Post on 24-Aug-2020
Enemy of the State: A State-Aware Black-Box Web
Vulnerability Scanner
Adam Doupé, Ludovico Cavedon, Christopher Kruegel, and Giovanni Vigna
University of California, Santa Barbara
USENIX 2012 – 8/10/12
Web Applications Have Bugs
Doupé - 8/10/12
White-Box
Black-Box
Commercial Tools
Black-Box Vulnerability Scanners Crawling
GET /index.php
Black-Box Vulnerability Scanners Crawling
GET /view.php?id=1
Black-Box Vulnerability Scanners Fuzzing
GET /view.php?id= <script>alert(1)</script>
The Shotgun Approach
GET /view.php?id= <script>alert(1)</script>
What if this request changed the state of the application? Logged the user out?
Simple Web Application
Pages: index.php, login.php, view.php
Must access login.php before view.php
Internal State Graph (Mealy Machine)
Transitions are written as request / response:
state_0 --index.php / A--> state_0
state_0 --login.php / B--> state_1
state_1 --index.php / C--> state_1
state_1 --view.php / D--> state_1
Must fuzz in different states
Inferring the State
Request -> Response
index.php -> A
login.php -> B
index.php -> C
view.php -> D
Made identical request (index.php) and got a different response (A, then C). State has changed!
Necessary Steps to Inferring the State
• Cluster similar pages (using links)
  – Links changing means what a user can do to the application has changed
• Determine state-changing request
  – Which request in the list changed the state?
• Collapse similar states
  – How to know if, when we detect a state change, we return to a previous state?
Cluster Similar Pages
<a, index.php, home> <a, profile.php, id=1> <form, POST, logout.php>
<a, index.php, home> <a, profile.php, id=2> <form, POST, logout.php>
<a, index.php, home> <a, profile.php, id=3> <form, POST, logout.php>
<a, index.php, home> <form, POST, add.php> <a, review.php, check>
The first three pages offer the same links and forms (only the profile id differs), so they fall into one cluster; the fourth page offers different actions and forms its own cluster.
Determine State-Changing Request
Request           Response
GET index.php     A
GET blah.php      B
POST login.php    C
GET account.php   D
GET index.php     E
Use a heuristic that favors new requests over old requests, POST requests over GET requests, and requests that always change the state over those that never change the state.
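The three inference steps above (cluster pages by their links, detect a state change when an identical request lands in a different cluster, then pick the state-changing request with the new/POST/always-changes heuristic) are shown end to end in the following added example. It is illustration code written for this page, not the scanner's own implementation; the page signature (anchor target without its parameter, form method plus action), the trace data and the way the "always changes" history is recorded are all assumptions.

```python
from typing import Dict, FrozenSet, List, NamedTuple, Tuple

# A link or form as the slides write it: (element kind, target, extra detail)
Link = Tuple[str, str, str]


class Request(NamedTuple):
    method: str  # "GET" or "POST"
    path: str


class Observation(NamedTuple):
    request: Request
    links: List[Link]  # links and forms extracted from the response page


# The four pages from the "Cluster Similar Pages" slide.
SLIDE_PAGES: List[List[Link]] = [
    [("a", "index.php", "home"), ("a", "profile.php", "id=1"), ("form", "POST", "logout.php")],
    [("a", "index.php", "home"), ("a", "profile.php", "id=2"), ("form", "POST", "logout.php")],
    [("a", "index.php", "home"), ("a", "profile.php", "id=3"), ("form", "POST", "logout.php")],
    [("a", "index.php", "home"), ("form", "POST", "add.php"), ("a", "review.php", "check")],
]

# Constructed crawl trace following the "Determine State-Changing Request" slide.
LOGGED_OUT: List[Link] = [("a", "index.php", "home"), ("form", "POST", "login.php")]
LOGGED_IN: List[Link] = [("a", "index.php", "home"), ("a", "account.php", "me"),
                         ("form", "POST", "logout.php")]
CRAWL_TRACE: List[Observation] = [
    Observation(Request("GET", "index.php"), LOGGED_OUT),                   # A
    Observation(Request("GET", "blah.php"), [("a", "index.php", "home")]),  # B
    Observation(Request("POST", "login.php"), LOGGED_IN),                   # C
    Observation(Request("GET", "account.php"), LOGGED_IN),                  # D
    Observation(Request("GET", "index.php"), LOGGED_IN),                    # E: same request as A
    Observation(Request("GET", "logout.php"), LOGGED_OUT),
    Observation(Request("GET", "index.php"), LOGGED_OUT),                   # differs from E again
]


def link_key(link: Link) -> Tuple[str, ...]:
    """Assumed abstraction: anchors keep only their target (id=1 vs id=2 is dropped),
    forms keep method and action, so pages offering the same actions look alike."""
    kind, x, y = link
    return ("a", x) if kind == "a" else (kind, x, y)


def page_signature(links: List[Link]) -> FrozenSet[Tuple[str, ...]]:
    return frozenset(link_key(l) for l in links)


def same_cluster(a: List[Link], b: List[Link]) -> bool:
    return page_signature(a) == page_signature(b)


def detect_state_changes(trace: List[Observation]) -> List[Tuple[int, int]]:
    """Return (start, end) pairs: the request at `end` repeats an earlier request
    but landed in a different cluster, so something in trace[start:end] changed state."""
    last_seen: Dict[Request, Tuple[int, FrozenSet[Tuple[str, ...]]]] = {}
    windows = []
    for i, obs in enumerate(trace):
        sig = page_signature(obs.links)
        if obs.request in last_seen:
            j, prev_sig = last_seen[obs.request]
            if prev_sig != sig:
                windows.append((j + 1, i))
        last_seen[obs.request] = (i, sig)
    return windows


def choose_state_changing(candidates, seen_before, history) -> Request:
    """The slide's heuristic as a lexicographic score: new > old, POST > GET,
    then the fraction of past windows in which this request was blamed."""
    def score(req: Request):
        past = history.get(req, [])
        consistency = sum(past) / len(past) if past else 0.5
        return (req not in seen_before, req.method == "POST", consistency)
    return max(candidates, key=score)


def infer_state_changing_requests(trace: List[Observation]) -> List[Request]:
    history: Dict[Request, List[bool]] = {}
    chosen = []
    for start, end in detect_state_changes(trace):
        candidates = [obs.request for obs in trace[start:end]]
        if not candidates:  # repeated back to back: blame the request itself (assumption)
            candidates = [trace[end].request]
        seen_before = {obs.request for obs in trace[:start]}
        pick = choose_state_changing(candidates, seen_before, history)
        for req in candidates:  # assumption: blamed -> True, others in window -> False
            history.setdefault(req, []).append(req == pick)
        chosen.append(pick)
    return chosen
```

On the constructed trace the first window contains blah.php, login.php and account.php, all new, and the POST wins; the second window contains only logout.php. A real crawler would also need the abstraction to be robust to content-only changes (timestamps, counters), which is why the slides key clustering on links rather than on page text.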
Collapse Similar States
• Graph coloring
  – States as nodes
  – Edge between two states when they cannot be the same
  – Greedy coloring algorithm
Collapse Similar States
Before collapsing: state_0, state_1, state_2, state_3, state_4
Colored one by one: state_0 = logged out, state_1 = logged in, state_2 = logged out, state_3 = logged in, state_4 = logged out
After collapsing: two states, logged out and logged in
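The collapse shown above, as an added example written for this page (not the scanner's code): two states get an edge when some request was issued in both and produced different page clusters, and a greedy coloring then merges every state that is never contradicted into one color class. The five-state observation table is constructed so that it reproduces the slide's logged out / logged in split; the cluster names are placeholders.

```python
from itertools import combinations
from typing import Dict, List, Set

# Constructed: for each inferred state, the page cluster each request led to.
OBSERVED: Dict[str, Dict[str, str]] = {
    "state_0": {"GET index.php": "landing-anon"},
    "state_1": {"GET index.php": "landing-user", "GET view.php": "view"},
    "state_2": {"GET index.php": "landing-anon"},
    "state_3": {"GET index.php": "landing-user"},
    "state_4": {"GET index.php": "landing-anon", "GET view.php": "denied"},
}


def conflicts(a: Dict[str, str], b: Dict[str, str]) -> bool:
    """Two states cannot be the same if a request seen in both gave different clusters."""
    return any(a[r] != b[r] for r in a.keys() & b.keys())


def build_conflict_graph(observed: Dict[str, Dict[str, str]]) -> Dict[str, Set[str]]:
    graph: Dict[str, Set[str]] = {s: set() for s in observed}
    for s, t in combinations(observed, 2):
        if conflicts(observed[s], observed[t]):
            graph[s].add(t)
            graph[t].add(s)
    return graph


def greedy_color(graph: Dict[str, Set[str]], order: List[str]) -> Dict[str, int]:
    """Assign each node the smallest color not used by an already-colored neighbour."""
    color: Dict[str, int] = {}
    for s in order:
        used = {color[n] for n in graph[s] if n in color}
        c = 0
        while c in used:
            c += 1
        color[s] = c
    return color


def collapse_states(observed: Dict[str, Dict[str, str]]) -> List[List[str]]:
    """Color classes are the collapsed states; states are visited in discovery order."""
    graph = build_conflict_graph(observed)
    color = greedy_color(graph, list(observed))
    groups: Dict[int, List[str]] = {}
    for s, c in color.items():
        groups.setdefault(c, []).append(s)
    return [sorted(members) for _, members in sorted(groups.items())]


def is_consistent(observed: Dict[str, Dict[str, str]], groups: List[List[str]]) -> bool:
    """Sanity check: no two merged states contradict each other."""
    return all(not conflicts(observed[s], observed[t])
               for g in groups for s, t in combinations(g, 2))
```

Coloring is deliberately optimistic: a state with no contradicting evidence is merged into the first compatible class, which keeps the model small but means a state that merely has not been probed enough can be folded into the wrong one; the scanner's "did we return to a previous state?" question is answered by exactly this merge.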
State-Aware Fuzzing

    def fuzz_state_changing(fuzz_request):
        make_request(fuzz_request)
        if state_has_changed():
            if state_is_reversible():
                # cheap path: undo the change with the known reverse requests
                make_requests_to_revert_state()
                if not back_in_previous_state():
                    # reverting did not work: start from a clean copy and replay
                    reset_and_put_in_previous_state()
            else:
                reset_and_put_in_previous_state()
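The pseudocode above run against a toy application, as an added example written for this page (not the scanner's own code). The application model, the index-page fingerprint used as the state check, the reversal table and the "purchase cannot be undone" rule are all constructed assumptions; the method names follow the pseudocode.

```python
from typing import List, Tuple

PROBE = "GET /index.php"  # response to this request fingerprints the current state

# Assumed table of requests known to undo a state change (learned or configured).
REVERSALS = {"GET /users/logout.php": ["POST /users/login.php"]}


class ToyApp:
    """Constructed stand-in for a web application with login and a one-shot purchase."""

    def __init__(self) -> None:
        self.reset()

    def reset(self) -> None:
        self.logged_in = False
        self.purchased = False

    def request(self, req: str) -> Tuple[str, ...]:
        if req == "POST /users/login.php":
            self.logged_in = True
        elif req == "GET /users/logout.php":
            self.logged_in = False
        elif req == "POST /cart/action.php?action=purchase" and self.logged_in:
            self.purchased = True  # nothing in the toy app undoes a purchase
        return self.page()

    def page(self) -> Tuple[str, ...]:
        # the links the index page shows depend on the state, as on the slides
        links = ["index.php", "logout.php" if self.logged_in else "login.php"]
        if self.logged_in:
            links.append("orders.php" if self.purchased else "cart.php")
        return tuple(links)


class StateAwareFuzzer:
    def __init__(self, app: ToyApp, path_to_state: List[str]) -> None:
        self.app = app
        self.path = list(path_to_state)  # requests that reach the state being fuzzed
        self.log: List[str] = []
        self.reset_and_put_in_previous_state()

    def state_fingerprint(self) -> Tuple[str, ...]:
        return self.app.request(PROBE)

    def reset_and_put_in_previous_state(self) -> None:
        self.app.reset()
        for req in self.path:
            self.app.request(req)

    def fuzz_state_changing(self, fuzz_request: str) -> str:
        before = self.state_fingerprint()
        self.app.request(fuzz_request)
        if self.state_fingerprint() == before:
            self.log.append("no change: " + fuzz_request)
            return "unchanged"
        if fuzz_request in REVERSALS:  # state_is_reversible()
            for req in REVERSALS[fuzz_request]:
                self.app.request(req)  # make_requests_to_revert_state()
            if self.state_fingerprint() == before:  # back_in_previous_state()
                self.log.append("reverted: " + fuzz_request)
                return "reverted"
        self.reset_and_put_in_previous_state()
        self.log.append("reset: " + fuzz_request)
        return "reset"


def run_demo() -> Tuple[List[str], Tuple[str, ...]]:
    """Fuzz three requests from the logged-in state and report what happened."""
    app = ToyApp()
    fuzzer = StateAwareFuzzer(app, ["POST /users/login.php"])
    outcomes = [fuzzer.fuzz_state_changing(r) for r in (
        "GET /users/profile.php",                 # unknown page: no state change
        "GET /users/logout.php",                  # reversible via login
        "POST /cart/action.php?action=purchase",  # irreversible: reset and replay
    )]
    return outcomes, app.page()
```

The fingerprint comparison before and after each fuzz request is what keeps the scanner from silently continuing to fuzz a logged-out session, which is the failure mode the "shotgun approach" slides describe; every outcome ends with the application back in the state the fuzzer started from.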
Evaluation—Scanners
• skipfish
• w3af
• state-aware-crawler
• wget
Evaluation—Applications
Web Application    Lines of Code
Gallery            26,622
PhpBB v2           16,034
PhpBB v3           110,186
SCARF              798
Vanilla Forums     43,880
WackoPicko v2      900
WordPress v2       17,995
WordPress v3       71,698
Code Coverage Results (bar chart)
Y axis: Percentage Code Coverage Improvement over wget (-50% to 300%)
X axis: Selected Applications: Gallery, WackoPicko v2, WordPress v2
Series: state-aware-scanner, w3af, skipfish
Bar labels shown on the chart: 16.2%, 241.9%, 14.5%, 15.8%, 101.2%, 12.5%, 11.0%, 194.8%, -18.3%
Web App      Scanner    Code % (coverage improvement over wget)   True Vuln   Unique Vuln
PhpBB v2     state      38.34                                     3           1
PhpBB v2     w3af       1.04                                      1           0
PhpBB v2     skipfish   5.10                                      2           0
SCARF        state      67.03                                     1           1
SCARF        w3af       55.66                                     0           0
SCARF        skipfish   21.55                                     0           0
Vanilla      state      30.89                                     0           0
Vanilla      w3af       1.06                                      0           0
Vanilla      skipfish   -2.32                                     15          2
WackoPicko   state      241.86                                    5           1
WackoPicko   w3af       101.15                                    5           1
WackoPicko   skipfish   194.77                                    3           1
("state" is the state-aware scanner.)
State graph produced by the state-aware scanner (figure residue): nodes are inferred states labelled with numeric ids (0, 91, 93, 147, 169, 200, 231, 261, 290, 325, 350, 385, 397, 400, 417, 424, 471, 523, 543, 549, 726, 780, 794, 813, 857, 874, 879, 884, 889, 894, 899, 904, 907, 970, 1055, 1157, 1240, 1248, 1256, 1328, 1389, 1536, 1615, 1641, 1669, 1725, 1735, 1756, 1769, 1782), and edges are labelled with the state-changing requests the scanner identified:
POST /users/login.php, POST /users/register.php
GET /users/logout.php
POST /passcheck.php
GET /cart/action.php?action=add&picid=7, 8, 9, 14, 15
POST /cart/action.php?action=purchase
POST /cart/action.php?action=delete
POST /comments/add_comment.php
ENEMY OF THE STATE: A STATE-AWARE BLACK-BOX WEB VULNERABILITY SCANNER
Adam Doupé Email: adoupe@cs.ucsb.edu Twitter: @adamdoupe