I presented this at the 23rd Annual Computer Security Applications Conference (ACSAC). http://www.acsac.org/2007/abstracts/194.html

1. Sania: Syntactic and SemanticAnalysis for Automated Testingagainst SQL Injection Yuji Kosuga, Keio University In cooperation with Miho Hishiyama, Yu Takahama IX Knowledge Inc. Kenji Kono, Miyuki Hanaoka Keio University

3. Issues with Sanitizing Sanitizing is a sufficient measure to prevent SQL injection attacks, but… There are recent reports of SQL injection attacks 28% of all the reported vulnerabilities [Armorize Technologies 2006] 14% of all the reported vulnerabilities [Mitre 2006] What is actually causing these results? Sanitizing program is manually written without any supporting tools Checking for maliciously crafted inputs is not done well enough to detect vulnerabilities

4. Related Approaches SQLCheck [Su and Wassermann ’06] Validate SQL queries by comparing them to a legal model Require the developer to manually insert special markers to discover user inputs in SQL queries SQLrand [Boyd and Keromytis ’04] Assure an SQL keyword injected by an attacker will not be embedded into SQL queries Assume the attackers will not discover the secret key Learning-Based Detection [Valeur et al. ’05] Employ an intrusion detection system (IDS), which is trained using a set of legal SQL queries The IDS quality depends on the quality of the training set

5. Our Approach: Sania Check for SQL injection vulnerabilities in the development and debugging phases Intercept SQL queries as well as HTTP requests By using the SQL queries Automatically generate powerful attacks Assess the security by comparing the syntax of the parse tree of the intended SQL query to those resulting after an attack Sania vs. Paros Sania can find more vulnerabilities and caused fewer false positives

6. Design of Sania Web application Innocent HTTP Request Correct SQL Packets database Attacks client 1. Finding target spots 2. Crafting attacks 3. Tree validation Sania Innocent packets 1. Finding target spots Malicious packets 2. Crafting attacks 3. Tree validation

7. Design of Sania Web application Innocent HTTP Request Correct SQL Packets database client 1. Finding target spots Sania Innocent packets 1. Finding target spots

8. Finding Target Spots Web application query-string 999 999 xxx xxx id= &name= &action=login target target safe SELECT * FROM users WHERE id= AND name= SQL query 999 ‘xxx’ Target spots are vulnerable values that appear on the leaf nodes of the parse tree

9. Design of Sania Web application Innocent HTTP Request Correct SQL Packets database client 1. Finding target spots 2. Crafting attacks Sania Innocent packets 1. Finding target spots 2. Crafting attacks

10. Crafting Attack Requests Web application query-string id=999&name=xxx&action=login target target safe int string int string SELECT * FROM users WHERE id= AND name= SQL query 999 ‘xxx’ Sania recognizes the context of the target spots by analyzing the syntax of the SQL query Non-terminal nodes of SQL parse tree can be classified 95 contexts Sania generates two types of attacks Linear attacks : one target spot at a time Combination attacks : two or more target spots at the same time

11. Linear Attacks Web application target spots attack code id=999 id=999 or 1=1-- int true SELECT * FROM users WHERE id=999or 1=1-- AND name=xxx SQL query comment out Web application target spots attack code name=xxx name=’ or ‘1’=‘1 string SELECT * FROM users WHERE id= 999 AND name=‘’ or ‘1’=‘1’ true SQL query left expr. right expr. Sania generates attack codes according to the context of the target spot

13. parentheses: yes

14. inseredSQL: or ‘1’=‘1 or “1”=“1 or 1=1-- … <rule name="stringRule"> <element name="formerStr" userInput="on"> <code value="" />
</element>
<element name="quote" value="on"/> <element name="parenthesis" value="on"/> <element name="latterStr" userInput="off"> <code value="or '1'='1" /> <code value="or "1"="1"/>
<code value="or 1=1--" /> <code value="or 1=1;--" /> </element> </rule> Attack rules rule context int defaultRule mathRule numberRule defaultRule stringRule string An attack code is dynamically generated using attack rules An attack rule defines Structure of an attack code that will be inserted into a target spot Whether or not quotes and parentheses will be used A list of attack rules are written in XML Easy to add new attack rules

16. Tree Validation SQL query SQL query user input Web application Web application SELECT * FROM… SELECT * FROM… SELECT * FROM… Parse tree generated from an innocent request Properly sanitized parse tree Improperly sanitized parse tree A properly sanitized parse tree has the same syntax An improperly sanitized parse tree has different syntax

17. Implementation 13,000 LOC in Java 21 attack rules (1,800 LOC in XML) for 95 contexts Test results are output in an HTML/XML document RSS feed is also available

18. Demo Testing the Login Page of a Web Application

19. Experiments We evaluated the effectiveness of our technique Subjects E-learning Provided by IX Knowledge Inc. It has been used in an intranet before Bookstore, Portal, Event, Classifieds, Employee Directory Free open-source applications from GotoCode We found they have been used in the real world Comparison with Paros Paros is a web application scanner, which took the 2nd place in web vulnerability scanner ranking in Insecure.Org

20. Comparison of Sania and Paros Targeting User Inputs Sania identifies inputs that appear in SQL queries Paros regards all user inputs as vulnerable Generating Attacks Sania generates its attacks based on syntax of SQL queries Paros applies attack codes to all user inputs Combination attack Sania can attack several spots at the same time Paros can not generate combination attacks Determining Vulnerability Sania compares the syntax of SQL queries Paros compares the content of HTTP responses

21. Evaluation Sania detected more vulnerabilities and gave significantly fewer false positives with fewer trials than Paros

22. False Positives Sania caused 13 false positives Invalid Data The attack code did not meet the length requirements Sania is unaware of the database structure Need to design a way to learn the structure of the database Authentication Failed The password and confirmation fields did not match Sania does not know which user inputs must share the same data Need to include a function that tells Sania which user inputs require the same data input

23. Testing a real product We had a chance to test a production-quality web application just before being shipped Subject: RSS-Dripper Provides RSS information to users based on their previous choices Written in JSP and Java Servlet Work on Struts Results One vulnerability was detected after 33 attacks Vulnerable to a combination attack We confirmed it was truly vulnerable

24. Conclusion Sania’s Technique Used during the development or debugging phases Create powerful attacks based on the context of SQL query Detect vulnerabilities by syntax-comparison of parse trees Sania’s Effectiveness Out-performed the presently highest rated tool that tests for SQL injection attacks Next Steps Implement techniques to reduce false positives Adapt our technique to detect other injection vulnerabilities, such as XSS, XPath Injection, OS Injection attacks