SecuBat: An Automated Web Vulnerability Detection Framework

Transcription

1 SecuBat: An Automated Web Vulnerability Detection Framework Stefan Kals, Engin Kirda Christopher Kruegel and Nenad Jovanovic Secure Systems Lab Vienna University of Technology Austria

2 Outline Motivation Problem Definition Typical Vulnerabilities Automated Attack & Analysis Concepts SecuBat Implementation Related Tools Prototype Results Findings & Case Study 2

3 Motivation Highly increasing number of web applications Developers lack awareness of typical vulnerabilities The Why me? belief Manual vulnerability checking causes much work Automated tool would solve the problems and raise the security level 3

4 Problem Definition Demonstrate how easy an attacker can find soft targets on the web if web vulnerabilities are not fixed Implement a crawling engine for collecting potential targets Find generic and automatically executable attack techniques for the chosen approaches (SQL Injection, Cross-Site Scripting) Find suitable analysis techniques Assemble these parts together into a pluggable vulnerability analysis and detection framework 4

5 Typical Vulnerabilities 1/2 SQL Injection Problem: No input validation before using values to query database Dynamically built SQL query: q = select * from user where mail= + mail + and pw= + pw + Enter values using SQL syntax: mail: or 1=1-- password: or 1=1-- Query has changed its semantics: q = select * from user where mail= or 1=1-- and pw= or 1=1-- Resulting query: q = select * from user 5

6 Typical Vulnerabilities 2/2 - Cross-Site Scripting Injecting HTML/Javascript by attacker displayed & executed in victim s browser Reflected vs. Stored XSS Stealing of user data (Cookies, Credentials ) Example: Redirecting login form to hacker s web server Create exploit URLs & use for authentic Phishing s 6

7 Attack & Analysis Concepts 1/4 - General Open framework for easily implementing & adding new attacks Attack & Analysis modules (Black Box) Runtime configurable Plugins Use common Crawling and Attacking APIs Store analysis results into database 7

8 Attack & Analysis Concepts 2/4 - SQL Injection 1. Attack module prepares new attack & sends it to server (e.g. single quote) 2. Server sends back a response page 3. Analysis module parses response for keywords, builds summary confidence factor q = select * from user where mail= 8

9 Attack & Analysis Concepts 3/4 - XSS Attack 1. Attack module prepares new attack & sends it to server (e.g. Javascript to show a message box) 2. Server sends back a response page 3. Analysis module parses response checking for the occurrence of the injected string (and the executability) 9

10 Attack & Analysis Concepts 4/4 Enhanced Attacks Enhanced XSS attack Uses decimal HTML encoding to bypass input filters Replaces characters, e.g.: => ' Form-Redirecting XSS scenario Checks for potential assets (stealable credentials) Uses an encoded injection string redirecting the found login form to the attacker s server Simulates a real XSS attack, does not only check input validation 10

11 SecuBat Implementation 1/2 11

12 SecuBat Implementation 2/2 Implementation Details C# Data Store: MS SQL Database Requirements MS Windows 2000, XP, 2003 MS.NET Framework 2.0 MS SQL Server 2000/2005 or MSDE/SQL Express

13 Related Tools Acunetix Web Vulnerability Scanner (commercial) + Web server technology detection + Application level attacks: Simple SQL injection, XSS - Closed source, no papers, no details to the public Nessus, Nikto - Rely on repositories of known vulnerabilities NMap, Xprobe... - Port scanners only - Network/OS level, no application level attacks 13

14 Prototype Results Evaluation Run Results (Google search for login ): crawled pages web forms 4 attack types SQL Injection: 6,63% Simple XSS: 4,30% Enhanced XSS: 5,60% Form-Red. XSS: 5,52% 14

15 Findings Critical XSS Vulnerabilities (assets) ebay (Auction access) Austrian Finance Ministry (E-Government access) Geizhals (Price management) Crit.org (Security associated content) Apple (Developer access) 15

16 A Case Study ebay.de Press %74%70%3A%2F%2F%70%72%65%73%73%65%2E%65 %62%61%79%2E%64%65%2F%26%71%75%6F%74%3B %3E... 16

17 Notifications Query recipients using WhoIs service 591 Mails sent 306 recipient unknown 48 detail inquiries after 1 week 17

18 Conclusion Increasing use of web technology needs increasing security effort Rather simple attacks (SQL Injection, XSS Attack) but many vulnerable web sites An automated detection approach can increase your site s security Implementation of an extensible (pluggable) analysis framework ( SecuBat ) First results of a prototype version show proof of concept 18

19 The End 19