NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications. Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Radoslaw Bobrowicz, V.N. Venkatakrishnan (University of Illinois at Chicago, USA). ACM CCS (Oct 2010). A presentation at Advanced Defense Lab.

Transcript of Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Radoslaw Bobrowicz, V.N. Venkatakrishnan...

  • Slide 1
  • Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Radoslaw Bobrowicz, V.N. Venkatakrishnan, University of Illinois at Chicago, USA. ACM CCS (Oct 2010). A presentation at Advanced Defense Lab.
  • Slide 2
  • Outline: Introduction; Architecture & Challenges; Implementation; Evaluation; Related Work; Conclusion.
  • Slide 3
  • Introduction: a novel approach for automatically detecting potential server-side parameter-tampering vulnerabilities in existing web applications.
  • Slide 4
  • Introduction
  • Slide 5
  • Introduction. Attack 1: negative quantities, resulting in a discount. Attack 2: charging another user's account; a malicious user can purchase products and charge someone else's account. Attack 3: pattern validation bypass, leading to XSS and SQL injection.
  • Slide 6
  • Introduction. Problem description: Σ is the alphabet; I = Σ* × Σ* × … × Σ* (one string per form parameter). Pserver, Pclient: I -> {true, false}, where Pserver is the constraint-checking function on the server and Pclient the constraint-checking function on the client. Expected: Pserver(I) = true -> Pclient(I) = true. BUG: Pserver(I) = true ∧ Pclient(I) = false.
  • Slide 7
  • Introduction. Problem description (continued): Fclient is a logical representation of Pclient; Fserver is a logical representation of Pserver. Hostile inputs h1, …, hn such that Fclient(hi) = false for each i. Benign inputs b1, …, bm such that Fclient(bj) = true for each j. Hostile responses from the server: H1, …, Hn. Benign responses from the server: B1, …, Bm. The more similar a hostile response is to the benign responses, the more likely the hostile input was successful.
  • Slide 8
  • Outline: Introduction; Architecture & Challenges; Implementation; Evaluation; Related Work; Conclusion.
  • Slide 9
  • ARCHITECTURE & CHALLENGES
  • Slide 10
  • ARCHITECTURE & CHALLENGES
  • Slide 11
  • ARCHITECTURE & CHALLENGES: HTML/JS Analyzer. Simulates an environment similar to a JavaScript interpreter in a browser, including the DOM (AJAX is not supported). Executes all the initialization code for the web form concretely.
  • Slide 12
  • ARCHITECTURE & CHALLENGES: HTML/JS Analyzer
      • Identifying JS validation code: code run when a form is submitted, and code run each time the user enters or changes data on the form.
      • Analyzing JS validation code: employs a mixed concrete-symbolic execution approach. Symbolic execution provides coverage of all control paths; concrete execution enables NoTamper to ignore irrelevant code.
      • Resolving DOM references: constructs the pertinent portion of the DOM and simulates the DOM functions that are used to modify the DOM structure.
  • Slide 13
  • ARCHITECTURE & CHALLENGES: Input Generator
      • Avoiding spurious rejections: checks that all required variables have values of the right type (can be manually overridden).
      • Generating orthogonal hostile inputs: converts Fclient to disjunctive normal form (DNF).
      • Coping with incomplete information: accepts hints (delta) from a human that guide the search for hostile and benign inputs.
      • Addressing state changes: provides an optional list of variables required to have unique values.
  • Slide 14
  • Outline: Introduction; Architecture & Challenges; Implementation; Evaluation; Related Work; Conclusion.
  • Slide 15
  • Implementation
  • Slide 16
  • IMPLEMENTATION: Client Constraint Extraction. Collects all the event handlers (and associated scripts) and generates a single function that invokes all those event handlers. Simulates a small set of core DOM methods: getElementById(), document.write(), innerHTML.
  • Slide 17
  • IMPLEMENTATION: Client Constraint Extraction
  • Slide 18
  • IMPLEMENTATION: Hostile Input Guidance
      • Initial values: numbers; hidden fields (e.g., a session identifier).
      • Types, inferred from the HTML widget associated with the field, its initial value, and its occurrence in arithmetic constraints.
      • Required variables: identified by analyzing the HTML (e.g., asterisks next to field labels); drop-down lists.
      • Unique variables.
  • Slide 19
  • IMPLEMENTATION: Input Generation. Benign inputs: converts Fclient to DNF and finds one solution per disjunct (or). Hostile inputs: solutions of ¬Fclient.
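The following is an added example, not NoTamper's code and not part of the presentation, that ties together the problem description on slides 6 and 7 and the input generation on slide 19: Fclient is a small formula over form fields, its DNF yields one benign input per disjunct, hostile inputs are built by flipping one conjunct of a disjunct at a time (so each violates a single client constraint) and keeping those that falsify Fclient, and a toy Pserver is checked for the bug condition Pserver(I) = true ∧ Pclient(I) = false. The field names, candidate values and both server checks are constructed, and the finite candidate domain stands in for the HAMPI string solver the tool actually uses.

```python
# Added example, not NoTamper's code: client constraints as a formula,
# hostile/benign input generation via DNF, and the Pserver/Pclient gap check.
from itertools import product

# A formula is ("and", f, ...), ("or", f, ...), ("not", f) or an atom
# (field, op, value).  Field names must not be "and", "or" or "not".
def is_atom(f):
    return f[0] not in ("and", "or", "not")

def nnf(f, neg=False):
    """Negation normal form: push negations down to the atoms (De Morgan)."""
    if is_atom(f):
        return ("not", f) if neg else f
    if f[0] == "not":
        return nnf(f[1], not neg)
    op = f[0]
    if neg:
        op = "or" if op == "and" else "and"
    return (op, *[nnf(c, neg) for c in f[1:]])

def dnf(f):
    """List of disjuncts; each disjunct is a list of literals (atom or ("not", atom))."""
    f = nnf(f)
    if is_atom(f) or f[0] == "not":
        return [[f]]
    parts = [dnf(c) for c in f[1:]]
    if f[0] == "or":
        return [d for p in parts for d in p]
    result = [[]]                      # "and": distribute over the children
    for p in parts:
        result = [r + d for r in result for d in p]
    return result

def as_int(s):
    try:
        return int(s)
    except ValueError:
        return None

def holds(lit, inp):
    """Evaluate one literal on a concrete input (dict: field -> string)."""
    if lit[0] == "not":
        return not holds(lit[1], inp)
    field, op, val = lit
    x = inp[field]
    if op == "int_ge":
        return (n := as_int(x)) is not None and n >= val
    if op == "int_le":
        return (n := as_int(x)) is not None and n <= val
    if op == "equals":
        return x == val
    raise ValueError(f"unsupported op {op}")

def satisfies(formula, inp):
    return any(all(holds(l, inp) for l in d) for d in dnf(formula))

def solve(literals, domain):
    """One assignment from the finite candidate domain satisfying every
    literal, or None.  Stands in for the HAMPI solver (constructed)."""
    fields = list(domain)
    for values in product(*(domain[f] for f in fields)):
        inp = dict(zip(fields, values))
        if all(holds(l, inp) for l in literals):
            return inp
    return None

def generate_inputs(fclient, domain):
    """Benign: one input per disjunct of Fclient.  Hostile: flip one conjunct
    of a disjunct at a time, keeping only inputs that actually falsify Fclient."""
    disjuncts = dnf(fclient)
    benign = [s for d in disjuncts if (s := solve(d, domain)) is not None]
    hostile = []
    for d in disjuncts:
        for i, lit in enumerate(d):
            flipped = lit[1] if lit[0] == "not" else ("not", lit)
            s = solve(d[:i] + [flipped] + d[i + 1:], domain)
            if s is not None and not satisfies(fclient, s):
                hostile.append(s)
    return benign, hostile

def tampering_opportunities(pserver, fclient, domain):
    """Inputs with Pserver(I) = true and Pclient(I) = false: the BUG condition."""
    _, hostile = generate_inputs(fclient, domain)
    return [h for h in hostile if pserver(h)]

# Constructed checkout form: quantity in 1..10, and the hidden account field
# must keep its initial value (a hidden field's initial value acts as a constraint).
FCLIENT = ("and",
           ("quantity", "int_ge", 1),
           ("quantity", "int_le", 10),
           ("account", "equals", "acct-1001"))
# Constructed candidate values, as hints would supply them: initial values
# plus type-guided probes around the numeric bounds.
DOMAIN = {"quantity": ["1", "5", "10", "-3", "0", "11", "abc"],
          "account": ["acct-1001", "acct-2002", ""]}

def pserver_flawed(inp):
    """Constructed server check that re-validates only part of the client's
    constraints: an upper bound on quantity and a non-empty account."""
    n = as_int(inp["quantity"])
    return n is not None and n <= 10 and inp["account"] != ""

def pserver_hardened(inp):
    """Server that re-enforces every client-side constraint."""
    return satisfies(FCLIENT, inp)

if __name__ == "__main__":
    for opp in tampering_opportunities(pserver_flawed, FCLIENT, DOMAIN):
        print("tampering opportunity:", opp)      # negative quantity, foreign account
    print("hardened server:", tampering_opportunities(pserver_hardened, FCLIENT, DOMAIN))
```

Against the flawed server the negative-quantity and foreign-account inputs survive (attacks 1 and 2 from slide 5), the out-of-range quantity is rejected, and the hardened server that repeats the client's checks leaves no opportunity.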
  • Slide 20
  • IMPLEMENTATION: Constraint Solving. HAMPI [13].
  • Slide 21
  • IMPLEMENTATION: Constraint Solving
  • Slide 22
  • IMPLEMENTATION: HTML Response Comparison. Compares the server's response against a response that is known to have been generated by benign (valid) inputs. Edit distance: Ratcliff/Obershelp algorithm. Remove the noise in B1 and B2 and produce C1. Remove the noise in B1 and Hi and produce C2. Compare C1 and C2; the result is the difference rank.
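An added example, not the project's code, of the comparison step described above using Python's difflib, whose SequenceMatcher implements the Ratcliff/Obershelp algorithm: the differences between two benign responses B1 and B2 mark the noise (session ids, timestamps), that noise is removed from B1 (giving C1) and from the aligned hostile response Hi (giving C2), and 1 minus the similarity of C1 and C2 is the difference rank, low when the server accepted the hostile input. The sample responses are constructed for this example and are not from the paper's evaluation.

```python
# Added example, not NoTamper's code: noise-filtered response comparison
# with difflib (Ratcliff/Obershelp similarity).
import difflib
import re

TOKEN = re.compile(r"<[^>]+>|[^\s<>]+")   # HTML tags and words as tokens

def tokenize(html):
    return TOKEN.findall(html)

def noise_positions(b1, b2):
    """Token positions of B1 that differ from another benign response B2:
    content that varies even between valid submissions (ids, timestamps)."""
    sm = difflib.SequenceMatcher(None, b1, b2, autojunk=False)
    return {i for tag, i1, i2, _, _ in sm.get_opcodes()
            if tag != "equal" for i in range(i1, i2)}

def strip_noise(b1, noise):
    """C1: B1 with the noise positions removed."""
    return [t for i, t in enumerate(b1) if i not in noise]

def filtered_response(b1, h, noise):
    """C2: Hi aligned against B1, with changes confined to noise regions
    discarded, so what remains differs from C1 only where Hi truly differs."""
    sm = difflib.SequenceMatcher(None, b1, h, autojunk=False)
    out = []
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            # keep matched tokens, except those sitting at noise positions of B1
            out.extend(t for k, t in zip(range(i1, i2), h[j1:j2]) if k not in noise)
        elif i2 > i1 and all(i in noise for i in range(i1, i2)):
            continue                      # change lies entirely inside noise
        else:
            out.extend(h[j1:j2])          # a real difference: keep Hi's tokens
    return out

def difference_rank(b1_html, b2_html, h_html):
    """0.0 means Hi is indistinguishable from a benign response once noise is
    removed; values near 1.0 mean the server answered very differently."""
    b1, b2, h = tokenize(b1_html), tokenize(b2_html), tokenize(h_html)
    noise = noise_positions(b1, b2)
    c1 = strip_noise(b1, noise)
    c2 = filtered_response(b1, h, noise)
    return 1.0 - difflib.SequenceMatcher(None, c1, c2, autojunk=False).ratio()

# Constructed sample responses (not from the paper): the two benign pages
# differ only in a session id and a timestamp.
B1 = "<html><body><p>Order placed. Qty 1, total $20.</p><p>Session 8f3a Time 10:01</p></body></html>"
B2 = "<html><body><p>Order placed. Qty 1, total $20.</p><p>Session c17d Time 10:02</p></body></html>"
# Hostile response where the server accepted a negative quantity...
H_ACCEPTED = "<html><body><p>Order placed. Qty -3, total $-60.</p><p>Session 44e0 Time 10:03</p></body></html>"
# ...and one where server-side validation rejected it.
H_REJECTED = "<html><body><p>Error: quantity must be between 1 and 10.</p></body></html>"

if __name__ == "__main__":
    print("accepted:", difference_rank(B1, B2, H_ACCEPTED))   # low rank: likely opportunity
    print("rejected:", difference_rank(B1, B2, H_REJECTED))   # high rank: server refused
```

Ranking hostile responses by this value puts the candidates most worth a human look at the top; the session id and timestamp alone would otherwise make every response look different from B1.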
  • Slide 23
  • IMPLEMENTATION. HTML analysis: built on top of the APIs provided by the HTML Parser. JavaScript analysis: a symbolic evaluator based on a modified Narcissus JavaScript engine. Input Generator: HAMPI. Opportunity Detector: a Java-based module that relays HTTP requests to the test server.
  • Slide 24
  • Outline: Introduction; Architecture & Challenges; Implementation; Evaluation; Related Work; Conclusion.
  • Slide 25
  • Evaluation: selected 8 open source applications (from http://opensourcescripts.com) and 5 live websites. Testing: Linux Apache web server (2.8 GHz dual Intel Xeon, 6.0 GB RAM). NoTamper: Ubuntu 9.10 (2.45 GHz quad Intel, 2.0 GB RAM).
  • Slide 26
  • Evaluation
  • Slide 27
  • Evaluation
  • Slide 28
  • Evaluation. Unauthorized money transfers: www.selfreliance.com. Unlimited shopping rebates: www.codemicro.com (fixed within 24 hours). Privilege escalation: OpenIT, by manipulating the userid parameter.
  • Slide 29
  • Evaluation. False positives: those pertaining to maxlength constraints on form inputs that couldn't be exploited for any serious vulnerability, and inputs rewritten by the server without any observable difference in the HTML output.
  • Slide 30
  • Evaluation
  • Slide 31
  • Evaluation
  • Slide 32
  • Evaluation. Performance: the Input Generator solved 315 formulas in a total of 219 seconds, an average of 0.7 seconds per input. HTML/JavaScript analysis runs in under a second. The Opportunity Detector runs in sub-second time for each application.
  • Slide 33
  • Outline: Introduction; Architecture & Challenges; Implementation; Evaluation; Related Work; Conclusion.
  • Slide 34
  • Related Work: NoTamper's goal is to discover vulnerabilities in existing (legacy) applications.
  • Slide 35
  • Outline: Introduction; Architecture & Challenges; Implementation; Evaluation; Related Work; Conclusion.
  • Slide 36
  • Conclusion: NoTamper's results highlight a significant gap between the server-side parameter validation that should occur and the server-side validation that does occur in today's web applications.