
Penetration Testing with Improved Input Vector Identification


Presented at IEEE International Conference on Software Testing Verification and Validation (ICST 2009), Denver, Colorado


  1. Penetration Testing with Improved Input Vector Identification. William G.J. Halfond, Shauvik Roy Choudhary, and Alessandro Orso. College of Computing, Georgia Institute of Technology.
  2. Web Application Overview (slides 2-6 build up one figure). End users send HTTP requests to the web application; its HTML pages and servlets talk to a database and to other systems, and the application answers the users with HTML pages.
  7. Penetration Testing Overview (slides 7-9 build up one figure). A white-hat tester takes the place of the end user and sends malicious input (shown as "!@#$") to the web application; if the attack succeeds, secret data comes back in the response.
  10. Penetration Testing Phases. The white-hat tester works against the web application in three phases: Information Gathering (target selection), Attack Generation (analysis) and Response Analysis (feedback), ending in a report. Gathered information feeds attack generation, the attacks produce responses, and the analysis of those responses feeds back into the next round.
  11. Example Web Application Code (slides 11-16 show the same servlet). The code is deliberately vulnerable: request parameters are concatenated into SQL without any escaping.

```java
public void service(HttpServletRequest req) {
    String action = req.getParameter("userAction");
    if (action.equals("createLogin")) {
        String password = req.getParameter("password");
        String loginName = req.getParameter("login");
        if (isInteger(password)) {
            // loginName is concatenated into the query unchecked (SQL injection sink)
            db.execute("insert into UserTable "
                     + "(login, password) values ("
                     + loginName + ", " + password + ")");
            displayAddressForm();
        } else {
            displayErrorPage("Bad password.");
        }
    } else if (action.equals("provideAddress")) {
        String loginName = req.getParameter("login");
        String address = req.getParameter("address");
        // both address and loginName are concatenated unchecked (SQL injection sink)
        db.execute("update UserTable set"
                 + " address ='" + address + "'"
                 + " where loginName=" + loginName);
    } else {
        displayCreateLoginForm();
    }
}
```
  17. Our Approach (slides 17-18). Goal: improve penetration testing by improving information gathering and response analysis. Improvements to penetration testing:
     1. Information gathering → static interface analysis
     2. Attack generation → generate realistic test inputs
     3. Response analysis → produce an observable side effect of the attack
  19. 1) Information Gathering: Interface Analysis [FSE 2007] (slides 19-23). The analysis takes the web application (HTML and servlets) and produces its interfaces in three phases:
     Phase 1: Identify Input Parameter (IP) names
     Phase 2: Compute IP domain information
     Phase 3: Group IPs into distinct interfaces
  24. 1) Interface Analysis: Identify IP Names (slides 24-26). Each req.getParameter(...) call in the example code names an input parameter. The createLogin branch reads userAction, password and login; the provideAddress branch reads login and address. The identified IP names are therefore userAction, login, password, login, address (one entry per read).
  27. 1) Interface Analysis: Compute IP Domains (slides 27-34). For each IP the analysis records a type and, where the code compares the parameter against constants, the relevant values:
     userAction: String {"createLogin", "provideAddress"} (from the two equals() comparisons)
     password: String, refined to Integer by the isInteger(password) check
     login: String (createLogin branch)
     login: String (provideAddress branch)
     address: String
  35. 1) Interface Analysis: Group IPs (slides 35-44). Parameters read along the same control-flow path of the example code are grouped into one interface: userAction, login and password (Integer) for the createLogin path; userAction, login and address for the provideAddress path; userAction alone for the fall-through path that displays the create-login form. (The slides step through the servlet's statements to show the grouping.)
  45. 1) Information Gathering: Summary

Interface | Parameter  | Domain  | Relevant Values
----------|------------|---------|--------------------------------
1         | userAction | String  | "createLogin", "provideAddress"
1         | login      | String  |
1         | password   | Integer |
2         | userAction | String  | "createLogin", "provideAddress"
2         | login      | String  |
2         | address    | String  |
3         | userAction | String  | "createLogin", "provideAddress"
  46. 2) Attack Generation (slides 46-50). The white-hat tester targets one interface (userAction, login, password). Without domain information the generated request is: userAction = ?, login = <attack string>, password = ?. With the IP domain information it becomes: userAction = createLogin, login = <attack string>, password = 1234, so the request actually reaches the code that uses login.
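The three interface-analysis phases (identify IP names, compute IP domains, group IPs) and the domain-driven request filling from the attack-generation slides, as an added example that is not the SDAPT or WAM implementation. It runs over a hand-built model of the slides' example servlet rather than over Java bytecode; the AST node types, the "most specific domain wins" merge rule and the placeholder values used for filling are assumptions of this example.

```python
"""Simplified interface analysis over a toy model of the slides' servlet."""
from dataclasses import dataclass
from typing import Dict


@dataclass
class Read:
    """String x = req.getParameter("<name>")"""
    name: str


@dataclass
class Equals:
    """if (<param>.equals("<literal>")) then-block else else-block"""
    param: str
    literal: str
    then: list
    els: list


@dataclass
class IsInteger:
    """if (isInteger(<param>)) then-block else else-block"""
    param: str
    then: list
    els: list


@dataclass
class Sink:
    """db.execute(...) or a displayXxx() call; ends a path."""
    label: str


# Hand-built model of the slides' example servlet (constructed input).
EXAMPLE_SERVLET = [
    Read("userAction"),
    Equals("userAction", "createLogin",
           then=[Read("password"), Read("login"),
                 IsInteger("password",
                           then=[Sink("insert into UserTable"), Sink("displayAddressForm")],
                           els=[Sink("displayErrorPage")])],
           els=[Equals("userAction", "provideAddress",
                       then=[Read("login"), Read("address"), Sink("update UserTable")],
                       els=[Sink("displayCreateLoginForm")])]),
]

SPECIFICITY = {"String": 0, "Integer": 1}   # Integer is the narrower domain


def _relevant_values(block, acc):
    """Phase 2 (values): literals a parameter is compared against, anywhere."""
    for stmt in block:
        if isinstance(stmt, Equals):
            acc.setdefault(stmt.param, []).append(stmt.literal)
        if isinstance(stmt, (Equals, IsInteger)):
            _relevant_values(stmt.then, acc)
            _relevant_values(stmt.els, acc)
    return acc


def _paths(block, params=(), types=None):
    """Enumerate control-flow paths as (names read in order, type per name)."""
    params, types = list(params), dict(types or {})
    for i, stmt in enumerate(block):
        if isinstance(stmt, Read):                      # phase 1: an IP name
            if stmt.name not in params:
                params.append(stmt.name)
            types.setdefault(stmt.name, "String")
        elif isinstance(stmt, (Equals, IsInteger)):
            rest = block[i + 1:]                        # statements after the if
            for taken, branch in ((True, stmt.then), (False, stmt.els)):
                t = dict(types)
                if isinstance(stmt, IsInteger) and taken:
                    t[stmt.param] = "Integer"           # phase 2: domain refined
                yield from _paths(branch + rest, params, t)
            return
    yield params, types


def analyze(block):
    """Phase 3: paths that read the same set of parameters form one interface."""
    values = _relevant_values(block, {})
    interfaces: Dict[frozenset, Dict[str, dict]] = {}
    order = []
    for params, types in _paths(block):
        key = frozenset(params)
        if key not in interfaces:
            interfaces[key] = {}
            order.append(key)
        for name in params:
            entry = interfaces[key].setdefault(
                name, {"type": "String", "values": list(values.get(name, []))})
            if SPECIFICITY[types[name]] > SPECIFICITY[entry["type"]]:
                entry["type"] = types[name]             # assumption: keep most specific
    return [interfaces[k] for k in order]


def realistic_inputs(interface, target, attack="<attack string>"):
    """Attack generation: give every non-target IP a domain-consistent value
    so the request reaches the code that uses the target parameter."""
    request = {}
    for name, dom in interface.items():
        if name == target:
            request[name] = attack
        elif dom["values"]:
            request[name] = dom["values"][0]    # a value the code compares against
        elif dom["type"] == "Integer":
            request[name] = "1234"              # the slides' sample integer
        else:
            request[name] = "x"                 # placeholder string value
    return request


if __name__ == "__main__":
    found = analyze(EXAMPLE_SERVLET)
    for n, iface in enumerate(found, 1):
        print(f"Interface {n}")
        for name, dom in iface.items():
            print(f"  {name}: {dom['type']} {dom['values']}")
    print(realistic_inputs(found[0], "login"))
```

Running the script prints the three interfaces of the summary table, and `realistic_inputs(found[0], "login")` reproduces the filled request of slide 50.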
  51. 3) Response Analysis with WASP (slides 51-52). WASP:
     1. Positive tainting: identify and mark developer-trusted strings; propagate the taint markings at runtime.
     2. Syntax-aware evaluation: check that all keywords and operators in a query were formed using marked strings.
     Response analysis:
     1. Send the attack to the web application.
     2. If WASP detects the attack: (1) block the attack, (2) send an out-of-band signal.
     3. Check for the signal on the client side.
  53. 3) WASP: Identify Trusted Data (slides 53-55, over the example code). The hard-coded string literals of the example servlet (the query fragments such as "insert into UserTable ", "(login, password) values (", "update UserTable set", " address ='") are the developer-trusted strings and get marked; the values returned by req.getParameter("login"), ("password") and ("address") are untrusted and stay unmarked when they are concatenated into the query.
  56. 3) WASP: Syntax-Aware Evaluation (slides 56-60).
     Legitimate query, input login = "GJ", address = "Home":
        update userTable set address = 'Home' where login = 'GJ'
     Attempted SQL injection, input login = "GJ' ; drop table userTable -- ", address = "Home":
        update userTable set address = 'Home' where login = 'GJ' ; drop table userTable -- '
     In the legitimate query every keyword and operator comes from a marked (trusted) string. In the second query the ";" operator and the "drop" and "table" keywords come from the unmarked login value, so the syntax-aware check fails and WASP blocks the query.
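Positive tainting and syntax-aware evaluation on the two queries above, as an added example that is not WASP's own code. String literals written by the developer are marked trusted, request values untrusted, the markings survive concatenation, and the query is accepted only if every SQL keyword, operator and comment marker consists entirely of trusted characters. The tiny SQL lexer, the keyword list and the `TaintedString` type are assumptions of this example.

```python
"""Positive tainting plus syntax-aware evaluation, in the style of WASP."""
import re
from typing import List, Tuple

SQL_KEYWORDS = {"SELECT", "INSERT", "INTO", "VALUES", "UPDATE", "SET", "WHERE",
                "DELETE", "DROP", "TABLE", "FROM", "AND", "OR", "UNION", "EXEC"}


class TaintedString:
    """A string made of (text, trusted) chunks; '+' preserves the markings."""

    def __init__(self, chunks=None):
        self.chunks: List[Tuple[str, bool]] = list(chunks or [])

    @classmethod
    def trusted(cls, s):        # hard-coded literal written by the developer
        return cls([(s, True)])

    @classmethod
    def untrusted(cls, s):      # value that came from req.getParameter(...)
        return cls([(s, False)])

    def __add__(self, other):
        return TaintedString(self.chunks + other.chunks)

    @property
    def text(self):
        return "".join(t for t, _ in self.chunks)

    @property
    def mask(self):             # one trust flag per character of .text
        return [ok for t, ok in self.chunks for _ in t]


TOKEN_RE = re.compile(r"""
      (?P<ws>\s+)
    | (?P<comment>--[^\n]*)
    | (?P<string>'(?:[^']|'')*'?)
    | (?P<number>\d+)
    | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
    | (?P<op>[;=,()*<>!+\-/.])
""", re.VERBOSE)


def tokenize(text):
    """Yield (kind, token, start, end) from a deliberately small SQL lexer."""
    pos = 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise ValueError(f"cannot lex {text[pos:pos + 10]!r}")
        kind = m.lastgroup
        if kind == "word" and m.group().upper() in SQL_KEYWORDS:
            kind = "keyword"
        yield kind, m.group(), m.start(), m.end()
        pos = m.end()


def syntax_aware_check(query: TaintedString):
    """Return (accepted, violations). Identifiers, numbers and the contents of
    string literals may be untrusted; keywords, operators and comment markers
    must be built entirely from trusted characters."""
    text, mask = query.text, query.mask
    violations = []
    for kind, tok, start, end in tokenize(text):
        if kind in ("keyword", "op", "comment") and not all(mask[start:end]):
            violations.append((kind, tok))
    return not violations, violations


def build_update_query(login, address):
    """The slides' update query with its literal fragments marked trusted and
    the two request parameters marked untrusted (constructed inputs)."""
    T, U = TaintedString.trusted, TaintedString.untrusted
    return (T("update userTable set address = '") + U(address)
            + T("' where login = '") + U(login) + T("'"))


if __name__ == "__main__":
    for login in ("GJ", "GJ' ; drop table userTable -- "):
        q = build_update_query(login, "Home")
        ok, bad = syntax_aware_check(q)
        print(q.text, "->", "accepted" if ok else f"blocked: {bad}")
```

The legitimate query is accepted; the injected one is reported with the untrusted ";" operator, the "drop" and "table" keywords and the "--" comment marker as violations, which is the condition under which the slides' response analysis blocks the query and raises its out-of-band signal.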
  61. Empirical Evaluation. Goal: evaluate the usefulness of our approach as compared to a traditional penetration testing approach. Research questions (RQ):
     1. Runtime of the analysis
     2. Thoroughness of the penetration testing
     3. Number of vulnerabilities discovered
  62. Implementation: Baseline Approach (SQLMap++: SQLMap integrated with the OWASP WebScarab spider)
     •  Information gathering → OWASP WebScarab (widely used code base, actively maintained)
     •  Attack generation → SQLMap (widely used penetration testing tool, commonly used attack generation heuristics)
     •  Response analysis → WASP [FSE 2006]
  63. Implementation: Our Approach (SDAPT: Static and Dynamic Analysis-based Penetration Testing)
     •  Analyzes bytecode of Java Enterprise Edition (JEE) based web applications
     •  Interface analysis → WAM [FSE 2007]
     •  Attack generation → leverages SQLMap
     •  Response analysis → WASP [FSE 2006]
  64. Subject Applications

Subject            | LOC    | Classes | Servlets
-------------------|--------|---------|---------
Bookstore          | 19,402 | 28      | 27
Checkers           | 5,415  | 59      | 32
Classifieds        | 10,702 | 18      | 18
Daffodil           | 18,706 | 119     | 70
Employee Directory | 5,529  | 11      | 9
Events             | 7,164  | 13      | 12
Filelister         | 8,671  | 41      | 10
Office Talk        | 4,670  | 63      | 39
Portal             | 16,089 | 28      | 27
  65. RQ1: Runtime (slides 65-67). [Bar chart: Analysis Time (s) on a log scale from 1 to 10,000 for Bookstore, Checkers, Classifieds, Daffodil, Empl. Dir, Events, Filelister, Officetalk and Portal, SQLMAP++ vs SDAPT.]
     •  SDAPT ranged from 8 to 40 mins
     •  Positive note: testing was more thorough
  68. RQ2: Thoroughness. [Two bar charts over the same nine subjects, SQLMAP++ vs SDAPT: Number of Input Vectors (0 to 250) and Number of Components (0 to 50).]
  69. RQ3: Number of Vulnerabilities (slides 69-71). [Bar chart: Number of Discovered Vulnerabilities (0 to 18) for Bookstore, Checkers, Classifieds, Daffodil, Empl. Dir., Events, Filelister, Officetalk and Portal, SQLMAP++ vs SDAPT.] Average increase: 246%.
  72. Summary of Results
     •  Improvements to penetration testing: information gathering with static analysis, response analysis with dynamic detection
     •  Relatively longer analysis time
     •  More thorough testing and more vulnerabilities discovered during penetration testing