automatic creation of sql injection and cross-site scripting attacks 2nd-order xss attacks 1st-order...
TRANSCRIPT
![Page 1: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/1.jpg)
Automatic Creation of SQL Injection and
Cross-Site Scripting Attacks
2nd-order XSS attacks
1st-order XSS attacks
SQLI attacks
Adam Kiezun, Philip J. Guo, Karthick Jayaraman, Michael D. Ernst
International Conference on Software EngineeringMay 20, 2009
PHPSourceCode
![Page 2: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/2.jpg)
Overview
Problem: Finding security vulnerabilities (SQLI and
XSS) in Web applications
Approach:1. Automatically generate inputs2. Dynamically track taint3. Mutate inputs to produce exploits
Results:60 unique new vulnerabilities in 5 PHP applications,
first to create 2nd-order XSS, no false positives
![Page 3: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/3.jpg)
PHP Web applications
Web browserPHP on
webserver
Database
PHP application
$_GET[]
$_POST[]
http://www.example.com/register.php?name=Bob&age=25
<HTML>…
<script>…
URL
HTMLData
SQL
![Page 4: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/4.jpg)
Example: Message board (add mode)if ($_GET['mode'] == "add") addMessageForTopic();else if ($_GET[‘mode’] ==
“display”)
displayAllMessagesForTopic();
else die(“Error: invalid mode”);
function addMessageForTopic() { $my_msg = $_GET['msg']; $my_topicID = $_GET['topicID']; $my_poster = $_GET['poster'];
$sqlstmt = ” INSERT INTO messages VALUES('$my_msg’ , '$my_topicID') ";
$result = mysql_query($sqlstmt); echo "Thanks for posting,
$my_poster";}
$_GET[]: mode = “add” msg = “hi there” topicID = 42 poster = “Bob”
Thanks for posting, Bob
![Page 5: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/5.jpg)
Example: Message board (display mode)if ($_GET['mode'] == "add") addMessageForTopic();else if ($_GET[‘mode’] ==
“display”)
displayAllMessagesForTopic();
else die(“Error: invalid mode”);
function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM
messages WHERE topicID='$my_topicID’ ";
$result = mysql_query($sqlstmt);
while($row = mysql_fetch_assoc($result)) {
echo "Message: " . $row['msg'];}}
$_GET[]: mode = “display” topicID = 42
Message: hi there
![Page 6: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/6.jpg)
SQL injection attack
function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM
messages WHERE topicID='$my_topicID’ ";
$result = mysql_query($sqlstmt);
while($row = mysql_fetch_assoc($result)) {
echo "Message: " . $row['msg'];}}
$_GET[]: mode = “display” topicID = 1' OR '1'='1
SELECT msg FROM messages WHERE topicID='1' OR '1'='1'
if ($_GET['mode'] == "add") addMessageForTopic();else if ($_GET[‘mode’] ==
“display”)
displayAllMessagesForTopic();
else die(“Error: invalid mode”);
![Page 7: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/7.jpg)
First-order XSS attackif ($_GET['mode'] == "add") addMessageForTopic();
$_GET[]: mode = “add” msg = “hi there” topicID = 42 poster = MALICIOUS
function addMessageForTopic() { $my_poster = $_GET['poster']; […] echo "Thanks for posting,
$my_poster";}
Example MALICIOUS input:“uh oh<script>alert(‘XSS’)</script>”
Thanks for posting, uh oh
![Page 8: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/8.jpg)
Second-order XSS attack
addMessageForTopic()
PHP application
Database
Attacker’s input
Example MALICIOUS input:“uh oh<script>alert(‘XSS’)</script>”
$_GET[]: mode = “add” msg = MALICIOUS topicID = 42 poster = “Villain”
![Page 9: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/9.jpg)
Second-order XSS attack
addMessageForTopic()
PHP application
Database
Attacker’s input
Victim’s input
$_GET[]: mode = “display” topicID = 42
displayAllMessagesForTopic()
Message: uh oh
echo()
Example MALICIOUS input:“uh oh<script>alert(‘XSS’)</script>”
$_GET[]: mode = “add” msg = MALICIOUS topicID = 42 poster = “Villain”
![Page 10: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/10.jpg)
Architecture
InputGenerator
Attack Generator/Chec
ker
inputs
taint sets
Concrete + Symbolic Database
Malicious inputs
Ardilla
Taint Propagator
PHPSourceCode
![Page 11: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/11.jpg)
Input generationInput
Generator
inputs
Goal: Create a set of concrete inputs (_$GET[] & _$POST[])
We use Apollo generator (Artzi et al. ’08), based on concolic execution
PHPSourceCode
![Page 12: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/12.jpg)
Input generation: concolic execution
InputGenerato
r
$_GET[]: mode = “add” msg = “1” topicID = 1 poster = “1”
$_GET[]: mode = “1” msg = “1” topicID = 1 poster = “1”
$_GET[]: mode = “display” msg = “1” topicID = 1 poster = “1”
if ($_GET['mode'] == "add") addMessageForTopic();else if ($_GET[‘mode’] ==
“display”) displayAllMessagesForTopic();else die(“Error: invalid mode”);
PHPSourceCode
inputs
![Page 13: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/13.jpg)
Example: SQL injection attack
1. Generate inputs until program reaches an SQL statement
SELECT msg FROM messages WHERE topicID='$my_topicID‘
$_GET[]: mode = “display” msg = “1” topicID = 1 poster = “1”
function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM messages
WHERE topicID='$my_topicID’ "; $result = mysql_query($sqlstmt);
![Page 14: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/14.jpg)
Taint propagation
Concrete + Symbolic Database
inputsGoal: Determine which input variables affect each potentially dangerous value
Sensitive sinks: mysql_query(), echo(), print()
Technique: Execute and track data-flow from input variables to sensitive sinks
inputs
PHPSourceCode
taint sets
Taint Propagat
or
![Page 15: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/15.jpg)
Taint propagation: data-flow
Taint Propagat
or
Concrete + Symbolic Database
taint sets
inputsEach value has a taint set, which contains input variables whose values flow into it
inputs
function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM messages
WHERE topicID='$my_topicID’ "; $result = mysql_query($sqlstmt); /*
{‘topicID’} */
Taint propagation• Assignments: $my_poster = $_GET[“poster”]• String concatenation: $full_n = $first_n . $last_n• PHP built-in functions: $z = foo($x, $y)• Database operations (for 2nd-order XSS)
PHPSourceCode
Taint setSensitive sink
![Page 16: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/16.jpg)
Example: SQL injection attack
1. Generate inputs until program reaches an SQL statement
SELECT msg FROM messages WHERE topicID='$my_topicID‘
2. Collect taint sets for values in sensitive sinks: { ’topicID’ }
function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM messages
WHERE topicID='$my_topicID’ "; $result = mysql_query($sqlstmt); /*
{‘topicID’} */
Taint setSensitive sink
![Page 17: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/17.jpg)
Attack generation and checking
Attack Generator/Checker
Malicious inputs
taint setsGoal: Generate attacks for each sensitive sink
Technique: Mutate inputs into candidate attacks• Replace tainted input variables with shady strings
developed by security professionals:• e.g., “1’ or ‘1’=‘1”, “<script>code</script>”
PHPSourceCode
Alternative: String constraint solver (Kiezun et al. ’09)
inputs
![Page 18: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/18.jpg)
Attack generation and checking
Given a program, an input i, and taint sets
Attack Generator/Checker
Malicious inputs
taint setsinputs
if mutated_res DIFFERS FROM res: report mutated_input as attack
for each var that reaches any sensitive sink: res = exec(program, i) for shady in shady_strings: mutated_input = i.replace(var, shady) mutated_res = exec(program, mutated_input)
PHPSourceCode
Attack generation
Attack checking
![Page 19: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/19.jpg)
Attack generation: mutating inputs
$_GET[]: mode = “display” topicID = 1
$_GET[]: mode = “display” topicID = 1' OR '1'='1
res = exec(program, i)for shady in shady_strings: mutated_input = i.replace(var, shady) mutated_res = exec(program, mutated_input) if mutated_res DIFFERS FROM res: report mutated_input as attack
![Page 20: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/20.jpg)
Example: SQL injection attack
1. Generate inputs until program reaches an SQL statement
SELECT msg FROM messages WHERE topicID='$my_topicID‘
2. Collect taint sets for values in sensitive sinks: { ’topicID’ }
3. Generate attack candidate by picking a shady string
$_GET[]: mode = “display” topicID = 1
$_GET[]: mode = “display” topicID = 1' OR '1'='1
![Page 21: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/21.jpg)
Attack checking: diffing outputs
res = exec(program, i)for shady in shady_strings: mutated_input = i.replace(var, shady) mutated_res = exec(program, mutated_input) if mutated_res DIFFERS FROM res: report mutated_input as attack
What is a significant difference?• For SQLI: compare SQL parse tree structure• For XSS: compare HTML for additional script-inducing elements (<script></script>)
Avoids false positives from input sanitizing and filtering
![Page 22: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/22.jpg)
Example: SQL injection attack
1. Generate inputs until program reaches an SQL statement
SELECT msg FROM messages WHERE topicID='$my_topicID‘
2. Collect taint sets for values in sensitive sinks: { ’topicID’ }
3. Generate attack candidate by picking a shady string
4. Check by mutating input and comparing SQL parse trees: innocuous: SELECT msg FROM messages WHERE topicID=‘1’
mutated: SELECT msg FROM messages WHERE topicID=‘1’ OR ‘1’=‘1’
5. Report an attack since SQL parse tree structure differs
![Page 23: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/23.jpg)
Experimental results
Vulnerability Kind
Sensitive sinks
Reached sensitive sinks
Unique attacks
SQLI 366 91 231st-order XSS 274 97 292nd-order XSS 274 66 8
Total: 60
Name Type LOC SourceForge Downloads
SchoolMate School administration 8,181 6,765
WebChess Online chess 4,722 38,457
FaqForge Document creator 1,712 15,355
EVE activity tracker Game player tracker 915 1,143
geccBBlite Bulletin board 326 366
Main limitation: input generator
![Page 24: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/24.jpg)
Comparison with previous workDefensive coding:
+ : can completely solve problem if done properly- : must re-write existing code
Static analysis:
+ : can potentially prove absence of errors- : false positives, does not produce concrete attacks
Dynamic monitoring:
+ : can prevent all attacks- : runtime overhead, false positives affect app. behavior
Random fuzzing:
+ : easy to use, produces concrete attacks- : creates mostly invalid inputs
![Page 25: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,](https://reader030.vdocuments.site/reader030/viewer/2022033100/56649db05503460f94a9f0d7/html5/thumbnails/25.jpg)
Automatic Creation of SQL Injection and Cross-Site Scripting Attacks• Contributions
– Automatically create SQLI and XSS attacks– First technique for 2nd-order XSS
• Technique– Dynamically track taint through both program
and database– Input mutation and output comparison
• Implementation and evaluation– Found 60 new vulnerabilities, no false positives