77
1
Evaluating AVDL Descriptions for Web Application Vulnerability Analysis Ha Thanh Le and Peter Kok Keong Loh, Member, IEEE
Abstract—Several vulnerability analysis techniques in webbased applications detect and report on different types of vulnerabilities. However, no single technique provides a generic technology-independent handling of web-based vulnerabilities. In this paper we present our experience with and experimental exemplification of using the Application Vulnerability Description Language (AVDL) to realize a unified data model for technologyindependent vulnerability analysis of web applications. This work is part of a project that is funded by the Centre for Strategic Infocomm Technologies, Ministry of Defence Singapore. Index Terms—AVDL, vulnerability analysis, vulnerability description, web application vulnerability.
I. INTRODUCTION
T
HE rapid rise of corporate web applications offers abundant opportunities for e-businesses to flourish. However, this also raises many security issues and exacerbates the demand for practical customer-friendly solutions [1-3]. Although there are many approaches of vulnerability analysis, web applications require a more technology-independent solution. In this paper, we evaluate three different scanners in detecting web application vulnerabilities and investigate the effectiveness of using the Application Vulnerability Description Language (AVDL) to describe vulnerabilities and its contribution in developing a unified data model used in a technology-independent, rule-base solution for vulnerability analysis of web-based applications. II. RELATED WORKS A. Web-based Vulnerability Taxonomies For web applications, which are usually developed using high-level declarative languages, the vulnerabilities occur frequently in places where the script-based algorithms interact with other systems or components, such as databases, file Manuscript received January 30, 2008. This work is funded by Centre for Strategic Infocomm Technologies, Ministry of Defence Singapore. H. T. Le is Research Student (Ph.D.) working in Forensic and Security Laboratory at School of Computer Engineering, Nanyang Technological University, Block N4, Nanyang Avenue, Singapore 639798. (e-mail:
[email protected]). P. K. K. Loh is with the School of Computer Engineering, Nanyang Technological University, Block N4, Nanyang Avenue, Singapore 639798. (e-mail:
[email protected]).
systems, operating systems, or the network [4, 5]. In other words, systems can be compromised via web technologies, e.g. exploitation via a web script may start a security breach. Many web vulnerability classes have also been detected, classified and documented [2-4, 6-8]. Bishop [9], Berghe et al. [10] and Bazaz and Arthur [11] proposed different models of vulnerability taxonomy, on which new analytical methodologies may be designed and implemented. Others only concentrate research on potential classes of vulnerability: Jovanovic et al. contributed work on cross-site scripting (XSS) [12], Halfond et al. [13, 14], Kals et al. [15] and NguyenTuong et al. [6] focus on SQL Injection. B. Web-based Vulnerability Analysis Several tools and techniques have been developed to analyze vulnerabilities in web-based applications. In recent survey, Cova et al. [8] has classified vulnerability analysis of web-based applications according to detection models and analysis techniques. Analysis tools and scanners, however, are specific to web technology and practically, no single scanner provides a complete methodology to find more vulnerabilities and a technology-independent coverage of all possible vulnerabilities [8, 16]. C. Web vulnerability description Testers and QA team must rely on a combination of tools and must understand different vulnerability description formats. However, vulnerability description provided by tools or vulnerability databases such as SecurityFocus Vulnerabilities list [17], Bugtraq [18] and CVE (Common Vulnerability Exposure) [19] does not describe the vulnerability in enough detail and a common format [20]. Therefore, tools usually possess overlapping functionalities, raising costs, lowering performance, incurring data surplus and overheads in vulnerability analysis and detection. J. Steffan and M. Schumacher [21] suggest a graph-based collaborative attack modeling, which provides meaningful knowledge sharing method with more detail vulnerability description. Open Web Application Security Project (OWASP) [22] released VulnXML as a common description of static known application level vulnerabilities. OASIS [23] recommended using web Application Vulnerability Description Language (AVDL) [24] as "a standard XML format that allows entities (such as applications, organizations, or institutes) to communicate information regarding web application
77
2
vulnerabilities”. III. NEW VULNERABILITY ANALYSIS MODEL A. Analyzing scanner output Many vulnerabilities are common among different web technologies, the rest are particular for each of them due to language characteristics, compile process, executing methodology. The question is how to detect vulnerabilities with least dependence on development technologies and programming languages. Our approach [25] is to develop an analysis technique that would cover vulnerabilities over multiple web-programming technologies. We propose an approach comprising a combination of vulnerability scanners (front-end layer) to generate output and categorization with a language-neutral data model using appropriate mining techniques for vulnerability data analysis and rule extraction and classification. A functional layer with a rule-based inference engine and diagnostics capability is needed to generate reports for the users. B. AVDL – Unified Vulnerability Description In our research, we use AVDL as a vulnerability description format in the data model and report generated by the inference engine. AVDL Traversal Structure (TS) output provides information of user-level transaction activity. This structure describes request/response pair for the round-trip HTTP traversal to the server and contains sufficient descriptive data (type of request, connection methodology, targeted host, URI, protocol version of request data, header structure) needed for vulnerability analysis. The detected vulnerabilities within the web application are described using AVDL Vulnerability Probe Structure (VPS). IV. CASE STUDIES We conducted case study with Acunetix Cross Site Scripting scanner (free edition) [26], N-Stalker Free edition [27] and IBM Rational AppScan (evaluation version) [28] to test whether a web application scanner can cover the equivalent
AppScan
Number of vulnerable file 6
Acunetix
4
N-Stalker
4
amount of vulnerabilities and provide relevant outputs. Then, in next stage of experiment, we used AVDL to provide a descriptive format to specifying the architectural views of real vulnerabilities. Because selected scanners do not support AVDL we make use of an AVDL schema to describe the scanner outputs and evaluate if the AVDL formatted outputs deliver the same effective description as the original outputs. The case study is performed on http://demo.testfire.net/ website (Microsoft IIS 6.0 server, APS.NET) provided by IBM Rational AppScan evaluation version. Because Acunetix Free edition can only detect Cross Site Scripting vulnerabilities on demo website, we only monitor XSS vulnerabilities detected by AppScan and N-Stalker. V. RESULTS AND DISCUSSION Results from test case show that three scanners detected XSS vulnerabilities from test website (Table 1). However, the scanning outputs are different: IBM Rational AppScan detected 79 security issues in which 7 are XSS vulnerabilities, Acunetix discovered 73 XSS vulnerabilities and N-Stalker detected 4 XSS vulnerabilities. Acunetix counts the total instance of vulnerabilities according to variants of each exploit was tested while AppScan and N-Stalker counts the number of vulnerable positions in file which was scanned. The number of variants of same vulnerability is also different among scanners. While both AppScan and Acunetix detect several variants in one vulnerable position, N-Stalker detects and shows only one vulnerable instance in a file. Acunetix and N-Stalker did not detect any vulnerability in one file (transfer.aspx) and omitted other vulnerabilities which possibly exist in customize.aspx and subscribe.aspx accordingly. This test case may indicate that different scanners do not cover same vulnerabilities and they do not provide complete scanning solution even within the same application. Moreover, the vulnerability outputs of each of the three scanners are specific to itself and do not provide equivalent and relevant information. Users often have a vague idea on how to approach a vulnerability description when referencing the output of more
TABLE 1 XSS VULNERABILITIES DETECTED BY SCANNERS Vulnerable position (# Number of Number of vulnerable parameter) variant vulnerabilities counted /customize.aspx(1 - lang) 10 (GET) 7 /login.aspx(1 - uid) 12 (POST) /transfer.aspx(2–creditAccount, 10 (POST) debitAccount) 10 (POST) /comment.aspx(1 – name) 10 (POST) /search.aspx(1 – txtSearch) 10 (GET) /subscribe.aspx(1 – txtEmail) 14 (POST) /login.aspx(1 – uid) 2 (POST) 73 /comment.aspx(1 – name) 25 (POST) /search.aspx(1 – txtSearch) 25 (GET) /subscribe.aspx(1 – txtEmail) 21 (POST) /customize.aspx(1 - lang) 1 (GET) 4 /login.aspx(1 - uid) 1 (POST) /comment.aspx(1 - cfile) 1 (POST) /search.aspx(1 - txtSearch) 1 (GET)
Severity (by scanner)
Type of scan
High
Applicationlevel test
High
Validation (Parameter manipulation)
Medium
Not provided
77
3
than one scanner. In next stage of this experiment, we use AVDL schema [29] to describe the XSS vulnerability extracted from scanners output. We collect list of files which contain XSS vulnerabilities in scanners output. Then, for each unique exploit variant we create a new AVDL-based description record and assign description detail into the equivalent data element which is defined by AVDL schema. In case the output is less descriptive, data element will be empty if the description data value does not exist. Although this methodology is manual, it provides a generic XSS vulnerability description of test website. Every variant is unique and no overlapping. Moreover, the description can be extended whenever a new variant of same vulnerability is detected by a scanner. Additional descriptive details can be filled in the empty data element by user after fixing the discovered vulnerability. During the case study, we realized that the use of AVDL is highly effective in making the concept of vulnerability concrete and tangible. With the aid of AVDL, web application vulnerability is no longer an abstract, overlapping and errorprone idea but a tangible object of modeling and analytical specification process.
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
VI. CONCLUSIONS Web applications having become popular, wide spread and rapidly proliferated raises many security issues and exacerbates the demand for practical solutions. Manual security solutions targeted at these vulnerabilities are language-dependent, type-specific, labor-intensive, expensive and error-prone. In this paper, we have evaluated the use of a language-neutral data model as part of a new framework for web application vulnerability analysis. Our framework is extendible being based on existing web application scanners and AVDL as a uniform vulnerability description format. At the current stage, we conduct case studies with different web application scanners and evaluating their outputs using AVDL. We continue with description extraction tool and the unified data model as a data interface for the rule-based inference engine which incorporates vulnerability analysis and prediction capability. In due course, we hope to provide a commercializable tool to web site administrators and web developers to actively secure their applications.
[15]
[16]
[17] [18] [19] [20] [21]
[22] [23] [24]
REFERENCES [1] [2] [3]
[4]
[5] [6]
K. Raina. (2004). Trends in Web Application Security [Online]. Available: http://www.securityfocus.com/print/infocus/1809 J. Grossman, "WhiteHat Website Security Statistics Report," WhiteHat Security, October 2007. IBM, "Cyber Attacks On The Rise: IBM 2007 Midyear Report," IBM Internet Security Systems™ X-Force® Research and Development, 2007. M. Dowd, J. McDonald, and J. Schuh, in The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Addison Wesley Professional, 2006, ch. 1, 2, 3, 4, 8, 13, 17, 18. M. Stamp, Information Security: Principles and Practice. John Wiley & Sons, 2006. A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans, "Automatically Hardening Web Applications Using Precise Tainting."
[25]
[26] [27] [28] [29]
in Proc. The 20th IFIP International Information Security Conference, Makuhari-Messe, Chiba, Japan, 30 May - 1 June 2005 S. Siddharth, and P. Doshi. (2006). Five common Web application vulnerabilities [Online]. Available: http://www.securityfocus.com/infocus/1864 M. Cova, V. Felmetsger, and G. Vigna: "Vulnerability Analysis of Webbased Applications", in Test and Analysis of Web Services, Baresi, L., and Nitto, E.D. (Eds.) Springer Berlin Heidelberg, 2007, pp. 363-394, ch. IV. Reliability, Security, and Trust M. Bishop, "Vulnerabilities Analysis." in Proc. The 2nd International Workshop on Recent Advances in Intrusion Detection (RAID'99), West Lafayette, Indiana, USA, 7-9 September 1999 C. V. Berghe, J. Riordan, and F. Piessens, "A Vulnerability Taxonomy Methodology applied to Web Services." in Proc. The 10th Nordic Workshop on Secure IT-systems (NORDSEC 2005), Tartu, Estonia, 2021 October 2005 A. Bazaz, and J. D. Arthur, "Towards A Taxonomy of Vulnerabilities." in Proc. The 40th Annual Hawaii International Conference on System Sciences (HICSS-40 2007), Waikoloa, HI, USA, 3-6 January 2007, pp. 163a - 163a N. Jovanovic, C. Kruegel, and E. Kirda, "Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short paper)." in Proc. The 2006 IEEE Symposium on Security and Privacy (S&P'06), Berkeley/Oakland, California, USA, 21-24 May 2006, pp. 258-263 W. G. J. Halfond, A. Orso, and P. Manolios, "Using positive tainting and syntax-aware evaluation to counter SQL injection attacks." in Proc. The 14th ACM SIGSOFT international symposium on Foundations of software engineering (ACM SIGSOFT 2006/FSE-14), Portland, Oregon, USA, 5-11 November 2006, pp. 175-185, 1181797. W. G. J. Halfond, J. Viegas, and A. Orso, "A Classification of SQL Injection Attacks and Countermeasures." in Proc. The IEEE International Symposium on Secure Software Engineering (ISSSE 2006) Arlington, VA, USA, 13-15 March 2006 S. Kals, E. Kirda, C. Kruegel, and N. Jovanovic, "SecuBat: A Web Vulnerability Scanner." in Proc. The 15th International Conference on World Wide Web (WWW 2006), Edinburgh, Scotland, 23–26 May 2006, pp. 247 - 256 L. Suto. (2007). Analyzing the Effectiveness and Coverage of Web Application Security Scanners [Online]. Available: http://ha.ckers.org/blog/20071014/web-application-scanning-depthstatistics/ SecurityFocus. (2007). Vulnerabilities list [Online]. Available: http://www.securityfocus.com/vulnerabilities SecurityFocus. (2007). Bugtraq Mailing list [Online]. Available: http://www.securityfocus.com/archive/1 CVE. (2007). CVE - Common Vulnerabilities and Exposures (CVE) [Online]. Available: http://cve.mitre.org/ M. Rohse, "Vulnerability naming schemes and description languages: CVE, Bugtraq, AVDL and VulnXML," SANS Institute, 22 April 2003. J. Steffan, and M. Schumacher, "Collaborative attack modeling." in Proc. The 2002 ACM symposium on Applied computing (SAC 2002), Madrid, Spain, 11-14 March 2002, pp. 253-259 OWASP. Open Web Application Security Project [Online]. Available: http://www.owasp.org/ OASIS. OASIS homepage. Available: http://www.oasis-open.org/ OASIS. (2004). Application Vulnerability Description Language v1.0. Available: http://www.oasisopen.org/committees/download.php/7145/AVDL%20Specification%20 V1.pdf H. T. Le, and P. K. K. Loh, "Unified Approach to Vulnerability Analysis of Web Applications," presented at The International e-Conference on Computer Science (IeCCS 2007), 14-23 December 2007 in press. Acunetix. (2007). Acunetix Cross Site Scripting Scanner [Online]. Available: http://www.acunetix.com/cross-site-scripting/scanner.htm N-Stalker. N-Stalker Free Edition - The Web Security Specialists [Online]. Available: http://www.nstalker.com/products/free/ Watchfire. AppScan [Online]. Available: http://www.watchfire.com/ OASIS. (2003). AVDL XML Schema. Available: http://www.oasisopen.org/committees/download.php/5065/avdl.xsd
