NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications
Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Radoslaw Bobrowicz, V.N. Venkatakrishnan
University of Illinois at Chicago, USA
ACM CCS (Oct, 2010)
A Presentation at Advanced Defense Lab
Slide 2
Outline
- Introduction
- Architecture & Challenges
- Implementation
- Evaluation
- Related Work
- Conclusion
Slide 3
Introduction
A novel approach for automatically detecting potential server-side parameter-tampering vulnerabilities in existing web applications.
Slide 5
Introduction
- Attack 1: Negative quantities, resulting in a discount.
- Attack 2: Charging another user's account. A malicious user can purchase products and charge someone else's account.
- Attack 3: Pattern validation bypass, leading to XSS and SQL injection.
Slide 6
Introduction: Problem Description
- Alphabet: the set of symbols from which input strings are drawn.
- I: the input space, a product of copies of the Kleene star of the alphabet (tuples of strings, one per parameter).
- A constraint-checking function maps I -> { true, false }.
- Pserver: constraint-checking function on the server.
- Pclient: constraint-checking function on the client.
- Expected: Pserver(I) = true -> Pclient(I) = true
- Pserver(I) = true ^ Pclient(I) = false (BUG)
Slide 7
Introduction: Problem Description
- Fclient: a logical representation of Pclient.
- Fserver: a logical representation of Pserver.
- Hostile inputs h1, ..., hn such that Fclient(hi) = false for each i.
- Benign inputs b1, ..., bm such that Fclient(bj) = true for each j.
- Hostile responses from the server: H1, ..., Hn.
- Benign responses from the server: B1, ..., Bm.
- The more similar a hostile response is to the benign responses, the more likely the hostile input was successful.
Slide 11
ARCHITECTURE & CHALLENGES: HTML/JS Analyzer
- Simulates an environment similar to a JavaScript interpreter in a browser, including the DOM (AJAX not supported).
- Executes all the initialization code for the web form concretely.
Slide 12
ARCHITECTURE & CHALLENGES: HTML/JS Analyzer
- Identifying JS validation code: run when a form is submitted, and each time the user enters or changes data on the form.
- Analyzing JS validation code: employing a mixed concrete-symbolic execution approach. Symbolic execution provides coverage of all control paths; concrete execution enables NoTamper to ignore irrelevant code.
- Resolving DOM references: constructing the pertinent portion of the DOM, and simulating DOM functions that are used to modify the DOM structure.
Slide 13
ARCHITECTURE & CHALLENGES: Input Generator
- Avoiding spurious rejections: checking that all required variables have values of the right type (manually overridden).
- Generating orthogonal hostile inputs: converts Fclient to disjunctive normal form (DNF).
- Coping with incomplete information: accepting hints (delta) from a human that guide the search for hostile and benign inputs.
- Addressing state changes: providing an optional list of variables required to have unique values.
Slide 15
Implementation
Slide 16
IMPLEMENTATION: Client Constraint Extraction
- Collects all the event handlers (and associated scripts) and generates a single function that invokes all those event handlers.
- Simulates a small set of core methods: getElementById(), document.write(), innerHTML.
IMPLEMENTATION: Hostile Input Guidance
- Initial values: numbers, hidden fields (session identifier).
- Types: the HTML widget associated with ( ), initial value, occurrence in arithmetic constraints.
- Required variables: analyzing the HTML (e.g., asterisks next to field labels), drop-down list.
- Unique variables.
Slide 19
IMPLEMENTATION: Input Generation
- Benign inputs: converts Fclient to DNF and finds one solution per disjunct (or).
- Hostile inputs: !Fclient.
Slide 20
IMPLEMENTATION: Constraint Solving
HAMPI [13]
IMPLEMENTATION: HTML Response Comparison
- Compares the server's response against a response that is known to have been generated by benign (valid) inputs.
- Edit distance: Ratcliff/Obershelp algorithm.
- Remove the noise in B1 and B2 and produce C1.
- Remove the noise in B1 and Hi and produce C2.
- Compare C1 and C2 to produce a difference rank.
Slide 23
IMPLEMENTATION
- HTML analysis: on top of the APIs provided by the HTML Parser.
- JavaScript analysis: using a modified Narcissus JavaScript engine-based symbolic evaluator.
- Input Generator: HAMPI.
- Opportunity Detector: Java-based module that relays HTTP requests to the test server.
Slide 25
Evaluation
- Selected 8 open source applications (from http://opensourcescripts.com) and 5 live websites.
- Test server: Linux Apache web server (2.8 GHz Dual Intel Xeon, 6.0 GB RAM).
- NoTamper host: Ubuntu 9.10 (2.45 GHz Quad Intel, 2.0 GB RAM).
Slide 28
Evaluation
- Unauthorized money transfers: www.selfreliance.com.
- Unlimited shopping rebates: www.codemicro.com (fixed within 24 hours).
- Privilege escalation: OpenIT, by manipulating the userid parameter.
Slide 29
Evaluation: False Positives
- Pertaining to the maxlength constraints on form inputs that couldn't be exploited for any serious vulnerability.
- Rewritten by the server without any observable difference in HTML output.
Slide 32
Evaluation: Performance
- Input Generator: solved 315 formulas in a total of 219 seconds, giving an average time of 0.7 seconds per input.
- HTML / JavaScript analysis: runs in under a second.
- Opportunity Detector: runs in sub-second time for each application.
Slide 34
Related Work
NoTamper's goals focus on discovering vulnerabilities in existing (legacy) applications.
Slide 36
Conclusion
NoTamper's results highlight a significant gap between the server-side parameter validation that should occur and the server-side validation that does occur in today's web applications.