Protecting Database Centric Web Services against SQL/XPath Injection Attacks

Transcription

1 Protecting Database Centric Web Services against SQL/XPath Injection Attacks Nuno Laranjeiro, Marco Vieira, and Henrique Madeira CISUC, Department of Informatics Engineering University of Coimbra, Portugal {cnl, mvieira, Internal Report, 2009!

2 Protecting Database Centric Web Services against SQL/XPath Injection Attacks Nuno Laranjeiro, Marco Vieira, and Henrique Madeira CISUC, Department of Informatics Engineering University of Coimbra, Portugal {cnl, mvieira, Abstract. Web services represent a powerful interface for back end database systems and are increasingly being used in business critical applications. However, field studies show that a large number of web services are deployed with security flaws (e.g., having SQL Injection vulnerabilities). Although several techniques for the identification of security vulnerabilities have been proposed, developing non vulnerable web services is still a difficult task. In fact, securityrelated concerns are hard to apply as they involve adding complexity to already complex code. This paper proposes an approach to secure web services against SQL and XPath Injection attacks, by transparently detecting and aborting service invocations that try to take advantage of potential vulnerabilities. Our mechanism was applied to secure several web services specified by the TPC App benchmark, showing to be 100% effective in stopping attacks, non intrusive and very easy to use. Keywords: Web services, vulnerabilities, security attacks, SQL Injection, XPath Injection, code instrumentation. 1 Introduction Web services are now widely used to support many businesses, linking suppliers and clients in sectors such as banking and financial services, transportation, or automotive manufacturing, among others. Web services are self describing components that can be used by other software across the web in a platform independent manner, and are supported by standard protocols such as SOAP (Simple Object Access Protocol), WSDL (Web Services Description Language) and UDDI (Universal Description, Discovery, and Integration) [6]. In a service based environment, providers offer a set of services that frequently access a back end database and can be explored and used by service consumers. The web service technology provides a clear service interface for consumers, and this is frequently used to enable the aggregation of services in compositions. These compositions, frequently designated as business processes, are essentially a collection of services working together towards an objective [8]. The composition workflow (i.e., the sequencing and coordination of calls to component services) obviously introduces a degree of dependency between services, where a security failure in a component may compromise the whole composition.

3 A recent McKinsey report indicates web services and SOA as one of the most important trends in modern software development [20]. However, the wide use and exposure of web services results in any existing security vulnerability being most probably uncovered and exploited by hackers. In fact, command injection attacks (e.g., SQL or XPath injection) are frequent types of attacks in the web environment [24]. These attacks take advantage of improperly coded applications to change queries sent to a database, enabling, for instance, access to critical data. Vulnerabilities allowing SQL Injection and XPath injection attacks are particularly relevant in web services [30], as their exposure is high and they frequently use a data persistence solution [29] based either in a traditional relational database or in a XML database. Currently major database vendors and several open source efforts provide XML databases (e.g., Oracle XML DB, SQL Server 2008, Apache Xindice, etc.) and typically, the access to this type of databases uses XPath expressions. While the goal of XPath Injection is to maliciously explore any existing vulnerabilities in XPath expressions used by an application (for instance to access an XML database), SQL Injection tries to change the SQL statements in a similar manner [24]. Different techniques for the identification of security vulnerabilities have been proposed in the past [24], namely: Static vulnerability scanning: consists in analyzing the source code of the application looking for potential vulnerabilities. It is a white box approach that can be done manually or by using automated code analysis. Penetration testing: widely used technique that tries to disclose security vulnerabilities in web applications (including web services). The testing tool stresses the application from the point of view of the attacker ( black box approach) and tries to penetrate it by issuing a huge amount of interactions. Although web services are increasingly being used in complex business critical systems, current development support tools do not provide practical ways to protect applications against security attacks. In this paper, we present a phased approach that is able to: 1) learn the profile of regular client requests by transforming requests into invariant statements; 2) protect web service applications from SQL/XPath injection attacks by matching incoming requests with the valid set of codes previously learned. Note that this work focuses on source code vulnerabilities and not any specific security mechanisms, such as authentication and data encryption. In summary, our approach consists of the following major phases: Service assessment: An optional phase that characterizes the web service code in terms of security vulnerabilities. Penetration testing and static code analysis are used to identify any existing security vulnerabilities (e.g., web services code prone to SQL/XPath Injection); Statement learning: Consists of learning the profile of valid, non malicious data access statements. We provide automatable workload generation approach to create a set of invocations able to exercise the web service code, reaching as much data access statements as possible, and enriching the set of invariant statements learned by our framework; Service protection: The generation of a protective service wrapper that uses the outcome of the learning phase (a set of valid statements) to prevent the success of SQL/XPath injection attacks. All incoming requests are hashed 2

4 domains. As expected, no problem was identified, providing a strong indicator that our framework did not change the application s normal behavior. Additionally, we executed a final test to assess the performance impact related to the execution of the security system. As we were expecting small values, for the security improvement, we tested the worst case scenario found in the TPC App services and executed invocations using that worst case scenario. The security mechanism took on average 0,052 ms (± 0,029) to execute, less than 0,3% of the total time for the fastest executing service. In order to obtain such low measurements we used a Java method that provides nanosecond precision (but however does not guarantee nanosecond accuracy). In summary, our learning mechanism was able to stop all security attacks with a negligible overhead. This is a very significant result, as besides effectively securing the target application, it implied absolutely no extra effort from the developers that implemented the original services. 5 Conclusion Previous works on web application security have shown that SQL/XPath Injection attacks are extremely relevant in web service applications. This paper presents an approach for improving web services security. The proposed approach consists of learning the profile of valid data access statements (SQL and XPath) and using this profile to later prevent the execution of malicious client requests. The approach was illustrated using two different TPC App implementations. Various security issues were disclosed and corrected without additional development effort. In fact, while introducing an extremely low performance overhead, our approach proved to be 100% effective, as it was able to abort all attacks attempted in our experiments. During the whole experimental process, no extra complexity was added to the source code. In fact, as source code is not needed, the mechanism can also be used to easily protect legacy services, which would otherwise require a difficult to implement and hard to maintain procedure. These facts make it an extremely useful tool for developers and service administrators. References 1. Acunetix Web Vulnerability Scanner, scanner/ 2. Atlassian Clover Code Coverage Analysis, 3. Bravenboer, M., Dolstra, E., Visser, E.: Preventing injection attacks with syntax embeddings. Proceedings of the 6th international conference on Generative programming and component engineering, Salzburg, Austria: ACM, pp (2007) 4. BrupSuite, 5. Cobertura, 6. Curbera, F. et al.: Unraveling the Web services web: an introduction to SOAP, WSDL, and UDDI. Internet Computing, IEEE, vol. 6, pp (2002) 7. Databene benerator, benerator 14

5 8. Erl, T.: Service Oriented Architecture: Concepts, Technology, and Design, Prentice Hall Professional Technical Reference (2005) 9. Fagan, M.: Design and code inspections to reduce errors in program development. Software pioneers: contributions to software engineering, Springer Verlag, Inc., pp (2002) 10. FORTIFY Gamja, Halfond, W., Orso, A.: Preventing SQL injection attacks using AMNESIA. 28th international conference on Software engineering, Shanghai, China: ACM, pp : Hovemeyer, D., Pugh, W. : Finding bugs is easy. ACM SIGPLAN Notices, vol. 39, pp (2004) 14. HP WebInspect, IBM Rational AppScan, 01.ibm.com/software/awdtools/appscan/ 16. Kiczales, G. et al.: Aspect Oriented Programming. 11th European Conf. on Objectoriented Programming (1997) 17. Laranjeiro, N., Vieira, M., Madeira, H.: EDEL and Security Improvement for Web Services. security tool.zip (2009) 18. Laranjeiro, N., Vieira, M.: Improving Web Services Robustness. Technical Report, icws robustness submitted.pdf (2009) 19. Livshits, V., Lam, M.: Finding security vulnerabilities in java applications with static analysis. Proceedings of the 14th conference on USENIX Security Symposium Volume 14, Baltimore, MD: USENIX Association, pp (2005) 20. McKinsey&Company: Enterprise Software Customer Survey (2008) 21. Ounce, Pixy, Red Hat Middleware: JBoss Application Server, Stuttard, D., Pinto, M.: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws. Wiley, ISBN 10: , (2007) 25. Sun Microsystems Inc.: JAX WS Reference Implementation, ws.dev.java.net/ 26. The Eclipse Foundation: The AspectJ Project. (2008) 27. Thomas, S., Williams, L., Xie, T.: On automated prepared statement generation to remove SQL injection vulnerabilities. Information and Software Technology, v. 51, pp (2009) 28. Thomas, S., Williams, L.: Using Automated Fix Generation to Secure SQL Statements, Third International Workshop on Software Engineering for Secure Systems (2007) 29. Transaction Processing Performance Council: TPC BenchmarkTM App (Application Server) Standard Specification, Version 1.1, (2005) 30. Vieira, M., Antunes, N., Madeira, H.: Using Web Security Scanners to Detect Vulnerabilities in Web Services. Intl. Conf. on Dependable Systems and Networks, Estoril, Lisbon (2009) 31. W3C: W3C XML Schema, (2008) 32. W3C: XQuery 1.0 and XPath 2.0 Functions and Operators, (2008) 15