Automated and Effective Testing of Web Services for XML Injection Attacks
1. Software Verification & Validation Lab (SVV)
Automated and Effective Testing of Web Services for XML Injection Attacks
Sadeeq Jan, Cu D. Nguyen, Lionel Briand
Interdisciplinary Centre for Security, Reliability and Trust (SnT)
University of Luxembourg
ISSTA’16
The International Symposium on Software Testing and Analysis
Saarland University, Saarbrücken, Germany. July 18-20, 2016
2. XML Injection
Definition
Injecting malicious content into XML files/messages to manipulate/compromise the logic of an application/service
Impact
• Bypassing authentication
• Privilege escalation
• Information disclosure
• Generating errors/system crash
3. XML Injection Example
Scenario: a "Create new account" web form produces an XML message that is stored in an XML database.
XML message generated for the new account:
<user>
<username>Tom</username>
<password>m1U9q10</password>
<role>user</role>
<mail>a@b.com</mail>
</user>
XML database after the insert (existing records, then the new record appended):
<user>
<username>admin</username>
<password>s4n3p81</password>
<role>Administrator</role>
<mail>sv-admin@gmail.com</mail>
</user>
…..
<user>
<username>Tom</username>
<password>m1U9q10</password>
<role>user</role>
<mail>a@b.com</mail>
</user>
4. XML Injection Example (Privilege Escalation)
Value typed into the 'mail' field of the web form:
abc</mail><role>Administrator</role><mail>a@b.com
Generated XML message (the form value is concatenated into the message unescaped, so the injected tags become real elements):
<user>
<username>Tom</username>
<password>m1U9q10</password>
<role>user</role>
<mail>abc</mail>
<role>Administrator</role>
<mail>a@b.com</mail>
</user>
5. XML Schema (excerpt)
.........
<complexType name="UserType">
<all>
<element name="username" type="tns:StringUserType" maxOccurs="1" minOccurs="1" />
<element name="password" type="tns:StringPassType" maxOccurs="1" minOccurs="1"/>
<element name="role" type="tns:Int1000Type" maxOccurs="1" minOccurs="1"/>
<element name="mail" type="tns:EmailType" maxOccurs="1" minOccurs="1" />
</all>
</complexType>
.........
6. XML Injection in presence of constraints
The injected message is well-formed but not valid:
<user>
<username>Tom</username>
<password>m1U9q10</password>
<role>user</role>
<mail>abc</mail>
<role>Administrator</role>
<mail>a@b.com</mail>
</user>
It violates the cardinality constraint (minOccurs="1" maxOccurs="1", i.e. exactly one occurrence) of the 'role' element in the XML Schema, and likewise that of 'mail':
<element name="role" type="tns:Int1000Type" maxOccurs="1" minOccurs="1"/>
A schema-validating gateway in front of the service therefore rejects the message before it reaches the application.
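The web-form-to-XML path on these slides, reproduced as an added Python example (not code from the paper or from SOLMI). It builds the account message both the vulnerable way (raw concatenation of form values) and with escaping, then runs a minimal check of the UserType constraints shown above: the injected message parses (well-formed) but fails the "exactly one" cardinality of 'role' and 'mail' (not valid), while the escaped message keeps a single 'role' of "user". The regex facets for the element types and the form values are assumptions constructed for this example; the slide names the types but does not show their definitions.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constraints of UserType from the schema excerpt: every child exactly once
# (xs:all with minOccurs="1" maxOccurs="1"). The value facets are assumptions
# for this example; the slide names the types but does not show their definitions.
USER_TYPE = {
    "username": r"[A-Za-z0-9]{1,20}",
    "password": r"[A-Za-z0-9]{6,20}",
    "role": r"user|Administrator",
    "mail": r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
}

# Constructed form submission: the attacker closes <mail>, adds a second <role>,
# and reopens <mail> so that the resulting message stays well-formed.
ATTACK_FORM = {
    "username": "Tom",
    "password": "m1U9q10",
    "mail": "abc</mail><role>Administrator</role><mail>a@b.com",
}


def build_vulnerable(form):
    """Vulnerable: form values are concatenated straight into the XML message."""
    return (
        "<user>"
        f"<username>{form['username']}</username>"
        f"<password>{form['password']}</password>"
        "<role>user</role>"
        f"<mail>{form['mail']}</mail>"
        "</user>"
    )


def build_hardened(form):
    """Hardened: values are escaped, so '<' becomes '&lt;' and can no longer open a tag."""
    return (
        "<user>"
        f"<username>{escape(form['username'])}</username>"
        f"<password>{escape(form['password'])}</password>"
        "<role>user</role>"
        f"<mail>{escape(form['mail'])}</mail>"
        "</user>"
    )


def validate(xml):
    """Return the list of schema violations (an empty list means the message is valid).

    A message that is not even well-formed is reported as a single violation;
    otherwise each child is checked for cardinality and for its value facet.
    """
    try:
        root = ET.fromstring(xml)
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    problems = []
    for name, pattern in USER_TYPE.items():
        found = root.findall(name)
        if len(found) != 1:
            problems.append(f"{name}: expected exactly 1 occurrence, found {len(found)}")
        for element in found:
            if re.fullmatch(pattern, element.text or "") is None:
                problems.append(f"{name}: value {element.text!r} violates its pattern")
    return problems


def roles(xml):
    """All <role> values a parser sees, in document order."""
    return [el.text for el in ET.fromstring(xml).findall("role")]


if __name__ == "__main__":
    for label, builder in (("vulnerable", build_vulnerable), ("hardened", build_hardened)):
        message = builder(ATTACK_FORM)
        print(label, "roles:", roles(message))
        print(label, "violations:", validate(message) or "none")
```

The escaped message still fails the 'mail' pattern, which is the right outcome: escaping stops the structural injection, and the schema facet then rejects the garbage value, so both layers have to be in place.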
7. Limitations of State-Of-The-Art Tools
• Generate invalid XML files/messages
• Result in a large number of false positives
• No dedicated testing tool for XML Injection attacks
8. Contributions of This Work
• A novel automated testing approach and tool (SOLMI)
• Generates valid but malicious XML files/messages
• Covers a wide range of XML Injection attacks
• Evaluation of the approach on an industrial financial system
9. Taxonomy of XML Injection Attacks
• Type 1: Deforming
• Type 2: Random closing tags
• Type 3: Replicating
• Type 4: Replacing
15. SOLMI Approach
[Figure: SOLMI pipeline. An input XML message, together with its Schema Constraints and Security Policies, feeds the Mutation step. Type 1-2 mutations (Deforming, Random closing tags) are applied directly; Type 3-4 mutations (Replicating, Replacing) first obtain attack content from the Injection Grammar through Constraint Solving, so that the content satisfies the schema. The resulting XML messages (tests T1, T2, ..., Tn) are sent to the SUT: an XML Validator (e.g. Gateway/Firewall) in front of the Web Services.]
Generalizable approach: the Injection Grammar can be replaced to test for other types of vulnerabilities.
16. Mutation Operators
Attack | Mut. Operator | Description
Type 1 Deforming | MO_der_meta | Inserts an XML meta-character into the selected element of the input XML message
Type 1 Deforming | MO_der_att | Removes a quote from the value of a selected attribute of an element
Type 2 Random closing tags | MO_clo | Adds </test> into the content of a selected XML element of the message
Type 3 Replicating | MO_replica | Replicates an XML element, injects it with new content and places it right after the selected element
Type 4 Replacing | MO_replace | Replicates an XML element, obtains new content, comments out the selected element, and injects the new one at its location
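The four operator types from the table, implemented as an added Python example (not SOLMI's code) over the account-creation message from the earlier slides. Each operator works on the raw message text, the way an attacker's payload reaches it; the classifier then parses the result and checks the "exactly one" cardinality the schema imposes, which shows why Types 1-2 yield malformed messages, Type 3 a well-formed but invalid one, and only Type 4 a message that is both well-formed and valid. The element under attack ('role') and the payload "Administrator" are chosen for this example, and MO_replace follows the table's description (comment out the original, inject the replica in its place) rather than the exact layout of the concrete Type 4 example later in the deck.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the account-creation message from the slides.
MESSAGE = (
    "<user>"
    "<username>Tom</username>"
    "<password>m1U9q10</password>"
    "<role>user</role>"
    "<mail>a@b.com</mail>"
    "</user>"
)


def _locate(xml, tag):
    """Return (start, end, content) of the first <tag>content</tag> in the message."""
    match = re.search(rf"<{tag}>(.*?)</{tag}>", xml, re.S)
    if match is None:
        raise ValueError(f"element <{tag}> not found")
    return match.start(), match.end(), match.group(1)


def mo_der_meta(xml, tag, meta="<"):
    """Type 1, MO_der_meta: insert an XML meta-character into the element's content."""
    start, end, content = _locate(xml, tag)
    return xml[:start] + f"<{tag}>{content}{meta}</{tag}>" + xml[end:]


def mo_clo(xml, tag):
    """Type 2, MO_clo: add a random closing tag (</test>) to the element's content."""
    start, end, content = _locate(xml, tag)
    return xml[:start] + f"<{tag}>{content}</test></{tag}>" + xml[end:]


def mo_replica(xml, tag, payload):
    """Type 3, MO_replica: duplicate the element with new content right after the original."""
    _, end, _ = _locate(xml, tag)
    return xml[:end] + f"<{tag}>{payload}</{tag}>" + xml[end:]


def mo_replace(xml, tag, payload):
    """Type 4, MO_replace: comment out the original element and inject the replica
    in its place. Caveat: '--' is illegal inside an XML comment, so original content
    containing it would make the result malformed."""
    start, end, _ = _locate(xml, tag)
    return xml[:start] + f"<!--{xml[start:end]}--><{tag}>{payload}</{tag}>" + xml[end:]


def parse(xml):
    """Return the parsed root element, or None if the message is not well-formed."""
    try:
        return ET.fromstring(xml)
    except ET.ParseError:
        return None


def cardinality_ok(xml, tag, expected=1):
    """Schema-style check: exactly `expected` occurrences of <tag> under the root,
    as an xs:all content model with minOccurs="1" maxOccurs="1" demands."""
    root = parse(xml)
    return root is not None and len(root.findall(tag)) == expected


def run_all(tag="role", payload="Administrator"):
    """Apply the four operators and classify each test: malformed / invalid / valid."""
    tests = {
        "MO_der_meta": mo_der_meta(MESSAGE, tag),
        "MO_clo": mo_clo(MESSAGE, tag),
        "MO_replica": mo_replica(MESSAGE, tag, payload),
        "MO_replace": mo_replace(MESSAGE, tag, payload),
    }
    verdicts = {}
    for name, test in tests.items():
        if parse(test) is None:
            verdicts[name] = "malformed"
        elif not cardinality_ok(test, tag):
            verdicts[name] = "well-formed but invalid"
        else:
            verdicts[name] = "well-formed and valid"
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:12s} {verdict}")
```

Only the Type 4 test survives both the parser and the cardinality check, and the element the service reads now carries the attacker's content; this is the effect that the results later in the deck measure as "bypassing" tests.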
17. Injection Grammar
Generates attack strings for elements of the XML message (e.g. SQL Injection attack strings derived from the grammar)
SQL Injection Grammar *
* D. Appelt, C. Nguyen, and L. Briand. Behind an application firewall, are we safe from SQL injection attacks? In Software Testing, Verification and Validation (ICST), 2015 IEEE 8th International Conference on, pages 1–10, April 2015.
18. Test Generation Process (for Type 3-4)
[Flowchart: Start → Select Element (from the XML message, using the XML Schema) → Extract constraints from the XML Schema for that element (Schema Constraints) → Transform constraints to the Solver's input language → Solve constraints and generate an attack string using the Constraint Solver and the Injection Grammar (Attack String) → Mutate element with the attack string, yielding test Ti → Tests generation completed? No: select the next element; Yes: End.]
25. Concrete Example of Test Generation (for Type 4)
XML message (input):
<transaction>
<UserName>Mike123</UserName>
<BankCode>0111</BankCode>
<RequestId>R19228381</RequestId>
<CardNumber>1234567891234</CardNumber>
</transaction>
Schema constraint extracted for the selected element 'RequestId':
….....
<xs:element name="RequestId" type="cw:stringLen1_11"/>
….....
<xs:simpleType name="stringLen1_11">
<xs:restriction base="xs:string">
<xs:minLength value="4"/>
<xs:maxLength value="11"/>
<xs:pattern value="[a-zA-Z0-9\s]*"/>
</xs:restriction>
</xs:simpleType>
….....
The constraints are transformed to the String Constraint Solver's input language; the solver, driven by the Injection Grammar, generates content for the XML element (attack payload) that satisfies them:
OR True
Examples of malicious content rejected by the solver:
- OR 1=1 → violates the regular expression
- Drop table RequestIDs → violates the maximum length constraint
Mutation (type 4) then comments out the original element and injects the new one, giving the resulting XML message (test of Type 4):
<transaction>
<UserName>Mike123</UserName>
<BankCode>0111</BankCode>
<!--
</BankCode>
<RequestId>R19228381</RequestId>
<CardNumber>
-->
<RequestId>OR True</RequestId>
<CardNumber>1234567891234</CardNumber>
</transaction>
The message is well-formed, contains exactly one RequestId, and its value satisfies the length and pattern facets, so a schema-validating gateway lets it through.
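The constraint-solving step of this slide, as an added Python example (not SOLMI's code, which uses the Hampi string solver): a small injection grammar is expanded by bounded enumeration and every derived string is checked against the minLength, maxLength and pattern facets of stringLen1_11. The grammar productions are an assumption in the spirit of the cited SQL injection grammar, not the paper's grammar; the facets are those on the slide, with \s restored in the pattern since "OR True" contains a space. An XSD pattern is implicitly anchored to the whole value, so the check uses re.fullmatch, not re.search.

```python
import itertools
import re

# Facets of simpleType stringLen1_11 from the slide. XSD patterns match the
# whole value, hence re.fullmatch below.
FACETS = {"minLength": 4, "maxLength": 11, "pattern": r"[a-zA-Z0-9\s]*"}

# Small SQL-injection grammar (an assumption for this example, in the spirit of
# the Appelt et al. grammar the deck cites). Keys are non-terminals; each
# production is a list of terminals and non-terminals.
GRAMMAR = {
    "<attack>": [["<tautology>"], ["<tautology>", " ", "<comment>"], ["<stmt>"]],
    "<tautology>": [["OR ", "<bool>"]],
    "<bool>": [["1=1"], ["True"], ["'a'='a'"]],
    "<comment>": [["--"], ["#"]],
    "<stmt>": [["Drop table ", "<ident>"], ["; ", "<stmt>"]],
    "<ident>": [["RequestIDs"], ["users"]],
}


def derive(symbol, depth):
    """All terminal strings derivable from `symbol` using at most `depth` expansions."""
    if symbol not in GRAMMAR:
        return {symbol}
    if depth == 0:
        return set()
    strings = set()
    for production in GRAMMAR[symbol]:
        parts = [derive(part, depth - 1) for part in production]
        for combination in itertools.product(*parts):
            strings.add("".join(combination))
    return strings


def violated_facet(value, facets):
    """Name of the first facet `value` violates, or None if it satisfies them all."""
    if len(value) < facets["minLength"]:
        return "minLength"
    if len(value) > facets["maxLength"]:
        return "maxLength"
    if re.fullmatch(facets["pattern"], value) is None:
        return "pattern"
    return None


def solve(facets, depth=4):
    """Brute-force stand-in for the string solver: the grammar strings that satisfy
    the facets, i.e. attack payloads a schema-validating gateway will let through."""
    candidates = derive("<attack>", depth)
    return sorted(v for v in candidates if violated_facet(v, facets) is None)


def rejected(facets, depth=4):
    """Grammar strings the facets rule out, mapped to the facet that rejects each."""
    return {
        value: violated_facet(value, facets)
        for value in sorted(derive("<attack>", depth))
        if violated_facet(value, facets) is not None
    }


if __name__ == "__main__":
    print("accepted:", solve(FACETS))
    for value, facet in rejected(FACETS).items():
        print(f"rejected: {value!r:28} violates {facet}")
```

Enumeration is fine for a toy grammar; a real grammar with recursion and string-length constraints is why the paper delegates this step to a dedicated string solver. The accepted payload is what the Type 4 mutation on this slide embeds in the replacement RequestId element.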
27. Objectives & Tools for evaluation
Objectives
• To evaluate the effectiveness and cost (time) of our
proposed approach
• To compare our proposed approach with the state-
of-the-art tools
Tools
• ReadyAPI
• SOLMI
28. Subject Application
XML Gateway (Axway XML Gateway) that protects 44 Web Services of a credit card processing company
[Figure: requests from the Internet reach the XML Gateway, which enforces the XML Schemas and an XML Threat Policy on Service Interfaces 1..N before forwarding them to Web Services 1..N and the Backend.]
29. Architecture of SOLMI
[Figure: the Test Generator, driven by the Mutation Strategies, uses an XML Processor (input messages), a Schema Processor (constraints), the Injection Grammar (SQL) and a Transformer that turns the constraints into the input language of the Constraint Solver (Hampi). The generated Test Cases are sent to the SUT by the Test Executor, and a Monitor/Oracle records which tests got through.]
30. Results
Tool | MO Operator | # Tests (T) | % Bypassing Tests (Tp) | Test Generation Time (s)
ReadyAPI | Malformed XML | 4430 | 2.37 | < 1 min
SOLMI | MO-meta (Type 1) | 1772 | 0 | 0.64
SOLMI | MO-close (Type 2) | 443 | 0 | 0.35
SOLMI | MO_der_att (Type 1) | NA | NA | NA
SOLMI | MO-replica (Type 3) | 3236 | 0 | 2929.99 (49 mins)
SOLMI | MO-replace (Type 4) | 3236 | 78.86 | 2998.97 (50 mins)
Bypassing tests are those that pass through the XML Gateway (the SUT) to the web services behind it. The malformed tests of Types 1-2 are all stopped, as are the Type 3 tests, whose replicated elements break the schema's cardinality constraints; the valid Type 4 tests get through in 78.86% of cases.
36. Conclusion
• Test strategies that randomly inject XML meta-characters or closing tags (state-of-the-art tools) are unlikely to be effective: the resulting messages are malformed and are stopped by the XML validator
• The SOLMI approach is highly effective and its test generation time is practically reasonable
• SOLMI is generalizable to other types of attacks (by replacing the Injection Grammar)