Automated detection of injection vulnerabilities in web applications

Bandhakavi, Sruthi

Permalink

https://hdl.handle.net/2142/29471 Copy

Description

Title

Automated detection of injection vulnerabilities in web applications

Author(s)

Bandhakavi, Sruthi

Issue Date

2012-02-01T00:47:51Z

Director of Research (if dissertation) or Advisor (if thesis)

Winslett, Marianne

Committee Member(s)

• Parthasarathy, Madhusudan
• Gunter, Carl A.
• King, Samuel T.
• Winsborough, William H.

Department of Study

Computer Science

Discipline

Computer Science

Degree Granting Institution

University of Illinois at Urbana-Champaign

Degree Name

Ph.D.

Degree Level

Dissertation

Keyword(s)

• Information Flow
• Web Security
• Injection Vulnerabilities
• Browser Security

Abstract

Web applications and browsers embed code from different origins, each of which could have different levels of trustworthiness. These applications provide rich functionality to the users by interacting with each other and with the host machine—usually by sending and receiving information. The interaction of code and data from various sources in the web applications and browsers has resulted in the emergence of behaviors that could threaten the confidentiality, integrity, and availability properties of the infrastructure on which the web applications and web browsers run and that of the resources they handle. Injection, cross-site scripting (XSS), cross-site request forgery (XSRF), etc. are some examples of vulnerabilities that could allow malicious attacks on web applications and their infrastructure. Of the many attacks on web applications, injection attacks are one of the most popular ones. In this dissertation, we describe two different analysis techniques that could be used to automatically prevent and/or detect two specific types of injection vulnerabilities— SQL injection attacks on web applications and cross-context scripting attacks in Firefox browser extensions. In case of vulnerabilities like SQL injection, malformed user input alters the SQL query issued. This query when processed allows the attacker to gain unauthorized access to the back-end server and database, and extract or modify sensitive information. Like mobile phone apps, browser extensions are widely popular third-party written weakly-vetted pieces of code. They expand the functionality of browsers by interposing on and interacting with browser-level events and data. In this thesis, we examine the cross-context scripting vulnerabilities occurring in the Firefox browser extensions. Firefox extensions are one of the main reasons for Firefox’s popularity—there are thousands of third-party extensions available to the users. The extensions usually have the same privilege level as the browser. Cross-context scripting attacks are caused when some specially crafted inputs from the content pages (web pages, RSS feeds, etc) are executed in the privileged context of the web browser, often by injecting malicious code into the extensions, which run with the same privileges as the web browser. In both the above injection vulnerabilities, there is a legitimate flow of information from the untrusted sources to the trusted application. However, the inputs from the untrusted sources force the trusted applications to behave in ways that are not intended by the application developers. In case of SQL injection attacks, a malicious user of the web application inserts inputs that produce SQL queries with structures different from the query structures that the programmer intended. In case of cross-context scripting attacks, the content (either RSS feeds or web pages) contains malicious JavaScript, which when accessed by the browser extension changes its expected run-time behavior. This change in the expected behavior occurs if the programmers have written buggy code with inadequate sanitization or no sanitization at all of untrusted inputs. To detect SQL injection attacks, apart from knowing that the SQL query is tainted by the inputs from the user, we also need to know exactly which parts of the query are tainted by the user inputs. A characteristic diagnostic feature of SQL injection attacks is that they change the intended structure of queries issued. Based on this insight, we propose a technique to detect and prevent SQL injection attacks. This technique dynamically mines the programmer-intended query structure on any input, and detects attacks by comparing the structure of the actual query issued with the programmer-intended query structure. We propose a simple and novel mechanism, called CANDID, for mining programmer-intended queries by dynamically evaluating runs over benign candidate inputs. We show that this mechanism is theoretically well founded and is based on inferring intended queries by considering the symbolic query computed on a program run. Our approach has been implemented in a tool called CANDID that retrofits web applications written in Java to defend them against SQL injection attacks. We report extensive experimental results that show that our approach performs remarkably well in practice. To understand how to find cross-context scripting vulnerabilities, we study the Firefox browser extension architecture. In our analysis, we find that most of the vulnerabilities in the Firefox browser extensions can be modelled as information flows between different syntactic program elements in the extensions’ JavaScript code. Based on this insight, we propose a new analysis framework called VEX, which uses static taint analysis of JavaScript programs to identify flow patterns that represent flows between untrusted sources and executable sinks. We describe several patterns of flows that can lead to privilege escalations in Firefox extensions. VEX analyzes Firefox extensions for such flow patterns using high-precision, context-sensitive, flow-sensitive static analysis. We subject 4303 browser extensions to the analysis, and VEX finds 5 of the 18 previously known vulnerabilities and 7 previously unknown vulnerabilities. Unlike previous works on browser extension security which use dynamic information flow analysis techniques for detecting vulnerabilities at run-time, VEX uses a static analysis technique. Consequently, VEX can be used to analyze thousands of extensions offline and imposes no performance overhead at run-time. The main contribution of the thesis is to show that static and dynamic information flow analysis techniques can be used effectively to detect programmers’ intent and thereby detect and/or prevent script injection vulnerabilities. We show that the application architecture, features of the programming language that is used to write the application, the complexity of the input language, and the characteristics of the vulnerabilities play a major role in designing useful information flow analysis techniques for detecting the vulnerability. We describe these considerations in this thesis. We also present an extensive comparison of our approaches with the related work in the area.

Graduation Semester

2011-12

Permalink

http://hdl.handle.net/2142/29471

Copyright and License Information

Copyright 2011 Sruthi Bandhakavi

Owning Collections