Using Web Security Scanners to Detect Vulnerabilities in Web Services

Transcription

1 DSN 2009 Using Web Security Scanners to Detect Vulnerabilities in Web Services Marco Vieira,, Henrique Madeira {mvieira, nmsa, CISUC Department of Informatics Engineering University of Coimbra

2 Outline Contextualization Research Goals Methodology Results Conclusions and Future Work 2

3 Contextualization Web services are increasingly becoming a strategic component in a wide range of organizations Web services are so exposed that any existing vulnerability will most probably be uncovered/exploited Both providers and consumers need to assess services security 3

4 Web Services 4

5 Web Services Security Security threats Hackers are moving their focus to applications code Traditional security mechanisms (Firewall, IDS, encryption) cannot mitigate these attacks Vulnerabilities like SQL Injection and XPath Injection are particularly relevant Developers must Apply best coding practices Security testing! 5

6 Vulnerability Examples public String auth(string login, String pass) throw SQLException { String sql = "SELECT * FROM users WHERE "+ "username='" + login + "' AND "+ "password='" + pass + "'"; ' OR 1=1 -- "SELECT ResultSet * FROM rs = users statement.executequery(sql); WHERE username='' OR 1=1 -- ' AND ( ) password='' ; } public void delete(string str) throw SQLException{ String sql = "DELETE FROM table ' OR ''=' "WHERE id='" + str + "'"; statement.executeupdate(sql); } "DELETE FROM table WHERE id='' OR '' = ''"; 6

7 Software Testing techniques White-box testing: The analysis of the application s code Black-box testing: The analysis of application s execution searching for vulnerabilities Known as penetration testing Gray-box testing: Approaches that combine black box and white box 7

8 Web Security Scanners Easy and widely-used way to test applications searching vulnerabilities Use fuzzing techniques to attack applications Perform thousands of tests in an automated way What is the effectiveness of these tools? Can programmers rely on these tools? 8

9 Research Goals Study the effectiveness of the scanners Identify common types of vulnerabilities In the context of web service environments 9

10 Methodology Apply leading commercial scanners in public web services 300 Web Services tested Randomly selected 4 Scanners used (including two different versions of a brand) 10

11 Experimental Study Preparation Select services and scanners Execution Test the services using the scanners Verification Identify false positives Analysis Analysis and systematization of results 11

12 Scanners 12

13 Vulnerabilities Found SQL injection XPath Injection Code Execution Possible Parameter Based Buffer Overflow Possible Username or Password Disclosure Possible Server Path Disclosure 13

14 Overall results analysis Vulnerability Types VS1.1 VS1.2 VS2 VS3 # Vuln. # WS # Vuln. # WS # Vuln. # WS # Vuln. # WS SQL Injection XPath Injection Code Execution Possible Parameter Based Buffer Overflow Possible Username or Password Disclosure Possible Server Path Disclosure Total

15 SQL Injection 225 VS1.2 15

16 SQL Injection VS VS

17 SQL Injection VS VS VS3 17

18 SQL Injection VS VS VS VS3 18

19 SQL Injection VS VS2? VS VS3 19

20 False Positives examination False positive when the error/answer obtained is related to an application robustness problem. the same problem occurs when the service is executed with valid inputs Confirmed Vulnerabilities when is possible to observe that a SQL command was invalidated by the injected values the injected values lead to exceptions raised by the database server is possible to access unauthorized resources 20

21 False Positives results % 6,5% % 11,6% False Positives Doubtful Confirmed Vulnerabilities % 25,7% VS1.1 VS1.2 VS2 VS3 14% 21

22 SQL Injection without False Positives 142 VS1.2 22

23 SQL Injection without False Positives VS VS

24 SQL Injection without False Positives VS VS3 VS

25 SQL Injection without False Positives VS VS VS3 VS

26 SQL Injection without False Positives VS VS2? VS3 VS

27 Coverage analysis Real number of vulnerabilities unavailable It is possible to make a comparative analysis Overestimated Coverage values!! Scanner # SQL Injection Vulnerabilities Coverage % VS % VS % VS % VS % Total % 27

28 Common Vulnerabilities SQL Injection (149) Possible Server Path Disclosure (16) XPath Injection (10) Code Execution (1) 149 Possible Parameter Based Buffer Overflow (1) 28

29 Conclusions A large number of vulnerabilities was observed SQL Injection vulnerabilities are prevalent Selecting a scanner for web services is a very difficult task Different scanners detect different types of vulnerabilities High false positives rates Low coverage rates Can we do better? 29

30 Preliminary work Develop a new approach for vulnerabilities detection Detect SQL Injection and XPath Injection vulnerabilities effectively Generate workload and attackload Analyze responses Analyze vulnerabilities to avoid False positives 30

31 Preliminary Work Results False Positives Doubtful Confirmed VS1.1 VS1.2 VS2 VS3 VS.WS 31

32 Innovations introduced Generation of a more complete workload: A better knowledge of service s behavior A complete attackload All attacks used by scanners and other present in bibliography Better analysis of service s responses: Compare with valid requests Robustness testing applied 32

33 Questions? 33