Leveraging User Interactions for In-Depth Testing of Web Application
Sean McAllister (Secure System Lab, Technical University Vienna, Austria), Engin Kirda (Institute Eurecom, France), Christopher Kruegel (University of California, Santa Barbara)

Posted on 23-Dec-2015 (upload: kathleen-page)

TRANSCRIPT

Page 1: Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda

Leveraging User Interactions for In-Depth Testing of Web Application

Sean McAllister, Secure System Lab, Technical University Vienna, Austria; Engin Kirda, Institute Eurecom, France; Christopher Kruegel, University of California, Santa Barbara

Page 2:

Presented by:

Mahdi Nasrullah Al-Ameen

Page 3:

Research Problem ::

Detecting Vulnerabilities in Web Applications using Black-Box Vulnerability Scanner.

Page 4:

Vulnerabilities ::

Cross-site Scripting (XSS Vulnerabilities)

SQL Injection

Page 5:

Vulnerabilities :: Cross-site Scripting (XSS Vulnerabilities) :

It allows an attacker to embed malicious JavaScript, VBScript or HTML into a vulnerable dynamic page in order to fool the user: the script executes on the user's machine and gathers data.

[Figure: Hacker, Victim, Your Web Page. The hacker injects a script into your web page; the victim visits the page and is infected with the script.]

Page 6:

Black Box Vulnerability Scanner ::

Runs the application and monitors its executions.

By providing a variety of malformed input values, the goal is to find cases in which the application misbehaves or crashes.

Page 7:

Limitations of the Current Black Box Vulnerability Scanners ::

Often fail to test a substantial fraction of a web application's logic, especially when this logic is invoked from pages that can only be reached after filling out complex forms that check the correctness of the provided values.

Page 8:

Contributions of the Paper ::

To address the limitations of existing tools, the paper proposes several techniques that allow the scanner to reach "deeper" into the application, thus detecting more entry points, which can then be tested or fuzzed using existing databases of malformed input values.

Page 9:

Contributions of the Paper ::

Guided Fuzzing : Leverages previously recorded user input to fill out forms with values that are likely valid.

Extended Guided Fuzzing : Guided Fuzzing is further extended by using each step to explore a program more comprehensively.

Stateful Fuzzing : Mitigates potentially undesirable side effects that may occur while performing Extended Guided Fuzzing.

Page 10:

Layout of the Presentation ::

High Level Idea of Proposed Fuzzing Techniques

Overview of Experimental Results

Comparison with Related Works

Limitations of the Paper

My Suggestions

Page 11:

Guided Fuzzing :: Increasing Testing Depth

Phase I: Collecting Input ::

Using a Proxy between the Web Client and the Web Server to log the inputs that are sent to the Web Application.

Recording incoming inputs at the Server side by means of Web Server Log Files.

Page 12:

Guided Fuzzing ::

Phase II: Replaying Input ::

Assume the Scanner has reached Step 2 using the inputs previously recorded at Step 1.

Fuzzer component is invoked at Step 2 (uses database of malformed values).

Previously recorded input values stored for Step 2 are used to advance to Step 3.

Page 13:

Guided Fuzzing ::

Terminating Condition:

Test Case is exhausted.

Previously recorded input is no longer valid.

Page 14:

Guided Fuzzing ::

Limitations:

For each step only a single entry point is analyzed.

Page 15:

Extended Guided Fuzzing :: Increasing Testing Breadth

For each step, all entry points are explored, that is, the complete site reachable from the current page is fuzzed.

Increases the number of entry points a scanner can test.

Page 16:

Extended Guided Fuzzing :: Increasing Testing Breadth

Limitations :

Inputs sent by the fuzzer may change the state of the application such that the remaining steps can no longer be executed.

Page 17:

Stateful Fuzzing ::

A Snapshot of the current state of the Application is taken.

Then the Fuzzer is allowed to run, which may cause significant changes to the state of the Application.

After each Fuzzing step, the Application is restored to the previously taken Snapshot.

At this point the Application is in the expected state and can advance one step.

After that the process is repeated, that is, a Snapshot is taken and the Fuzzer is invoked.

Page 18:

Stateful Fuzzing ::

To be able to capture the state of an Application and subsequently restore it: whenever an Object is modified or deleted, a copy of this object is saved.
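The snapshot, fuzz, restore, advance loop of the Stateful Fuzzing slides above, as an added Python example that is not the authors' prototype: a toy object store saves a copy of each object on its first modification or deletion after a snapshot, and the driver replays constructed recorded inputs for a two-step login-then-publish workflow while a stand-in fuzzer deletes the draft at every step. All names, the sample state and the recorded inputs are hypothetical.

```python
import copy
MISSING = object()  # marks a key that did not exist when the snapshot was taken

class AppState:  # toy application store with copy-on-write snapshot and restore
    def __init__(self, objects):
        self.objects, self._saved = dict(objects), None  # None: no snapshot active
    def snapshot(self):
        self._saved = {}
    def _save(self, key):  # keep the old value on the first write after snapshot()
        if self._saved is not None and key not in self._saved:
            old = self.objects.get(key, MISSING)
            self._saved[key] = old if old is MISSING else copy.deepcopy(old)
    def modify(self, key, value):
        self._save(key)
        self.objects[key] = value
    def delete(self, key):
        self._save(key)
        self.objects.pop(key, None)
    def restore(self):  # put saved objects back; drop objects created since
        for key, old in self._saved.items():
            self.objects.pop(key, None)
            if old is not MISSING:
                self.objects[key] = old
        self._saved = None

def login(app, form):  # step 1: creates the session if the credentials match
    if app.objects.get("user:" + form["username"]) == form["password"]:
        app.modify("session", form["username"])
    return "session" in app.objects
def publish(app, form):  # step 2: needs both the session and the draft
    if "session" in app.objects and "draft:1" in app.objects:
        app.modify("draft:1", {"title": form["title"], "published": True})
    return app.objects.get("draft:1", {}).get("published", False)

def run_workflow(app, steps, recorded, fuzzer):  # returns the names of steps reached
    reached = []
    for name, handler in steps:
        app.snapshot()
        fuzzer(app, recorded[name])  # fuzz this step's entry point (may change state)
        app.restore()  # undo the fuzzer's side effects before advancing
        if not handler(app, recorded[name]):
            break  # previously recorded input is no longer valid
        reached.append(name)
    return reached

def demo():  # constructed blog-like state, recorded inputs and a stand-in fuzzer
    app = AppState({"user:alice": "s3cret", "draft:1": {"title": ""}})
    recorded = {"login": {"username": "alice", "password": "s3cret"}, "publish": {"title": "Hello"}}
    fuzzer = lambda app, form: app.delete("draft:1")  # side effect that must be undone
    return run_workflow(app, [("login", login), ("publish", publish)], recorded, fuzzer)
```

Without the snapshot the same side effect removes the draft after step 1, so the recorded input for step 2 is no longer valid and the walk stops early.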

Page 19:

Stateful Fuzzing ::

Mapping of URLs to Functions:

Finding the set of URLs that all invoke the same function within the application.

User input collected for one of these forms can be reused for the other forms as well (when no user input is recorded for these forms).

Page 20:

Stateful Fuzzing :: Mapping of URLs to Functions:

Record the name of the function that the requested URL maps to.

When an unknown URL is found, query which function is invoked by this URL.

Search whether this function was previously called by another URL.

If this is the case, examine the name-value pairs associated with this other URL.

For each of those names, find a form element on the current page that has the same name.

When a matching name is found, the corresponding stored value is supplied.
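The URL-to-function reuse procedure of the two slides above, as an added Python example that is not the paper's code: the routing table, the recorded inputs and the form field names are constructed, and `function_for` stands in for querying the application's URL resolver.

```python
import re

ROUTES = [  # constructed: URL pattern -> name of the application function it invokes
    (re.compile(r"^/shop/cart/add$"), "add_to_cart"),
    (re.compile(r"^/shop/item/\d+/add$"), "add_to_cart"),
    (re.compile(r"^/shop/checkout$"), "checkout"),
]

def function_for(url):
    """Answer 'which function is invoked by this URL?' (None if unrouted)."""
    for pattern, name in ROUTES:
        if pattern.match(url):
            return name
    return None

class InputStore:
    def __init__(self):
        self.by_url = {}       # URL -> recorded name/value pairs
        self.by_function = {}  # function name -> URLs already seen calling it

    def record(self, url, form):
        """Phase I: store the input sent to url and the function it mapped to."""
        self.by_url[url] = dict(form)
        self.by_function.setdefault(function_for(url), []).append(url)

    def values_for(self, url, form_fields):
        """Phase II: fill the named form fields on the page at url.
        A direct recording wins; otherwise reuse the pairs recorded for any
        other URL that invokes the same function. Unmatched fields are left out."""
        if url in self.by_url:
            known = self.by_url[url]
        else:
            known = {}
            for other in self.by_function.get(function_for(url), []):
                known.update(self.by_url[other])
        return {name: known[name] for name in form_fields if name in known}
```

Fields with no recorded counterpart (such as `gift_wrap` in the test) fall back to whatever default the scanner would otherwise use.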

Page 21:

Overview of the Experimental Results

Application 1: Blogging Application

Detected Unique Vulnerabilities:

Guided Fuzzing: 1
Extended Fuzzing: 1
Stateful Fuzzing: 1

Other Scanners: 0 (Spider, Burp Spider, w3af, Acunetix)

Page 22:

Overview of the Experimental Results

Application 2: Online Shopping Application

Detected Unique Vulnerabilities :

Guided Fuzzing: 9
Extended Fuzzing: 1
Stateful Fuzzing: 9

Other Scanners: 1 (w3af, Acunetix)

Page 23:

Overview of the Experimental Results

Application 2: Online Shopping Application

Locations :

Guided Fuzzing: 22
Extended Fuzzing: 25
Stateful Fuzzing: 32

Other Scanners:

Spider: 18
Burp Spider: 22
w3af: 21
Acunetix: 22

Page 24:

Discussion on the Experimental Results ::

The authors claim:

All vulnerabilities found in the experiments were previously unknown.

The fuzzing techniques consistently find more (or at least as many) bugs as the other open source and commercial scanners.

Page 25:

Related Work ::

SecuBat : A Web Vulnerability Scanner

Can detect XSS and SQL Injection Vulnerabilities.

Limitations:

Cannot fill out forms.

Suffers from the problem of test coverage.

Page 26:

Related Work ::

WinRunner : A Web Vulnerability Scanner

Allows a human tester to record user inputs. Replays these inputs while testing.

Limitations:

Not fully Automated.

Page 27:

Limitations of the Paper ::

Experiments are done only for XSS Vulnerabilities.

The experiments include no comparison with static source code analysis tools.

No comparison is shown with tools that use a human tester.

Page 28:

Scope for Improvement : My Suggestions ::

To prove the effectiveness of the proposed scanner:

Experiments to find out SQL Injection Vulnerabilities should be done.

Experiments should be done on a social networking web application.

Experiments should include comparisons with tools that use a human tester.

Page 29:

Questions?

Page 30:

Thank you…