Using Web Security Scanners to Detect Vulnerabilities in Web Services

DSN 2009

Marco Vieira, Nuno Antunes, Henrique Madeira {mvieira, nmsa, henrique}@dei.uc.pt

CISUC, Department of Informatics Engineering, University of Coimbra

Outline

- Contextualization
- Research Goals
- Methodology
- Results
- Conclusions and Future Work

Nuno Antunes
DSN 2009, June 29 - July 2, Estoril, Portugal

Contextualization

- Web services are increasingly becoming a strategic component in a wide range of organizations
- Web services are so exposed that any existing vulnerability will most probably be uncovered/exploited
- Both providers and consumers need to assess the services' security

Web Services

Web Services Security

- Security threats
  - Hackers are moving their focus to applications' code
  - Traditional security mechanisms (firewall, IDS, encryption) cannot mitigate these attacks
  - Vulnerabilities like SQL Injection and XPath Injection are particularly relevant
- Developers must
  - Apply best coding practices
  - Security testing!

Vulnerability Examples

    public String auth(String login, String pass) throws SQLException {
        String sql = "SELECT * FROM users WHERE " +
                     "username='" + login + "' AND " +
                     "password='" + pass + "'";
        ResultSet rs = statement.executeQuery(sql);
        (...)
    }

    With login = ' OR 1=1 -- the executed query becomes
    SELECT * FROM users WHERE username='' OR 1=1 -- ' AND password=''
    (everything after -- is a comment, so the password check is discarded)

    public void delete(String str) throws SQLException {
        String sql = "DELETE FROM table WHERE id='" + str + "'";
        statement.executeUpdate(sql);
    }

    With str = ' OR ''=' the executed query becomes
    DELETE FROM table WHERE id='' OR ''=''
    (the condition is always true, so every row is deleted)
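The two methods above rewritten in Python against an in-memory SQLite database, each beside a parameterized version that the same injected values cannot alter. This is an added illustration, not code from the presentation; the tables and rows are constructed, and the target of delete() is named items here because table is a reserved word.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the slide's "users" table and for the
    # table targeted by its delete() example (called "items" here).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.execute("CREATE TABLE items (id TEXT)")
    conn.executemany("INSERT INTO items VALUES (?)", [("a1",), ("a2",), ("a3",)])
    conn.commit()
    return conn

def auth_vulnerable(conn, login, pwd):
    # Same construction as the slide's Java auth(): inputs are pasted into the
    # SQL text, so a quote ends the literal and "--" comments out the password check.
    sql = ("SELECT * FROM users WHERE username='" + login +
           "' AND password='" + pwd + "'")
    return conn.execute(sql).fetchone() is not None

def auth_parameterized(conn, login, pwd):
    # Hardened form: bound parameters stay data whatever characters they contain.
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (login, pwd)).fetchone() is not None

def delete_vulnerable(conn, item_id):
    # Same construction as the slide's delete(); returns the number of rows removed.
    return conn.execute("DELETE FROM items WHERE id='" + item_id + "'").rowcount

def delete_parameterized(conn, item_id):
    return conn.execute("DELETE FROM items WHERE id=?", (item_id,)).rowcount

def demo():
    """Run the slide's two injected values against both forms of each method."""
    out = {}
    for form, fn in (("vulnerable", auth_vulnerable), ("parameterized", auth_parameterized)):
        conn = make_db()
        out["auth_valid_" + form] = fn(conn, "alice", "s3cret")
        out["auth_injected_" + form] = fn(conn, "' OR 1=1 --", "wrong")
    for form, fn in (("vulnerable", delete_vulnerable), ("parameterized", delete_parameterized)):
        out["delete_injected_" + form] = fn(make_db(), "' OR ''='")
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable auth() accepts the injected login without a valid password and the vulnerable delete() removes all three rows; the parameterized forms reject the login and delete nothing.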

Software Testing techniques

- White-box testing: the analysis of the application's code
- Black-box testing: the analysis of the application's execution, searching for vulnerabilities (known as penetration testing)
- Gray-box testing: approaches that combine black-box and white-box testing

Web Security Scanners

- Easy and widely used way to test applications, searching for vulnerabilities
- Use fuzzing techniques to attack applications
- Perform thousands of tests in an automated way
- What is the effectiveness of these tools? Can programmers rely on these tools?

Research Goals

- Study the effectiveness of the scanners
- Identify common types of vulnerabilities
- In the context of web service environments

Methodology

- Apply leading commercial scanners to public web services
- 300 web services tested, randomly selected
- 4 scanners used (including two different versions of the same brand)

Experimental Study

- Preparation: select services and scanners
- Execution: test the services using the scanners
- Verification: identify false positives
- Analysis: analysis and systematization of results

Scanners

(The four scanners are referred to as VS1.1, VS1.2, VS2 and VS3 in the results; VS1.1 and VS1.2 are the two versions of the same brand.)

Vulnerabilities Found

- SQL Injection
- XPath Injection
- Code Execution
- Possible Parameter Based Buffer Overflow
- Possible Username or Password Disclosure
- Possible Server Path Disclosure

Overall results analysis

(# Vuln. = number of vulnerabilities reported by the scanner; # WS = number of web services in which they were reported)

Vulnerability Types                      | VS1.1          | VS1.2          | VS2            | VS3
                                         | # Vuln. | # WS | # Vuln. | # WS | # Vuln. | # WS | # Vuln. | # WS
SQL Injection                            | 217     | 38   | 225     | 38   | 25      | 5    | 35      | 11
XPath Injection                          | 10      | 1    | 10      | 1    | 0       | 0    | 0       | 0
Code Execution                           | 1       | 1    | 1       | 1    | 0       | 0    | 0       | 0
Possible Parameter Based Buffer Overflow | 0       | 0    | 0       | 0    | 0       | 0    | 4       | 3
Possible Username or Password Disclosure | 0       | 0    | 0       | 0    | 0       | 0    | 47      | 3
Possible Server Path Disclosure          | 0       | 0    | 0       | 0    | 0       | 0    | 17      | 5
Total                                    | 228     | 40   | 236     | 40   | 25      | 5    | 103     | 22

SQL Injection

(Venn diagrams, built up over five slides, showing how the SQL Injection vulnerabilities reported by the scanners overlap. VS1.2 reports 225; 198 of these are also reported by VS1.1, while 19 are reported only by VS1.1 and 27 only by VS1.2. Adding VS3 and VS2, 21 vulnerabilities are reported by all four scanners, only 2 by VS2 alone and 5 by VS3 alone. The last diagram is marked with a question mark: which of these reports are real? This leads to the false positives examination.)

False Positives examination

- False positive when
  - the error/answer obtained is related to an application robustness problem
  - the same problem occurs when the service is executed with valid inputs
- Confirmed vulnerabilities when
  - it is possible to observe that a SQL command was invalidated by the "injected" values
  - the "injected" values lead to exceptions raised by the database server
  - it is possible to access unauthorized resources
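An added illustration (not the authors' tool) of these verification rules applied to scanner reports. Each report pairs the response to the injected request with the response of the same operation to a valid request; the error-message patterns, the report fields and the sample responses are assumptions constructed for the example. Reports that match none of the rules are left as doubtful, the third category used in the results that follow.

```python
import re

# Assumed patterns (constructed for this example): a message showing that the
# database server rejected the statement, and an application-level exception
# that indicates a robustness problem rather than an injection.
DB_ERROR = re.compile(r"SQLException|syntax error|unclosed quotation|ORA-\d{5}", re.I)
ROBUSTNESS_ERROR = re.compile(r"NullPointerException|NumberFormatException|IndexOutOfBounds")

def classify(attack_response, valid_response, unauthorized_access=False):
    """Apply the slide's verification rules to one scanner report.

    attack_response     - service response to the scanner's injected request
    valid_response      - response of the same operation to a valid request
    unauthorized_access - True if the injected values returned data the caller
                          should not see (checked by hand in the study)
    """
    db_error_on_attack = DB_ERROR.search(attack_response) is not None
    if db_error_on_attack and DB_ERROR.search(valid_response):
        # The same database error appears with valid inputs: not caused by the injection.
        return "false positive"
    if ROBUSTNESS_ERROR.search(attack_response):
        # The application failed on malformed input: a robustness problem.
        return "false positive"
    if unauthorized_access or db_error_on_attack:
        # Injected values invalidated the SQL command, made the database server
        # raise an exception, or exposed unauthorized resources.
        return "confirmed"
    return "doubtful"

# Constructed scanner reports for a fictitious service; not data from the study.
REPORTS = [
    {"op": "getUser", "attack": "java.sql.SQLException: syntax error near 'OR'",
     "valid": "<user><name>alice</name></user>"},
    {"op": "listOrders", "attack": "java.sql.SQLException: syntax error at line 1",
     "valid": "java.sql.SQLException: syntax error at line 1"},
    {"op": "setQuota", "attack": "java.lang.NumberFormatException: For input string: \"abc\"",
     "valid": "<ok/>"},
    {"op": "search", "attack": "<results count=\"0\"/>", "valid": "<results count=\"0\"/>"},
    {"op": "getOrder", "attack": "<order owner=\"bob\"/>", "valid": "<order owner=\"alice\"/>",
     "unauthorized": True},
]

def verify(reports):
    """Count reports per verdict, as in the false positives results that follow."""
    counts = {"confirmed": 0, "doubtful": 0, "false positive": 0}
    for r in reports:
        counts[classify(r["attack"], r["valid"], r.get("unauthorized", False))] += 1
    return counts
```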

False Positives results

(Stacked bar chart of the SQL Injection reports of each scanner, split into false positives, doubtful and confirmed vulnerabilities; percentages are relative to the scanner's reports)

Scanner | False positives | Doubtful   | Confirmed
VS1.1   | 87 (40%)        | 14 (6.5%)  | 116
VS1.2   | 83 (37%)        | 26 (11.6%) | 116
VS2     | 0               | 8 (32%)    | 17
VS3     | 9 (25.7%)       | 5 (14%)    | 21

SQL Injection without False Positives

(Venn diagrams of the same overlap after removing the false positives. VS1.2 keeps 142 vulnerabilities, 127 of them also reported by VS1.1, with 3 reported only by VS1.1 and 15 only by VS1.2; 21 vulnerabilities are still reported by all four scanners, and the union of all reports is 149.)

Coverage analysis

- The real number of vulnerabilities is unavailable
- It is possible to make a comparative analysis: coverage is computed relative to the 149 distinct SQL Injection vulnerabilities found by the four scanners together
- Overestimated coverage values!!

Scanner | # SQL Injection Vulnerabilities | Coverage %
VS1.1   | 130                             | 87.2%
VS1.2   | 142                             | 95.3%
VS2     | 25                              | 16.8%
VS3     | 26                              | 17.4%
Total   | 149                             | 100%

Common Vulnerabilities

(Pie chart of the distinct vulnerabilities remaining after the false positives examination)

- SQL Injection (149)
- Possible Server Path Disclosure (16)
- XPath Injection (10)
- Code Execution (1)
- Possible Parameter Based Buffer Overflow (1)

Conclusions

- A large number of vulnerabilities was observed
- SQL Injection vulnerabilities are prevalent
- Selecting a scanner for web services is a very difficult task
  - Different scanners detect different types of vulnerabilities
  - High false positive rates
  - Low coverage rates
- Can we do better?

Preliminary work

- Develop a new approach for vulnerability detection
  - Detect SQL Injection and XPath Injection vulnerabilities effectively
  - Generate workload and attackload
  - Analyze responses
  - Analyze vulnerabilities to avoid false positives

Preliminary Work Results

(Stacked bar chart comparing, for VS1.1, VS1.2, VS2, VS3 and the new approach VS.WS, the numbers of false positives, doubtful and confirmed vulnerabilities found in the services used in the preliminary work)

Innovations introduced

- Generation of a more complete workload: a better knowledge of the service's behavior
- A complete attackload: all attacks used by scanners and others present in the bibliography
- Better analysis of the service's responses: compare with valid requests; robustness testing applied

Questions?