
Penetration Testing with Improved Input Vector Identification
William G. J. Halfond, Shauvik Roy Choudhary, and Alessandro Orso
College of Computing, Georgia Institute of Technology

Web Application Overview
(Diagram: end users send HTTP requests to the web server, whose servlets query the DB and other systems and return HTML pages.)

Penetration Testing Overview
(Diagram: a white hat tester sends attack input (!@#$) to the web application's servlets, which query the DB and other systems; the HTML response exposes "Secret Data!".)

Penetration Testing Phases
(Diagram of the white hat tester's loop: Information Gathering -> Information -> Target Selection -> Attack Generation -> Attacks sent to the web application's servlets -> Responses (HTML) -> Response Analysis -> Analysis Feedback -> Report.)

Example Web Application Code

    public void service(HttpServletRequest req) {
        String action = req.getParameter("userAction");
        if (action.equals("createLogin")) {
            String password = req.getParameter("password");
            String loginName = req.getParameter("login");
            if (isInteger(password)) {
                // request parameters concatenated straight into the SQL statement
                db.execute("insert into UserTable " +
                           "(login, password) values (" + loginName + ", " + password + ")");
                displayAddressForm();
            } else {
                displayErrorPage("Bad password.");
            }
        } else if (action.equals("provideAddress")) {
            String loginName = req.getParameter("login");
            String address = req.getParameter("address");
            // same pattern: address and loginName reach the query unchecked
            db.execute("update UserTable set" + " address ='" + address + "'" +
                       " where loginName=" + loginName);
        } else {
            displayCreateLoginForm();
        }
    }

Our Approach
Goal: Improve penetration testing by improving information gathering and response analysis.
Improvements to penetration testing:
1. Information gathering: static interface analysis
2. Attack generation: generate realistic test inputs
3. Response analysis: produce an observable side effect of the attack

1) Information Gathering: Interface Analysis
(Diagram: the web application's HTML and servlets feed the interface analysis [FSE 2007], which outputs the interfaces: Identify IP Names -> Compute IP Domains -> Group IPs.)
Phase 1: Identify input parameter (IP) names
Phase 2: Compute IP domain information
Phase 3: Group IPs into distinct interfaces

1) Interface Analysis: Identify IP Names
(Annotated version of the example web application code: each req.getParameter call yields one IP name.)
IP names identified: userAction, password, login, address

1) Interface Analysis: Compute IP Domains
(Annotated version of the example web application code: the checks applied to each parameter determine its domain.)
userAction: String, values {"createLogin", "provideAddress"} (from the action.equals(...) comparisons)
password: String; Integer (from the isInteger(password) check)
login: String
address: String

1) Interface Analysis: Group IPs
(Annotated version of the example web application code: the parameter reads on each control-flow path through the servlet are grouped into one interface per path, carrying the domains computed on the previous slide: userAction: String {"createLogin", "provideAddress"}; password: Integer; login: String; address: String.)

1) Information Gathering: Summary

    Interface  Parameter   Domain   Relevant Values
    1          userAction  String   "createLogin", "provideAddress"
    1          login       String
    1          password    Integer
    2          userAction  String
    2          login       String
    2          address     String
    3          userAction  String   "createLogin", "provideAddress"
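An added worked example of phases 1 to 3 over the slides' example servlet, written for this page and not taken from the WAM tool (which, as the SDAPT slide notes, analyzes bytecode); it uses a source-level regular-expression and brace-depth approximation, and interface_analysis, SERVLET_SRC and the regex names are hypothetical:

```python
import re

# Constructed input: the slides' example servlet rewritten as Java source
# (query bodies shortened); this added analysis reads source text, not bytecode.
SERVLET_SRC = """
String action = req.getParameter("userAction");
if (action.equals("createLogin")) {
    String password = req.getParameter("password");
    String loginName = req.getParameter("login");
    if (isInteger(password)) { db.execute(insertQuery); displayAddressForm(); }
    else { displayErrorPage("Bad password."); }
} else if (action.equals("provideAddress")) {
    String loginName = req.getParameter("login");
    String address = req.getParameter("address");
    db.execute(updateQuery);
} else { displayCreateLoginForm(); }
"""
GET_PARAM = re.compile(r'(\w+)\s*=\s*req\.getParameter\("(\w+)"\)')
EQUALS = re.compile(r'(\w+)\.equals\("([^"]*)"\)')
IS_INT = re.compile(r'isInteger\((\w+)\)')
BRANCH = re.compile(r'\b(?:if|else)\b')

def interface_analysis(src):
    """Phase 1: IP names from getParameter calls. Phase 2: domain of each IP
    from equals()/isInteger() checks on the receiving variable. Phase 3: one
    interface per top-level if/else branch, each extended with the IPs read
    before branching (brace depth 0). Returns (domains, interfaces)."""
    var_to_ip, domains = {}, {}
    for var, ip in GET_PARAM.findall(src):
        var_to_ip[var] = ip
        domains.setdefault(ip, {"type": "String", "values": set()})
    for var, literal in EQUALS.findall(src):       # action.equals("createLogin")
        if var in var_to_ip:
            domains[var_to_ip[var]]["values"].add(literal)
    for var in IS_INT.findall(src):                 # isInteger(password)
        if var in var_to_ip:
            domains[var_to_ip[var]]["type"] = "Integer"
    common, branches, depth = set(), [], 0
    for line in src.splitlines():
        kw = BRANCH.search(line)
        if kw:  # depth at the keyword itself, so "} else if" is top level
            before = line[:kw.start()]
            if depth + before.count("{") - before.count("}") == 0:
                branches.append(set())              # new top-level branch
        for _, ip in GET_PARAM.findall(line):
            (common if depth == 0 else branches[-1]).add(ip)
        depth += line.count("{") - line.count("}")
    return domains, [frozenset(common | b) for b in branches]
```

The three interfaces it returns match the summary table above; nested branches (the isInteger check) correctly stay inside interface 1.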

2) Attack Generation
(Diagram: the white hat tester combines an interface (userAction, login, password) with its IP domain information.)
Interface alone: userAction = ?, login = <attack string>, password = ?
With IP domain information: userAction = createLogin, login = <attack string>, password = 1234

3) Response Analysis with WASP
Response analysis:
1. Send attack to web application
2. If WASP detects the attack: 1. block the attack; 2. send an out-of-band signal
3. Check for the signal on the client side
WASP:
1. Positive tainting: identify and mark developer-trusted strings; propagate taint markings at runtime
2. Syntax-aware evaluation: check that all keywords and operators in a query were formed using marked strings

3) WASP: Identify Trusted Data
(Annotated version of the example web application code: the hard-coded string literals, such as "insert into UserTable ", "(login, password) values ('", "update UserTable set" and " address ='", are the developer-trusted data that positive tainting marks; the values returned by req.getParameter are left unmarked.)

3) WASP: Syntax Aware Evaluation
Legitimate query. Input: login = "GJ", address = "Home"
    update userTable set address = 'Home' where login = 'GJ'
Attempted SQL injection. Input: login = "GJ' ; drop table userTable -- ", address = "Home"
    update userTable set address = 'Home' where login = 'GJ' ; drop table userTable -- '

Empirical Evaluation
Goal: Evaluate the usefulness of our approach as compared to a traditional penetration testing approach.
Research questions (RQ):
1. Runtime of the analysis
2. Thoroughness of the penetration testing
3. Number of vulnerabilities discovered

Implementation: Baseline Approach SQLMap++
SQLMap integrated with the OWASP WebScarab spider
• Information gathering: OWASP WebScarab (widely used code base, actively maintained)
• Attack generation: SQLMap (widely used penetration testing tool, commonly used attack generation heuristics)
• Response analysis: WASP [FSE 2006]

Implementation: Our Approach SDAPT
Static and Dynamic Analysis-based Penetration Testing
• Analyzes bytecode of Java Enterprise Edition (JEE) based web applications
• Interface analysis: WAM [FSE 2007]
• Attack generation leverages SQLMap
• Response analysis: WASP [FSE 2006]

Subject Applications

    Subject             LOC      Classes  Servlets
    Bookstore           19,402   28       27
    Checkers             5,415   59       32
    Classifieds         10,702   18       18
    Daffodil            18,706   119      70
    Employee Directory   5,529   11        9
    Events               7,164   13       12
    Filelister           8,671   41       10
    Office Talk          4,670   63       39
    Portal              16,089   28       27

RQ 1: Runtime
(Bar chart: analysis time in seconds, log scale from 1 to 10000, for SQLMAP++ and SDAPT on Bookstore, Checkers, Classifieds, Daffodil, Empl. Dir, Events, Filelister, Officetalk and Portal.)
• SDAPT ranged from 8 to 40 mins
• Positive note: testing was more thorough

RQ 2: Thoroughness
(Two bar charts comparing SQLMAP++ and SDAPT on the nine subject applications: number of input vectors, y axis 0 to 250; number of components, y axis 0 to 50.)

RQ 3: Number of Vulnerabilities
(Bar chart: number of discovered vulnerabilities, y axis 0 to 18, for SQLMAP++ and SDAPT on the nine subject applications.)
Average increase: 246%

Summary of Results
• Improvements to penetration testing
  • Information gathering with static analysis
  • Response analysis with dynamic detection
• Relatively longer analysis time
• More thorough testing, and more vulnerabilities discovered during penetration testing