Using Web Security Scanners to Detect Vulnerabilities in Web Services
DSN 2009
Marco Vieira, Nuno Antunes, Henrique Madeira {mvieira, nmsa, henrique}@dei.uc.pt
CISUC, Department of Informatics Engineering, University of Coimbra
Outline
Contextualization
Research Goals
Methodology
Results
Conclusions and Future Work
Nuno Antunes
DSN 2009, June 29 - July 2, Estoril, Portugal
2
Contextualization
Web services are increasingly becoming a strategic component in a wide range of organizations
Web services are so exposed that any existing vulnerability will most probably be uncovered/exploited
Both providers and consumers need to assess services’ security
Web Services
Web Services Security
Security threats
Hackers are moving their focus to applications’ code
Traditional security mechanisms (Firewall, IDS, encryption) cannot mitigate these attacks
Vulnerabilities like SQL Injection and XPath Injection are particularly relevant
Developers must:
Apply best coding practices
Security testing!
Vulnerability Examples

public String auth(String login, String pass) throws SQLException {
    // Injected value for login:  ' OR 1=1 --
    String sql = "SELECT * FROM users WHERE " +
                 "username='" + login + "' AND " +
                 "password='" + pass + "'";
    // Resulting query: SELECT * FROM users WHERE username='' OR 1=1 -- ' AND password=''
    ResultSet rs = statement.executeQuery(sql);
    (…)
}

public void delete(String str) throws SQLException {
    // Injected value for str:  ' OR ''='
    String sql = "DELETE FROM table WHERE id='" + str + "'";
    // Resulting query: DELETE FROM table WHERE id='' OR ''=''
    statement.executeUpdate(sql);
}
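The two snippets above, rewritten as an added example (not code from the slides) in Python against an in-memory SQLite database so that the slide's injected values can actually be run: each concatenating version sits beside a parameterised version, which is the coding practice the next slide asks for. The table layout, the sample rows and the function names are assumptions made for the example.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the users/items tables used on the slide."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    con.execute("CREATE TABLE items (id TEXT)")
    con.executemany("INSERT INTO items VALUES (?)", [("1",), ("2",), ("3",)])
    return con

def auth_vulnerable(con, login, pwd):
    # Same concatenation as the slide's auth(): the inputs become part of the SQL text.
    sql = ("SELECT * FROM users WHERE username='" + login +
           "' AND password='" + pwd + "'")
    return con.execute(sql).fetchone() is not None

def auth_hardened(con, login, pwd):
    # Parameterised query: values travel separately from the SQL text, so the
    # injected string is compared literally with the username column.
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return con.execute(sql, (login, pwd)).fetchone() is not None

def delete_vulnerable(con, ident):
    # Same concatenation as the slide's delete(); returns the number of rows removed.
    return con.execute("DELETE FROM items WHERE id='" + ident + "'").rowcount

def delete_hardened(con, ident):
    return con.execute("DELETE FROM items WHERE id=?", (ident,)).rowcount

def demo():
    """Run the slide's two injected values against both versions of each function."""
    results = {}
    for label, auth in (("vulnerable", auth_vulnerable), ("hardened", auth_hardened)):
        con = make_db()
        results[label] = {
            "valid login": auth(con, "alice", "s3cret"),
            "bypass login": auth(con, "' OR 1=1 --", "anything"),
        }
    for label, delete in (("vulnerable", delete_vulnerable), ("hardened", delete_hardened)):
        con = make_db()
        results[label]["rows deleted by ' OR ''='"] = delete(con, "' OR ''='")
    return results
```

With the vulnerable versions the bypass login succeeds and all three rows are deleted; with the parameterised versions the bypass fails and no row is touched.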
Software Testing techniques
White-box testing: the analysis of the application’s code
Black-box testing: the analysis of the application’s execution, searching for vulnerabilities; known as penetration testing
Gray-box testing: approaches that combine black box and white box
Web Security Scanners
Easy and widely used way to test applications for vulnerabilities
Use fuzzing techniques to attack applications
Perform thousands of tests in an automated way
What is the effectiveness of these tools?
Can programmers rely on these tools?
Research Goals
Study the effectiveness of the scanners
Identify common types of vulnerabilities
In the context of web service environments
Methodology
Apply leading commercial scanners to public web services
300 Web Services tested
Randomly selected
4 Scanners used (including two different versions of a brand)
Experimental Study
Preparation: select services and scanners
Execution: test the services using the scanners
Verification: identify false positives
Analysis: analysis and systematization of results
Scanners
Vulnerabilities Found
SQL injection
XPath Injection
Code Execution
Possible Parameter Based Buffer Overflow
Possible Username or Password Disclosure
Possible Server Path Disclosure
Overall results analysis
Vulnerability Types                          VS1.1           VS1.2           VS2             VS3
                                             # Vuln.  # WS   # Vuln.  # WS   # Vuln.  # WS   # Vuln.  # WS
SQL Injection                                217      38     225      38     25       5      35       11
XPath Injection                              10       1      10       1      0        0      0        0
Code Execution                               1        1      1        1      0        0      0        0
Possible Parameter Based Buffer Overflow     0        0      0        0      0        0      4        3
Possible Username or Password Disclosure     0        0      0        0      0        0      47       3
Possible Server Path Disclosure              0        0      0        0      0        0      17       5
Total                                        228      40     236      40     25       5      103      22
SQL Injection: vulnerabilities reported by each scanner
[Figure: Venn diagram built up over five slides. VS1.2 reported 225 SQL Injection vulnerabilities; compared with VS1.1, 19 were reported only by VS1.1, 198 by both and 27 only by VS1.2. Adding VS3 (35): 19 only VS1.1, 172 VS1.1 and VS1.2 only, 26 in all three, 3 VS1.2 and VS3 only, 24 only VS1.2, 6 only VS3. VS2 (25) is added last, and the final slide marks the unknown true total with “?”.]
False Positives examination
False positive when:
the error/answer obtained is related to an application robustness problem
the same problem occurs when the service is executed with valid inputs
Confirmed vulnerability when:
it is possible to observe that a SQL command was invalidated by the “injected” values
the “injected” values lead to exceptions raised by the database server
it is possible to access unauthorized resources
False Positives results (SQL Injection reports per scanner, rebuilt from the chart values)

Scanner   False Positives   Doubtful      Confirmed
VS1.1     87 (40%)          14 (6,5%)     116
VS1.2     83 (37%)          26 (11,6%)    116
VS2       0                 8 (32%)       17
VS3       9 (25,7%)         5 (14%)       21
SQL Injection without False Positives
[Figure: Venn diagram built up over five slides, after removing the false positives. VS1.2 keeps 142; compared with VS1.1 (130), 3 were reported only by VS1.1, 127 by both and 15 only by VS1.2. Adding VS3 (26): 3 only VS1.1, 103 VS1.1 and VS1.2 only, 24 in all three, 15 only VS1.2, 2 only VS3. VS2 (25) is added last, and the final slide again marks the unknown true total with “?”.]
Coverage analysis
Real number of vulnerabilities unavailable
It is possible to make a comparative analysis
Overestimated Coverage values!!
Scanner   # SQL Injection Vulnerabilities   Coverage %
VS1.1     130                               87.2%
VS1.2     142                               95.3%
VS2       25                                16.8%
VS3       26                                17.4%
Total     149                               100%
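An added example, not part of the presentation, that applies the criteria of the False Positives examination slide and the coverage computation of this slide to constructed scanner reports. The report tuple layout, the response strings and the regular expressions that decide what counts as a database error or a robustness problem are all assumptions; coverage is measured, as here, against the union of what the scanners found, so it is an upper bound.

```python
import re
from collections import defaultdict

# Constructed scanner reports, not data from the study. Each tuple holds
# (scanner, service, parameter, response to the injected request,
#  response to the same request issued with a valid input).
REPORTS = [
    ("VS1.1", "ws-a", "id",   "SQLException: near 'OR': syntax error", "200 OK"),
    ("VS1.2", "ws-a", "id",   "SQLException: near 'OR': syntax error", "200 OK"),
    ("VS2",   "ws-a", "id",   "SQLException: near 'OR': syntax error", "200 OK"),
    ("VS1.1", "ws-b", "name", "NumberFormatException: bad input", "NumberFormatException: bad input"),
    ("VS1.2", "ws-b", "name", "NumberFormatException: bad input", "NumberFormatException: bad input"),
    ("VS3",   "ws-b", "name", "NumberFormatException: bad input", "200 OK"),
    ("VS1.2", "ws-c", "q",    "HTTP 500 Internal Server Error", "200 OK"),
    ("VS3",   "ws-d", "user", "DATA: 3 rows returned", "DATA: 0 rows returned"),
]

# Assumed message patterns: evidence that the injected value reached the database,
# versus a plain input-handling (robustness) bug in the application code.
DB_ERROR = re.compile(r"SQLException|syntax error|XPathException", re.I)
ROBUSTNESS = re.compile(r"NumberFormat|NullPointer|IllegalArgument", re.I)

def classify(injected, valid):
    """Verdict for one reported vulnerability, following the False Positives examination criteria."""
    if injected == valid:             # same problem occurs with valid inputs
        return "false positive"
    if ROBUSTNESS.search(injected):   # application robustness problem, not injection
        return "false positive"
    if DB_ERROR.search(injected):     # SQL command invalidated / database server exception
        return "confirmed"
    if injected.startswith("DATA:"):  # access to resources the valid request did not return
        return "confirmed"
    return "doubtful"                 # the response alone does not settle it

def triage(reports):
    """Per-scanner verdict counts and coverage against the union of non-false-positive findings."""
    counts = defaultdict(lambda: {"false positive": 0, "doubtful": 0, "confirmed": 0})
    found = defaultdict(set)
    for scanner, service, param, injected, valid in reports:
        verdict = classify(injected, valid)
        counts[scanner][verdict] += 1
        if verdict != "false positive":
            found[scanner].add((service, param))   # one vulnerability per service/parameter
    # The real number of vulnerabilities is unknown, so the denominator is whatever any
    # scanner found: coverage computed this way is overestimated, as the slide warns.
    union = set().union(*found.values()) if found else set()
    coverage = {s: round(100 * len(v) / len(union), 1) for s, v in found.items()}
    return dict(counts), len(union), coverage
```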
Common Vulnerabilities
SQL Injection (149)
Possible Server Path Disclosure (16)
XPath Injection (10)
Code Execution (1)
Possible Parameter Based Buffer Overflow (1)
Conclusions
A large number of vulnerabilities was observed
SQL Injection vulnerabilities are prevalent
Selecting a scanner for web services is a very difficult task
Different scanners detect different types of vulnerabilities
High false positive rates
Low coverage rates
Can we do better?
Preliminary work
Develop a new approach for vulnerability detection
Detect SQL Injection and XPath Injection vulnerabilities effectively
Generate workload and attackload
Analyze responses
Analyze vulnerabilities to avoid False positives
Preliminary Work Results
[Figure: bar chart of False Positives, Doubtful and Confirmed SQL Injection reports for VS1.1, VS1.2, VS2, VS3 and the new tool VS.WS; the per-bar values are not recoverable from the extracted text.]
Innovations introduced
Generation of a more complete workload: a better knowledge of the service’s behavior
A complete attackload: all attacks used by scanners and others present in the literature
Better analysis of the service’s responses: compare with valid requests; robustness testing applied
Questions?