( request.getParameter(“pass”), “'” , “' ”);
      SELECT * FROM account WHERE
      name = 'badguy' AND password = ’'OR 'a'='a'
      left expr.
      right expr.
      database
      Database recognizes 'OR'a'='aas ' OR 'a' = 'a
      • If a value is input that does not use single-quotes…
      555 OR 1=1
      SELECT * FROM account WHERE id=555
      Consideration of the context of the user inputs is necessary
    • Issues with Sanitizing
      Sanitizing is a sufficient measure to prevent SQL injection attacks, but…
      There are recent reports of SQL injection attacks
      28% of all the reported vulnerabilities [Armorize Technologies 2006]
      14% of all the reported vulnerabilities [Mitre 2006]
      What is actually causing these results?
      Sanitizing program is manually written without any supporting tools
      Checking for maliciously crafted inputs is not done well enough to detect vulnerabilities
    • Related Approaches
      SQLCheck [Su and Wassermann ’06]
      Validate SQL queries by comparing them to a legal model
      Require the developer to manually insert special markers to discover user inputs in SQL queries
      SQLrand [Boyd and Keromytis ’04]
      Assure an SQL keyword injected by an attacker will not be embedded into SQL queries
      Assume the attackers will not discover the secret key
      Learning-Based Detection [Valeur et al. ’05]
      Employ an intrusion detection system (IDS), which is trained using a set of legal SQL queries
      The IDS quality depends on the quality of the training set
    • Our Approach: Sania
      Check for SQL injection vulnerabilities in the development and debugging phases
      Intercept SQL queries as well as HTTP requests
      By using the SQL queries
      Automatically generate powerful attacks
      Assess the security by comparing the syntax of the parse tree
      of the intended SQL query to those resulting after an attack
      Sania vs. Paros
      Sania can find more
      vulnerabilities and caused
      fewer false positives
    • Design of Sania
      Web application
      Innocent
      HTTP Request
      Correct
      SQL Packets
      database
      Attacks
      client
      1. Finding target spots
      2. Crafting attacks
      3. Tree validation
      Sania
      Innocent packets
      1. Finding target spots
      Malicious packets
      2. Crafting attacks
      3. Tree validation
    • Design of Sania
      Web application
      Innocent
      HTTP Request
      Correct
      SQL Packets
      database
      client
      1. Finding target spots
      Sania
      Innocent packets
      1. Finding target spots
    • Finding Target Spots
      Web application
      query-string
      999
      999
      xxx
      xxx
      id= &name= &action=login
      target
      target
      safe
      SELECT * FROM users WHERE id= AND name=
      SQL query
      999
      ‘xxx’
      Target spots are vulnerable values that appear on the leaf nodes of the parse tree
    • Design of Sania
      Web application
      Innocent
      HTTP Request
      Correct
      SQL Packets
      database
      client
      1. Finding target spots
      2. Crafting attacks
      Sania
      Innocent packets
      1. Finding target spots
      2. Crafting attacks
    • Crafting Attack Requests
      Web application
      query-string
      id=999&name=xxx&action=login
      target
      target
      safe
      int
      string
      int
      string
      SELECT * FROM users WHERE id= AND name=
      SQL query
      999
      ‘xxx’
      Sania recognizes the context of the target spots by analyzing the syntax of the SQL query
      Non-terminal nodes of SQL parse tree can be classified 95 contexts
      Sania generates two types of attacks
      Linear attacks : one target spot at a time
      Combination attacks : two or more target spots at the same time
    • Linear Attacks
      Web application
      target spots
      attack code
      id=999
      id=999 or 1=1--
      int
      true
      SELECT * FROM users WHERE id=999or 1=1-- AND name=xxx
      SQL query
      comment out
      Web application
      target spots
      attack code
      name=xxx
      name=’ or ‘1’=‘1
      string
      SELECT * FROM users WHERE id= 999 AND name=‘’ or ‘1’=‘1’
      true
      SQL query
      left expr.
      right expr.
      Sania generates attack codes according to the context of the target spot
    • Generating an Attack Code
      stringRule
      • userInput:
      blank

      • quote: yes
      • parentheses: yes
      • inseredSQL:
      or ‘1’=‘1
      or “1”=“1
      or 1=1--

      <rule name="stringRule">
      <element name="formerStr" userInput="on">
      <code value="" />
      </element>
      <element name="quote" value="on"/>
      <element name="parenthesis" value="on"/>
      <element name="latterStr" userInput="off">
      <code value="or '1'='1" />
      <code value="or "1"="1"/>
      <code value="or 1=1--" />
      <code value="or 1=1;--" />
      </element>
      </rule>
      Attack rules
      rule
      context
      int
      defaultRule
      mathRule
      numberRule
      defaultRule
      stringRule
      string
      An attack code is dynamically generated using attack rules
      An attack rule defines
      Structure of an attack code that will be inserted into a target spot
      Whether or not quotes and parentheses will be used
      A list of attack rules are written in XML
      Easy to add new attack rules
    • Combination Attacks
      Web application
      query-string
      syntax ofANDstatement
      name=xxx&pass=zzz
      target
      target
      WHEREname=‘xxx’AND password=‘zzz’
      left expr.
      right expr.
      innocent session
      query-string
      syntax ofORstatement
      name=&pass=OR 1=1--
      WHEREname=‘’ AND password=’OR 1=1--’
      left expr.
      right expr.
      attack session
      • The first target spot →
      • The second target spot → OR 1=1--
    • Design of Sania
      Web application
      Innocent
      HTTP Request
      Correct
      SQL Packets
      database
      Attacks
      client
      1. Finding target spots
      2. Crafting attacks
      3. Tree validation
      Sania
      Innocent packets
      1. Finding target spots
      2. Crafting attacks
      Malicious packets
      3. Tree validation
    • Tree Validation
      SQL query
      SQL query
      user input
      Web application
      Web application
      SELECT * FROM…
      SELECT * FROM…
      SELECT * FROM…
      Parse tree generated
      from an innocent request
      Properly sanitized
      parse tree
      Improperly sanitized
      parse tree
      A properly sanitized parse tree has the same syntax
      An improperly sanitized parse tree has different syntax
    • Implementation
      13,000 LOC in Java
      21 attack rules (1,800 LOC in XML) for 95 contexts
      Test results are output in an HTML/XML document
      RSS feed is also available
    • Demo
      Testing the Login Page of a Web Application
    • Experiments
      We evaluated the effectiveness of our technique
      Subjects
      E-learning
      Provided by IX Knowledge Inc.
      It has been used in an intranet before
      Bookstore, Portal, Event, Classifieds, Employee Directory
      Free open-source applications from GotoCode
      We found they have been used in the real world
      Comparison with Paros
      Paros is a web application scanner, which took the 2nd place
      in web vulnerability scanner ranking in Insecure.Org
    • Comparison of Sania and Paros
      Targeting User Inputs
      Sania identifies inputs that appear in SQL queries
      Paros regards all user inputs as vulnerable
      Generating Attacks
      Sania generates its attacks based on syntax of SQL queries
      Paros applies attack codes to all user inputs
      Combination attack
      Sania can attack several spots at the same time
      Paros can not generate combination attacks
      Determining Vulnerability
      Sania compares the syntax of SQL queries
      Paros compares the content of HTTP responses
    • Evaluation
      Sania detected more vulnerabilities and gave significantly fewer false positives with fewer trials than Paros
    • False Positives
      Sania caused 13 false positives
      Invalid Data
      The attack code did not meet the length requirements
      Sania is unaware of the database structure
      Need to design a way to learn the structure of the database
      Authentication Failed
      The password and confirmation fields did not match
      Sania does not know which user inputs must share the same data
      Need to include a function that tells Sania which user inputs require the same data input
    • Testing a real product
      We had a chance to test a production-quality web application just before being shipped
      Subject: RSS-Dripper
      Provides RSS information to users based on their previous choices
      Written in JSP and Java Servlet
      Work on Struts
      Results
      One vulnerability was detected after 33 attacks
      Vulnerable to a combination attack
      We confirmed it was truly vulnerable
    • Conclusion
      Sania’s Technique
      Used during the development or debugging phases
      Create powerful attacks based on the context of SQL query
      Detect vulnerabilities by syntax-comparison of parse trees
      Sania’s Effectiveness
      Out-performed the presently highest rated tool that tests for SQL injection attacks
      Next Steps
      Implement techniques to reduce false positives
      Adapt our technique to detect other injection vulnerabilities, such as XSS, XPath Injection, OS Injection attacks