Post on 20-Sep-2020
Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs
G. Pellegrino et al., giancarlo.pellegrino@cispa.saarland (presented by Martin Johns, SAP Security Research)
U WON'T BELIEVE WHAT DIS CAT IS DOIN'!!!1!
Giancarlo Pellegrino, gpellegrino@cispa.saarland
<img src="http://store.com/change_pwd.php?password=pwnd" width="0px" height="0px"/>
Cross-Site Request Forgery Attack
POST /login.php […] user=Alice&pwd=secret
→ If credentials are valid, create and send a session cookie
200 OK Set-cookie: session=YBLqp32F
GET /video.html ("Look at this cat video!")
+
GET /change_pwd.php?password=pwnd Cookie: session=YBLqp32F
→ If cookie is valid, then update password
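The exchange above, replayed against two simulated handlers as an added example (not code from the deck or from Deemon): the slide's vulnerable change_pwd handler, which trusts the session cookie alone, and the same handler guarded by a synchronizer token, one of the countermeasures the deck names. The Server class, the token names and the sample credentials are constructed for this example.

```python
"""Simulated server for the login / change_pwd exchange on the slide.
Added example, not Deemon's code. Users, session ids, token names and the
Request/Server types are constructed for illustration."""

import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Request:
    path: str
    params: Dict[str, str]    # URL / body parameters
    cookies: Dict[str, str]   # attached by the browser, also on cross-site requests


class Server:
    def __init__(self) -> None:
        self.users = {"Alice": "secret"}   # constructed account
        self.sessions: Dict[str, str] = {}  # session id -> user
        self.tokens: Dict[str, str] = {}    # session id -> synchronizer token

    def login(self, user: str, pwd: str) -> Tuple[int, Dict[str, str]]:
        """If credentials are valid, create and send a session cookie."""
        if self.users.get(user) != pwd:
            return 403, {}
        sid = secrets.token_urlsafe(8)
        self.sessions[sid] = user
        self.tokens[sid] = secrets.token_urlsafe(16)  # per-session, unguessable
        return 200, {"session": sid}

    def change_pwd_vulnerable(self, req: Request) -> int:
        """The slide's handler: if the cookie is valid, update the password."""
        user = self.sessions.get(req.cookies.get("session", ""))
        if user is None:
            return 403
        self.users[user] = req.params["password"]
        return 200

    def change_pwd_hardened(self, req: Request) -> int:
        """Same handler plus a synchronizer-token check: the request must
        carry a parameter the browser does not attach automatically."""
        sid = req.cookies.get("session", "")
        user = self.sessions.get(sid)
        if user is None:
            return 403
        if not secrets.compare_digest(req.params.get("token", ""), self.tokens[sid]):
            return 403
        self.users[user] = req.params["password"]
        return 200


def simulate_forged(hardened: bool) -> Tuple[int, str]:
    """Alice logs in, then her browser issues the cross-site request from the
    slide (GET /change_pwd.php?password=pwnd) with her cookie attached."""
    srv = Server()
    _, cookies = srv.login("Alice", "secret")
    forged = Request("/change_pwd.php", {"password": "pwnd"}, cookies)
    handler = srv.change_pwd_hardened if hardened else srv.change_pwd_vulnerable
    return handler(forged), srv.users["Alice"]


def simulate_legitimate() -> Tuple[int, str]:
    """Alice's own form submission carries the token, so the hardened handler accepts it."""
    srv = Server()
    _, cookies = srv.login("Alice", "secret")
    token = srv.tokens[cookies["session"]]
    req = Request("/change_pwd.php", {"password": "new_secret", "token": token}, cookies)
    return srv.change_pwd_hardened(req), srv.users["Alice"]


if __name__ == "__main__":
    print(simulate_forged(False))   # (200, 'pwnd')       cookie alone suffices
    print(simulate_forged(True))    # (403, 'secret')     token missing, change refused
    print(simulate_legitimate())    # (200, 'new_secret')
```

The point the deck makes is that the cookie is the attacker's friend: the browser attaches it to any request, so authorisation must also depend on something only the legitimate page can supply.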
The Forgotten Sleeping Giant
• Popular vulnerability
• Among top 10 security risks w/ XSS and SQLi
• Discovered in popular websites, e.g., Gmail, Netflix, and ING
• Most of previous efforts spent on countermeasures: Origin header, synchronizer tokens, and browser plugins
• A little has been done to provide techniques for the detection
• Existing (semi-)automated techniques focus on input validation and logic flaws → detection of CSRF via manual inspection
[Top10_OWASP_2007-2013]
Building a tool to find CSRF
• CSRF is not overly hard to find for pentesters or security experts during dedicated security testing
• But:
  • Bug pattern is unintuitive for developers
  • Security testing is often used in automated processes, such as Q-Gates or regression testing
• Hence: can we build a tool to find CSRF automatically?
So, why is it hard to detect CSRF automatically?
• Challenges (Operational): 1) Application interaction; 2) Side-effect free testing
• Challenges (Detection): 1) CSRF targets state transitions; 2) Attacker reliably creates requests incl. parameters and values; 3) Not all state transitions are relevant
Challenge O1: Application interaction
• CSRF is rarely found on application entry pages
• Instead, in general it requires interaction with deeper functionality of the application
• Thus, "blind" black-box testing is unlikely to access all CSRF-relevant interfaces
Challenge O2: Side-effect free testing
• Remember: CSRF is all about causing lasting side-effects on the server-side
• But: testing for such side effects potentially causes… side effects
• Think: deletion of a shopping basket, terminating an authenticated session, ...
• How can we ensure that our testing does not interfere with our testing?
Challenge D1: CSRF Targets State Transitions
• Determine when a state transition occurs
• Not all operations change the state of a web app, e.g., view user data vs reset user password
• Learning state transitions is possible
• However, existing approaches can be inaccurate or operation-specific
GET /user_data.php Cookie: session=YBLqp32F → Show user data → SELECT * FROM users […]
GET /change_pwd.php?password=new_secret Cookie: session=YBLqp32F → Update password → UPDATE users SET pwd=new_secret […] → fires a state transition
Challenge D2: Attacker Reliably Creates Requests
• Determine relationships between parameters and transitions, e.g., a random security token may not be guessed by an attacker
• Existing techniques do not determine such a relationship, e.g., web scanners match param names against a list of predefined names (e.g., "token")
GET /place_order.php?token=XZR4t6q Cookie: session=YBLqp32F
Challenge D3: Not all State Transitions are Relevant
• Determine the relevance of a state transition
• State transitions can be the result of operations such as tracing user activities
• They are state-changing operations but not necessarily security-relevant
• Easy for humans but hard for machines
GET /product.php?id=201 Cookie: session=YBLqp32F → 200 OK
1) PageCounter++ 2) Return product description
UPDATE pages SET cnt = cnt + 1 WHERE id=201 → fires a state transition
Our approach: Deemon
• Approach: guided grey-box testing
• Input: user-generated interaction traces, e.g., Selenium scripts for regression/UI testing
• Infrastructure: HTTP observation; instrumented server-side that monitors all state changes
Our Solution: Deemon
• Application-agnostic framework for developers and analysts
1. Infer state transitions + data flow from program executions
2. Property graphs for uniform and reusable model representation
3. Graph traversals to select request candidates for testing
4. Verify replay-ability of HTTP requests
Deemon: Architecture
[Architecture figure: the Virtualized Env. runs the "Login and change password" workflow; HTTP traffic (GET → 200 OK) and server-side traces are collected by Dynamic Trace Generation into traces such as <GET, 200, GET, 302>.]
Reliable, repeatable workflow testing
• The architecture allows side-effect free testing: set server VM into vanilla state; run UI workflow and record all traffic & server-side effects; … repeat
• Clear mapping between UI interaction / HTTP requests / server-side effects; this allows the identification of single requests between traces
• Running the same UI workflow multiple times and comparing HTTP request parameters: with the same user -> session-specific parameters; with different users -> user-specific parameters
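The parameter comparison described above, as an added example (not Deemon's code): the same scripted workflow is run twice as one user and once as another, and each request parameter is labelled by where its value changes. The traces, the parameter names and the three labels are constructed for this example, and runs are assumed to be aligned step by step because the same script produced them.

```python
"""Parameter-role inference from repeated runs of one scripted UI workflow.
Added example, not Deemon's code. Traces and values are constructed; a value
that changes between two runs by the same user is session-specific, one that
changes only between users is user-specific, the rest are constants."""

from typing import Dict, List, Set, Tuple

Request = Tuple[str, str, Dict[str, str]]   # (method, path, params)
Trace = List[Request]
Key = Tuple[int, str, str]                  # (step index, method, path)

# Constructed traces of the "login and change password" workflow:
# two runs as Alice and one run as Bob (all values made up).
ALICE_RUN_1: Trace = [
    ("POST", "/login.php", {"user": "alice", "pwd": "secret", "csrf": "k1a9"}),
    ("GET", "/change_pwd.php", {"password": "new_secret", "csrf": "k1a9", "uid": "17"}),
]
ALICE_RUN_2: Trace = [
    ("POST", "/login.php", {"user": "alice", "pwd": "secret", "csrf": "z7q2"}),
    ("GET", "/change_pwd.php", {"password": "new_secret", "csrf": "z7q2", "uid": "17"}),
]
BOB_RUN: Trace = [
    ("POST", "/login.php", {"user": "bob", "pwd": "hunter2", "csrf": "m4v8"}),
    ("GET", "/change_pwd.php", {"password": "new_secret", "csrf": "m4v8", "uid": "42"}),
]


def differing_params(a: Trace, b: Trace) -> Dict[Key, Set[str]]:
    """Per workflow step, the parameter names whose values differ between
    two aligned runs. Steps are keyed by index so a path visited twice in
    one workflow does not collide."""
    if [(m, p) for m, p, _ in a] != [(m, p) for m, p, _ in b]:
        raise ValueError("runs must follow the same workflow")
    out: Dict[Key, Set[str]] = {}
    for i, ((m, p, q1), (_, _, q2)) in enumerate(zip(a, b)):
        out[(i, m, p)] = {k for k in set(q1) | set(q2) if q1.get(k) != q2.get(k)}
    return out


def classify_params(same_user_runs: List[Trace], other_user_run: Trace) -> Dict[Key, Dict[str, str]]:
    """Label every parameter of every step as 'session_unique', 'user_unique'
    or 'constant'. Session-unique values are the ones a forged cross-site
    request would have to guess; user-unique values (ids) usually are not."""
    base = same_user_runs[0]
    session_diff = differing_params(base, same_user_runs[1])
    user_diff = differing_params(base, other_user_run)
    labels: Dict[Key, Dict[str, str]] = {}
    for i, (m, p, params) in enumerate(base):
        key = (i, m, p)
        labels[key] = {}
        for name in params:
            if name in session_diff[key]:
                labels[key][name] = "session_unique"
            elif name in user_diff[key]:
                labels[key][name] = "user_unique"
            else:
                labels[key][name] = "constant"
    return labels


if __name__ == "__main__":
    for key, roles in classify_params([ALICE_RUN_1, ALICE_RUN_2], BOB_RUN).items():
        print(key, roles)
```

With more than two same-user runs the session comparison can be repeated pairwise; the labels above are what the property graph later stores as variable types, so a per-session token ends up typed as session-unique while a user id stays guessable.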
Deemon: Model Construction
[Model construction figure: traces and parse trees (HTTP request nodes such as GET /, hdrs, session value YBLqp32F; SQL nodes such as UPDATE tbl … id=YBLqp…; edges "next" and "caused"), the inferred FSM (states q0, q1, transition q0→q1 with edges "trans to" and "accepts"), and the data flow with types (v1 = YBLqp32F, Types: String, Session unique; v2 = YBLqp32F, Types: String, Session unique; edges "propag.", "source", "sink", "has"). Input traces such as <GET, 200, GET, 302>.]
Deemon: Traversals
"Find all CSRF"
⇓
"Find all requests r such that: 1) r is state-changing; 2) r can be created by an attacker; 3) the state change is relevant"
⇓
"∀r: request(r)
1) ∃tr, qi, qf: trans(tr, qi, qf) ∧ accepts(tr, r)
2) ∀v: variable(v) ∧ has(qf, v) ∧ v.Types ∩ {"unguessable"} = ∅
3) relevant(r)"
⇓
[Queryprocessor]
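The three-part query above, run over a small in-memory property graph, as an added example (not Deemon's code, which stores its graph in a graph database). The graph, its node values and the Variable/Request/Transition/Graph types are constructed; the relevance predicate is an assumed heuristic (the request carried an authenticated session and the SQL write does not hit a generic bookkeeping table), since the deck only states that non-authentication and generic state transitions are removed. The sample graph also carries the product-page counter from Challenge D3 and the order token from Challenge D2, so each filter of the query removes one request.

```python
"""Property-graph traversal selecting CSRF test candidates.
Added example, not Deemon's code. The predicates request/trans/accepts/
has/variable follow the slide; 'relevant' is an assumed heuristic and the
graph contents are constructed."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Variable:            # variable(v): a request parameter and its inferred types
    name: str
    value: str
    types: Set[str]


@dataclass
class Request:             # request(r)
    rid: str
    method: str
    path: str
    variables: List[Variable]
    authenticated: bool    # carried a valid session cookie when recorded


@dataclass
class Transition:          # trans(tr, qi, qf): a state change caused by an SQL write
    tid: str
    qi: str
    qf: str
    sql: str
    accepts: Set[str]      # accepts(tr, r): ids of requests that fire it


@dataclass
class Graph:
    requests: Dict[str, Request]
    transitions: Dict[str, Transition]
    has: Dict[str, List[Variable]]   # has(qf, v): variables flowing into state qf


GENERIC_TABLES = {"pages", "stats", "logs"}   # assumed: bookkeeping tables, not security-relevant


def transitions_for(g: Graph, r: Request) -> List[Transition]:
    """1) r is state-changing iff some transition accepts it."""
    return [tr for tr in g.transitions.values() if r.rid in tr.accepts]


def attacker_creatable(g: Graph, tr: Transition) -> bool:
    """2) no variable flowing into qf is typed 'unguessable'
    (session-unique tokens receive that type in the model)."""
    return all("unguessable" not in v.types for v in g.has.get(tr.qf, []))


def target_table(sql: str) -> Optional[str]:
    """Table written by an UPDATE / INSERT / DELETE statement, or None."""
    m = re.match(r"\s*(?:UPDATE|INSERT\s+INTO|DELETE\s+FROM)\s+(\w+)", sql, re.I)
    return m.group(1).lower() if m else None


def relevant(r: Request, tr: Transition) -> bool:
    """3) assumed heuristic: authenticated request, non-generic target table."""
    return r.authenticated and target_table(tr.sql) not in GENERIC_TABLES


def csrf_candidates(g: Graph) -> List[str]:
    """Ids of requests satisfying all three parts of the query."""
    out = []
    for r in g.requests.values():
        if any(attacker_creatable(g, tr) and relevant(r, tr) for tr in transitions_for(g, r)):
            out.append(r.rid)
    return sorted(out)


def build_sample_graph() -> Graph:
    """Constructed graph with the four requests from the deck's examples."""
    pwd = Variable("password", "new_secret", {"String"})
    tok = Variable("token", "XZR4t6q", {"String", "Session unique", "unguessable"})
    pid = Variable("id", "201", {"String"})
    requests = {
        "r1": Request("r1", "GET", "/user_data.php", [], True),      # SELECT only: no transition
        "r2": Request("r2", "GET", "/change_pwd.php", [pwd], True),  # the CSRF candidate
        "r3": Request("r3", "GET", "/place_order.php", [tok], True), # protected by a token
        "r4": Request("r4", "GET", "/product.php", [pid], True),     # page counter: not relevant
    }
    transitions = {
        "t1": Transition("t1", "q0", "q1", "UPDATE users SET pwd='new_secret' WHERE id=17", {"r2"}),
        "t2": Transition("t2", "q0", "q2", "INSERT INTO orders VALUES (17, 201)", {"r3"}),
        "t3": Transition("t3", "q0", "q3", "UPDATE pages SET cnt = cnt + 1 WHERE id=201", {"r4"}),
    }
    has = {"q1": [pwd], "q2": [tok], "q3": [pid]}
    return Graph(requests, transitions, has)


if __name__ == "__main__":
    print(csrf_candidates(build_sample_graph()))  # ['r2']
```

Only the change-password request survives: r1 fires no transition, r3's transition depends on a session-unique token, and r4's transition only bumps a counter. The surviving requests are the ones the testing stage replays to confirm they really reproduce the state change.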
[Traversal figure: request r (GET, url, hdrs, parameter password=pwd) satisfies request(r); the transition qi→qf, linked by "trans to" and "accept" edges, satisfies ∃tr, qi, qf: trans(tr, qi, qf) ∧ accepts(tr, r); the variable v1 = pwd, Types: String, linked to qf by "has", satisfies ∀v: variable(v) ∧ has(qf, v) ∧ v.Types ∩ {"unguessable"} = ∅.]
Deemon: Testing
[Testing figure: Graph Traversals (queries) select Requests, which Test Execution replays in the Virtualized Env. (GET … → 200 OK?); each test ends as Failed or Successful.]
Revisiting the Challenges
• O1) Application interaction: guided testing via recorded workflows
• O2) Side-effect free testing: removal of side effects via VM snapshots
• D1) CSRF targets state transitions: monitoring of server-side effects
• D2) Attacker reliably creates requests incl. parameters and values: automated analysis of parameter roles and information flows
• D3) Not all state transitions are relevant: removal of non-authentication and generic state transitions
Evaluation
• Inputs:
  • 10 web apps from the Bitnami catalog (avg 600k LoC)
  • 93 workflows (e.g., change password, username, add/delete user/admin, enable/disable plugin)
• Attacks:
  • User account takeover in AbanteCart and OpenCart
  • Database corruption in Mautic
  • Web app takeover in SimpleInvoices
1,380 requests → 194 not state-changing, 1,186 state-changing → 164 relevant, 1,022 not relevant → 111 unprotected, 53 protected (108 tokens) → 219 tests: 29 successful, 190 failed → 14 distinct CSRFs
Results Analysis: Awareness
1. Complete awareness: all state-changing operations are protected, e.g., Horde, Oxid, and Prestashop
2. Unawareness: none of the relevant state-changing operations are protected, i.e., SimpleInvoices
3. Partial awareness
  • Role-based: only admin is protected, i.e., OpenCart and AbanteCart
  • Operation-based: adding data items is protected, deleting is not, i.e., Mautic
Takeaways
• Presented Deemon: dynamic analysis + property graphs
• Deemon detected 14 CSRFs that can be exploited to take over accounts, websites, and compromise database integrity
• Discovered alarming behaviors: security-sensitive operations are protected in a selective manner
• Read all the gory details or play with Deemon:
  • G. Pellegrino et al.: Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs, in 24th ACM Conference on Computer and Communications Security, 2017 (CCS 2017)
  • https://github.com/tgianko/deemon