Upload
chepimanca
View
216
Download
0
Embed Size (px)
Citation preview
8/9/2019 gutesman-gfuzz
1/44
gFuzz: An instrumented Web application
fuzzing environment
Ezequiel D. Gutesman
CorelabsCore Security Technologies
8/9/2019 gutesman-gfuzz
2/44
Objectives
( )Present a working tool prototype to test the.security of a given web application The tool tests
( ) :for SQL injection attacks
'From the attacker s perspective
&Intended to be included in QA process security.audits Bringing precise information about potential.security flaws Not limited to security experts
( )Has high er accuracy than plain fuzzing and
automated static analysis by themselves
:Technique
Fuzzing
Instrumentation
8/9/2019 gutesman-gfuzz
3/44
Agenda
( !)quick Web application security overview
- -SQL injection attacks inside out
Fuzzing and gFuzz
Detecting An Ali Es with gFuzz Reporting
Demo
Future work
m
8/9/2019 gutesman-gfuzz
4/44
Agenda
( !)uick Web application security overview - -SQL injection attacks inside out
Fuzzing and gFuzz
Detecting An AliEs with gFuzz Reporting
Demo
Future work
m
8/9/2019 gutesman-gfuzz
5/44
Why Web Applications?
-Common entry point for back end system
and database access
Widely used
Easy to develop
Scripting languages
Inexperienced programmers are not
-security aware
( + )Difficult to fuzz validate errors with low
false positive rate
8/9/2019 gutesman-gfuzz
6/44
Web application (in)security
XSS
Malicious File execution
Insecure Direct Object Reference
CSRF
Information Leakage and Errorhandling
. ,Broken auth session management
Top Vulnerabilities (From OWASP Top 10 - 2007)
Injection Vulns (particularly SQL)
8/9/2019 gutesman-gfuzz
7/44
Consequences (SQL-injection)
Data theft
Data unavailability
Data alteration
Money losses
And much more
8/9/2019 gutesman-gfuzz
8/44
Agenda
( !)quick Web application security overview
- -QL injection attacks inside out Fuzzing and gFuzz
Detecting An AliEs with gFuzz Reporting
Demo
Future work
m
8/9/2019 gutesman-gfuzz
9/44
SQL injection facts
It isan injection attack
( )It happens when malicious input sent by an-attacker reaches the back end DBMS engine
The attacker can execute queries which .were supposedly not allowed
Are widely known inside the securitycommunity
,Yet developers still fail in avoiding them
8/9/2019 gutesman-gfuzz
10/44
Web application (in)security
User-supplied data
Direct usage to query database
The SQL injection problem: Basic idea
8/9/2019 gutesman-gfuzz
11/44
Supplying data
SELECT * FROM clients WHERE id =3
$_POST[id] 3
client.id client.name
3 John Doe
CLIENT
SERVER
8/9/2019 gutesman-gfuzz
12/44
Supplying [offensive] data
SELECT * FROM clients WHERE id =0 or 1=1
$_POST[id] 0 or 1=1
client.id client.name
1 George W3 John Doe
4 Martin Green
5 Joshua B
76 Ellen Grant
8 Mark Twain
CLIENTCLIENT
SERVER
8/9/2019 gutesman-gfuzz
13/44
Countermeasure technologies
(& - )Web Application firewalls IDS IPS
Static code analysis tools
Dynamic code analysis tools
Scanners
Code audits
8/9/2019 gutesman-gfuzz
14/44
Agenda
( !)quick Web application security overview
- -SQL injection attacks inside out
Fuzzing nd gFuzz Detecting An AliEs with gFuzz Reporting
Demo
Future work
m
8/9/2019 gutesman-gfuzz
15/44
Fuzzing (general)
Detect input vectors
Sub
mit
specially
-
crafted
/random
data
Monito
rfo
r
exceptio
ns
Refine/ classify
Crawling /
Spidering
Heuristics
8/9/2019 gutesman-gfuzz
16/44
8/9/2019 gutesman-gfuzz
17/44
gFuzz's approach
Fuzzing
Character-grained taint analysis
(aka. Core GRASP)
Grammar-based analysis
+
+
A LOT of information!
8/9/2019 gutesman-gfuzz
18/44
Agenda
( !)quick Web application security overview
- -SQL injection attacks inside out
Fuzzing and gFuzz
etecting A O Ali s with gFuzz Reporting
Demo
Future work
m
8/9/2019 gutesman-gfuzz
19/44
Character-grained taint analysis
-Run time instrumentation
-It paints attacker controlledcharacters as tainted and propagates
.taint information during execution
CLIENT SERVER
0 or 1=1 0 or 1=1
8/9/2019 gutesman-gfuzz
20/44
Character-grained taint analysis (cont)
Scripting language Interpreter (PHP)
DBMS
$_POST
SELECT * FROM clients WHERE id = 0 or 1=1
SELECT * FROM clientsWHERE user like 'john'AND password = password('aaa')OR 1 = 1; --)
8/9/2019 gutesman-gfuzz
21/44
Character-grained taint analysis & gFuzz
Data is marked from untrusted
( . ., , )sources e g GET POST
Taint marks are propagated betweenstring operations during execution
GRASP sends information about(executed queries to gFuzz from!)inside the interpreter
8/9/2019 gutesman-gfuzz
22/44
gFuzz entry sent by GRASP
/location/of/the/executed/file/userlogin.php:40
0
SELECT name,email FROM users WHERE username=bob and password=foo
.............................................XXX................XXX.
8/9/2019 gutesman-gfuzz
23/44
gFuzz entry sent by GRASP
/location/of/the/executed/file/userlogin.php:40
0
SELECT name,email FROM users WHERE username=bob and password=foo
.............................................XXX................XXX.
8/9/2019 gutesman-gfuzz
24/44
Grammatical analysis of SQL queries
SELECT
username email FROM
users
WHERE
SELECT name,email FROM users
WHERE username=bob and password=foo
= =
and
username bob password foo
8/9/2019 gutesman-gfuzz
25/44
Grammatical analysis + taint marks
SELECT
username email FROM
users
WHERE
SELECT name,email FROM users
WHERE username=bob and password=foo
= =
and
username bob password foo
8/9/2019 gutesman-gfuzz
26/44
Evil inputs...
G
8/9/2019 gutesman-gfuzz
27/44
Grammatical analysis
SELECT
username email FROM
users
WHERE
SELECT name,email FROM users
WHERE username=evil and password=none' or 1=1;--
= =
and
username evil password none
or
=
1 1
G ti l l i t i t k
8/9/2019 gutesman-gfuzz
28/44
Grammatical analysis + taint marks
SELECT
username email FROM
users
WHERE
SELECT name,email FROM users
WHERE username=evil and password=none' or 1=1;--
= =
and
username evil password none
or
=
1 1
Alt th
8/9/2019 gutesman-gfuzz
29/44
SQL Gramar
SQL Parsers
& helpers
GUI
Fuzzer
Altogether
Web server gFuzz
GRASP
enabled
PHP
Apache
WSAttack
Verification
logic
HTTP Request
HTTP Response
Executed Queries
/location/of/the/executed/file/userlogin.php:400
Att k ifi ti it
8/9/2019 gutesman-gfuzz
30/44
Attack verification - witnesses
The fuzzer sends witness requests
Not always possible ( ):How to choose witness strings heuristic
SELECT *
FROM users
WHEREusername = ' '
AND
password = ' '
SELECT *
FROM users
WHEREusername =
AND
password =
SELECT *
FROM usersWHERE
username = ' '
AND
password = ' '
SELECT *
FROM usersWHERE
username =
AND
password =
12345
12345
12345
12345
someString
someString
someString
someString
Att k ifi ti it
8/9/2019 gutesman-gfuzz
31/44
Attack verification - witnesses
.This is related to fuzz logic But must betaken into account for witnesses
8/9/2019 gutesman-gfuzz
32/44
Attack verification - witnesses
:Conclusion
It is not always possibleto submit a
itness .query
Cl if i
8/9/2019 gutesman-gfuzz
33/44
Classifying
For each query received
,If it had a witness perform grammaticalanalysis to compare structural differences
, 'Otherwise check if there s a terminalnode with parent and brother fully
controlled
Report with instrumentation info
Q l ifi ti
8/9/2019 gutesman-gfuzz
34/44
Query classification
:armless Valid query and noterminal nodes are fully (brothers and
)parent controlled by the attackerSELECT
username email FROM
users
WHERE
= =
and
username bob password foo
Q er classification
8/9/2019 gutesman-gfuzz
35/44
Query classification
:arning -The query is not grammar(compliant and could not be
):analyzed
SELECT name,email FROM users
WHERE username='bob'
and password='''
SELECT name,email FROM users
WHERE username='bob'
and password='''
Could result in a successful attack orunexploitable error (this case IS exploitable)
Query classification
8/9/2019 gutesman-gfuzz
36/44
Query classification
:uccessful Attack the attacker can,control a terminal node its brothers
:and its parent
or
=
1 1
SELECT name,emailFROM usersWHERE username='bob'and
password='none'or 1=1; --'
Agenda
8/9/2019 gutesman-gfuzz
37/44
Agenda
( !)quick Web application security overview
- -SQL injection attacks inside out
Fuzzing and gFuzz
Detecting An AliEs with gFuzz Reporting Demo Future work
m
Reporting
8/9/2019 gutesman-gfuzz
38/44
Reporting
Gfuzz
analysis
Grasp
analysis &
fuzz method
Executed query (controlled chars in red)
with analysis info (background)
Fuzz
string
Fuzz
vector
Input / URL
parameterTarget
8/9/2019 gutesman-gfuzz
39/44
Demo
About the prototype
8/9/2019 gutesman-gfuzz
40/44
About the prototype
,The fuzzing logic is very simple canbe significantly improved
-92SQL grammar is standard ANSI SQL.and only for selects Can be extended( . ., , , , ...)e g INSERT UPDATE nested SELECTS
,In Python BSD license
?Any volunteers wishing to help
Future
8/9/2019 gutesman-gfuzz
41/44
Future
/Improve SQL support attack
detection
Improve fuzzing engine
3Create an audit module for w af!framework ( :// 3 . .http w af sourceforge net)
Add XSS detection
!Bounded to GRASP support for XSS (Any?)volunteer to help
!Improve run time
http://w3af.sourceforge.net/8/9/2019 gutesman-gfuzz
42/44
Thanks!
Useful data
8/9/2019 gutesman-gfuzz
43/44
Useful data
Corelabs research site:
http://corelabs.coresecurity.com
CORE Grasp for PHP (original version):
http://grasp.coresecurity.com
contact:
Acknowledgments
http://corelabs.coresecurity.com/http://grasp.coresecurity.com/http://grasp.coresecurity.com/http://corelabs.coresecurity.com/8/9/2019 gutesman-gfuzz
44/44
Acknowledgments
Pictures from
:// . .http www sxc hu :// . .http www openclipart org
:// . .http www flickr com
People who helped ebastin Cufre Ariel Waissbein
Pedro Varangot
Fernando Russ
Aureliano Calvo
http://www.sxc.hu/http://www.sxc.hu/http://www.openclipart.org/http://www.openclipart.org/http://www.flickr.com/http://www.flickr.com/http://www.flickr.com/http://www.openclipart.org/http://www.sxc.hu/