Penetration Testing with Improved Input Vector Identification

Penetration Testing with Improved Input Vector

Identification!

William G.J. Halfond, Shauvik Roy Choudhary, and Alessandro Orso!

College of Computing!Georgia Institute of Technology!

Web Application Overview !

Other Systems

Web Server

End Users

Database

Other Systems

End Users

Web Application!

Servlets

Database

Other Systems

End Users

HTTP Requests

Web Application!

Servlets

Database

Other Systems

End Users

HTTP Requests

Web Application!

Servlets

Database

Other Systems

End Users

HTTP Requests

HTML Pages

Web Application!

Servlets

Database

Penetration Testing Overview !

Other Systems

White Hat Tester

Web Application!

Servlets

Database

Other Systems

White Hat Tester

Web Application!

Servlets

Database

Other Systems

White Hat Tester

Secret Data!

Web Application!

Servlets

Database

Penetration Testing Phases!

White Hat Tester

Web Application!

Servlets

Information Gathering

Attack Generation

Response Analysis Report

Target!Selection !

Analysis!Feedback!

Information! Attacks!

Responses!

public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) ! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!

Example Web Application Code!

Our Approach!

Goal:!Improve penetration testing by improving information gathering and response analysis.!

Our Approach!

Improvements to penetration testing:!1.  Information gathering ð Static interface analysis!2.  Attack Generation ð Generate realistic test-inputs!3.  Response Analysis ð Produce observable side

effect of attack!

Goal:!Improve penetration testing by improving information gathering and response analysis.!

Interfaces Interface!Analysis!

[FSE 2007]!

1) Information Gathering: Interface Analysis!

Web Application

Servlets

Interfaces

Web Application

Servlets

Compute IP Domains

Group IPs

Identify IP Names

Interfaces

Phase 1: Identify Input Parameters (IP) names!Phase 2: Compute IP domain information!Phase 3: Group IP into distinct interfaces!

Web Application

Servlets

Compute IP Domains

Group IPs

Identify IP Names

Interfaces

Web Application

Servlets

Compute IP Domains

Group IPs

Identify IP Names

Interfaces

Web Application

Servlets

Compute IP Domains

Group IPs

Identify IP Names

1) Interface Analysis: Identify IP Names! public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!

userAction

1) Interface Analysis: Identify IP Names! public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!

userAction

address

password

1) Interface Analysis: Compute IP Domains!

userAction

address

password

userAction

address

userAction:String {“createLogin”, “provideAddress”}

password

userAction

address

password

userAction

address

password

userAction

address

password password:String

userAction

address

password password:String

userAction

address

password password:String password:Integer

userAction

address

login:String

address:String

1) Interface Analysis: Group IPs! public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (”! + loginName + “, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!

userAction

address

login:String

address:String

userAction

address

login:String

address:String

userAction

address

login:String

address:String

userAction

address

login:String

address:String

userAction

address

login:String

address:String

userAction

address

login:String

address:String

userAction

address

login:String

address:String

userAction

address

login:String

address:String

userAction

address

login:String

address:String

userAction

address

login:String

address:String

1) Information Gathering: Summary!

Interface! Parameter! Domain! Relevant Values!

1!userAction! String! “createLogin”,

“provideAddress”!login! String!password! Integer!

2!userAction! String! “createLogin”,

“provideAddress”!login! String!address! String!

3! userAction! String! “createLogin”, “provideAddress”!

2) Attack Generation!

White Hat Tester

Interface

userAction login password

White Hat Tester

Interface

White Hat Tester

Interface

userAction = ? login = <attack string> password = ?

White Hat Tester

Interface

IP Domain !Information!

White Hat Tester

Interface

IP Domain !Information!

userAction = createLogin login = <attack string> password = 1234

3) Response Analysis with WASP!Response Analysis:!

1.  Send attack to web application!2.  If WASP detects attack!

1.  Block attack!2.  Send out-of-band signal!

3.  Check for signal on client side!

3) Response Analysis with WASP!

WASP:!1.  Positive tainting: Identify and mark

developer-trusted strings. Propagate taint markings at runtime!

2.  Syntax-Aware Evaluation: Check that all keywords and operators in a query were formed using marked strings!

Response Analysis:!1.  Send attack to web application!2.  If WASP detects attack!

1.  Block attack!2.  Send out-of-band signal!

3.  Check for signal on client side!

public void service(HttpServletRequest req) ! 1. String action = req.getParameter(“userAction”)! 2. if (action.equals(“createLogin”)) {! 3. String password = req.getParameter(“password”)! 4. String loginName = req.getParameter(“login”)! 5. if (isInteger(password))! 6. db.execute(“insert into UserTable ”! + “(login, password) values (‘”! + loginName + “’, ” + password + “)”)! 7. displayAddressForm()! 8. else ! 9. displayErrorPage(“Bad password.”)!10. else if (action.equals(“provideAddress”)) !11. String loginName = req.getParameter(“login”)!12. String address = req.getParameter(“address”)!13. db.execute(“update UserTable set”! + “ address =’” + address + “’”! + “where loginName=” + loginName)!14. else!15. displayCreateLoginForm()!

3) WASP: Identify Trusted Data!

3) WASP: Syntax Aware Evaluation!

Legitimate Query:!

Attempted SQL Injection:!

Input: login = “GJ”, address = “Home”!

Input: login = “GJ’ ; drop table userTable -- ”, address = “Home”!

update userTable set address = ‘Home’ where login = ‘GJ’!

Legitimate Query:!

update userTable set address = ‘Home’ where !!login = ‘GJ’ ; drop table userTable -- ’!

Legitimate Query:!

update userTable set address = ‘Home’ where !!login = ‘GJ’ ; drop table userTable -- ’!

Legitimate Query:!

Empirical Evaluation!

Goal: !Evaluate the usefulness of our approach as compared to a traditional penetration testing approach.!!

Research Questions (RQ):!1.  Runtime of analysis!2.  Thoroughness of the penetration testing!3.  Number of vulnerabilities discovered!

Implementation: Baseline Approach!

•  Information Gathering ð OWASP WebScarab!•  Widely used code-base!•  Actively maintained!

•  Attack Generation ð SQLMap!•  Widely used penetration testing tool!•  Commonly used attack generation heuristics!

•  Response analysis ð WASP[FSE 2006]!

SQLMap++ ! SQLMap integrated with OWASP WebScarab Spider!

Implementation: Our Approach!

•  Analyzes bytecode of Java Enterprise Edition (JEE) based web applications!

•  Interface analysis ð WAM[FSE 2007]!

•  Attack generation ð leverages SQLMap!•  Response analysis ð WASP[FSE 2006]!

SDAPT! Static and Dynamic Analysis-based Penetration Testing!

Subject Applications!

Subject! LOC! Classes! Servlets!Bookstore! 19,402! 28! 27!

Checkers! 5,415! 59! 32!

Classifieds! 10,702! 18! 18!

Daffodil! 18,706! 119! 70!

Employee Directory! 5,529! 11! 9!

Events! 7,164! 13! 12!

Filelister! 8,671! 41! 10!

Office Talk! 4,670! 63! 39!

Portal! 16,089! 28! 27!

RQ1: Runtime!

10000!

Bookstore! Checkers! Classifieds! Daffodil! Empl. Dir! Events! Filelister! Officetalk! Portal!

Analysis Time (s)!

SQLMAP++!SDAPT!

RQ1: Runtime!

10000!

Analysis Time (s)!

SQLMAP++!SDAPT!

•  SDAPT ranged from 8 to 40 mins!•  Positive note: Testing was more thorough!

RQ1: Runtime!

10000!

Analysis Time (s)!

SQLMAP++!SDAPT!

•  SDAPT ranged from 8 to 40 mins!•  Positive note: Testing was more thorough!

RQ2: Thoroughness!

Number of Input Vectors! SQLMAP++!SDAPT!

Number of Components! SQLMAP++!SDAPT!

RQ3: Number of Vulnerabilities!

Bookstore! Checkers! Classifieds! Daffodil! Empl. Dir.! Events! Filelister! Officetalk! Portal!

Number of Discovered Vulnerabilities!

SQLMAP++!

SDAPT!

RQ3: Number of Vulnerabilities!

Bookstore! Checkers! Classifieds! Daffodil! Empl. Dir.! Events! Filelister! Officetalk! Portal!

Number of Discovered Vulnerabilities!

SQLMAP++!

SDAPT!

Average increase: 246%!

Summary of Results!

•  Improvements to penetration testing!•  Information gathering with static analysis!•  Response analysis with dynamic detection!

•  Relatively longer analysis time!•  More thorough and more vulnerabilities

discovered during penetration testing!

Penetration Testing with Improved Input Vector Identification

Technology

IMPROVED OSTEOGENIC VECTOR FOR NON-VIRAL GENE THERAPYeprints.whiterose.ac.uk/96825/1/Improved osteogenic vector for non... · expert algorithm. Additionally, a highly truncated articial

SPE-184878 Improved Hydraulic Fracturing Perforation ...fraciq).pdfSPE-184878 Improved Hydraulic Fracturing Perforation Efficiency Observed With Constant Entry Hole and Constant Penetration

Improved Tumor Penetration and Single-Cell ...tumor penetration; ref. 15). These results are consistent with tumor penetration playing a major role in efﬁcacy independent of the

An efficient and improved method for virus-induced gene ......VIGS in sorghum. Results An improved, simple and efficient method to deliver virus into sorghum BMV-based VIGS vector

Improved Alpha-Tested Magnification for Vector Textures and

PENETRATION TESTING - Perspective Risk · PDF fileA PROVIDER OF PENETRATION TESTING SERVICES? ... Invariably, penetration testing means that the penetration testers will

QUALITY REPLACEMENT TURBOCHARGER PARTS Improved … · As the global car industry faces increased scrutiny following the Volkswagen emissions scandal, there is no ... penetration

Better Together - Digital Impact Alliance · Better Together CONTENTS Acknowledgments ... literacy supported by better coverage and mobile penetration, mobile money services’ improved

Development of an improved RNA interference vector system ...journals.tubitak.gov.tr/biology/issues/biy-14-38-1/biy-38-1-5-1304-4.pdf · Development of an improved RNA interference

Improved Near Real-Time Hurricane Ocean Vector Winds Retrieval using QuikSCAT

Epitope prediction improved by multitask support vector

Construction and molecular characterisation of an improved chloroplast transformation vector

IMPROVED LEARNING OF STRUCTURAL SUPPORT VECTOR …

Penetration Testing with Improved Input Vector Identification

Framework of an Improved Distance Vector Routing Protocol ...ia-e.org/siteadmin/upload/1872IAE0215017.pdf · Framework of an Improved Distance-Vector Routing Protocol Mechanism for

formworks-plus: improved pre-processor for vector analysis software

An Improved Virtual Space Vector Modulation Scheme …download.xuebalib.com/39eXvBGNan2.pdfIEEE TRANSACTIONS ON POWER ELECTRONICS, VOL. 32, NO. 10, OCTOBER 2017 7419 An Improved Virtual

Increasing Wind Energy Penetration t hrough Improved Forecasting

IMPROVED MODELING TOOLS DEVELOPMENT FOR HIGH PENETRATION · PDF fileFINAL PROJECT REPORT ... Improved Modeling Tools Development for High Penetration Solar. ... for the GHI point sensor

Improved Fisher Vector for Large Scale Image