Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner


Academic year: 2021


(1)

Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner

Adam Doupé, Ludovico Cavedon, Christopher Kruegel, and Giovanni Vigna
University of California, Santa Barbara


Black-Box Vulnerability Scanners

Crawling


(8)

Black-Box Vulnerability Scanners

Fuzzing

GET /view.php?id=<script>alert(1)</script>

(9)

The Shotgun Approach

GET /view.php?id=<script>alert(1)</script>

(10)

The Shotgun Approach

GET /view.php?id=<script>alert(1)</script>

What if this request changed the state of the application?

(11)

Simple Web Application

Pages: index.php, login.php, view.php

Must access login.php before view.php

(12)

Internal State Graph

state_0: index.php / A (stays in state_0), login.php / B (moves to state_1)
state_1: index.php / C, view.php / D

(13)

Mealy Machine

Transitions are labelled request / response:

state_0 --index.php / A--> state_0
state_0 --login.php / B--> state_1
state_1 --index.php / C--> state_1
state_1 --view.php / D--> state_1

(14)

Inferring the State

Observed sequence: index.php → A, login.php → B, index.php → C, view.php → D

(15)

Inferring the State

index.php → A, login.php → B, index.php → C, view.php → D

Made an identical request (index.php) and got a different response (A, then C). State has changed!

(16)

Necessary Steps to Inferring the State

•  Cluster similar pages (using links)
   – Links changing means what a user can do to the application has changed
•  Determine state-changing request
   – Which request in the list changed the state?
•  Collapse similar states
   – How to know if, when we detect a state change, we return to a previous state?

(18)

Cluster Similar Pages

Page 1: <a, index.php, home>  <a, profile.php, id=1>  <form, POST, logout.php>
Page 2: <a, index.php, home>  <a, profile.php, id=2>  <form, POST, logout.php>
Page 3: <a, index.php, home>  <a, profile.php, id=3>  <form, POST, logout.php>
Page 4: <a, index.php, home>  <form, POST, add.php>  <a, review.php, check>
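The link-vector clustering from this slide, as an added Python example (not the scanner's code): each page is reduced to the set of abstract links it offers (tag, method, path, parameter names), so the three profile pages that differ only in the id value fall into one cluster and the page with different actions into another. The sample HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit


class LinkVectorParser(HTMLParser):
    """Collect every <a href> and <form action> as an abstract link
    (tag, method, path, parameter names). Parameter values are dropped, so
    profile.php?id=1 and profile.php?id=2 count as the same link."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(self._abstract("a", "GET", a["href"]))
        elif tag == "form" and a.get("action"):
            self.links.append(self._abstract("form", (a.get("method") or "GET").upper(), a["action"]))

    @staticmethod
    def _abstract(tag, method, url):
        parts = urlsplit(url)
        names = tuple(sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
        return (tag, method, parts.path, names)


def link_vector(html):
    """The page's link vector: the set of abstract links it offers the user."""
    parser = LinkVectorParser()
    parser.feed(html)
    return frozenset(parser.links)


def cluster_pages(pages):
    """Group pages with identical link vectors. A page landing in a different
    cluster than before is the signal the scanner uses to detect a state change."""
    clusters = {}
    for name, html in pages.items():
        clusters.setdefault(link_vector(html), []).append(name)
    return sorted(sorted(group) for group in clusters.values())


# Constructed sample pages mirroring the slide: three profile pages that differ
# only in the id value, and one page that offers different actions.
PAGES = {
    "profile_1": '<a href="index.php">home</a> <a href="profile.php?id=1">me</a>'
                 '<form method="POST" action="logout.php"></form>',
    "profile_2": '<a href="index.php">home</a> <a href="profile.php?id=2">me</a>'
                 '<form method="POST" action="logout.php"></form>',
    "profile_3": '<a href="index.php">home</a> <a href="profile.php?id=3">me</a>'
                 '<form method="POST" action="logout.php"></form>',
    "review": '<a href="index.php">home</a> <form method="POST" action="add.php"></form>'
              '<a href="review.php?check">check</a>',
}

if __name__ == "__main__":
    print(cluster_pages(PAGES))
```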


(20)

Determine State-Changing Request

Request            Response
GET index.php      A
GET blah.php       B
POST login.php     C
GET account.php    D
GET index.php      E

Use a heuristic that favors new requests over old requests, POST requests over GET requests, and requests that always change the state over those that never change the state.
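The detection step from slides 14 and 15 together with the blame heuristic from this slide, as an added Python example (not the scanner's code). Responses are given as page-cluster labels; when a repeated request lands in a different cluster, every request sent in between is a candidate and the heuristic ranks them. The lexicographic order of the three heuristic terms, and the request log, are my assumptions.

```python
from collections import defaultdict


class StateInferrer:
    """Infer server-side state changes from a request/response log.

    Responses are page-cluster labels (A, B, ...), i.e. the output of link-vector
    clustering. The same request landing in a different cluster than last time
    means the state changed somewhere between the two occurrences."""

    def __init__(self):
        self.log = []                        # [(request, cluster), ...] in send order
        self.first_index = {}                # request -> index of its first run
        self.last_index = {}                 # request -> index of its latest run
        self.runs = defaultdict(int)         # how often each request was sent
        self.in_window = defaultdict(int)    # how often it sat inside a change window

    def observe(self, method, path, cluster):
        """Record one request; return the blamed request if a change was detected."""
        req = (method.upper(), path)
        idx = len(self.log)
        self.log.append((req, cluster))
        self.first_index.setdefault(req, idx)
        self.runs[req] += 1
        culprit = None
        prev = self.last_index.get(req)
        if prev is not None and self.log[prev][1] != cluster:
            window = [self.log[i][0] for i in range(prev + 1, idx)]
            culprit = self.blame(window, prev)
            for candidate in set(window):        # evidence for the "always changes" term
                self.in_window[candidate] += 1
        self.last_index[req] = idx
        return culprit

    def blame(self, window, prev):
        """Slide heuristic as a lexicographic key (the ordering is an assumption):
        new requests over old, POST over GET, requests that sat in earlier change
        windows over those that never did. The ratio only needs to rank, it may
        exceed 1 when change windows overlap."""
        def score(req):
            is_new = self.first_index[req] > prev
            is_post = req[0] == "POST"
            ratio = self.in_window[req] / self.runs[req]
            return (is_new, is_post, ratio)
        return max(dict.fromkeys(window), key=score, default=None)


def run_slide_example():
    """Replay the slide's log, then log out and probe again (constructed log)."""
    inf = StateInferrer()
    log = [("GET", "index.php", "A"), ("GET", "blah.php", "B"),
           ("POST", "login.php", "C"), ("GET", "account.php", "D"),
           ("GET", "index.php", "E"),                 # same request, new cluster
           ("POST", "logout.php", "F"), ("GET", "index.php", "A"),
           ("GET", "account.php", "G")]
    return [inf.observe(*entry) for entry in log]
```

On the slide's five requests the only POST in the window, login.php, is blamed; on the extended log the logout is blamed both when index.php changes back and when account.php later changes, because it is newer, a POST, and has already been seen inside a change window.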

(21)

Collapse Similar States

•  Graph coloring
   – States as nodes
   – Edge between two states when they cannot be the same

(22)

Collapse Similar States

Nodes: state_0, state_1, state_2, state_3, state_4 (an edge joins two states that cannot be the same)

(23)

Collapse Similar States (animated over slides 23 to 28)

Coloring the graph labels the states one by one: state_0 = logged out, state_1 = logged in, state_2 = logged out, state_3 = logged in, state_4 = logged out. The five inferred states collapse to two: logged out and logged in.
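The collapse step from slides 21 to 28, as an added Python example (not the scanner's code): two states get a conflict edge when some request produced different page clusters in each of them, the conflict graph is colored, and states sharing a color are merged. The per-state observations are constructed to match the slide's five states, and the greedy (Welsh-Powell style) coloring is my choice; it is not guaranteed to use the minimum number of colors.

```python
from itertools import combinations


def conflict(obs_a, obs_b):
    """Two states cannot be the same if a request they both saw produced
    different page clusters. No shared request means no evidence either way."""
    return any(obs_a[req] != obs_b[req] for req in obs_a.keys() & obs_b.keys())


def build_conflict_graph(states):
    graph = {name: set() for name in states}
    for a, b in combinations(states, 2):
        if conflict(states[a], states[b]):
            graph[a].add(b)
            graph[b].add(a)
    return graph


def greedy_color(graph):
    """Highest-degree node first; each node takes the smallest color that none
    of its neighbours already holds. Greedy, so possibly more colors than needed,
    which only means fewer states get merged, never a wrong merge."""
    color = {}
    for node in sorted(graph, key=lambda n: -len(graph[n])):
        taken = {color[n] for n in graph[node] if n in color}
        color[node] = next(c for c in range(len(graph)) if c not in taken)
    return color


def collapse_states(states):
    """States sharing a color carry no contradicting observations and are
    merged into one. Returns the merged groups, sorted."""
    color = greedy_color(build_conflict_graph(states))
    groups = {}
    for name, c in color.items():
        groups.setdefault(c, []).append(name)
    return sorted(sorted(g) for g in groups.values())


# Constructed observations for the slide's five states: the page cluster each
# request produced while the scanner believed it was in that state.
STATES = {
    "state_0": {("GET", "index.php"): "A", ("GET", "view.php"): "R"},   # logged out
    "state_1": {("GET", "index.php"): "C", ("GET", "view.php"): "D"},   # logged in
    "state_2": {("GET", "index.php"): "A"},                             # logged out
    "state_3": {("GET", "index.php"): "C", ("GET", "view.php"): "D"},   # logged in
    "state_4": {("GET", "view.php"): "R"},                              # logged out
}

if __name__ == "__main__":
    print(collapse_states(STATES))
```

state_2 and state_4 share no request, so nothing separates them; both conflict with the logged-in states and end up in the logged-out group.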

(29)

State-Aware Fuzzing

def fuzz_state_changing(fuzz_request):
    make_request(fuzz_request)
    if state_has_changed():                    # compare with the state before the fuzz request
        if state_is_reversible():
            make_requests_to_revert_state()    # replay the known inverse requests
            if not back_in_previous_state():
                reset_and_put_in_previous_state()
        else:
            pass  # body of this branch is cut off on the slide
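The procedure above run against a constructed target, as an added Python example (not the scanner's code). The toy app has a reversible state change (logout, undone by logging back in) and an irreversible one (a purchase, which only a reset undoes); the observed state is the tuple of responses to two read-only probe requests. The probe set, the inverse-request table and the reset behaviour of the cut-off else branch are assumptions.

```python
class ToyApp:
    """Constructed target: a session that is logged in or out (reversible) and
    an order count that only grows (irreversible)."""

    def __init__(self):
        self.reset()

    def reset(self):
        self.logged_in, self.orders = False, 0

    def handle(self, method, path, params=None):
        if (method, path) == ("POST", "/login.php"):
            self.logged_in = True
        elif path == "/logout.php":
            self.logged_in = False
        elif path == "/purchase.php" and self.logged_in:
            self.orders += 1
        elif path == "/view.php":
            return "gallery" if self.logged_in else "please-login"
        elif path == "/cart.php":
            return "orders:%d" % self.orders
        return "ok"


PROBES = [("GET", "/view.php"), ("GET", "/cart.php")]        # read-only, state-revealing
SETUP = [("POST", "/login.php")]                             # brings a fresh app to the state under test
REVERT = {("GET", "/logout.php"): [("POST", "/login.php")]}  # known inverses (assumed table)


class StateAwareFuzzer:
    def __init__(self, app):
        self.app, self.reverts, self.resets = app, 0, 0

    def fingerprint(self):
        return tuple(self.app.handle(m, p) for m, p in PROBES)  # observed state

    def fuzz_state_changing(self, fuzz_request):
        """The slide's procedure; True if the scanner ends in the state it started in."""
        before = self.fingerprint()
        self.app.handle(*fuzz_request)
        if self.fingerprint() != before:                      # state_has_changed()
            inverse = REVERT.get(fuzz_request[:2])
            if inverse is not None:                           # state_is_reversible()
                for req in inverse:                           # make_requests_to_revert_state()
                    self.app.handle(*req)
                self.reverts += 1
                if self.fingerprint() != before:              # not back_in_previous_state()
                    self.reset_and_put_in_previous_state()
            else:                                             # branch cut off on the slide; reset assumed
                self.reset_and_put_in_previous_state()
        return self.fingerprint() == before

    def reset_and_put_in_previous_state(self):
        self.app.reset()
        self.resets += 1
        for req in SETUP:
            self.app.handle(*req)


def demo():
    """Fuzz a reversible request (logout) and an irreversible one (purchase)."""
    fuzzer = StateAwareFuzzer(ToyApp())
    for req in SETUP:
        fuzzer.app.handle(*req)
    back_after_logout = fuzzer.fuzz_state_changing(("GET", "/logout.php", {"id": "FUZZ"}))
    back_after_purchase = fuzzer.fuzz_state_changing(("POST", "/purchase.php", {"qty": "FUZZ"}))
    return back_after_logout, back_after_purchase, fuzzer.reverts, fuzzer.resets
```

The logout is undone by one revert with no reset, while the purchase forces a reset plus the setup requests; both fuzz requests leave the scanner back in its starting state.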

(30)

Evaluation—Scanners

•  skipfish

•  w3af

•  state-aware-crawler

•  wget

(31)

Evaluation—Applications

Web Application    Lines of Code
Gallery            26,622
PhpBB v2           16,034
PhpBB v3           110,186
SCARF              798
Vanilla Forums     43,880
WackoPicko v2      900
WordPress v2       17,995

(32)

Code Coverage Results

[Bar chart: "Percentage Code Coverage Improvement over wget" (y-axis, -50% to 300%) for the selected applications Gallery, WackoPicko v2 and WordPress v2, with one bar each for state-aware-scanner, w3af and skipfish. Bar labels as extracted, in order: 16.2%, 241.9%, 14.5%, 15.8%, 101.2%, 12.5%, 11.0%, 194.8%, -18.3%]


(34)

Web App      Scanner    Code % (improvement over wget)   True Vuln   Unique Vuln
PhpBB v2     state      38.34                            3           1
PhpBB v2     w3af       1.04                             1           0
PhpBB v2     skipfish   5.10                             2           0
SCARF        state      67.03                            1           1
SCARF        w3af       55.66                            0           0
SCARF        skipfish   21.55                            0           0
Vanilla      state      30.89                            0           0
Vanilla      w3af       1.06                             0           0
Vanilla      skipfish   -2.32                            15          2
WackoPicko   state      241.86                           5           1
WackoPicko   w3af       101.15                           5           1

(35)

[Figure: the state graph the scanner inferred for WackoPicko v2, drawn as numbered nodes joined by the requests that move between them (cart add/purchase/delete, add_comment, login/register/logout, passcheck); node labels and edge lists are not reproduced]

Doupé - 8/10/12

(37)

ENEMY OF THE STATE: A STATE-AWARE BLACK-BOX WEB

Adam Doupé
Email: adoupe@cs.ucsb.edu
Twitter: @adamdoupe
