Improving Penetration Testing Through Enhanced Input Vector Identification

Enhance your penetration testing efforts by improving information gathering and response analysis. This comprehensive guide explores various aspects of penetration testing, including information gathering, attack generation, and response analysis, offering valuable insights and strategies to bolster your security testing practices.

• Penetration Testing
• Security Analysis
• Information Gathering
• Response Analysis

jax_c Follow

Uploaded on Oct 11, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. Penetration Testing with Improved Input Vector Identification William G.J. Halfond, Shauvik Roy Choudhary, and Alessandro Orso College of Computing Georgia Institute of Technology

2. Web Application Overview Web Application DB HTTP Requests HTML HTML Pages End Users Servlets Web Server Other Systems 2

3. Penetration Testing Overview Web Application DB !@#$ HTML Secret Data! White Hat Tester Servlets Other Systems 3

4. Penetration Testing Phases Information Gathering Attack Generation Attacks Information Web Target Selection Application HTML Analysis Feedback Servlets White Hat Tester Responses Response Analysis Report

5. Example Web Application Code public void service(HttpServletRequest req) 1. String action = req.getParameter( userAction ) 2. if (action.equals( createLogin )) 3. String password = req.getParameter( password ) 4. String loginName = req.getParameter( login ) 5. if (isInteger(password)) 6. db.execute( insert into UserTable + (login, password) values ( + loginName + , + password + ) ) 7. displayAddressForm() 8. else 9. displayErrorPage( Bad password. ) 10. else if (action.equals( provideAddress )) 11. String loginName = req.getParameter( login ) 12. String address = req.getParameter( address ) 13. db.execute( update UserTable set + address = + address + + where loginName= + loginName) 14. else 15. displayCreateLoginForm() !

6. Our Approach Goal: Improve penetration testing by improving information gathering and response analysis. Improvements to penetration testing: 1. Information gathering Static interface analysis 2. Attack Generation Generate realistic test-inputs 3. Response Analysis Produce observable side effect of attack

7. 1) Information Gathering: Interface Analysis Web Application Identify IP Names Interface Analysis [FSE 2007] Compute IP Domains HTML Interfaces Servlets Group IPs Phase 1: Identify Input Parameters (IP) names Phase 2: Compute IP domain information Phase 3: Group IP into distinct interfaces 7

8. 1) Interface Analysis: Identify IP Names public void service(HttpServletRequest req) 1. String action = req.getParameter( userAction ) 2. if (action.equals( createLogin )) { 3. String password = req.getParameter( password ) 4. String loginName = req.getParameter( login ) 5. if (isInteger(password)) 6. db.execute( insert into UserTable + (login, password) values ( + loginName + , + password + ) ) 7. displayAddressForm() 8. else 9. displayErrorPage( Bad password. ) 10. else if (action.equals( provideAddress )) 11. String loginName = req.getParameter( login ) 12. String address = req.getParameter( address ) 13. db.execute( update UserTable set + address = + address + + where loginName= + loginName) 14. else 15. displayCreateLoginForm() userAction password login login address

9. 1) Interface Analysis: Compute IP Domains userAction:String public void service(HttpServletRequest req) 1. String action = req.getParameter( userAction ) 2. if (action.equals( createLogin )) 3. String password = req.getParameter( password ) 4. String loginName = req.getParameter( login ) 5. if (isInteger(password)) 6. db.execute( insert into UserTable + (login, password) values ( + loginName + , + password + ) ) 7. displayAddressForm() 8. else 9. displayErrorPage( Bad password. ) 10. else if (action.equals( provideAddress )) 11. String loginName = req.getParameter( login ) 12. String address = req.getParameter( address ) 13. db.execute( update UserTable set + address = + address + + where loginName= + loginName) 14. else 15. displayCreateLoginForm() userAction { createLogin , provideAddress } password password:String password:Integer login login:String login login:String address address:String

10. 1) Interface Analysis: Group IPs userAction:String public void service(HttpServletRequest req) 1. String action = req.getParameter( userAction ) 2. if (action.equals( createLogin )) { 3. String password = req.getParameter( password ) 4. String loginName = req.getParameter( login ) 5. if (isInteger(password)) 6. db.execute( insert into UserTable + (login, password) values ( + loginName + , + password + ) ) 7. displayAddressForm() 8. else 9. displayErrorPage( Bad password. ) 10. else if (action.equals( provideAddress )) 11. String loginName = req.getParameter( login ) 12. String address = req.getParameter( address ) 13. db.execute( update UserTable set + address = + address + + where loginName= + loginName) 14. else 15. displayCreateLoginForm() 1 userAction { createLogin , provideAddress } 2 password password:String password:Integer 3 login login:String 10 14 11 4 15 12 5 login login:String address address:String 6 13 8 9 7

11. 1) Information Gathering: Summary Interface Parameter Domain Relevant Values createLogin , provideAddress userAction String 1 login password String Integer createLogin , provideAddress userAction String 2 login address String String createLogin , provideAddress 3 userAction String

12. 2) Attack Generation Interface userAction login password White Hat Tester userAction = ? login = <attack string> password = ? userAction = createLogin login = <attack string> password = 1234 IP Domain Information

13. 3) Response Analysis with WASP Response Analysis: 1. Send attack to web application 2. If WASP detects attack 1. Block attack 2. Send out-of-band signal 3. Check for signal on client side WASP: 1. Positive tainting: Identify and mark developer-trusted strings. Propagate taint markings at runtime Syntax-Aware Evaluation: Check that all keywords and operators in a query were formed using marked strings 2.

14. 3) WASP: Identify Trusted Data public void service(HttpServletRequest req) 1. String action = req.getParameter( userAction ) 2. if (action.equals( createLogin )) { 3. String password = req.getParameter( password ) 4. String loginName = req.getParameter( login ) 5. if (isInteger(password)) 6. db.execute( insert into UserTable + (login, password) values ( + loginName + , + password + ) ) 7. displayAddressForm() 8. else 9. displayErrorPage( Bad password. ) 10. else if (action.equals( provideAddress )) 11. String loginName = req.getParameter( login ) 12. String address = req.getParameter( address ) 13. db.execute( update UserTable set + address = + address + + where loginName= + loginName) 14. else 15. displayCreateLoginForm()

15. 3) WASP: Syntax Aware Evaluation Legitimate Query: Input: login = GJ , address = Home update userTable set address = Home where login = GJ Attempted SQL Injection: Input: login = GJ ; drop table userTable -- , address = Home update userTable set address = Home where login = GJ ; drop table userTable --

16. Empirical Evaluation Goal: Evaluate the usefulness of our approach as compared to a traditional penetration testing approach. Research Questions (RQ): 1. Runtime of analysis 2. Thoroughness of the penetration testing 3. Number of vulnerabilities discovered 16

17. Implementation: Baseline Approach SQLMap integrated with OWASP WebScarab Spider SQLMap++ Information Gathering OWASP WebScarab Widely used code-base Actively maintained Attack Generation SQLMap Widely used penetration testing tool Commonly used attack generation heuristics Response analysis WASP[FSE 2006]

18. Implementation: Our Approach Static and Dynamic Analysis-based Penetration Testing SDAPT Analyzes bytecode of Java Enterprise Edition (JEE) based web applications Interface analysis WAM[FSE 2007] Attack generation leverages SQLMap Response analysis WASP[FSE 2006]

19. Subject Applications Subject LOC Classes Servlets Bookstore 19,402 28 27 Checkers 5,415 59 32 Classifieds 10,702 18 18 Daffodil 18,706 119 70 Employee Directory 5,529 11 9 Events 7,164 13 12 Filelister 8,671 41 10 Office Talk 4,670 63 39 Portal 16,089 28 27

20. RQ1: Runtime Analysis Time (s) 10000 SQLMAP++ SDAPT 1000 100 10 1 Bookstore Checkers Classifieds Daffodil Empl. Dir Events Filelister Officetalk Portal SDAPT ranged from 8 to 40 mins Positive note: Testing was more thorough

21. RQ2: Thoroughness Number of Input Vectors SQLMAP++ 250 SDAPT 200 150 100 50 0 Bookstore Checkers Classifieds Daffodil Empl. Dir Events Filelister Officetalk Portal Number of Components SQLMAP++ 50 SDAPT 40 30 20 10 0 Bookstore Checkers Classifieds Daffodil Empl. Dir Events Filelister Officetalk Portal

22. RQ3: Number of Vulnerabilities Number of Discovered Vulnerabilities 18 SQLMAP++ 16 SDAPT 14 12 10 Average increase: 246% 8 6 4 2 0 Bookstore Checkers Classifieds Daffodil Empl. Dir. Events Filelister Officetalk Portal

23. Summary of Results Improvements to penetration testing Information gathering with static analysis Response analysis with dynamic detection Relatively longer analysis time More thorough and more vulnerabilities discovered during penetration testing