The Devils Behind Web Application Vulnerabilities




Slide 1: The Devils Behind Web Application Vulnerabilities
Based on "Defending against Web Application Vulnerabilities", IEEE Computer, February 2012
Nuno Antunes, Marco Vieira ({nmsa, mvieira}@dei.uc.pt)
Postgrad Colloquium, Software and Systems Engineering, Centre for Informatics and Systems of the University of Coimbra

Slide 2: Outline
- Background and Motivation
- Developing Secure Code
- Detecting Vulnerabilities
- Detecting Attacks
- What are we doing about it?
- Conclusions

Slide 3: Security in Web Applications

Slide 4: Security Vulnerabilities...
- Faults that leave space for an exploitation or a corruption of a system
- Web applications are widely exposed
- Hackers moved their focus from the network to the application's code
- Injection and Cross-Site Scripting (XSS) are the two most common vulnerabilities

Slide 5: ...are an important problem...
- Create and feed an underground economy
- Companies are aware of that:
  - OWASP Security Spending Benchmarks 2009 shows that investment in security is increasing
- However...

Slide 6: ...this is not getting better!
- NTA Web Application Security Reports show that Web security is decreasing
- According to the WhiteHat Security Website Security Statistics Report, 63% of assessed websites are vulnerable
- Something is wrong in the development of web applications!

Slide 7: The Solution
- A defense-in-depth approach, with overlapping protections, can help secure Web applications [Howard02]

Slide 8: Security in the Software Development Lifecycle
(Diagram of the lifecycle phases: Initialization, Specification and Design, Implementation, Testing, Deployment, Decommissioning)

Slide 9: Developing Secure Code
- The characteristics of Web applications suggest the use of three distinct lines of defense:
  - Input validation
  - Hotspot protection
  - Output validation

Slide 10: Input Validation
- Reduces an application's input domain
- All inputs are malicious until proven otherwise
- Starts with normalization of the inputs
- Uses filtering strategies to reject values outside the domain
- The domain itself can allow malicious data:
  - e.g. in the case of SQL injection

Slide 11: Hotspot Protection
- Each type of attack targets a hotspot:
  - Hotspot: a set of statements that is prone to specific types of vulnerabilities
- This line of defense focuses on protecting only key hotspots
- e.g. SQL injection attacks use quotes (' or "):
  - Character escaping
  - Parameterized commands/queries

Slide 12: Output Validation
- Prevents users from receiving restricted information, such as:
  - Internal exceptions that can lead to other attacks
  - Credit card numbers
- Encoding is an example of output validation
  - Avoids XSS vulnerabilities
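The three lines of defense from slides 9 to 12 applied to one small request handler, as an added example (not code from the slides or from the authors' tools). It assumes an in-memory SQLite table `users(id, name, note)` and the hypothetical names `validate_username`, `validate_note`, `search_notes_vulnerable`, `search_notes_parameterized`, `render_rows` and `handle_request`; the sample rows are constructed. The note field is the case slide 10 points at: its domain legitimately contains quotes, so input validation cannot reject them and the hotspot itself has to be protected.

```python
"""Added example (not from the slides or the authors' tools): the three lines of
defense on one request handler backed by an in-memory SQLite database.
All function names and the sample rows are hypothetical/constructed."""
import html
import re
import sqlite3
import unicodedata

USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")   # assumed input domain for usernames
NOTE_MAX_LEN = 200                              # assumed input domain for notes


class InvalidInput(ValueError):
    """Raised when an input falls outside its allowed domain."""


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one note containing HTML, one containing quotes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, note TEXT)")
    conn.executemany("INSERT INTO users (name, note) VALUES (?, ?)",
                     [("alice", "<b>hello</b>"), ("bob", "O'Brien's friend")])
    conn.commit()
    return conn


# Line 1: input validation. Normalize first, then reject values outside the domain.
def validate_username(raw: str) -> str:
    value = unicodedata.normalize("NFKC", raw).strip().lower()
    if not USERNAME_RE.fullmatch(value):
        raise InvalidInput(f"username outside allowed domain: {raw!r}")
    return value


def validate_note(raw: str) -> str:
    # The note domain legitimately contains quotes ("O'Brien"), so filtering
    # cannot reject them: the domain allows data that is dangerous at an SQL
    # hotspot, and line 2 has to deal with it.
    value = unicodedata.normalize("NFKC", raw).strip()
    if not value or len(value) > NOTE_MAX_LEN or not value.isprintable():
        raise InvalidInput("note outside allowed domain")
    return value


# Line 2: hotspot protection. The SQL statement is the hotspot.
def search_notes_vulnerable(conn, note: str):
    # Concatenation: the input becomes part of the command's structure.
    return conn.execute(f"SELECT name, note FROM users WHERE note = '{note}'").fetchall()


def search_notes_parameterized(conn, note: str):
    # Parameterized query: the input is bound as data; the structure is fixed.
    return conn.execute("SELECT name, note FROM users WHERE note = ?", (note,)).fetchall()


# Line 3: output validation. Encode before data reaches the browser, and never
# let an internal exception reach the client.
def render_rows(rows) -> str:
    return "".join(f"<li>{html.escape(name)}: {html.escape(note)}</li>" for name, note in rows)


def handle_request(conn, raw_note: str) -> str:
    try:
        note = validate_note(raw_note)
        return "<ul>" + render_rows(search_notes_parameterized(conn, note)) + "</ul>"
    except InvalidInput:
        return "<p>Invalid request.</p>"
    except sqlite3.Error:
        # Log the real exception server-side; the client only gets a generic message.
        return "<p>Internal error.</p>"
```

Calling `search_notes_vulnerable` with the note `O'Brien's friend` raises a database error, which a handler without output validation would leak to the client; the parameterized version returns the row. Character escaping is the other option slide 11 lists; binding parameters avoids having to get the escaping right at every hotspot.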

Slide 13: Why don't developers follow these practices?
- Training and education
- Security is boring and uninteresting
- Someone else should take care of security
- Security limits application functionality

Slide 14: Detecting Vulnerabilities
- White-box analysis
- Black-box testing
- Limitations of vulnerability detection

Slide 15: White-Box Analysis
- Analyzes the code without actually executing it
- Looks for potential vulnerabilities
  - Among other types of software defects
- Requires access to the source code or bytecode
- Automated tools provide an automatic way of highlighting possible coding errors
- Limitation: ignores the runtime perspective
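Slide 15 describes white-box analysis only at a high level; here is an added example (not from the slides or the authors' work) of its simplest form: walking the Python syntax tree of a constructed source sample to highlight database sink calls whose command is assembled at runtime, without executing anything. `SAMPLE_SOURCE`, `SINKS` and `find_sql_hotspots` are hypothetical names. The last function in the sample shows the limitation the slide names: the table name is a constant at runtime, but a purely static check cannot tell, so the call is reported anyway (a false positive).

```python
"""Added example (not from the slides): a minimal white-box check that flags
DB sink calls whose SQL command is built at runtime. Real tools add data-flow
(taint) analysis on top of this syntactic test; the sample source is constructed."""
import ast

SAMPLE_SOURCE = '''
def by_name(conn, name):
    return conn.execute("SELECT id FROM users WHERE name = '" + name + "'")

def by_id(conn, uid):
    return conn.execute(f"SELECT id FROM users WHERE id = {uid}")

def by_note(conn, note):
    return conn.execute("SELECT id FROM users WHERE note = ?", (note,))

def count_all(conn):
    table = "users"                      # constant at runtime: a likely false positive
    return conn.execute("SELECT count(*) FROM " + table)
'''

SINKS = {"execute", "executemany", "executescript"}   # hypothetical sink list


def _is_dynamic_string(node: ast.AST) -> bool:
    """True for expressions that assemble a string at runtime from parts."""
    if isinstance(node, ast.JoinedStr):                       # f-string with {…} parts
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                            # "a" + b, "…" % b
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                      # "…".format(b)
    return False


def find_sql_hotspots(source: str) -> list:
    """Return the source line numbers where a sink receives a dynamically built command."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in SINKS
                and node.args
                and _is_dynamic_string(node.args[0])):
            findings.append(node.lineno)
    return sorted(findings)


if __name__ == "__main__":
    for line in find_sql_hotspots(SAMPLE_SOURCE):
        print(f"line {line}: SQL command assembled at runtime")
```

The parameterized call in `by_note` is not reported because its command is a constant string; the `count_all` report is the price of ignoring the runtime perspective, and a black-box test of the same service would not raise it.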

Slide 16: Black-Box Testing
- A specialization of robustness testing
- Analyzes the program execution in the presence of malicious inputs, searching for vulnerabilities
- Does NOT require access to the source code or bytecode
- Automated tools provide an automatic way to search for vulnerabilities
  - Avoid a large number of manual tests
- Limitation: ignores the internals of the application

Slide 17: Limitations of Vulnerability Detection [Antunes09a]
(Chart: % Coverage and % False Positives per tool; the values did not survive the transcription)

Slide 18: Detecting Attacks
- Consists of identifying deviations from the correct behavior
  - At runtime
- Anomaly detection tools usually require a training phase with non-malicious requests
- Signature-based tools look for patterns from a predefined set of rules or signatures

Slide 19: Limitations of Attack Detection [Elia10]
- Tools only perform well in specific scenarios:
  - Anomaly detection: better for simpler applications
  - Signature-based: better for complex applications
- Achieve low detection coverage
  - less than 20 percent in many cases
- Report many false alarms
  - as high as 50 percent of the alarms generated
- Developers often lack the training required to create adequate configurations

Slide 20: What are we doing about it?
- New vulnerability detection tools
  - Penetration testing [Antunes09b]
  - Attack signatures & interface monitoring
  - Runtime anomaly detection
- Benchmarking vulnerability detection tools
- Focused on Web Services

Slide 21: Sign-WS [Antunes11]
- Penetration testing does not require access to the code
  - Vulnerability detection can only rely on the analysis of the output
- Effectiveness is limited by the lack of visibility into the internal behavior of the service
- Solution: use interface monitoring together with attack signatures
  - It is possible to obtain the information necessary to improve the penetration testing process
  - without accessing or modifying the internals of the application!

Slide 22: Experimental Results

Tool      Detection Coverage   False Positive Rate
Sign-WS   74.05%               0.00%
VS1       32.28%               54.46%
VS2       24.05%               61.22%
VS3       1.90%                0.00%

Slide 23: CIVS-WS [Antunes09c]
- A new runtime anomaly detection approach
  - To find SQL/XPath injection vulnerabilities
- Combines the analysis of service responses with the analysis of the runtime behavior
- Two phases: profiling and detection
- Vulnerabilities are identified by comparing the structure of commands executed in the presence of attacks to the ones learned in the absence of attacks
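An added example (not the CIVS-WS or Sign-WS code, and not from the slides) of the two-phase idea on slides 18 and 23: an interface monitor between a constructed sample service and its database driver records every SQL command per hotspot, the profiling phase learns the command structures seen for non-malicious inputs, and the detection phase flags hotspots whose structure deviates once quote-bearing inputs are sent. `sql_structure`, `InterfaceMonitor`, `profile`, `detect`, the `service_by_*` hotspots and the sample rows are all hypothetical/constructed; reducing a command to its structure by replacing literals with `?` is a simplification chosen for the demo, not the tools' own method.

```python
"""Added example (not the CIVS-WS/Sign-WS code): learn the structure of the SQL
commands a service executes for benign inputs, then flag structural deviations.
All names are hypothetical; the service and its data are constructed."""
import re
import sqlite3

_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")   # string and numeric literals
_WS = re.compile(r"\s+")


def sql_structure(sql: str) -> str:
    """Reduce a command to its structure: literals become '?', whitespace collapses."""
    return _WS.sub(" ", _LITERAL.sub("?", sql)).strip().upper()


class InterfaceMonitor:
    """Sits between the service and the driver; records every command per hotspot."""

    def __init__(self, conn):
        self.conn = conn
        self.commands = []          # list of (hotspot, sql) in execution order

    def execute(self, hotspot: str, sql: str, params=()):
        self.commands.append((hotspot, sql))
        try:
            return self.conn.execute(sql, params).fetchall()
        except sqlite3.Error:
            return None             # a failing command is still a recorded command


# Constructed sample service with two hotspots: one concatenates, one binds parameters.
def service_by_name(mon, name):
    return mon.execute("by_name", f"SELECT id FROM users WHERE name = '{name}'")


def service_by_note(mon, note):
    return mon.execute("by_note", "SELECT id FROM users WHERE note = ?", (note,))


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, note TEXT)")
    conn.executemany("INSERT INTO users (name, note) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "guest")])
    return conn


def profile(mon, run_workload) -> dict:
    """Profiling phase: learn the set of structures seen per hotspot without attacks."""
    mon.commands.clear()
    run_workload()
    learned = {}
    for hotspot, sql in mon.commands:
        learned.setdefault(hotspot, set()).add(sql_structure(sql))
    return learned


def detect(mon, learned, run_workload) -> dict:
    """Detection phase: report hotspots whose executed structure was never learned."""
    mon.commands.clear()
    run_workload()
    findings = {}
    for hotspot, sql in mon.commands:
        structure = sql_structure(sql)
        if structure not in learned.get(hotspot, set()):
            findings.setdefault(hotspot, []).append(structure)
    return findings


def run_demo() -> dict:
    mon = InterfaceMonitor(make_db())
    benign = ["alice", "bob", "carol"]
    quoted = ["x' OR 'a'='a", "O'Brien"]   # quote-bearing inputs, as slide 11 describes

    def normal():
        for value in benign:
            service_by_name(mon, value)
            service_by_note(mon, value)

    def attacked():
        for value in quoted:
            service_by_name(mon, value)
            service_by_note(mon, value)

    learned = profile(mon, normal)
    return detect(mon, learned, attacked)


if __name__ == "__main__":
    for hotspot, structures in run_demo().items():
        print(hotspot, "->", structures)
```

`run_demo()` reports only the concatenating hotspot `by_name`, both for the `OR` input and for the harmless `O'Brien`, which also breaks the command's structure; the parameterized `by_note` hotspot keeps the same structure for every input and is never reported. Observing the commands at the driver interface is what provides the visibility into internal behaviour that slide 21 asks for, without modifying the service itself.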

Slide 24: Experimental Evaluation
- Using the same set of Web Services

Penetration testing (chart: #False Positives and #Vulnerabilities detected per tool; counts read from the chart values, consistent with the percentages)
Tool      #FP   #Detected   False Positives %   Coverage %
VS1        5       31            14%               47.7%
VS2        1       22             4%               33.8%
VS3        0        6             0%                9.2%
CIVS-WS    0       65             0%              100.0%

Static code analysis (chart: #False Positives and #Vulnerable Lines per tool)
Tool      #FP   #Vulnerable lines   False Positives %   Coverage %
SA1        7       23                   23%               82.1%
SA2       10       28                   26%              100.0%
SA3        4       11                   27%               39.3%
CIVS-WS    0       28                    0%              100.0%

Slide 25: Benchmarking Vulnerability Detection Tools [Antunes10]
- Proposed an approach to benchmark the effectiveness of vulnerability detection tools in web services
- Procedures and measures were specified
- A concrete benchmark was implemented
  - Targeting tools able to detect SQL injection
- A benchmarking example was conducted
- Results show that the benchmark can be used to assess and compare different tools

Slide 26: Benchmarking Vulnerability Detection Tools

Results for CIVS-WS and static analysis
Tool   % TP   % FP
CIVS   79%    0%
SA1    55%    7%
SA2    100%   36%
SA3    14%    67%

Results for penetration testing
Tool   % TP   % FP
VS1    32%    54%
VS2    24%    61%
VS3    2%     0%
VS4    24%    43%

(Benchmarked tools ranking: not recoverable from the transcription)

Slide 27: Conclusions
- Developers must always consider security:
  - use best practices in coding;
  - security testing;
  - use attack-detection systems;
- Developers need help with training and the tools
- Researchers should propose new tools:
  - new security testing tools
  - possibly compile-time fixing of vulnerabilities

Slide 28: Questions
http://xkcd.com/327/
More about this in: http://eden.dei.uc.pt/~nmsa
Nuno Antunes, Department of Informatics Engineering, University of Coimbra, nmsa@dei.uc.pt

Slide 29: References
[Antunes09a] N. Antunes and M. Vieira, "Comparing the Effectiveness of Penetration Testing and Static Code Analysis on the Detection of SQL Injection Vulnerabilities in Web Services", IEEE 15th Pacific Rim International Symposium on Dependable Computing (PRDC 2009), Shanghai, China, November 2009.
[Antunes09b] N. Antunes and M. Vieira, "Detecting SQL Injection Vulnerabilities in Web Services", Fourth Latin-American Symposium on Dependable Computing (LADC 2009), João Pessoa, Paraíba, Brazil, September 2009.
[Antunes09c] N. Antunes, N. Laranjeiro, M. Vieira and H. Madeira, "Effective Detection of SQL/XPath Injection Vulnerabilities in Web Services", IEEE International Conference on Services Computing (SCC 2009), Bangalore, India, September 2009.
[Antunes10] N. Antunes and M. Vieira, "Benchmarking Vulnerability Detection Tools for Web Services", IEEE 8th International Conference on Web Services (ICWS 2010), Miami, Florida, USA, July 2010.
[Antunes11] N. Antunes and M. Vieira, "Enhancing Penetration Testing with Attack Signatures and Interface Monitoring for the Detection of Injection Vulnerabilities in Web Services", IEEE 8th International Conference on Services Computing (SCC 2011), Washington, D.C., USA, 4-9 July 2011.
[Howard02] M. Howard and D. E. Leblanc, Writing Secure Code, Redmond, Washington: Microsoft Press, 2002.
[Elia10] I. A. Elia, J. Fonseca and M. Vieira, "Comparing SQL Injection Detection Tools Using Attack Injection: An Experimental Study", Proc. 21st IEEE Int'l Symp. Software Reliability Engineering (ISSRE 2010), IEEE CS, 2010, pp. 289-298.