Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner

Academic year: 2021

Share "Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner"

Copied!
37
0
0

Loading.... (view fulltext now)

Full text

(1)

Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner

Adam Doupé, Ludovico Cavedon, Christopher Kruegel, and Giovanni Vigna

University of California, Santa Barbara

(2)
(3)
(4)
(5)
(6)

Black-Box Vulnerability Scanners

Crawling

(7)

Black-Box Vulnerability Scanners

Crawling

(8)

Black-Box Vulnerability Scanners

Fuzzing

GET /view.php?id=<script>alert(1)</script>

(9)

The Shotgun Approach

GET /view.php?id=<script>alert(1)</script>

(10)

The Shotgun Approach

GET /view.php?id=<script>alert(1)</script>

What if this request changed the state of the application?

(11)

Simple Web Application

[Figure: pages view.php, index.php, login.php and view.php]

Must access login.php before view.php

(12)

Internal State Graph

[Figure: states state_0 and state_1; transitions labelled request / response: index.php / A, login.php / B, index.php / C, view.php / D]

(13)

Mealy Machine

[Figure: the same graph drawn as a Mealy machine over state_0 and state_1, with transitions index.php / A, login.php / B, index.php / C, view.php / D]

(14)

Inferring the State

Request     Response
index.php   A
login.php   B
index.php   C
view.php    D

(15)

Inferring the State

Request     Response
index.php   A
login.php   B
index.php   C
view.php

Made identical request and got different response. State has changed!

(16)

Necessary Steps to Inferring the State

•  Cluster similar pages (using links)
   – Links changing means what a user can do to the application has changed
•  Determine state-changing request
   – Which request in the list changed the state?
•  Collapse similar states
   – How to know if, when we detect a state change, we return to a previous state?

(17)
(18)

Cluster Similar Pages

Page 1:  <a, index.php, home>  <a, profile.php, id=1>  <form, POST, logout.php>
Page 2:  <a, index.php, home>  <a, profile.php, id=2>  <form, POST, logout.php>
Page 3:  <a, index.php, home>  <a, profile.php, id=3>  <form, POST, logout.php>
Page 4:  <a, index.php, home>  <form, POST, add.php>   <a, review.php, check>

(19)

(20)

Determine State-Changing Request

Request           Response
GET index.php     A
GET blah.php      B
POST login.php    C
GET account.php   D
GET index.php     E

Use a heuristic that favors new requests over old requests, POST requests over GET requests, and requests that always change the state over those that never change the state.
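The blame heuristic from this slide, written out as an added Python example (not the paper's code). The slide only gives the three preferences; the numeric weights, the tie-break towards the most recent request and the sample batches are my assumptions.

```python
"""Blame heuristic: which request in a batch changed the application state?

Added example, not the paper's code. Weights are mine: the slide only says
to favour new over old, POST over GET, and always-state-changing over
never-state-changing requests.
"""
from collections import Counter


class StateChangeBlamer:
    def __init__(self):
        self.issued = Counter()  # request -> times issued before the current batch
        self.blamed = Counter()  # request -> times held responsible for a state change

    def score(self, request):
        method = request.split(" ", 1)[0]
        n, c = self.issued[request], self.blamed[request]
        score = 0
        if n == 0:
            score += 2           # never issued before: a likely culprit
        if method == "POST":
            score += 1           # POSTs are meant to change server state
        if n > 0 and c == n:
            score += 2           # changed state every time it was issued
        elif n > 0 and c == 0:
            score -= 2           # issued before, never changed state
        return score

    def observe_batch(self, requests, state_changed):
        """Record one batch of requests; return the blamed one if the state changed."""
        culprit = None
        if state_changed and requests:
            # Ties go to the most recent request (my assumption, not the slide's rule).
            idx = max(range(len(requests)), key=lambda i: (self.score(requests[i]), i))
            culprit = requests[idx]
            self.blamed[culprit] += 1
        self.issued.update(requests)
        return culprit


# The request list from the slide, constructed as sample input.
SLIDE_BATCH = ["GET index.php", "GET blah.php", "POST login.php",
               "GET account.php", "GET index.php"]

if __name__ == "__main__":
    blamer = StateChangeBlamer()
    print(blamer.observe_batch(SLIDE_BATCH, state_changed=True))  # POST login.php
```

Over several batches the history terms take over: a request that has never been blamed is pushed below a fresh one, and a request blamed every time it appeared is preferred even over newer GETs.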

(21)

Collapse Similar States

•  Graph coloring
   – States as nodes
   – Edge between two states when they cannot be the same

(22)

Collapse Similar States

[Figure, built up over slides 22–28: a graph with nodes state_0, state_1, state_2, state_3, state_4; state_0, state_2 and state_4 are labelled "logged out", state_1 and state_3 "logged in"; slide 28 shows the collapsed graph]
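The graph-coloring step behind slides 21 to 28, as an added Python example rather than the paper's implementation. The observation format, the rule that two states conflict when the same request produced responses from different clusters, and the greedy coloring order are my choices; the paper's actual conflict criterion and coloring algorithm are not given on the slides.

```python
"""Collapse states that may be identical via graph colouring.

Added example, not the paper's code. Observations are (state, request,
response cluster); two states get an edge (they cannot be the same state)
when an identical request produced responses from different clusters in
them. A greedy colouring then merges states that share a colour.
"""
from collections import defaultdict
from itertools import combinations


def conflict_edges(observations):
    """Edges between states proven different by some request's response cluster."""
    by_request = defaultdict(dict)
    for state, request, cluster in observations:
        by_request[request][state] = cluster
    edges = set()
    for seen in by_request.values():
        for (s1, c1), (s2, c2) in combinations(seen.items(), 2):
            if c1 != c2:
                edges.add(frozenset((s1, s2)))
    return edges


def greedy_colouring(states, edges):
    """Smallest free colour per state in id order; a heuristic, not an optimal colouring."""
    adjacent = defaultdict(set)
    for edge in edges:
        a, b = tuple(edge)
        adjacent[a].add(b)
        adjacent[b].add(a)
    colour = {}
    for state in sorted(states):
        used = {colour[n] for n in adjacent[state] if n in colour}
        colour[state] = next(c for c in range(len(states)) if c not in used)
    return colour


def collapse_states(observations):
    """Return (state -> colour, list of collapsed state groups sorted by smallest member)."""
    states = {s for s, _, _ in observations}
    colour = greedy_colouring(states, conflict_edges(observations))
    groups = defaultdict(set)
    for s, c in colour.items():
        groups[c].add(s)
    return colour, sorted(map(frozenset, groups.values()), key=min)


# Constructed observations for a login/logout application (not from the paper).
# Note state_3 was never probed with index.php: missing evidence never adds an edge,
# so a collapse is "not shown to differ", not "proven identical".
OBSERVATIONS = [
    (0, "GET index.php", "anon_home"), (0, "GET view.php", "login_wall"),
    (1, "GET index.php", "user_home"), (1, "GET view.php", "photo"),
    (2, "GET index.php", "anon_home"), (2, "GET view.php", "login_wall"),
    (3, "GET view.php", "photo"),
    (4, "GET index.php", "anon_home"), (4, "GET view.php", "login_wall"),
]

if __name__ == "__main__":
    colouring, merged = collapse_states(OBSERVATIONS)
    print(merged)  # [frozenset({0, 2, 4}), frozenset({1, 3})]
```

With these observations the five inferred states collapse to two, matching the slide's "logged out" (state_0, state_2, state_4) and "logged in" (state_1, state_3) groups.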

(29)

State-Aware Fuzzing

def fuzz_state_changing(fuzz_request):
    make_request(fuzz_request)
    if state_has_changed():
        if state_is_reversible():
            make_requests_to_revert_state()
            if not back_in_previous_state():
                reset_and_put_in_previous_state()
        else:
            pass  # body of this branch is not shown on the slide
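The fuzzing loop above, run against a toy stateful application, as an added Python example (not the scanner's code). The mock application, the revert table, the fingerprint probe and the path used to rebuild state after a reset are all constructed here; the slide does not show the body of the final else, so this version assumes it resets the application and replays the path to the previous state.

```python
"""State-aware fuzzing loop against a toy stateful application.

Added example, not the paper's or scanner's code. The mock application, the
revert table and the fingerprint probe are constructed here; the slide does
not show the body of the final `else`, so this version resets and replays
the path to the previous state there (my assumption).
"""


class MockApp:
    """Constructed toy target: login/logout are reversible, account deletion is not."""

    def __init__(self):
        self.reset()

    def reset(self):
        self.logged_in = False
        self.deleted = False

    def request(self, req):
        if req == "POST login.php" and not self.deleted:
            self.logged_in = True
        elif req == "GET logout.php":
            self.logged_in = False
        elif req == "POST delete_account.php" and self.logged_in:
            self.deleted, self.logged_in = True, False
        elif req == "GET index.php":
            return "home:user" if self.logged_in else "home:anon"
        elif req == "GET view.php":
            return "photo" if self.logged_in else "login_wall"
        return "ok"


class StateAwareFuzzer:
    # Requests known to undo a given state-changing request (constructed table).
    REVERTS = {"POST login.php": ["GET logout.php"], "GET logout.php": ["POST login.php"]}
    # Side-effect-free requests whose responses fingerprint the current state.
    PROBES = ["GET index.php", "GET view.php"]

    def __init__(self, app, path_to_state):
        self.app = app
        self.path = path_to_state  # requests that rebuild the current state after a reset
        for r in self.path:
            self.app.request(r)

    def fingerprint(self):
        return tuple(self.app.request(p) for p in self.PROBES)

    def reset_and_put_in_previous_state(self):
        self.app.reset()
        for r in self.path:
            self.app.request(r)

    def fuzz_state_changing(self, fuzz_request):
        """Issue one fuzz request and report how the scanner got back to its state."""
        before = self.fingerprint()
        self.app.request(fuzz_request)                 # make_request(fuzz_request)
        if self.fingerprint() == before:               # not state_has_changed()
            return "no_change"
        revert = self.REVERTS.get(fuzz_request)
        if revert:                                     # state_is_reversible()
            for r in revert:
                self.app.request(r)                    # make_requests_to_revert_state()
            if self.fingerprint() == before:           # back_in_previous_state()
                return "reverted"
        # Reached when the revert failed or the change is irreversible (assumed else body).
        self.reset_and_put_in_previous_state()
        return "reset"


if __name__ == "__main__":
    fuzzer = StateAwareFuzzer(MockApp(), ["POST login.php"])
    for req in ["GET view.php", "GET logout.php", "POST delete_account.php"]:
        print(req, "->", fuzzer.fuzz_state_changing(req))
```

The fingerprint is the black-box view of state from the slides: the scanner never reads the application's variables, it only compares responses to identical probe requests before and after the fuzz request. Irreversible changes (here, deleting the account) cannot be undone from the outside and force the expensive reset-and-replay path.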

(30)

Evaluation—Scanners

•  skipfish

•  w3af

•  state-aware-crawler

•  wget

(31)

Evaluation—Applications

Web Application    Lines of Code
Gallery            26,622
PhpBB v2           16,034
PhpBB v3           110,186
SCARF              798
Vanilla Forums     43,880
WackoPicko v2      900
WordPress v2       17,995

(32)

Code Coverage Results

[Figure: bar chart; y-axis "Percentage Code Coverage Improvement over wget" (-50% to 300%), x-axis "Selected Applications"]

Application      state-aware-scanner   w3af     skipfish
Gallery          16.2%                 15.8%    11.0%
WackoPicko v2    241.9%                101.2%   194.8%
WordPress v2     14.5%                 12.5%    -18.3%

(33)


(34)

Web App      Scanner    Code %   True Vuln   Unique Vuln
PhpBB v2     state      38.34    3           1
PhpBB v2     w3af       1.04     1           0
PhpBB v2     skipfish   5.10     2           0
SCARF        state      67.03    1           1
SCARF        w3af       55.66    0           0
SCARF        skipfish   21.55    0           0
Vanilla      state      30.89    0           0
Vanilla      w3af       1.06     0           0
Vanilla      skipfish   -2.32    15          2
WackoPicko   state      241.86   5           1
WackoPicko   w3af       101.15   5           1

(35)

[Figure: inferred state graph; nodes are numbered states, edges are labelled with the requests that move between them, e.g. POST /users/login.php, POST /users/register.php, GET /users/logout.php, POST /passcheck.php, GET /cart/action.php?action=add&picid=N, POST /cart/action.php?action=purchase, POST /cart/action.php?action=delete, POST /comments/add_comment.php]

(36)

[Figure: the same inferred state graph, repeated]

Doupé - 8/10/12

(37)

ENEMY OF THE STATE: A STATE-AWARE BLACK-BOX WEB VULNERABILITY SCANNER

Adam Doupé
Email: [email protected]
Twitter: @adamdoupe
