automated testing for sql injection vulnerabilities: an input mutation approach
DESCRIPTION
TRANSCRIPT
Automated Testing for SQL Injection Vulnerabilities: An Input Mutation
Approach
Dennis Appelt, Cu D. Nguyen, Nadia Alshahwan, Lionel Briand Software Verification and Validation Laboratory Interdisciplinary Centre for Security, Reliability and Trust University of Luxembourg 25, July, 2014
Web Apps are at risk
OWASP Top 10 2013
2
A1 – Injec;on
A2 – Broken Authen;ca;on and Session Management
A3 – Cross-‐Site Scrip;ng
A4 – Insecure Object References
…
SQL Injec;on Incidents
3
4
Background
Defini;on
6
SQL Injec;on aNacks target database-‐driven systems by injec;ng SQL code fragments into vulnerable input parameters that are not
properly checked and sani;sed.
Example
1 . $sql = "Select * From hotelList where country =’";!2 . $sql = $sql . $country;!3 . $sql = $sql . ’"’;!3 . $result = mysql_query($sql) or die(mysql_error());!
Example code vulnerable to SQL injec;on:
$country ß Luxembourg
1. SELECT * FROM hotelList WHERE country=’Luxembourg’!
Parameter assignment:
Resul;ng statement:
7
Example
1 . $sql = "Select * From hotelList where country =’";!2 . $sql = $sql . $country;!3 . $sql = $sql . ’"’;!3 . $result = mysql_query($sql) or die(mysql_error());!
Example code vulnerable to SQL injec;on:
$country ß ‘ or 1=1 --
1. SELECT * FROM hotelList WHERE country=’’ OR 1=1 --’!
Parameter assignment:
Resul;ng statement:
8
Automated Tes;ng for SQL Injec;on Vulnerabili;es
An Input Muta;on Approach
9
10
Black-‐Box
11
Focus on Exploitable Vulnerabili;es
12
Automated Test Execu;on
13
Input-‐Muta;on
Approach
Approach -‐ Overview
15
WAF SUT
Monitor
Database
Test generator
XAVIER
DBProxyWSDL
Input samples
Monitor
test reports
Approach – Test Genera;on
16
WAF SUT
Monitor
Database
Test generator
XAVIER
DBProxyWSDL
Input samples
Monitor
test reports
We want to generated test cases that • result in executable SQL statements • bypass the web applica;on firewall
Approach – Test Genera;on
• μ4SQLi – Muta;on approach: manipulate legal test cases to become SQLi aNacks
17
Approach – Test Genera;on
• μ4SQLi – Muta;on approach: manipulate legal test cases to become SQLi aNacks
– 12 muta;on operators grouped in 3 categories • Behavior-‐changing • Syntax-‐repairing • Obfusca;on
18
Approach – Test Genera;on
• μ4SQLi – Muta;on approach: manipulate legal test cases to become SQLi aNacks
– 12 muta;on operators grouped in 3 categories • Behavior-‐changing • Syntax-‐repairing • Obfusca;on
– A large number of test cases can be generated
19
Behavior-‐changing MO
Example of a behavior-‐changing muta;on operator
John Doe’ OR ‘a’=‘a
Malicious Input SELECT * FROM users WHERE name=‘John Doe’ OR ‘a’=‘a’
Execute SUT
Behavior-‐changing
John Doe
Valid Input
Apply MO_or
20
Syntax-‐repairing MO
Example of a syntax-‐repairing muta;on operator
John Doe’ OR ‘a’=‘a
Malicious Input SELECT * FROM users WHERE func(‘John Doe’ OR ‘a’=‘a’)
Execute SUT
Behavior-‐changing
è Incorrect SQL syntax, will not execute
SELECT * FROM users WHERE func(‘$userinput’)
Statement without user input:
21
Syntax-‐repairing MO
Example of a syntax-‐repairing muta;on operator SELECT *
FROM users WHERE func(‘$userinput’)
Statement without user input:
John Doe’) OR ‘a’=‘a’ #
Malicious Input SELECT * FROM users WHERE func(‘John Doe’) OR ‘a’=‘a’ #’)
Execute SUT
Syntax-‐repairing
22
Obfusca;on MO
Example of an obfusca;on muta;on operator
John Doe’/*/OR+‘a’=x’61
Malicious Input SELECT * FROM users WHERE name=‘John Doe’/*/OR+‘a’=x’61’
Execute SUT
Obfusca;on
23
Approach – Test Oracle
24
WAF SUT
Monitor
Database
Test generator
XAVIER
DBProxyWSDL
Input samples
Monitor
test reports
Monitor: -‐ Observes the traffic between SUT and database -‐ Detects if a test case triggered an SQLi vulnerability
Approach – Test Oracle
• Inspects if a SQL statement which has been injected into is executable.
25
SELECT * FROM hotelList WHERE country=’’) OR 1=1 --’!
$country ß ‘) OR 1=1 --
Approach – Test Oracle
• Inspects if a SQL statement which has been injected into is executable.
èANack is not executed
26
SELECT * FROM hotelList WHERE country=’’) OR 1=1 --’!
$country ß ‘) OR 1=1 --
Syntax Error: Missing Opening Parenthesis
Evalua;on
Subjects
28
Applica,on # Opera,ons # Parameters KLoC
Hotel Reserva;on Service 7 21 1.5
SugarCRM 26 87 352
Total 33 108 353.5
Each subject is tested with and without firewall à 4 dis;nct experiment setups
Baseline – Standard ANacks
• Consists of standard aNacks – List of 137 SQLi aNacks – Diverse set of known paNerns
• State-‐of-‐the-‐art tools use such aNacks – E.g. BurpSuite, SoapUI
29
Research Ques;ons
RQ1: Are standard a*acks and mutated a*acks (generated by μ4SQLi) likely to reveal exploitable SQLi vulnerabili?es?
RQ2: With and without the presence of the WAF, which input genera?on technique performs be*er?
30
Variables
31
T – total number of test cases that generate SQL statements that get flagged by the monitor Te – as T but in addi;on flagged SQL statements must be executable
Variables
32
DB SUT ti
s1
s2
sn …
T – total number of test cases that generate SQL statements that get flagged by the monitor Te – as T but in addi;on flagged SQL statements must be executable
Variables
33
DB SUT ti
s1
s2
sn …
T – total number of test cases that generate SQL statements that get flagged by the monitor Te – as T but in addi;on flagged SQL statements must be executable
If at least one statement is flagged, ti reveals a vulnerabilityà increment T If the flagged statement is executable à increment Te
34
Standard ANacks
μ4SQLi
Results
Research Ques;on 1
Are standard a*acks and mutated a*acks (generated by μ4SQLi) likely to reveal exploitable
SQLi vulnerabili?es?
35
Research Ques;on 1
Are standard a*acks and mutated a*acks (generated by μ4SQLi) likely to reveal exploitable
SQLi vulnerabili?es?
36
Answer Both techniques can reveal SQLi vulnerabili?es when no firewall was used. Most vulnerabili?es are highly likely to be detected with at most a
few dozen test cases or less.
Research Ques;on 2
37
With and without the presence of the WAF, which input genera?on technique performs
be*er?
Research Ques;on 2
38
With and without the presence of the WAF, which input genera?on technique performs
be*er?
Answer μ4SQLi generates a higher percentage of tests that can reveal SQLi vulnerabili?es. Further, in the presence of a WAF, μ4SQLi is also capable of
doing so.
Summary
WAF SUT
Monitor
Database
Test generator
XAVIER
DBProxyWSDL
Input samples
Monitor
test reports
WAF SUT
Monitor
Database
Test generator
XAVIER
DBProxyWSDL
Input samples
Monitor
test reports
Backup Slides
Operator Name Descrip,on
Behavior-‐Changing Operators
MO_or Adds an OR-‐clause to the input
MO_and Adds an AND-‐clause to the input
MO_semi Adds semicolon followed by an addi;onal SQL statement
Syntax-‐Repairing Operators
MO_par Appends a parenthesis to a valid input
MO_cmt Adds a comment command (-‐-‐ or #) to an input
MO_qot Adds a single or double quote to an input
Obfusca,on Operators
MO_wsp Changes the encoding of whitespaces
MO_chr Changes the encoding of a character literal
MO_html Changes the encoding of an input to HTML en;ty encoding
MO_per Changes the encoding of an input to percentage encoding
MO_bool Rewrites a boolean expression while preserving it’s truth value
MO_keyw Changes capitaliza;on and inserts comments into SQL keywords
45
Approach – Test Genera;on
<soapenv:Envelope> <soapenv:Header/> <soapenv:Body> <urn:getRoomsByRate>
<minPrice xsi:type="xsd:float">100</minPrice> <maxPrice xsi:type="xsd:float">400</maxPrice> <country xsi:type="xsd:string">"||not 0--</country> <start xsi:type="xsd:integer">1</start>
</urn:getRoomsByRate> </soapenv:Body></soapenv:Envelope>
req_hotelServer_getRoomsByRate.xml
1 <soapenv:Envelope>2 <soapenv:Header/>3 <soapenv:Body>4 <urn:getRoomsByRate>5 <minPrice xsi:type="xsd:float">100</minPrice>6 <maxPrice xsi:type="xsd:float">400</maxPrice>7 <country xsi:type="xsd:string">France</country>8 <start xsi:type="xsd:integer">1</start>9 </urn:getRoomsByRate>
10 </soapenv:Body>11 </soapenv:Envelope>12
Page 1
μ4SQLi
Valid Test Case
SQLi Test Case
46
47
Standard ANacks
μ4SQLi
Results
48
Standard ANacks
μ4SQLi
Results
49
Standard ANacks
μ4SQLi
Results
Results without WAF Subject Parameter Standard AMacks μ4SQLi
%T %Te %T %Te
HotelRS
country 12.41 5.84 40.62 21.80
arrDate 35.04 9.49 42.05 12.50
depDate 35.04 9.49 42.96 12.03
name 35.04 9.49 43.36 12.91
address 35.04 9.49 39.81 11.00
email 35.04 9.49 41.73 11.23
SugarCRM
value 37.23 0 41.48 22.51
ass_user_id 32.85 8.03 42.49 13.91
query1 32.85 3.65 9.82 0.30
query2 54.74 5.84 81.72 33.45
order_by 59.85 10.95 85.98 33.55
rel_mod_qry 47.45 2.92 49.79 0
Results with WAF Subject Parameter Standard AMacks μ4SQLi
%T %Te %T %Te
HotelRS
country 0.73 0 36.84 20.69
arrDate 2.19 0 42.05 12.50
depDate 5.84 0 42.96 12.03
name 6.57 0 43.36 12.91
address 7.30 0 39.81 11.00
email 6.57 0 41.73 11.23
SugarCRM
value 2.19 0 37.42 20.48
ass_user_id 5.11 0 29.35 6.89
query1 0.73 0 8.97 0.20
query2 3.65 0 76.56 31.43
order_by 7.30 0 80.08 31.96
rel_mod_qry 6.57 0 44.82 0