NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications
Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Radoslaw Bobrowicz, V.N. Venkatakrishnan
University of Illinois at Chicago, USA
ACM CCS (Oct 2010)
A Presentation at Advanced Defense Lab
Posted Feb 23, 2016

Transcript
Outline
- Introduction
- Architecture & Challenges
- Implementation
- Evaluation
- Related Work
- Conclusion

Introduction
A novel approach for automatically detecting potential server-side parameter-tampering vulnerabilities in existing web applications.

Introduction
- Attack 1: Negative quantities, resulting in a discount.
- Attack 2: Charging another user's account. A malicious user can purchase products and charge someone else's account.
- Attack 3: Pattern validation bypass, leading to XSS and SQL injection.

Introduction: Problem Description
- Σ: the alphabet.
- I = Σ* × Σ* × ... × Σ*, the space of form inputs.
- P_server : I → {true, false}, the constraint-checking function on the server.
- P_client : I → {true, false}, the constraint-checking function on the client.
- Expected: P_server(I) = true → P_client(I) = true.
- Bug: P_server(I) = true ∧ P_client(I) = false.

Introduction: Problem Description
- F_client: a logical representation of P_client.
- F_server: a logical representation of P_server.
- Hostile inputs: h1, ..., hn such that F_client(hi) = false for each i.
- Benign inputs: b1, ..., bm such that F_client(bj) = true for each j.
- Hostile responses from the server: H1, ..., Hn.
- Benign responses from the server: B1, ..., Bm.
- The more similar a hostile response is to the benign responses, the more likely the hostile input was successful.

Architecture & Challenges: HTML/JS Analyzer
- Simulates an environment similar to a JavaScript interpreter in a browser, including the DOM (AJAX not supported).
- Executes all the initialization code for the web form concretely.

Architecture & Challenges: HTML/JS Analyzer
- Identifying JS validation code: the code that runs when a form is submitted, and each time the user enters or changes data on the form.
- Analyzing JS validation code: a mixed concrete-symbolic execution approach. Symbolic execution provides coverage of all control paths; concrete execution enables NoTamper to ignore irrelevant code.
- Resolving DOM references: constructing the pertinent portion of the DOM, and simulating the DOM functions used to modify the DOM structure.

Architecture & Challenges: Input Generator
- Avoiding spurious rejections: checking that all required variables have values of the right type (can be manually overridden).
- Generating orthogonal hostile inputs: converts F_client to disjunctive normal form (DNF).
- Coping with incomplete information: accepting hints (delta) from a human that guide the search for hostile and benign inputs.
- Addressing state changes: an optional list of variables required to have unique values.

Implementation: Client Constraint Extraction
- Collects all the event handlers (and associated scripts) and generates a single function that invokes all those event handlers.
- Simulates a small set of core methods: getElementById(), document.write(), and innerHTML.

Implementation: Hostile Input Guidance
- Initial values: numbers; hidden fields (e.g., session identifier).
- Types: inferred from the associated HTML widget, the initial value, and occurrence in arithmetic constraints.
- Required variables: found by analyzing the HTML (e.g., asterisks next to field labels, drop-down lists).
- Unique variables.

Implementation: Input Generation
- Benign inputs: converts F_client to DNF and finds one solution per disjunct (or).
- Hostile inputs: solutions to ¬F_client.
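A toy model of the input-generation step described on the slides above, written as an added example (not NoTamper's code): F_client is held in DNF, one benign input is found per disjunct, and each orthogonal hostile input violates exactly one conjunct. The candidate pool and the predicates are constructed stand-ins for what NoTamper obtains from the HAMPI solver.

```python
"""Toy model of NoTamper's input generator (added example, not the project's
code). Fclient is kept in DNF: a list of disjuncts, each a list of
(field, predicate) conjuncts over string-valued form fields. NoTamper hands
each formula to HAMPI; here a constructed candidate pool is searched."""
from itertools import product

# Constructed stand-in for solver-enumerated values.
POOL = {
    "quantity": ["-1", "0", "1", "5", "10", "99", "abc"],
    "email": ["", "not-an-email", "a@b.com"],
}

def int_in_range(lo, hi):
    def check(v):
        return v.lstrip("-").isdigit() and lo <= int(v) <= hi
    return check

def looks_like_email(v):
    return "@" in v and "." in v.rsplit("@", 1)[1]

# Fclient in DNF: a single disjunct, quantity in 1..10 AND well-formed email.
F_CLIENT = [[("quantity", int_in_range(1, 10)), ("email", looks_like_email)]]

def satisfies(assign, conjuncts, violate=None):
    """All conjuncts hold, except conjunct `violate`, which must fail."""
    for idx, (field, pred) in enumerate(conjuncts):
        if pred(assign[field]) == (idx == violate):
            return False
    return True

def solve(conjuncts, violate=None):
    """Brute-force search over the pool; returns the first fitting input."""
    fields = sorted(POOL)
    for values in product(*(POOL[f] for f in fields)):
        assign = dict(zip(fields, values))
        if satisfies(assign, conjuncts, violate):
            return assign
    return None

def benign_inputs(dnf):
    """One benign input per disjunct of Fclient."""
    return [s for s in (solve(d) for d in dnf) if s]

def hostile_inputs(dnf):
    """Orthogonal hostile inputs: each violates exactly one conjunct, so a
    tamper that succeeds points at the single missing server-side check."""
    return [(f, s) for d in dnf for i, (f, _) in enumerate(d)
            if (s := solve(d, violate=i))]
```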

Implementation: Constraint Solving
- HAMPI [13].

Implementation: HTML Response Comparison
- Compares the server's response against a response that is known to have been generated by benign (valid) inputs.
- Edit distance: Ratcliff/Obershelp algorithm.
- Remove the noise between B1 and B2 and produce C1.
- Remove the noise between B1 and Hi and produce C2.
- Compare C1 and C2; the result is a difference rank.

Implementation
- HTML analysis: built on top of the APIs provided by the HTML Parser.
- JavaScript analysis: a modified Narcissus JavaScript engine-based symbolic evaluator.
- Input Generator: HAMPI.
- Opportunity Detector: a Java-based module that relays HTTP requests to the test server.
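The response-comparison step, as an added example (not NoTamper's code): two benign responses are diffed to find noise such as session ids and timestamps, the noise is stripped from B1 and from a hostile response Hi, and the cleaned pages are scored with Python's difflib.SequenceMatcher, an implementation of the Ratcliff/Obershelp similarity named on the slide. The sample responses are constructed; the line-level alignment used for noise removal is an assumption of this model.

```python
"""Model of NoTamper's opportunity detector (added example, not the project's
code). B1 and B2 are diffed to locate noise (session ids, timestamps); that
noise is stripped from B1 and from a hostile response Hi, and the cleaned
pages are compared with difflib.SequenceMatcher (Ratcliff/Obershelp)."""
from difflib import SequenceMatcher

def noise_positions(b1, b2):
    """Line indexes of b1 that have no equal counterpart in b2."""
    noisy = set()
    for tag, i1, i2, _, _ in SequenceMatcher(None, b1, b2).get_opcodes():
        if tag != "equal":
            noisy.update(range(i1, i2))
    return noisy

def strip_noise(b1, other, noisy):
    """Drop the lines of `other` that align with noisy lines of b1."""
    kept = []
    for _, i1, i2, j1, j2 in SequenceMatcher(None, b1, other).get_opcodes():
        for k in range(j2 - j1):
            if not (i1 + k < i2 and i1 + k in noisy):
                kept.append(other[j1 + k])
    return kept

def difference_rank(b1, b2, hostile):
    """0.0 means the hostile response equals a benign one once noise is gone;
    a low rank marks a likely parameter tampering opportunity."""
    noisy = noise_positions(b1, b2)
    c1 = "\n".join(strip_noise(b1, b1, noisy))
    c2 = "\n".join(strip_noise(b1, hostile, noisy))
    return round(1.0 - SequenceMatcher(None, c1, c2).ratio(), 3)

# Constructed sample responses, one list element per HTML line.
B1 = ["<html>", "Session: 8f3a", "Order placed for user alice",
      "Quantity: 5", "Total: $50", "Generated 10:01:02", "</html>"]
B2 = ["<html>", "Session: 1c9e", "Order placed for user alice",
      "Quantity: 5", "Total: $50", "Generated 10:01:07", "</html>"]
H_ACCEPTED = ["<html>", "Session: 77d0", "Order placed for user alice",
              "Quantity: -1", "Total: $-10", "Generated 10:02:30", "</html>"]
H_REJECTED = ["<html>", "Session: 9b21", "Error: invalid quantity",
              "Generated 10:02:31", "</html>"]

if __name__ == "__main__":
    for name, h in [("accepted", H_ACCEPTED), ("rejected", H_REJECTED)]:
        print(name, difference_rank(B1, B2, h))
```

A server that silently accepted the negative quantity yields a rank near zero, while the error page ranks far from the benign responses.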

Evaluation
- Selected 8 open source applications and 5 live websites (http://opensourcescripts.com).
- Test setup: Linux Apache web server (2.8 GHz Dual Intel Xeon, 6.0 GB RAM); NoTamper on Ubuntu 9.10 (2.45 GHz Quad Intel, 2.0 GB RAM).

Evaluation
- Unauthorized money transfers: www.selfreliance.com.
- Unlimited shopping rebates: www.codemicro.com (fixed within 24 hours).
- Privilege escalation: OpenIT, by manipulating the userid parameter.

Evaluation: False Positives
- Pertaining to maxlength constraints on form inputs that could not be exploited to any serious vulnerability.
- Inputs rewritten by the server without any observable difference in HTML output.

Evaluation: Performance
- Input Generator: solved 315 formulas in a total of 219 seconds, an average of 0.7 seconds per input.
- HTML / JavaScript analysis: runs in under a second.
- Opportunity Detector: runs in sub-second time for each application.

Related Work
- NoTamper's goals focus on discovering vulnerabilities in existing (legacy) applications.

Conclusion
NoTamper's results highlight a significant gap between the server-side parameter validation that should occur and the server-side validation that does occur in today's web applications.