Enemy of the State: A State-Aware Black-Box Web ... · Web App Scanner Code % True Vuln Unique Vuln PhpBB v2 state 38.34 3 1 PhpBB v2 w3af 1.04 1 0 PhpBB v2 skipfish 5.10 2 0 SCARF

Enemy of the State: A State-Aware Black-Box Web

Vulnerability Scanner

Adam Doupé, Ludovico Cavedon, Christopher Kruegel, and Giovanni Vigna

University of California, Santa Barbara

USENIX 2012 – 8/10/12

Web Applications Have Bugs

Doupé - 8/10/12

White-Box

Doupé - 8/10/12

Black-Box

Doupé - 8/10/12

Commercial Tools

Doupé - 8/10/12

Black-Box Vulnerability Scanners Crawling

Doupé - 8/10/12

GET /index.php

Black-Box Vulnerability Scanners Crawling

Doupé - 8/10/12

GET /view.php?id=1

Black-Box Vulnerability Scanners Fuzzing

Doupé - 8/10/12

GET /view.php?id= <script>alert(1)</script>

The Shotgun Approach

Doupé - 8/10/12


The Shotgun Approach

Doupé - 8/10/12


What if this request changed the state of the application? Logged the user out?

Simple Web Application

Doupé - 8/10/12

view.php

index.php login.php

view.php

Must access login.php before view.php

Internal State Graph

Doupé - 8/10/12

state_1

index.php / A

state_0 login.php / B

index.php / C

view.php / D

Mealy Machine

Doupé - 8/10/12

state_1

index.php / A

state_0 login.php / B

index.php / C

view.php / D

Must fuzz in different states

Inferring the State

Doupé - 8/10/12

index.php

A

login.php

B

index.php

C

view.php

D

Inferring the State

Doupé - 8/10/12

index.php

A

login.php

B

index.php

C

view.php

D

Made identical request and got

different response. State has changed!

Necessary Steps to Inferring the State

•  Cluster similar pages (using links) – Links changing means what a user can do to

the application has changed •  Determine state-changing request

– Which request in the list changed the state? •  Collapse similar states

– How to know if, when we detect a state change, we return to a previous state?

Doupé - 8/10/12

Cluster Similar Pages

Doupé - 8/10/12


Doupé - 8/10/12

<a, index.php, home> <a, profile.php, id=1> <form, POST, logout.php>



<a, index.php, home> <form, POST, add.php> <a, review.php, check>


Doupé - 8/10/12




<a, index.php, home> <form, POST, add.php> <a, review.php, check>

Determine State-Changing Request

Request Response GET index.php A GET blah.php B POST login.php C GET account.php D GET index.php E

Doupé - 8/10/12

Use a heuristic that favors new requests over old requests,

POST requests over GET requests, and

requests that always change the state over

those that never change the state.

Collapse Similar States

•  Graph coloring – States as nodes

– Edge between two states when they cannot be the same

– Greedy coloring algorithm

Doupé - 8/10/12


Doupé - 8/10/12

state_0

state_4

state_1

state_2

state_3


Doupé - 8/10/12

logged out

state_4

state_1

state_2

state_3


Doupé - 8/10/12

logged out

state_4

logged in

state_2

state_3


Doupé - 8/10/12

logged out

state_4

logged in

logged out

state_3


Doupé - 8/10/12

logged out

state_4

logged in

logged out

logged in


Doupé - 8/10/12

logged out

logged out

logged in

logged out

logged in


Doupé - 8/10/12

logged out logged in

State-Aware Fuzzing def fuzz_state_changing( fuzz_request ): make_request( fuzz_request ) if state_has_changed(): if state_is_reversible(): make_requests_to_revert_state() if not back_in_previous_state(): reset_and_put_in_previous_state() else: reset_and_put_in_previous_state() Doupé - 8/10/12

Evaluation—Scanners

•  skipfish •  w3af •  state-aware-crawler •  wget

Doupé - 8/10/12

Evaluation—Applications Web Application Lines of Code Gallery 26,622 PhpBB v2 16,034 PhpBB v3 110,186 SCARF 798 Vanilla Forums 43,880 WackoPicko v2 900 WordPress v2 17,995 WordPress v3 71,698

Doupé - 8/10/12

Code Coverage Results

Doupé - 8/10/12

16.2%

241.9%

14.5% 15.8%

101.2%

12.5% 11.0%

194.8%

-18.3% -50%

0%

50%

100%

150%

200%

250%

300%

Gallery

WackoPicko v2 WordPress v2

Perc

enta

ge C

ode

Cov

erag

e Im

prov

emen

t ove

r wge

t

Selected Applications

state-aware-scanner

w3af

skipfish

Code Coverage Results

Doupé - 8/10/12

16.2%

241.9%

14.5% 15.8%

101.2%

12.5% 11.0%

194.8%

-18.3% -50%

0%

50%

100%

150%

200%

250%

300%

Gallery

WackoPicko v2 WordPress v2

Perc

enta

ge C

ode

Cov

erag

e Im

prov

emen

t ove

r wge

t

Selected Applications

state-aware-scanner

w3af

skipfish

Web App Scanner Code % True Vuln

Unique Vuln

PhpBB v2 state 38.34 3 1 PhpBB v2 w3af 1.04 1 0 PhpBB v2 skipfish 5.10 2 0 SCARF state 67.03 1 1 SCARF w3af 55.66 0 0 SCARF skipfish 21.55 0 0 Vanilla state 30.89 0 0 Vanilla w3af 1.06 0 0 Vanilla skipfish -2.32 15 2 WackoPicko state 241.86 5 1 WackoPicko w3af 101.15 5 1 WackoPicko skipfish 194.77 3 1

Doupé - 8/10/12

385

397

POST /cart/action.php?action=purchase

400

GET /users/logout.php

200

231


261

POST /comments/add_comment.php

970

GET /cart/action.php?action=add&picid=7GET /cart/action.php?action=add&picid=8GET /cart/action.php?action=add&picid=9

GET /cart/action.php?action=add&picid=14GET /cart/action.php?action=add&picid=15

1055

894


1240



1157




899


290

GET /cart/action.php?action=add&picid=7GET /cart/action.php?action=add&picid=8GET /cart/action.php?action=add&picid=9GET /cart/action.php?action=add&picid=14GET /cart/action.php?action=add&picid=15

325


POST /cart/action.php?action=delete

417


350

POST /users/login.phpPOST /users/register.php

169

POST /comments/add_comment.php POST /cart/action.php?action=purchase




904


794

813



147


780






1641


1248


1328


1256


543


549




424




1536




857


879



884


1615


1389




889



874


1756




1669



1725






0

91

POST /passcheck.php

93


523

471

POST /passcheck.php



726

POST /passcheck.php

POST /users/login.phpPOST /users/register.php POST /passcheck.php



POST /passcheck.php






907

GET /users/logout.phpPOST /users/login.phpPOST /users/register.php








1735




1769



1782




Doupé - 8/10/12

385

397


400


200

231


261


970



1055

894


1240



1157




899


290


325



417


350


169

POST /comments/add_comment.php POST /cart/action.php?action=purchase




904


794

813



147


780






1641


1248


1328


1256


543


549




424




1536




857


879



884


1615


1389




889



874


1756




1669



1725






0

91

POST /passcheck.php

93


523

471

POST /passcheck.php



726

POST /passcheck.php

POST /users/login.phpPOST /users/register.php POST /passcheck.php



POST /passcheck.php






907

GET /users/logout.phpPOST /users/login.phpPOST /users/register.php








1735




1769



1782




Doupé - 8/10/12

ENEMY OF THE STATE: A STATE-AWARE BLACK-BOX WEB VULNERABILITY SCANNER

Adam Doupé Email: [email protected] Twitter: @adamdoupe

Doupé - 8/10/12

Documents

Enemy of the State: A State-Aware Black-Box Web ... · Web App Scanner Code % True Vuln Unique Vuln PhpBB v2 state 38.34 3 1 PhpBB v2 w3af 1.04 1 0 PhpBB v2 skipfish 5.10 2 0 SCARF