Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection - ACSAC 2007
I presented this at the 23rd Annual Computer Security Applications Conference (ACSAC).

  1. Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection
     Yuji Kosuga, Keio University
     In cooperation with Miho Hishiyama, Yu Takahama (IX Knowledge Inc.) and Kenji Kono, Miyuki Hanaoka (Keio University)
  2. What is an SQL Injection Attack?
     A security exploit for web applications that uses web pages with dynamic content
     An attacker can add arbitrary SQL commands that will be executed against the database

       query = "SELECT * FROM account WHERE name = '"
             + request.getParameter("name")
             + "' AND password = '"
             + request.getParameter("pass") + "'";

     With the value ' OR 'a'= 'a supplied for pass, the query sent to the database becomes

       SELECT * FROM account WHERE name = 'badguy' AND password = '' OR 'a'= 'a'

     The right expression ('a'= 'a) is always TRUE, so the WHERE clause matches every row: attackers can obtain all data in the account table

     Preventing Attacks: Sanitizing
     e.g. escape a character that can change the syntax of the SQL query

       replace(request.getParameter("pass"), "'", "''");

     With the same attack value, the query becomes

       SELECT * FROM account WHERE name = 'badguy' AND password = ''' OR ''a''= ''a'

     The database recognizes '' OR ''a''= ''a as the literal string ' OR 'a'= 'a, i.e. as part of the password value
     If a value is input that does not use single quotes...

       555 OR 1=1
       SELECT * FROM account WHERE id=555 OR 1=1

     Consideration of the context of the user inputs is necessary
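The two slides above can be reproduced against a throwaway database. The following is an added example, not code from the slides or from Sania: it builds the account query by string concatenation with the quote-doubling escape from slide 3, shows that this protects the quoted string context but not the unquoted numeric context (the 555 OR 1=1 case), and places a parameterized query next to it as the fix that does not depend on context. The table, rows and function names are constructed for the example; SQLite's in-memory database is used only because it runs offline.

```python
import sqlite3

def setup_db():
    """Constructed sample data: an account table like the one on slide 2."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (id INTEGER, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO account VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (555, "badguy", "x")],
    )
    conn.commit()
    return conn

def escape_quotes(value):
    """The sanitizing step from slide 3: double every single quote so the
    database reads it as a literal quote inside the string."""
    return value.replace("'", "''")

def login_concat(conn, name, password):
    """Slide 2: no sanitizing at all. The password value can change the
    syntax of the query."""
    q = ("SELECT * FROM account WHERE name = '" + name
         + "' AND password = '" + password + "'")
    return conn.execute(q).fetchall()

def login_escaped(conn, name, password):
    """Slide 3: quote doubling. Safe only because both values sit inside a
    quoted string context in the query."""
    q = ("SELECT * FROM account WHERE name = '" + escape_quotes(name)
         + "' AND password = '" + escape_quotes(password) + "'")
    return conn.execute(q).fetchall()

def lookup_escaped(conn, id_value):
    """Same escaping applied to a numeric (unquoted) context: the escape has
    nothing to act on, so the input still changes the query's structure."""
    q = "SELECT * FROM account WHERE id=" + escape_quotes(id_value)
    return conn.execute(q).fetchall()

def lookup_param(conn, id_value):
    """Parameterized query: the value is bound by the driver and can never
    become part of the SQL syntax, whatever the context."""
    return conn.execute("SELECT * FROM account WHERE id=?", (id_value,)).fetchall()

if __name__ == "__main__":
    db = setup_db()
    print("no escaping, attack value :", len(login_concat(db, "badguy", "' OR 'a'= 'a")), "rows")
    print("escaped, attack value     :", len(login_escaped(db, "badguy", "' OR 'a'= 'a")), "rows")
    print("escaped, numeric context  :", len(lookup_escaped(db, "555 OR 1=1")), "rows")
    print("parameterized             :", len(lookup_param(db, "555 OR 1=1")), "rows")
```

The numeric case is the one the slide warns about: `lookup_escaped` returns the whole table because the escape function never sees a quote, while `lookup_param` returns nothing for the same input and still returns the right row for a plain "555".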
  3. Issues with Sanitizing
     Sanitizing is a sufficient measure to prevent SQL injection attacks, but...
     There are recent reports of SQL injection attacks
       28% of all the reported vulnerabilities [Armorize Technologies 2006]
       14% of all the reported vulnerabilities [Mitre 2006]
     What is actually causing these results?
       Sanitizing code is written manually, without any supporting tools
       Checking for maliciously crafted inputs is not done well enough to detect vulnerabilities
  4. Related Approaches
     SQLCheck [Su and Wassermann '06]
       Validates SQL queries by comparing them to a legal model
       Requires the developer to manually insert special markers to discover user inputs in SQL queries
     SQLrand [Boyd and Keromytis '04]
       Assures that an SQL keyword injected by an attacker will not be embedded into SQL queries
       Assumes the attackers will not discover the secret key
     Learning-Based Detection [Valeur et al. '05]
       Employs an intrusion detection system (IDS), which is trained using a set of legal SQL queries
       The IDS quality depends on the quality of the training set
  5. Our Approach: Sania
     Checks for SQL injection vulnerabilities in the development and debugging phases
     Intercepts SQL queries as well as HTTP requests
     By using the SQL queries:
       Automatically generates powerful attacks
       Assesses the security by comparing the syntax of the parse tree of the intended SQL query to those resulting after an attack
     Sania vs. Paros
       Sania can find more vulnerabilities and caused fewer false positives
  6. Design of Sania
     [Diagram: the client sends an innocent HTTP request to the web application, which sends correct SQL packets to the database. Sania intercepts both the innocent HTTP request and the SQL packets and then works in three steps: 1. finding target spots, 2. crafting attacks, 3. tree validation. The crafted attacks are sent to the web application as malicious packets and the resulting SQL is validated.]
  7. Design of Sania
     [Same diagram, highlighting step 1: Sania captures the innocent packets (HTTP request and the correct SQL packets) and finds the target spots.]
  8. Finding Target Spots
     [Diagram: the query-string id=999&name=xxx&action=login is sent to the web application, which issues the SQL query SELECT * FROM users WHERE id=999 AND name='xxx'. The values 999 and xxx appear in the query and are marked as targets; action=login does not appear in the query and is marked as safe.]
     Target spots are vulnerable values that appear on the leaf nodes of the parse tree
  9. Design of Sania
     [Same diagram, highlighting steps 1 and 2: from the innocent packets Sania finds the target spots and then crafts attacks.]
  10. Crafting Attack Requests
     [Diagram: the query-string id=999&name=xxx&action=login and the SQL query SELECT * FROM users WHERE id=999 AND name='xxx'. The target spot 999 is in an int context and the target spot 'xxx' is in a string context; action is safe.]
     Sania recognizes the context of the target spots by analyzing the syntax of the SQL query
     Non-terminal nodes of the SQL parse tree can be classified into 95 contexts
     Sania generates two types of attacks
       Linear attacks: one target spot at a time
       Combination attacks: two or more target spots at the same time
  11. Linear Attacks
     [Diagram, int context: the target spot id=999 receives the attack code id=999 or 1=1--, giving the SQL query SELECT * FROM users WHERE id=999 or 1=1-- AND name=xxx. The injected condition is always true and the -- comments out the rest of the query.]
     [Diagram, string context: the target spot name=xxx receives the attack code name=' or '1'='1, giving the SQL query SELECT * FROM users WHERE id=999 AND name='' or '1'='1'. The right expression ('1'='1) is always true.]
     Sania generates attack codes according to the context of the target spot
  12. Generating an Attack Code
     stringRule
       userInput: blank, ...
       quote: yes
       parentheses: yes
       insertedSQL: or '1'='1, or "1"="1, or 1=1--, ...

       <rule name="stringRule">
         <element name="formerStr" userInput="on">
           <code value="" />
         </element>
         <element name="quote" value="on"/>
         <element name="parenthesis" value="on"/>
         <element name="latterStr" userInput="off">
           <code value="or '1'='1" />
           <code value="or &quot;1&quot;=&quot;1"/>
           <code value="or 1=1--" />
           <code value="or 1=1;--" />
         </element>
       </rule>

     Attack rules (context: rule)
       int: defaultRule, mathRule, numberRule
       string: defaultRule, stringRule
     An attack code is dynamically generated using attack rules
     An attack rule defines
       The structure of an attack code that will be inserted into a target spot
       Whether or not quotes and parentheses will be used
     The list of attack rules is written in XML
       Easy to add new attack rules
  15. Combination Attacks
     [Diagram, innocent session: the query-string name=xxx&pass=zzz produces WHERE name='xxx' AND password='zzz', whose syntax is an AND statement (left expression name='xxx', right expression password='zzz'). Both values are target spots.]
     [Diagram, attack session: the query-string name=&pass=OR 1=1-- produces WHERE name='' AND password='OR 1=1--', whose syntax becomes an OR statement.]
       The first target spot → (empty)
       The second target spot → OR 1=1--

     Design of Sania
     [Same diagram, highlighting step 3: the crafted attacks are sent as malicious packets, and the resulting SQL packets are checked by tree validation.]
  17. Tree Validation
     [Diagram: the parse tree generated from an innocent request is compared with the parse trees of the queries the web application issues after the attack requests. A properly sanitized parse tree keeps the user input inside one leaf; an improperly sanitized parse tree has additional nodes.]
     A properly sanitized parse tree has the same syntax
     An improperly sanitized parse tree has different syntax
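Target-spot discovery (slide 8), context recognition (slide 11) and tree validation (slide 17) can be demonstrated together on the queries from the slides. The following is an added example, not Sania's implementation: Sania builds a real SQL parse tree, while this code flattens the query into a token skeleton in which literal values are replaced by their kind, which is enough to show why a properly sanitized query keeps its syntax and an improperly sanitized one does not. The tokenizer, the keyword list, the function names and the sample queries are all assumptions made for the example.

```python
import re

# Simplified SQL tokenizer (assumption for this example; not Sania's parser).
_TOKEN_RE = re.compile(r"""
    (?P<str>'(?:[^']|'')*')            # single-quoted literal, '' is an escaped quote
  | (?P<num>\d+(?:\.\d+)?)             # numeric literal
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)   # keyword or identifier
  | (?P<comment>--[^\n]*)              # line comment, as used to cut off a query
  | (?P<op><=|>=|<>|!=|[=<>*(),;+\-/])
  | (?P<ws>\s+)
  | (?P<other>.)                       # anything else, e.g. an unbalanced quote
""", re.VERBOSE | re.DOTALL)

_KEYWORDS = {"select", "from", "where", "and", "or", "not", "insert", "into",
             "values", "update", "set", "delete", "union", "like", "in"}

# Innocent query from slide 8 (constructed input for the example).
INNOCENT_QUERY = "SELECT * FROM users WHERE id=999 AND name='xxx'"

def tokenize(sql):
    """Return (kind, text) pairs for the SQL text; whitespace is dropped."""
    tokens = []
    for m in _TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind == "word":
            kind = "kw" if m.group().lower() in _KEYWORDS else "id"
        tokens.append((kind, m.group()))
    return tokens

def skeleton(sql):
    """The syntactic shape of a query: leaf values (string and numeric
    literals) are abstracted to their kind, keywords are normalized, and
    everything else is kept. Equal skeletons mean equal (flattened) syntax."""
    out = []
    for kind, text in tokenize(sql):
        if kind in ("str", "num"):
            out.append(kind.upper())
        elif kind == "kw":
            out.append(text.upper())
        elif kind == "comment":
            out.append("COMMENT")
        else:
            out.append(text)
    return tuple(out)

def find_target_spots(sql, params):
    """Slide 8: an HTTP parameter is a target spot if its value shows up as a
    leaf literal of the query; the leaf's kind gives the context ('int' or
    'string') used on slide 11. Parameters that never reach the query are
    not reported. Values are matched literally, as in the slides."""
    spots = {}
    for kind, text in tokenize(sql):
        if kind == "num":
            leaf_value, ctx = text, "int"
        elif kind == "str":
            leaf_value, ctx = text[1:-1].replace("''", "'"), "string"
        else:
            continue
        for name, value in params.items():
            if value == leaf_value:
                spots[name] = ctx
    return spots

def validate(intended_sql, observed_sql):
    """Slide 17: the query issued after a crafted request indicates a
    vulnerability only if its syntax differs from the intended query's."""
    return "vulnerable" if skeleton(intended_sql) != skeleton(observed_sql) else "safe"

if __name__ == "__main__":
    print(find_target_spots(INNOCENT_QUERY, {"id": "999", "name": "xxx", "action": "login"}))
    # Observed queries after the linear attacks of slide 11 (constructed).
    print(validate(INNOCENT_QUERY, "SELECT * FROM users WHERE id=999 or 1=1-- AND name='xxx'"))
    print(validate(INNOCENT_QUERY, "SELECT * FROM users WHERE id=999 AND name='' or '1'='1'"))
    # The same string attack value after quote doubling stays inside one leaf.
    print(validate(INNOCENT_QUERY, "SELECT * FROM users WHERE id=999 AND name=''' or ''1''=''1'"))
```

The last call is the point of the slide: the escaped query contains the attack text verbatim, but it sits in a single string leaf, so the skeleton equals the innocent one and no vulnerability is reported. A content-based scanner comparing HTTP responses cannot make that distinction, which is why the comparison with Paros later in the talk turns on false positives.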
  18. Implementation
     13,000 LOC in Java
     21 attack rules (1,800 LOC in XML) for 95 contexts
     Test results are output as an HTML/XML document
     An RSS feed is also available
  19. Demo
     Testing the login page of a web application
  20. Experiments
     We evaluated the effectiveness of our technique
     Subjects
       E-learning
         Provided by IX Knowledge Inc.
         It had been used in an intranet before
       Bookstore, Portal, Event, Classifieds, Employee Directory
         Free open-source applications from GotoCode
         We found they have been used in the real world
     Comparison with Paros
       Paros is a web application scanner, which took 2nd place in the web vulnerability scanner ranking at Insecure.Org
  21. Comparison of Sania and Paros
     Targeting user inputs
       Sania identifies inputs that appear in SQL queries
       Paros regards all user inputs as vulnerable
     Generating attacks
       Sania generates its attacks based on the syntax of SQL queries
       Paros applies attack codes to all user inputs
     Combination attacks
       Sania can attack several spots at the same time
       Paros cannot generate combination attacks
     Determining vulnerability
       Sania compares the syntax of SQL queries
       Paros compares the content of HTTP responses
  22. Evaluation
     Sania detected more vulnerabilities and gave significantly fewer false positives with fewer trials than Paros
  23. False Positives
     Sania caused 13 false positives
     Invalid data
       The attack code did not meet the length requirements
       Sania is unaware of the database structure
       Need to design a way to learn the structure of the database
     Authentication failed
       The password and confirmation fields did not match
       Sania does not know which user inputs must share the same data
       Need to include a function that tells Sania which user inputs require the same data input
  24. Testing a Real Product
     We had a chance to test a production-quality web application just before it was shipped
     Subject: RSS-Dripper
       Provides RSS information to users based on their previous choices
       Written in JSP and Java Servlet
       Runs on Struts
     Results
       One vulnerability was detected after 33 attacks
       Vulnerable to a combination attack
       We confirmed it was truly vulnerable
  25. Conclusion
     Sania's technique
       Used during the development or debugging phases
       Creates powerful attacks based on the context of the SQL query
       Detects vulnerabilities by syntax comparison of parse trees
     Sania's effectiveness
       Outperformed the presently highest rated tool that tests for SQL injection attacks
     Next steps
       Implement techniques to reduce false positives
       Adapt our technique to detect other injection vulnerabilities, such as XSS, XPath injection and OS command injection attacks