DSN 2009
Using Web Security Scanners to Detect Vulnerabilities in Web Services
Marco Vieira,, Henrique Madeira
{mvieira, nmsa, henrique}@dei.uc.pt
CISUC, Department of Informatics Engineering, University of Coimbra
Outline
- Contextualization
- Research Goals
- Methodology
- Results
- Conclusions and Future Work
Contextualization
- Web services are increasingly becoming a strategic component in a wide range of organizations
- Web services are so exposed that any existing vulnerability will most probably be uncovered/exploited
- Both providers and consumers need to assess the security of the services
Web Services
Web Services Security
- Security threats
  - Hackers are moving their focus to application code
  - Traditional security mechanisms (firewalls, IDS, encryption) cannot mitigate these attacks
  - Vulnerabilities like SQL Injection and XPath Injection are particularly relevant
- Developers must
  - Apply best coding practices
  - Do security testing!
Vulnerability Examples

    public String auth(String login, String pass) throws SQLException {
        // user input is concatenated straight into the SQL text
        String sql = "SELECT * FROM users WHERE " +
                     "username='" + login + "' AND " +
                     "password='" + pass + "'";
        ResultSet rs = statement.executeQuery(sql);
    }

    Injected login value:  ' OR 1=1 --
    Resulting query:       SELECT * FROM users WHERE username='' OR 1=1 -- ' AND password=''

    public void delete(String str) throws SQLException {
        String sql = "DELETE FROM table " +
                     "WHERE id='" + str + "'";
        statement.executeUpdate(sql);
    }

    Injected id value:     ' OR ''='
    Resulting query:       DELETE FROM table WHERE id='' OR '' = ''
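Added example (not the slide's code): the same two defects as the auth() and delete() methods above, rewritten in Python against a constructed in-memory SQLite database so they run offline, each beside a parameterized version that keeps the injected text as data. The table, rows and user names are constructed; the two injected values are the ones shown on the slide.

```python
import sqlite3


def make_db():
    # Constructed in-memory schema; not one of the study's 300 public services.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id TEXT, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("1", "alice", "s3cret"), ("2", "bob", "hunter2")])
    return db


def auth_vulnerable(db, login, pw):
    # Same defect as the slide's auth(): input is pasted into the SQL text.
    sql = ("SELECT * FROM users WHERE username='" + login
           + "' AND password='" + pw + "'")
    return db.execute(sql).fetchone() is not None


def auth_parameterized(db, login, pw):
    # Hardened form: values are bound parameters, so quotes and '--' stay data.
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return db.execute(sql, (login, pw)).fetchone() is not None


def delete_vulnerable(db, user_id):
    # Same defect as the slide's delete(); returns the number of rows removed.
    return db.execute("DELETE FROM users WHERE id='" + user_id + "'").rowcount


def delete_parameterized(db, user_id):
    return db.execute("DELETE FROM users WHERE id=?", (user_id,)).rowcount


def demo():
    """Run the slide's two injected values against both versions of each method."""
    results = {}
    db = make_db()
    login_payload = "' OR 1=1 -- "   # the tautology shown on the slide
    results["auth_vuln_bypassed"] = auth_vulnerable(db, login_payload, "")
    results["auth_param_bypassed"] = auth_parameterized(db, login_payload, "")
    results["auth_param_valid"] = auth_parameterized(db, "alice", "s3cret")
    id_payload = "' OR ''='"         # the second value shown on the slide
    results["delete_param_rows"] = delete_parameterized(db, id_payload)  # no such id
    results["delete_vuln_rows"] = delete_vulnerable(db, id_payload)      # whole table
    return results
```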
Software Testing Techniques
- White-box testing: the analysis of the application's code
- Black-box testing: the analysis of the application's execution, searching for vulnerabilities
  - Known as penetration testing
- Gray-box testing: approaches that combine black-box and white-box testing
Web Security Scanners
- An easy and widely used way to test applications for vulnerabilities
- Use fuzzing techniques to attack applications
- Perform thousands of tests in an automated way
- What is the effectiveness of these tools? Can programmers rely on them?
Research Goals
- Study the effectiveness of the scanners
- Identify common types of vulnerabilities
- In the context of web service environments
Methodology
- Apply leading commercial scanners to public web services
- 300 web services tested, randomly selected
- 4 scanners used (including two different versions of the same brand)
Experimental Study
- Preparation: select services and scanners
- Execution: test the services using the scanners
- Verification: identify false positives
- Analysis: analysis and systematization of results
Scanners
Vulnerabilities Found
- SQL Injection
- XPath Injection
- Code Execution
- Possible Parameter Based Buffer Overflow
- Possible Username or Password Disclosure
- Possible Server Path Disclosure
Overall Results Analysis
(# Vuln. = vulnerabilities reported; # WS = web services in which they were reported)

Vulnerability Types                       | VS1.1         | VS1.2         | VS2           | VS3
                                          | # Vuln. | # WS | # Vuln. | # WS | # Vuln. | # WS | # Vuln. | # WS
SQL Injection                             |   217   |  38  |   225   |  38  |    25   |   5  |    35   |  11
XPath Injection                           |    10   |   1  |    10   |   1  |     0   |   0  |     0   |   0
Code Execution                            |     1   |   1  |     1   |   1  |     0   |   0  |     0   |   0
Possible Parameter Based Buffer Overflow  |     0   |   0  |     0   |   0  |     0   |   0  |     4   |   3
Possible Username or Password Disclosure  |     0   |   0  |     0   |   0  |     0   |   0  |    47   |   3
Possible Server Path Disclosure           |     0   |   0  |     0   |   0  |     0   |   0  |    17   |   5
Total                                     |   228   |  40  |   236   |  40  |    25   |   5  |   103   |  22
SQL Injection
[Figure, built up over five slides: Venn diagram of the SQL Injection vulnerabilities reported by VS1.1 (217), VS1.2 (225), VS2 (25) and VS3 (35) and their overlaps; VS1.1 and VS1.2 share 198 reported vulnerabilities, with 19 reported only by VS1.1 and 27 only by VS1.2.]
False Positives Examination
- False positive: the error/answer obtained is related to an application robustness problem, i.e. the same problem occurs when the service is executed with valid inputs
- Confirmed vulnerability: when it is possible to observe that
  - a SQL command was invalidated by the injected values
  - the injected values lead to exceptions raised by the database server
  - it is possible to access unauthorized resources
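Added example, not part of the original study: the verification rules above expressed as a small classifier that compares a service's response to a valid request with its response to the scanner's injected request, and labels the finding false positive, confirmed or doubtful. The hypothetical OrderService, its SOAP fault strings, the record format and the database error patterns are all constructed.

```python
import re

# Constructed sample responses from a hypothetical OrderService; not the paper's data.
# Each case pairs the response to a valid request with the response to an injected one.
CASES = {
    # The same fault appears for valid input: a robustness problem, not an injection.
    "robustness": {
        "valid":    "soap:Server NullReferenceException in OrderService",
        "injected": "soap:Server NullReferenceException in OrderService",
    },
    # The database rejected the mangled statement: the SQL command was invalidated.
    "db_error": {
        "valid":    "<orders><order id='7'/></orders>",
        "injected": "soap:Server SqlException: unclosed quotation mark in statement",
    },
    # The injected request returns rows the valid one did not: unauthorized access.
    "data_leak": {
        "valid":    "<orders><order id='7'/></orders>",
        "injected": "<orders><order id='1'/><order id='2'/><order id='7'/></orders>",
    },
    # A fault that valid input does not trigger, but with no database evidence.
    "doubtful": {
        "valid":    "<orders><order id='7'/></orders>",
        "injected": "soap:Server Timeout expired",
    },
}

# Markers of exceptions raised by the database server (constructed patterns).
DB_ERROR = re.compile(r"SqlException|syntax error|unclosed quotation", re.IGNORECASE)


def is_fault(response):
    return response.startswith("soap:Server")


def record_count(response):
    return len(re.findall(r"<order ", response))


def classify(valid, injected):
    """Apply the slide's verification rules to one scanner finding."""
    if is_fault(injected) and injected == valid:
        return "false positive"   # same error with valid inputs: robustness problem
    if DB_ERROR.search(injected) and not DB_ERROR.search(valid):
        return "confirmed"        # injected values invalidated the SQL command
    if record_count(injected) > record_count(valid):
        return "confirmed"        # unauthorized resources returned
    return "doubtful"             # left for manual analysis


def classify_all():
    return {name: classify(c["valid"], c["injected"]) for name, c in CASES.items()}
```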
False Positives Results
(SQL Injection findings per scanner; percentages are relative to the number each scanner reported)

Scanner | False Positives | Doubtful    | Confirmed Vulnerabilities
VS1.1   | 87 (40%)        | 14 (6.5%)   | 116
VS1.2   | 83 (37%)        | 26 (11.6%)  | 116
VS2     |  0              |  8 (32%)    |  17
VS3     |  9 (25.7%)      |  5 (14%)    |  21
SQL Injection without False Positives
[Figure, built up over five slides: Venn diagram of the SQL Injection vulnerabilities remaining after false positives were removed, reported by VS1.1 (130), VS1.2 (142), VS2 (25) and VS3 (26), and their overlaps; VS1.1 and VS1.2 share 127, with 3 reported only by VS1.1 and 15 only by VS1.2.]
Coverage Analysis
- The real number of vulnerabilities is unavailable
- It is possible to make a comparative analysis
- Overestimated coverage values!! (the 149 total is the union of what the four scanners found, so coverage is relative to it, not to the unknown real number)

Scanner | # SQL Injection Vulnerabilities | Coverage %
VS1.1   | 130 |  87.2%
VS1.2   | 142 |  95.3%
VS2     |  25 |  16.8%
VS3     |  26 |  17.4%
Total   | 149 | 100%
Common Vulnerabilities
[Pie chart of vulnerabilities by type, false positives removed:]
- SQL Injection: 149
- Possible Server Path Disclosure: 16
- XPath Injection: 10
- Code Execution: 1
- Possible Parameter Based Buffer Overflow: 1
Conclusions
- A large number of vulnerabilities was observed
- SQL Injection vulnerabilities are prevalent
- Selecting a scanner for web services is a very difficult task
  - Different scanners detect different types of vulnerabilities
  - High false positive rates
  - Low coverage rates
- Can we do better?
Preliminary Work
- Develop a new approach for vulnerability detection
- Detect SQL Injection and XPath Injection vulnerabilities effectively
  - Generate workload and attackload
  - Analyze responses
  - Analyze vulnerabilities to avoid false positives
Preliminary Work Results
[Figure: bar chart comparing the numbers of False Positives, Doubtful and Confirmed vulnerabilities reported by VS1.1, VS1.2, VS2, VS3 and the new approach (VS.WS).]
Innovations Introduced
- Generation of a more complete workload: a better knowledge of the service's behavior
- A complete attackload: all attacks used by the scanners and others present in the bibliography
- Better analysis of the service's responses: compare with valid requests; robustness testing applied
Questions?