Using Web Security Scanners to Detect Vulnerabilities in Web Services

Marco Vieira, Nuno Antunes, Henrique Madeira
{mvieira, nmsa, henrique}@dei.uc.pt

CISUC, Department of Informatics Engineering, University of Coimbra
DSN 2009

Outline

Contextualization

Research Goals

Methodology

Results

Conclusions and Future Work

Nuno Antunes DSN 2009, June 29 - July 2, Estoril, Portugal

Contextualization

Web services are increasingly becoming a strategic component in a wide range of organizations

Web services are so exposed that any existing vulnerability will most probably be uncovered and exploited

Both providers and consumers need to assess the security of the services

Web Services

[diagram only in the original slide]

Web Services Security

Security threats: attackers are moving their focus to the applications' code

Traditional security mechanisms (firewalls, IDS, encryption) cannot mitigate these attacks, because the malicious input travels inside well-formed requests on an allowed channel

Vulnerabilities like SQL Injection and XPath Injection are particularly relevant

Developers must apply best coding practices

and perform security testing!

Vulnerability Examples

Authentication and deletion built by string concatenation (intentionally vulnerable):

    public String auth(String login, String pass)
            throws SQLException {
        String sql = "SELECT * FROM users WHERE " +
                     "username='" + login + "' AND " +
                     "password='" + pass + "'";
        ResultSet rs = statement.executeQuery(sql);
        (…)
    }

    public void delete(String str) throws SQLException {
        String sql = "DELETE FROM table " +
                     "WHERE id='" + str + "'";
        statement.executeUpdate(sql);
    }

Injected value for the login parameter:

    ' OR 1=1 --

Resulting query (the comment marker "--" discards the password check):

    SELECT * FROM users WHERE username='' OR 1=1 -- ' AND password=''

Injected value for the id parameter:

    ' OR ''='

Resulting query (the condition is always true, so every row is deleted):

    DELETE FROM table WHERE id='' OR ''=''
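
The two snippets above, reproduced as an added, runnable Python example (not code from the paper): the same concatenated queries are run against a constructed in-memory SQLite table, next to parameterized versions that the slide does not show. The users table, its two accounts and the passwords are constructed sample data.

```python
import sqlite3

# Payloads from the slide: one for the login parameter, one for the id parameter.
ATTACK_LOGIN = "' OR 1=1 --"
ATTACK_ID = "' OR ''='"


def fresh_db():
    """Constructed sample table (not from the paper). Plaintext passwords are
    used only so that the effect of the injection is visible in one query."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    con.commit()
    return con


def vulnerable_auth(con, login, password):
    """Mirror of auth() on the slide: the query text is assembled from user input."""
    sql = ("SELECT * FROM users WHERE username='" + login +
           "' AND password='" + password + "'")
    return con.execute(sql).fetchall()


def safe_auth(con, login, password):
    """Hardened form: placeholders keep the input as data, never as SQL syntax."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return con.execute(sql, (login, password)).fetchall()


def vulnerable_delete(con, ident):
    """Mirror of delete() on the slide. Returns the number of rows removed."""
    sql = "DELETE FROM users WHERE id='" + ident + "'"
    return con.execute(sql).rowcount


def safe_delete(con, ident):
    """Hardened form of delete(): the id is bound, so the tautology never reaches SQL."""
    return con.execute("DELETE FROM users WHERE id=?", (ident,)).rowcount


def run_demo():
    """Exercise both versions with the slide's payloads; returns the observations."""
    con = fresh_db()
    results = {
        # Legitimate use works in the parameterized version.
        "normal_login_rows": len(safe_auth(con, "alice", "s3cret")),
        # ' OR 1=1 -- turns the WHERE clause into a tautology: every user comes back.
        "vulnerable_login_rows": len(vulnerable_auth(con, ATTACK_LOGIN, "wrong")),
        # The parameterized query looks for a user literally named "' OR 1=1 --".
        "safe_login_rows": len(safe_auth(con, ATTACK_LOGIN, "wrong")),
    }
    # The bound payload matches no id ...
    results["safe_delete_rows"] = safe_delete(con, ATTACK_ID)
    # ... while '' OR ''='' is always true and the concatenated DELETE wipes the table.
    results["vulnerable_delete_rows"] = vulnerable_delete(con, ATTACK_ID)
    results["rows_left"] = con.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    con.close()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The parameterized versions are the fix the slide implies with "best coding practices": the database driver sends the query text and the values separately, so a quote or comment marker in the input can never change the statement's structure.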

Software Testing Techniques

White-box testing: analysis of the application's code

Black-box testing: analysis of the application's execution, searching for vulnerabilities; in security this is what is usually called penetration testing

Gray-box testing: approaches that combine black-box and white-box testing

Web Security Scanners

An easy and widely used way to test applications for vulnerabilities

They use fuzzing techniques to attack the application

They perform thousands of tests in an automated way

What is the effectiveness of these tools? Can programmers rely on them?

Research Goals

Study the effectiveness of the scanners

Identify common types of vulnerabilities

Both in the context of web service environments

Methodology

Apply leading commercial scanners to public web services

300 web services tested, randomly selected

4 scanners used (including two different versions of the same brand)

Experimental Study

Preparation: select services and scanners

Execution: test the services using the scanners

Verification: identify false positives

Analysis: analysis and systematization of the results

Scanners

[table of the scanners used; they are anonymized in the results as VS1.1 and VS1.2 (two versions of the same brand), VS2 and VS3]

Vulnerabilities Found

SQL Injection

XPath Injection

Code Execution

Possible Parameter Based Buffer Overflow

Possible Username or Password Disclosure

Possible Server Path Disclosure

Overall results analysis

Vulnerabilities reported by each scanner (# Vuln.) and number of web services in which they were found (# WS):

Vulnerability type                          VS1.1          VS1.2          VS2            VS3
                                            #Vuln  #WS     #Vuln  #WS     #Vuln  #WS     #Vuln  #WS
SQL Injection                                 217   38       225   38        25    5        35   11
XPath Injection                                10    1        10    1         0    0         0    0
Code Execution                                  1    1         1    1         0    0         0    0
Possible Parameter Based Buffer Overflow        0    0         0    0         0    0         4    3
Possible Username or Password Disclosure        0    0         0    0         0    0        47    3
Possible Server Path Disclosure                 0    0         0    0         0    0        17    5
Total                                         228   40       236   40        25    5       103   22

SQL Injection

Venn diagrams of the SQL Injection vulnerabilities reported by each scanner, before false positives are removed (slides 15 to 19). Figures recoverable from the diagram labels, all consistent with the per-scanner totals 217 (VS1.1), 225 (VS1.2), 25 (VS2) and 35 (VS3):

VS1.2 alone: 225

VS1.1 and VS1.2: 198 in common, 19 only in VS1.1, 27 only in VS1.2

Adding VS3: the 198 shared by VS1.1 and VS1.2 split into 172 not reported by VS3 and 26 also reported by VS3; 3 of the 27 reported only by VS1.2 are also reported by VS3; 6 are reported by VS3 alone (26 + 3 + 6 = 35)

Adding VS2 (region labels as extracted: 171, 19, 24, 5, 21, 5, 2, 1, 1, 3): 21 of the 25 VS2 reports are also reported by the three other scanners and 2 are reported by VS2 alone

The last slide adds only a question mark: how many of these reports are real vulnerabilities? That is the subject of the false positive examination.

20

False positive when the error/answer obtained is related to an

application robustness problem.

the same problem occurs when the service is executed with valid inputs

Confirmed Vulnerabilities when is possible to observe that a SQL command was

invalidated by the “injected” values

the “injected” values lead to exceptions raised by the database server

is possible to access unauthorized resources

False Positives examination

Nuno Antunes DSN 2009, June 29 - July 2, Estoril, Portugal
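
The verification criteria above, written out as an added Python example (not the authors' tooling): each suspected SQL injection is classified by comparing the scanner's attack response with the responses the same operation gives to valid requests, which is also the "compare with valid requests" idea of the preliminary work at the end of the talk. The responses, the error-signature lists and the `<rows>` element used to spot unauthorized data are constructed for this example; the doubtful class collects everything the two criteria do not decide.

```python
import re
from collections import Counter

FALSE_POSITIVE, DOUBTFUL, CONFIRMED = "false positive", "doubtful", "confirmed"

# Constructed, illustrative signatures of errors raised by the database layer:
# seeing one of these only for the attack request means the injected value
# reached the SQL engine and invalidated the command.
DB_ERROR_PATTERNS = [
    r"SQLSyntaxErrorException",
    r"java\.sql\.SQLException",
    r"ORA-\d{5}",
    r"You have an error in your SQL syntax",
    r"unterminated quoted string",
    r"Incorrect syntax near",
]
# Application-level failures a scanner may flag, which by themselves say
# nothing about injection (robustness problems).
APP_ERROR_PATTERNS = [
    r"NullPointerException",
    r"NumberFormatException",
    r"Internal Server Error",
]


def error_signature(response):
    """Reduce a (status, body) pair to a comparable failure signature, or None."""
    status, body = response
    for pattern in DB_ERROR_PATTERNS + APP_ERROR_PATTERNS:
        if re.search(pattern, body):
            return pattern
    return "HTTP %d" % status if status >= 500 else None


def is_db_error(response):
    return any(re.search(p, response[1]) for p in DB_ERROR_PATTERNS)


def row_count(response):
    """Number of records in the response, from a constructed <rows> element."""
    match = re.search(r"<rows>(\d+)</rows>", response[1])
    return int(match.group(1)) if match else None


def classify(valid_responses, attack_response):
    """Apply the verification criteria from the slide.

    valid_responses: responses of the same operation to valid (workload) requests
    attack_response: response to the scanner's injection attempt
    """
    attack_sig = error_signature(attack_response)
    valid_sigs = {error_signature(r) for r in valid_responses}
    # 1. Same failure with valid input -> robustness problem, not injection.
    if attack_sig is not None and attack_sig in valid_sigs:
        return FALSE_POSITIVE
    # 2. Database exception only for the attack -> the injected value broke the command.
    if is_db_error(attack_response):
        return CONFIRMED
    # 3. More records than any valid request ever returned -> unauthorized data access.
    valid_rows = [c for c in map(row_count, valid_responses) if c is not None]
    attack_rows = row_count(attack_response)
    if attack_rows is not None and valid_rows and attack_rows > max(valid_rows):
        return CONFIRMED
    # Neither criterion decides: keep it for manual inspection.
    return DOUBTFUL


# Constructed sample findings: operation -> (valid responses, attack response).
SAMPLE_FINDINGS = {
    "getUserById": ([(200, "<rows>1</rows>")],
                    (500, "java.sql.SQLSyntaxErrorException: unterminated quoted string at position 36")),
    "getOrders": ([(500, "java.lang.NullPointerException at OrderService.list")],
                  (500, "java.lang.NullPointerException at OrderService.list")),
    "searchProducts": ([(200, "<rows>3</rows>"), (200, "<rows>0</rows>")],
                       (200, "<rows>412</rows>")),
    "updateProfile": ([(200, "<ok/>")],
                      (500, "Internal Server Error")),
}


def triage(findings):
    """Classify every finding; returns the verdicts and a per-class tally."""
    verdicts = {name: classify(valid, attack) for name, (valid, attack) in findings.items()}
    return verdicts, Counter(verdicts.values())


if __name__ == "__main__":
    verdicts, tally = triage(SAMPLE_FINDINGS)
    for name, verdict in verdicts.items():
        print("%-16s %s" % (name, verdict))
    print(dict(tally))
```

Two points a practitioner should keep in mind: a scanner that treats every HTTP 500 as "SQL injection" produces exactly the getOrders case, which is why the valid-input baseline has to be recorded before the attack run; and a bare "Internal Server Error" with no database signature is left doubtful rather than confirmed, because the server may simply be hiding the real exception.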

False Positives results

Classification of the SQL Injection vulnerabilities reported by each scanner (stacked bar chart in the original; counts reconstructed from the chart labels, each row adds up to the scanner's total in the overall results table):

Scanner   Confirmed   Doubtful       False positives   Total
VS1.1        116      14 (6.5%)       87 (40%)          217
VS1.2        116      26 (11.6%)      83 (37%)          225
VS2           17       8 (32%)         0                  25
VS3           21       5 (14%)         9 (25.7%)          35

SQL Injection without False Positives

Venn diagrams of the remaining (confirmed plus doubtful) SQL Injection vulnerabilities per scanner (slides 22 to 26). Figures recoverable from the diagram labels, consistent with the per-scanner totals 130 (VS1.1), 142 (VS1.2), 25 (VS2) and 26 (VS3):

VS1.2 alone: 142

VS1.1 and VS1.2: 127 in common, 3 only in VS1.1, 15 only in VS1.2

Adding VS3: of its 26 vulnerabilities, 24 are also reported by both VS1.1 and VS1.2 and 2 are reported by VS3 alone; 103 are reported by VS1.1 and VS1.2 but not by VS3

Adding VS2 (region labels as extracted: 21, 13, 3, 1, 2, 102, 15, 1): 21 of its 25 vulnerabilities are also reported by the three other scanners

The last slide again adds only a question mark, leading into the coverage analysis.

Coverage analysis

Scanner   # SQL Injection vulnerabilities   Coverage
VS1.1                 130                    87.2%
VS1.2                 142                    95.3%
VS2                    25                    16.8%
VS3                    26                    17.4%
Total (union)         149                   100%

The real number of vulnerabilities is not available, so coverage is computed relative to the union of what the four scanners reported (149). This permits a comparative analysis between scanners, but the values are overestimated: vulnerabilities that no scanner found are not counted at all.
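
The relative coverage calculation, together with the scanner overlap the Venn diagrams show, as an added Python example that is not the authors' code: findings from several scanners are reduced to a canonical key so that the same vulnerability reported by two tools under different names counts once, then each scanner's count is divided by the size of the union. The four-scanner report below is constructed sample data, far smaller than the 149 vulnerabilities of the study.

```python
from collections import Counter


def canonical(finding):
    """Key that decides when two scanners reported the *same* vulnerability:
    same service, operation, parameter and vulnerability type, ignoring case
    and the scanner-specific wording of the finding."""
    return (
        finding["service"].lower(),
        finding["operation"].lower(),
        finding["parameter"].lower(),
        finding["type"],
    )


def overlap_analysis(reports):
    """reports: {scanner name: list of finding dicts}.

    Returns (coverage, regions, unique) where
      coverage[s] = share of the union reported by scanner s, in percent
                    (relative coverage: an overestimate, since vulnerabilities
                    missed by every scanner are not in the union),
      regions     = Counter keyed by the frozenset of scanners that reported a
                    vulnerability (one entry per region of the Venn diagram),
      unique[s]   = vulnerabilities reported by s and by no other scanner.
    """
    sets = {s: {canonical(f) for f in fs} for s, fs in reports.items()}
    union = set().union(*sets.values())
    if not union:
        raise ValueError("no findings to analyse")
    coverage = {s: round(100.0 * len(v) / len(union), 1) for s, v in sets.items()}
    regions = Counter(
        frozenset(s for s, v in sets.items() if key in v) for key in union
    )
    unique = {s: regions.get(frozenset([s]), 0) for s in sets}
    return coverage, regions, unique


def finding(label, service, operation, parameter):
    """Build a constructed sample finding; 'label' is the scanner's own wording."""
    return {"service": service, "operation": operation, "parameter": parameter,
            "type": "SQL Injection", "scanner_text": label}


# Constructed sample reports (not the study's data): six distinct vulnerabilities.
SAMPLE_REPORTS = {
    "VS1.1": [finding("SQL injection (error based)", "OrderService", "getOrder", "orderId"),
              finding("SQL injection (error based)", "OrderService", "listOrders", "customer"),
              finding("SQL injection (blind)", "UserService", "login", "username")],
    "VS1.2": [finding("SQL injection (error based)", "OrderService", "getOrder", "orderId"),
              finding("SQL injection (error based)", "OrderService", "listOrders", "customer"),
              finding("SQL injection (blind)", "UserService", "login", "username"),
              finding("SQL injection (blind)", "UserService", "login", "password"),
              finding("SQL injection (error based)", "CatalogService", "search", "q")],
    # VS2 lower-cases names in its report: same vulnerabilities, different spelling.
    "VS2": [finding("SQL Injection", "orderservice", "getorder", "orderid"),
            finding("SQL Injection", "catalogservice", "search", "q")],
    "VS3": [finding("Blind SQL Injection", "OrderService", "getOrder", "orderId"),
            finding("Blind SQL Injection", "UserService", "login", "username"),
            finding("Blind SQL Injection", "ReportService", "export", "format")],
}


if __name__ == "__main__":
    coverage, regions, unique = overlap_analysis(SAMPLE_REPORTS)
    for scanner, pct in sorted(coverage.items()):
        print("%-6s %5.1f%%  unique: %d" % (scanner, pct, unique[scanner]))
    for region, count in regions.items():
        print(sorted(region), count)
```

The canonical key is the part that needs care in practice: without it the union is inflated by duplicates and every scanner's relative coverage drops, which would make the tools look worse than they are rather than better.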

Common Vulnerabilities

Vulnerabilities remaining after the false positives are removed (pie chart in the original):

SQL Injection (149)

Possible Server Path Disclosure (16)

XPath Injection (10)

Code Execution (1)

Possible Parameter Based Buffer Overflow (1)

Conclusions

A large number of vulnerabilities was observed

SQL Injection vulnerabilities are prevalent

Selecting a scanner for web services is a very difficult task: different scanners detect different types of vulnerabilities

High false positive rates

Low coverage rates

Can we do better?

Preliminary work

Develop a new approach for vulnerability detection

Detect SQL Injection and XPath Injection vulnerabilities effectively

Generate a workload (valid requests) and an attackload (malicious requests)

Analyze the responses

Analyze the vulnerabilities found in order to avoid false positives

Preliminary Work Results

Stacked bar chart (confirmed / doubtful / false positives) comparing the four scanners with the new prototype, VS.WS, on the services used in the preliminary study (counts reconstructed from the chart labels, in the same series order as the earlier false positives chart):

Scanner   Confirmed   Doubtful   False positives   Total
VS1.1        47          13           93            153
VS1.2        47          25           86            158
VS2          17           4            0             21
VS3          21           4            1             26
VS.WS        52          13           14             79

The prototype finds more confirmed vulnerabilities than any of the scanners while reporting far fewer false positives than VS1.1 and VS1.2.

Innovations introduced

Generation of a more complete workload: better knowledge of the service's behavior

A complete attackload: all the attacks used by the scanners plus others present in the literature

Better analysis of the service's responses: compare them with the responses to valid requests

Robustness testing applied

Questions?