Fear the EAR: Discovering and Mitigating Execution After Redirect Vulnerabilities

Adam Doupé, Assistant Professor at Arizona State University (uploader)

Adam Doupé, Bryce Boe, Christopher Kruegel, and Giovanni Vigna
University of California, Santa Barbara

CCS 2011 – 10/19/11
Motivation
• Everyone uses web applications

• Web applications are written by humans
  – They have flaws
  – Input sanitization flaws (XSS, SQLi) are most
    prevalent

• Logic flaws are harder to detect than input
  sanitization flaws
                    Doupé - 10/19/11
HTTP Redirects

GET /user/info HTTP/1.1
Host: example.com

HTTP/1.1 302 Moved
Location: http://example.com/login


GET /login HTTP/1.1
Host: example.com

Execution After Redirect: Overview
• Developer issues a redirect assuming
  execution will halt
  – Redirect used as a goto
  – From the browser’s perspective it does halt:
    the browser follows the Location header and
    never shows the body of the 302 response
• However, on the server the code after the
  redirect call continues to execute

Execution After Redirect: Example
class TopicsController < ApplicationController
  def update
    @topic = Topic.find(params[:id])
    if not current_user.is_admin?
      redirect_to("/")   # sets up the 302 response but does not stop the action
    end
    @topic.update_attributes(params[:topic])   # still runs for non-admins: the EAR
    flash[:notice] = "Topic updated!"
  end
end
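To make the slide's point concrete, here is an added example that is not code from the slides or from Rails: a stand-in for a Rails controller that reproduces the TopicsController EAR next to the one-token fix a developer writes. `redirect_to` behaves as the real one does from the action's point of view (it records a 302 and returns a truthy value, nothing halts), while `Topic`, `FakeController`, `admin?` and `params` are simplified stand-ins.

```ruby
# Added example, not code from the slides or from Rails: a stand-in for a Rails
# controller that reproduces the TopicsController EAR and its fix.
# redirect_to behaves as the real one does from the action's point of view:
# it records a 302 response and returns a truthy value; it does not halt the
# action. Topic, FakeController, admin? and params are simplified stand-ins.

class Topic
  attr_reader :title

  def initialize(title)
    @title = title
  end

  # Stand-in for ActiveRecord's update_attributes: writes the given attributes.
  def update_attributes(attrs)
    @title = attrs[:title] if attrs.key?(:title)
    true
  end
end

class FakeController
  attr_reader :status, :location, :flash

  def initialize(topic, admin, params)
    @topic, @admin, @params = topic, admin, params
    @status, @location, @flash = 200, nil, {}
  end

  # Records the redirect response and keeps executing, like Rails' redirect_to.
  def redirect_to(path)
    @status, @location = 302, path
    true
  end

  def admin?
    @admin
  end
end

# The slide's vulnerable shape: the redirect is not followed by a return.
class VulnerableTopicsController < FakeController
  def update
    redirect_to("/") unless admin?
    @topic.update_attributes(@params[:topic])   # still runs for non-admins
    @flash[:notice] = "Topic updated!"
  end
end

# The fix a developer writes in Rails: `redirect_to(...) and return`.
class FixedTopicsController < FakeController
  def update
    redirect_to("/") and return unless admin?
    @topic.update_attributes(@params[:topic])
    @flash[:notice] = "Topic updated!"
  end
end

# Runs the action as a non-admin who submits a new title, and reports both the
# HTTP response the browser sees and the server-side state left behind.
def run_as_non_admin(controller_class)
  topic = Topic.new("original")
  c = controller_class.new(topic, false, { topic: { title: "defaced" } })
  c.update
  { status: c.status, location: c.location, title: topic.title, notice: c.flash[:notice] }
end

if __FILE__ == $0
  p run_as_non_admin(VulnerableTopicsController)
  # => {:status=>302, :location=>"/", :title=>"defaced", :notice=>"Topic updated!"}
  p run_as_non_admin(FixedTopicsController)
  # => {:status=>302, :location=>"/", :title=>"original", :notice=>nil}
end
```

Both controllers answer the non-admin with an identical 302 to `/`, which is why the bug is invisible from a browser; only the server-side state differs, and that is what a tester has to inspect (or probe with a client such as curl that does not follow redirects).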

EAR History
• 17 Common Vulnerabilities and Exposures
  (CVE) entries
  – Starting in 2007
  – Difficult to find: no consistent category
• Blog post about CakePHP (2006)
  – Resulted in a bug filed and documentation
    changed
• Prior work on logic flaws
  – Found an EAR in a J2EE web application
• No one recognized it as a systemic logic flaw
  amongst web applications
EAR Security Challenge
• Goal: gauge how familiar security-minded
  participants are with EARs
• Added an EAR challenge to the 2010 iCTF
• Results
  – 34 / 72 teams accessed the page that redirected
    them and leaked information
  – 12 of the 34 discovered and exploited the
    vulnerability
• Conclusion: teams not very familiar with EARs
Types of EARs
• Benign
  – No confidentiality or integrity violated


• Vulnerable
  – Allows for the unauthorized modification of the
    application state or discloses unauthorized
    data

EAR: Information Leakage
<?php
$current_user = get_current_user();
if (!$current_user->is_admin())
{
   header("Location: /");   // queues a 302 Location header, but the script keeps running
}
echo "457-55-5462";         // sent as the body of the 302: a non-admin using curl sees it
?>

EAR: Nested Example
class UsersController < ApplicationController
   def ensure_admin
      unless current_user.is_admin?
         redirect_to("/")
         return           # halts ensure_admin only, not the calling action
      end
   end
   def delete
      ensure_admin()      # return value ignored: nothing stops delete here
      @user = User.find(params[:id])
      @user.delete()      # runs for non-admins after the redirect: the EAR
      flash[:notice] = "User Deleted"
   end
end
Outline

• Overview of Execution After Redirects

• EAR Detection Algorithm

• Results

• Prevention

EAR Detection: Overview
• Static source code analysis
  – Attempt to find code that can possibly be
    executed after a redirect
  – Distinguish between benign and vulnerable

EAR Detection: Overview

1. Build CFG

2. Find redirection methods

3. Prune infeasible paths

4. Detect EARs

5. Classify as vulnerable

EAR Detection: Build Control Flow
            Graph
• CFG built using prior work
  – Diamondback Ruby parser by Furr et al.
     • Simplifies Ruby into easier-to-analyze format
     • Compiles Ruby into a subset called Ruby
       Intermediate Language (RIL)
  – CFG can be incomplete
     • eval
     • Ruby’s dynamic nature

EAR Detection: Build CFG
class UsersController < ApplicationController
  def ensure_logged_in
    unless current_user
      redirect_to("/") and return true   # redirect path: returns true
    end
    @logged_in_users += 1
    return false                         # logged-in path: returns false
  end
  def delete_all
    unless ensure_logged_in()            # returns only when ensure_logged_in returned false (logged in)
      return
    end
    User.delete(:all)                    # reached on the redirect path (return true): an EAR
  end
end
EAR Detection: Build CFG
[Figure: CFG of delete_all and ensure_logged_in from the previous slide]
  delete_all:        _tmp_ = ensure_logged_in()
                     _tmp_ false -> return nil
                     _tmp_ true  -> User.delete(:all) -> return nil
  ensure_logged_in:  current_user false -> redirect_to("/") -> return true
                     current_user true  -> @logged_in_users += 1 -> return false
EAR Detection: Find Redirection
            Methods
• Find all program paths in the CFG that call
  the Ruby on Rails method redirect_to
• Inter-procedural analysis
  – Methods that call redirect_to are added to
    interesting_methods
  – All methods that call an interesting_method
    are added to interesting_methods
  – Rinse and repeat until a fixpoint is reached

EAR Detection: Find Redirect Methods
[Figure: the same CFG, with the redirect_to("/") call and the methods that reach it
 (ensure_logged_in, and delete_all through its call to ensure_logged_in) highlighted]
EAR Detection: Prune Infeasible Paths
[Figure: the same CFG after pruning: since _tmp_ holds the return value of
 ensure_logged_in, the return-true exit can only reach the _tmp_ true branch and
 the return-false exit only the _tmp_ false branch]
EAR Detection: Detect EARs
[Figure: the same CFG, highlighting the path redirect_to("/") -> return true ->
 _tmp_ true -> User.delete(:all): a database write that executes after the redirect]
EAR Detection: Classify as
           Vulnerable
• Simple heuristic
  – A list of names of methods that modify the
    database
  – An EAR is classified vulnerable if one of these
    is called on the path after the redirect

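The five steps above, reduced to something that runs: an added example, not the authors' find_ear_rails tool. It models steps 2, 4 and 5 (find redirection methods to a fixpoint, detect statements reachable after a redirect, classify by database-method names). Steps 1 and 3, a CFG built from Ruby source and infeasible-path pruning, are replaced by hand-written method bodies: a flat list of the statements on the path that takes the redirect, which is the path an EAR lives on. The statement encoding, `DB_WRITE_METHODS`, and the method bodies are constructed for this example and mirror the slide controllers.

```ruby
require "set"

# Added example, not the authors' find_ear_rails tool: a scaled-down model of
# detection steps 2, 4 and 5 (find redirection methods to a fixpoint, detect
# statements reachable after a redirect, classify by database-method names).
# Steps 1 and 3 (a CFG from Ruby source, infeasible-path pruning) are replaced by
# hand-written method bodies: a flat list of statements on the path that takes
# the redirect, which is the path an EAR lives on. Statement shapes:
#   [:call, "name"]  a method call
#   [:return]        execution of the action stops here
# DB_WRITE_METHODS and the method bodies below are constructed for this example.

DB_WRITE_METHODS = %w[create save save! update update_attributes delete destroy delete_all].freeze

# Step 2: methods that call redirect_to, or call a method that does, iterated
# until no new method is added (the fixpoint on the slide).
def interesting_methods(methods)
  interesting = Set.new(["redirect_to"])
  loop do
    added = methods.select do |name, body|
      !interesting.include?(name) &&
        body.any? { |kind, callee| kind == :call && interesting.include?(callee) }
    end.keys
    break if added.empty?
    interesting.merge(added)
  end
  interesting
end

# Steps 4 and 5 for one action: once a redirect may have happened (directly or
# inside an interesting method), every further statement before a return is an
# EAR; a database write among them makes the EAR vulnerable.
def analyze_action(body, interesting)
  redirected = false
  after_redirect = []
  body.each do |kind, name|
    break if kind == :return                    # the path halts here
    if redirected
      after_redirect << name
    elsif kind == :call && interesting.include?(name)
      redirected = true
    end
  end
  return :none if after_redirect.empty?
  after_redirect.any? { |m| DB_WRITE_METHODS.include?(m) } ? :vulnerable : :benign
end

def analyze(methods, actions)
  interesting = interesting_methods(methods)
  actions.map { |a| [a, analyze_action(methods[a], interesting)] }.to_h
end

# Constructed controller model mirroring the slide examples.
METHODS = {
  # TopicsController#update: redirect without return, then a write
  "update"       => [[:call, "find"], [:call, "redirect_to"], [:call, "update_attributes"]],
  # Nested example: ensure_admin returns after redirecting, its caller does not
  "ensure_admin" => [[:call, "redirect_to"], [:return]],
  "delete_user"  => [[:call, "ensure_admin"], [:call, "find"], [:call, "delete"]],
  # Fixed form: redirect_to(...) and return
  "update_fixed" => [[:call, "find"], [:call, "redirect_to"], [:return], [:call, "update_attributes"]],
  # Benign EAR: code runs after the redirect but writes nothing
  "show"         => [[:call, "redirect_to"], [:call, "log_access"]],
}.freeze

if __FILE__ == $0
  p analyze(METHODS, %w[update delete_user update_fixed show])
  # => {"update"=>:vulnerable, "delete_user"=>:vulnerable, "update_fixed"=>:none, "show"=>:benign}
end
```

Note what the missing step 3 costs: a body such as `[:call, "redirect_to"], [:call, "update_attributes"]` built from the request.get? / request.post? controller shown later would be reported vulnerable here, because nothing checks that the two branches are mutually exclusive. That is exactly the false-positive class the results slides account for.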
Results
• 18,127 Ruby on Rails projects from
  GitHub



• 1,173 projects contained 3,944 EARs
  – 3,089 Benign EARs
  – 855 Vulnerable EARs

EAR Email Notification
• 624 project maintainers notified
• 107 responded
  – 49 confirmed the EAR we reported
  – 26 told us that the app was a demo or toy
  – 3 pointed out false positives
  – 6 said they would not fix it
  – The rest thanked us but did not offer confirmation

Detection Effectiveness
• Manual verification of all 855 vulnerable EARs
  – 485 true vulnerable EARs (56.7%)
  – 325 real EARs misclassified as vulnerable (38.0%)
  – 45 not EARs at all (5.3%)
• Manual verification of 200 random benign
  EARs
  – 13 not EARs at all (6.5%)
  – 0 misclassified vulnerable EARs

True Positive Example
class BanksController < ApplicationController
  def redirect_to_login
    redirect_to("/login") and return   # `return` here returns nil from redirect_to_login
  end
  def create
    if not current_user.is_admin?
      redirect_to_login() and return   # nil and return: the `return` never executes
    end
    @bank = Bank.create(params[:bank])   # non-admins create banks: vulnerable EAR
  end
end

False Positive Example
class UsersController < ApplicationController
  def update
    if request.get?
      redirect_to("/users")   # taken only for GET
    end
    if request.post?          # a request is never both GET and POST,
      @user = User.find(params[:id])           # so this never runs after the redirect
      @user.update_attributes(params[:user])
    end
  end
end

EAR Detection: Limitations
• False negatives
  – eval, send: calls the CFG cannot resolve
• False positives
  – Infeasible paths the pruning misses (e.g. the
    request.get? / request.post? example)
  – No type analysis, so “vulnerable” relies on
    method names: any method called delete or
    update_attributes looks like a database write

Framework Susceptibility
• Analyzed 9 web frameworks
  – Rails, Grails, Django, ASP.NET MVC, Zend
    Framework, CakePHP, CodeIgniter, J2EE,
    Struts
• Susceptible
  – Ruby on Rails
  – Grails
  – J2EE
  – Struts

Prevention
• Secure design
  – Django, ASP.NET MVC: the action returns the
    redirect as a response object, so there is no
    code “after” the redirect to execute
• Terminate process or thread
  – ASP.NET, CakePHP, Zend, CodeIgniter: the
    redirect call ends the request itself
• Patched Ruby on Rails
  – Exception handling: redirect_to raises, the
    framework catches the exception, and the rest
    of the action never runs

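The exception-handling style of fix, written out as an added example; this is not the Rails patch from the talk, and `RedirectHalt`, `HaltingController` and `Dispatcher` are invented names. `redirect_to` records the 302 and then raises; the dispatcher, which stands in for the framework, rescues the exception. The action itself is the unfixed shape from the EAR example slide, with no `return` after the redirect, and it can no longer reach the write. The second action shows the design choice behind deriving the halt from `Exception` rather than `StandardError`: a careless bare `rescue` inside the action does not swallow it.

```ruby
# Added example, not the Rails patch from the talk: a framework-level fix in
# the exception-handling style the Prevention slide lists. RedirectHalt,
# HaltingController and Dispatcher are invented names; @writes stands in for
# the database writes an action performs.

class RedirectHalt < Exception
  # Deliberately not a StandardError, so a bare `rescue` in an action does not swallow it.
end

class HaltingController
  attr_reader :status, :location, :writes, :flash

  def initialize(admin:)
    @admin = admin
    @status, @location = 200, nil
    @writes = []      # stands in for database writes the action performs
    @flash = {}
  end

  # Framework-side mitigation: record the 302, then unwind the action.
  def redirect_to(path)
    @status, @location = 302, path
    raise RedirectHalt
  end

  # The vulnerable shape from the EAR example slide: a redirect with no `return`.
  def update
    redirect_to("/") unless @admin
    @writes << "update_attributes"
    @flash[:notice] = "Topic updated!"
  end

  # Same shape, but the developer wrapped the check in a careless rescue.
  def update_with_rescue
    begin
      redirect_to("/") unless @admin
    rescue => e                      # catches StandardError only
      @flash[:error] = e.message
    end
    @writes << "update_attributes"
  end
end

module Dispatcher
  # The framework runs the action and treats RedirectHalt as normal completion:
  # the response already carries the 302.
  def self.call(controller, action)
    controller.public_send(action)
    :rendered
  rescue RedirectHalt
    :redirected
  end
end

def run_as_non_admin(action)
  c = HaltingController.new(admin: false)
  outcome = Dispatcher.call(c, action)
  { outcome: outcome, status: c.status, location: c.location,
    writes: c.writes, flash: c.flash }
end

def run_as_admin(action)
  c = HaltingController.new(admin: true)
  outcome = Dispatcher.call(c, action)
  { outcome: outcome, status: c.status, writes: c.writes }
end

if __FILE__ == $0
  p run_as_non_admin(:update)
  # => {:outcome=>:redirected, :status=>302, :location=>"/", :writes=>[], :flash=>{}}
  p run_as_non_admin(:update_with_rescue)
  # => {:outcome=>:redirected, :status=>302, :location=>"/", :writes=>[], :flash=>{}}
  p run_as_admin(:update)
  # => {:outcome=>:rendered, :status=>200, :writes=>["update_attributes"]}
end
```

One caveat that follows from ordinary Ruby semantics: `ensure` blocks in the action still run while the exception unwinds, so this mitigation removes the forgotten-return EAR but does not change anything a developer deliberately placed in an `ensure`.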
Contributions
• Described a relatively unknown web
  application vulnerability called Execution
  After Redirect (EAR)
• Developed an algorithm to statically detect
  EARs in Ruby on Rails applications
• Discovered many vulnerabilities in real-
  world open-source Ruby on Rails
  applications

Questions?

Code: http://github.com/adamdoupe/find_ear_rails

Email:   adoupe@cs.ucsb.edu
Twitter: @adamdoupe