Using web security scanners to detect vulnerabilities in web services
CISUC, Department of Informatics Engineering, University of Coimbra
DSN 2009
Using Web Security Scanners to Detect Vulnerabilities in Web Services
Marco Vieira, Nuno Antunes, Henrique Madeira
{mvieira, nmsa, henrique}@dei.uc.pt
Outline
Contextualization
Research Goals
Methodology
Results
Conclusions and Future Work
Nuno Antunes DSN 2009, June 29 - July 2, Estoril, Portugal
Contextualization
Web services are increasingly becoming a strategic component in a wide range of organizations
Web services are so exposed that any existing vulnerability will most probably be uncovered/exploited
Both providers and consumers need to assess services’ security
Web Services Security
Security threats: hackers are moving their focus to applications' code
Traditional security mechanisms (firewalls, IDS, encryption) cannot mitigate these attacks
Vulnerabilities like SQL Injection and XPath Injection are particularly relevant
Developers must apply best coding practices
Security testing!
Vulnerability Examples
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Deliberately vulnerable, as on the slide: user input is concatenated into the SQL text.
// 'statement' is assumed to be a java.sql.Statement field of the enclosing class.
public String auth(String login, String pass) throws SQLException {
    String sql = "SELECT * FROM users WHERE " +
                 "username='" + login + "' AND " +
                 "password='" + pass + "'";
    ResultSet rs = statement.executeQuery(sql);
    (…)
}

public void delete(String str) throws SQLException {
    String sql = "DELETE FROM table " +
                 "WHERE id='" + str + "'";
    statement.executeUpdate(sql);
}
Injected value for login: ' OR 1=1 --
Resulting query: "SELECT * FROM users WHERE username='' OR 1=1 -- ' AND password=''"
Injected value for str: ' OR ''='
Resulting query: "DELETE FROM table WHERE id='' OR '' = ''"
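The two methods above, reproduced in Python against a constructed in-memory SQLite database, beside parameterized versions of the same queries. This is an added example, not code from the slides; the users/items tables and their rows are constructed sample data, and the slide's "table" is called "items" here.

```python
import sqlite3

# Constructed sample data (assumed schema) standing in for the tables behind
# the slide's auth() and delete(); the slide's 'table' is named 'items' here.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    con.execute("CREATE TABLE items (id TEXT)")
    con.executemany("INSERT INTO items VALUES (?)", [("a1",), ("b2",)])
    return con

def auth_concat(con, login, pw):
    """Same construction as the slide's auth(): input spliced into the SQL text."""
    sql = ("SELECT * FROM users WHERE username='" + login
           + "' AND password='" + pw + "'")
    return con.execute(sql).fetchall()

def auth_param(con, login, pw):
    """Hardened form: values are bound parameters and never become SQL text."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return con.execute(sql, (login, pw)).fetchall()

def delete_concat(con, value):
    """Same construction as the slide's delete(); returns rows removed."""
    sql = "DELETE FROM items WHERE id='" + value + "'"
    return con.execute(sql).rowcount

def delete_param(con, value):
    """Hardened form of delete(); returns rows removed."""
    return con.execute("DELETE FROM items WHERE id=?", (value,)).rowcount

def demo():
    """How each variant reacts to the two injected values shown on the slide."""
    con = make_db()
    return {
        "auth_concat": len(auth_concat(con, "' OR 1=1 --", "")),    # every user
        "auth_param": len(auth_param(con, "' OR 1=1 --", "")),      # no user
        "delete_concat": delete_concat(make_db(), "' OR ''='"),     # every row
        "delete_param": delete_param(make_db(), "' OR ''='"),       # no row
    }
```

With bound parameters the injected text is compared as a literal username or id, so neither query matches any row.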
Software Testing techniques
White-box testing: the analysis of the application's code
Black-box testing: the analysis of the application's execution, searching for vulnerabilities (known as penetration testing)
Gray-box testing: approaches that combine black-box and white-box testing
Web Security Scanners
Easy and widely used way to test applications, searching for vulnerabilities
Use fuzzing techniques to attack applications
Perform thousands of tests in an automated way
What is the effectiveness of these tools? Can programmers rely on these tools?
Research Goals
Study the effectiveness of the scanners
Identify common types of vulnerabilities
In the context of web service environments
Methodology
Apply leading commercial scanners to public web services
300 web services tested, randomly selected
4 scanners used (including two different versions of one brand)
Experimental Study
Preparation: select services and scanners
Execution: test the services using the scanners
Verification: identify false positives
Analysis: analysis and systematization of results
Vulnerabilities Found
SQL injection
XPath Injection
Code Execution
Possible Parameter Based Buffer Overflow
Possible Username or Password Disclosure
Possible Server Path Disclosure
Overall results analysis

Vulnerability type                        | VS1.1         | VS1.2         | VS2           | VS3
                                          | # Vuln. | # WS | # Vuln. | # WS | # Vuln. | # WS | # Vuln. | # WS
SQL Injection                             |   217   |  38  |   225   |  38  |    25   |   5  |    35   |  11
XPath Injection                           |    10   |   1  |    10   |   1  |     0   |   0  |     0   |   0
Code Execution                            |     1   |   1  |     1   |   1  |     0   |   0  |     0   |   0
Possible Parameter Based Buffer Overflow  |     0   |   0  |     0   |   0  |     0   |   0  |     4   |   3
Possible Username or Password Disclosure  |     0   |   0  |     0   |   0  |     0   |   0  |    47   |   3
Possible Server Path Disclosure           |     0   |   0  |     0   |   0  |     0   |   0  |    17   |   5
Total                                     |   228   |  40  |   236   |  40  |    25   |   5  |   103   |  22
SQL Injection
[Venn diagram, built up over three slides: overlap of the SQL Injection vulnerabilities reported by VS1.1 (217), VS1.2 (225), VS2 (25) and VS3 (35). The last slide adds a "?" over the diagram. The per-region counts are not recoverable from the transcript.]
False Positives examination
False positive: when the error/answer obtained is related to an application robustness problem
(the same problem occurs when the service is executed with valid inputs)
Confirmed vulnerability: when it is possible to observe that a SQL command was invalidated by the "injected" values,
the "injected" values lead to exceptions raised by the database server,
or it is possible to access unauthorized resources
False Positives results
(SQL Injection findings per scanner; values read from the bar chart, each column summing to the scanner's SQL Injection total above)

                   VS1.1        VS1.2        VS2        VS3
Confirmed           116          116          17         21
Doubtful             14 (6.5%)    26 (11.6%)   8 (32%)    5 (14%)
False Positives      87 (40%)     83 (37%)     0          9 (25.7%)
SQL Injection without False Positives
[Venn diagram, built up over five slides: overlap of the SQL Injection vulnerabilities remaining after false positives are removed, as reported by VS1.2 (142), VS1.1 (130), VS3 (26) and VS2 (25). The last slide again adds a "?" over the diagram. The per-region counts are not recoverable from the transcript.]
Coverage analysis

Scanner | # SQL Injection Vulnerabilities | Coverage %
VS1.1   | 130                             |  87.2%
VS1.2   | 142                             |  95.3%
VS2     |  25                             |  16.8%
VS3     |  26                             |  17.4%
Total   | 149                             | 100%

Real number of vulnerabilities unavailable; it is only possible to make a comparative analysis
Overestimated coverage values!!
Common Vulnerabilities
[Pie chart of the vulnerabilities confirmed across all scanners:]
SQL Injection (149)
Possible Server Path Disclosure (16)
XPath Injection (10)
Code Execution (1)
Possible Parameter Based Buffer Overflow (1)
Conclusions
A large number of vulnerabilities was observed
SQL Injection vulnerabilities are prevalent
Selecting a scanner for web services is a very difficult task: different scanners detect different types of vulnerabilities
High false positives rates
Low coverage rates
Can we do better?
Preliminary work
Develop a new approach for vulnerability detection
Detect SQL Injection and XPath Injection vulnerabilities effectively
Generate workload and attackload
Analyze responses
Analyze vulnerabilities to avoid false positives
Preliminary Work Results
(SQL Injection findings per scanner, with VS.WS added; values read from the bar chart)

                   VS1.1   VS1.2   VS2   VS3   VS.WS
Confirmed            47      47     17    21     52
Doubtful             13      25      4     4     13
False Positives      93      86      0     1     14
Innovations introduced
Generation of a more complete workload: a better knowledge of the service's behavior
A complete attackload: all attacks used by scanners and others present in the bibliography
Better analysis of the service's responses: compare with valid requests
Robustness testing applied
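The response analysis described here and the classification rules on the "False Positives examination" slide, as an added example that is not the authors' tool: each scanner finding is judged by comparing the response to the injected request with the response to a valid request for the same operation. The responses are constructed sample data, the database error signatures are an assumed list, and treating undecided findings as "doubtful" is our assumption (the slides do not define that category).

```python
import re

# Error text a database server emits when an injected value breaks the
# SQL command (assumed signatures; extend for the engines actually in use).
DB_ERROR = re.compile(r"SQLException|syntax error|unterminated quoted string", re.I)

def same_failure(a, b):
    """Both responses failed in the same way: same status and same message."""
    return a["status"] >= 500 and a["status"] == b["status"] and a["body"] == b["body"]

def classify(valid, attack):
    """Classify one scanner finding. valid/attack are constructed response dicts
    (status code, body text, number of records returned). Rules follow the
    'False Positives examination' slide; 'doubtful' is our assumption for
    findings neither rule decides."""
    if same_failure(attack, valid):
        return "false positive"   # robustness problem: valid inputs fail the same way
    if DB_ERROR.search(attack["body"]) and not DB_ERROR.search(valid["body"]):
        return "confirmed"        # injected value reached the database and broke the command
    if attack["records"] > valid["records"]:
        return "confirmed"        # injected value exposed records the valid request could not
    return "doubtful"

def triage(findings):
    """findings: list of (valid_response, attack_response). Returns counts per class,
    the same three classes the results charts use."""
    counts = {"false positive": 0, "doubtful": 0, "confirmed": 0}
    for valid, attack in findings:
        counts[classify(valid, attack)] += 1
    return counts

# Constructed sample findings for one fictitious 'getUser' operation.
OK = {"status": 200, "body": "<user>alice</user>", "records": 1}
NPE = {"status": 500, "body": "java.lang.NullPointerException", "records": 0}
SAMPLE_FINDINGS = [
    (OK, {"status": 500, "body": "java.sql.SQLException: unterminated quoted string", "records": 0}),
    (OK, {"status": 200, "body": "<users>alice,bob,carol</users>", "records": 3}),
    (NPE, NPE),                                               # breaks on valid input too
    (OK, {"status": 200, "body": "<users/>", "records": 0}),  # changed answer, no evidence
]
```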