Deemon: Detecting CSRF with Dynamic Analysis and Property ...•Guided testing via recorded...

Deemon:DetectingCSRFwithDynamicAnalysisandPropertyGraphsG.Pellegrinoetal.giancarlo.pellegrino@cispa.saarland(presentedbyMartinJohns,SAPSecurityResearch)

UWON’TBELIEVEWHATDISCATISDOIN’!!!1!

TWEET SHARE PIN SEND EMAIL

GiancarloPellegrino,[email protected] 2

<img src="http://store.com/change_pwd.php?password=pwnd" width="0px" height="0px"/>

Cross-SiteRequestForgeryAttack


POST /login.php […] user=Alice&pwd=secret

200 OKSet-cookie: session=YBLqp32F

GET /video.html

+

GET /change_pwd.php?password=pwndCookie: session=YBLqp32F

Ifcookieisvalid,thenupdatepassword

Lookatthiscatvideo!

Ifcredentialsarevalid,createandsendasessioncookies

TheForgottenSleepingGiant

• Popularvulnerability• Amongtop10securityrisksw/XSSandSQLi• Discoveredinpopularwebsites,e.g.,Gmail,Netflix,andING

• Mostofpreviouseffortsspentoncountermeasures:• Originheader,synchronizertokens,andbrowserplugins

• Alittlehasbeendonetoprovidetechniquesforthedetection• Existing(semi-)automatedtechniquesfocusoninputvalidationandlogicflaws→DetectionofCSRFviamanualinspection


[Top10_OWASP_2007-2013]

BuildingatooltofindCSRF

• CSRFisnotoverlyhardtofindforpentestersorsecurityexpertsduringdedicatedsecuritytesting• But

• Bugpatternisunintuitivefordevelopers• Securitytestingisoftenusedinautomatedprocesses,suchasQ-Gatesorregressiontesting

• Hence,• CanwebuildatooltofindCSRFautomatically?


So,whyisithardtodetectCSRFautomatically?

• Challenges(Operational):1) Applicationinteraction2) Side-effectfreetesting

• Challenges(Detection):1) CSRFtargetsstatetransitions2) Attackerreliablycreaterequestsincl.parametersandvalues3) Notallstatetransitionsarerelevant


ChallengeO1:Applicationinteraction

• CSRFisrarelyfoundonapplicationentrypages• Instead,ingeneralitrequiresinteractionwithdeeperfunctionalityoftheapplication• Thus,“blind”black-boxtestingisunlikelytoaccessallCSRF-relevantinterfaces


ChallengeO2:Side-effectfreetesting

• Remember:CSRFisallaboutcausinglastingside-effectsontheserver-side• But:

• Testingforsuchsideeffectspotentiallycauses…sideeffects• Think:

• Deletionofashoppingbasket• Terminatinganauthenticatedsession• ...

• Howcanweensurethatourtestingdoesinterferewithourtesting?


ChallengeD1:CSRFTargetsStateTransitions

• Determinewhenastatetransitionoccurs• Notalloperationschangethestateofawebapp

• E.g.,Viewuserdatavsresetuserpassword

• Learningstatetransitionsispossible• However,existingapproachcanbeinaccurateoroperation-specific


GET /user_data.phpCookie: session=YBLqp32F Showuserdata

GET /change_pwd.php?password=new_secretCookie: session=YBLqp32F Updatepassword

SELECT*FROMusers[…]

UPDATEusersSETpwd=new_secret[…]

Fireastatetransition

ChallengeD2:AttackerReliablyCreatesRequests

• Determinerelationshipsbetweenparametersandtransitions• E.g.,randomsecuritytokenmaynotbeguessedbyanattacker

• Existingtechniquesdonotdeterminesucharelationship• E.g.,Webscannersmatchparam namesagainstlistofpredefinednames(e.g.,“token”)


GET /place_order.php?token=XZR4t6qCookie: session=YBLqp32F

ChallengeD3:NotallStateTransitionsareRelevant

• Determinetherelevanceofastatetransition• Statetransitionscanbetheresultofoperationssuchastracinguseractivities• Theyarestate-changingoperationsbutnotnecessarilysecurity-relevant

• Easyforhumansbuthardformachines


GET /product.php?id=201Cookie: session=YBLqp32F

200 OK

1) PageCounter++2) Returnproduct

description

UPDATEpagesSETcnt =cnt +1WHEREid=201

Fireastatetransition

Ourapproach:Deemon

• Approach:Guidedgrey-boxtesting• Input:Usergeneratedinteractiontraces

• E.g.,Seleniumscriptsforregression/UItesting

• Infrastructure• HTTPobservation• Instrumentedserver-sidethatmonitorsallstatechanges


OurSolution:Deemon

• Application-agnosticframeworkfordevelopersandanalysts1. Inferstatetransitions+dataflowfromprogramexecutions2. Propertygraphsforuniformandreusablemodelrepresentation3. Graphtraversalstoselectrequestcandidatesfortesting4. Verifyreplay-abilityofHTTPrequests


Deemon:Architecture


A F<,,,,>

VirtualizedEnv.

Loginandchangepassword

GET

200 OK

DynamicTraceGeneration

A F<,,,,>

<GET ,200,GET ,302 >

<,>

Reliable,repeatableworkflowtesting

• Thearchitectureallowsside-effectfreetesting• SetserverVMintovanillastate• RunUIworkflowandrecordalltraffic&server-sideeffects• …repeat

• Clearmappingbetween:UIinteraction/HTTPrequests/server-sideeffects• Thisallowtheidentificationofsinglerequestsbetweentraces

• RunningthesameUIworkflowmultipletimesandcomparingHTTPrequestparameters• Withthesameuser->sessionspecificparameters• Withdifferentusers->userspecificparameters


Deemon:ModelConstruction


A

GET /

YBLqp32F

GET

hdrs

…

200 GET 302

next

caused

next

next next next

caused

UPDATE tbl

id=YBLqp

SQL

claus

…

SQL

next

caused

TracesandParseTrees

q0 q1q0→q1

trans to

accepts

FSM Dataflowandtypes

v1= YBLqp32F

Types: String, Session unique

v2= YBLqp32F

Types: String, Session unique

propag.

source

sink

has

A F<,,,,>

<GET ,200,GET ,302 >

<,>

Deemon:Traversals


“FindallCSRF”⇓

“Findallrequests rsuchthat:1)risstate-changing2)rcanbecreated byanattacker3)thestatechangeisrelevant”

⇓“∀n:request(n)

1)∃tr,qi,qf:trans(tr,qi,qf)∧accepts(tr,n)

2)∀v:variable(v)∧has(qf,v)∧v.Types ⋂{“unguessable”}=∅

3)relevant(r)”⇓

[Queryprocessor]

GET

password

r

pwd

hdrs

qi qfqi→qf

trans to

r

accept

request(r)

∃tr,qi,qf:trans(tr,qi,qf)∧accepts(tr,r)

v1= pwd

Types: String

qf

has

url

∀v:variable(v)∧has(qf,v)∧v.Types ⋂{“unguessable”}=∅

<,,,,>

Deemon:Testing


GraphTraversals TestExecution

<,,,,>

Requests

Queries

VirtualizedEnv.

200 OK

?

GET

Failed Successful

RevisitingtheChallenges

• O1)Applicationinteraction• Guidedtestingviarecordedworkflows

• O2)Side-effectfreetesting• RemovalofsideeffectsviaVMsnapshots

• D1)CSRFtargetsstatetransitions• Monitoringofserver-sideeffects

• D2)Attackerreliablycreaterequestsincl.parametersandvalues• Automatedanalysisofparameterrolesandinformationflows

• D3)Notallstatetransitionsarerelevant• Removalofnon-authenticationandgenericstatetransitions


Evaluation

• Inputs:• 10WebappsfromtheBitnami catalog(avg 600kLoC)• 93workflows(e.g.,changepassword,username,add/deleteuser/admin,enable/disableplugin)

•

•

• Attacks:• UseraccounttakeoverinAbanteCart andOpenCart• DatabasecorruptioninMautic• WebapptakeoverinSimpleInvoices

GiancarloPellegrino,[email protected]

1,380requests194notst-ch

1,186st-ch 164relevant1,022notrelevant

111unprotected

53protected(108tokens)

219tests29succ.190failed

14distinctCSRFs

ResultsAnalysis:Awareness

1. CompleteAwareness:allstate-changingoperationsareprotected• E.g.,Horde,Oxid,andPrestashop

2. Unawareness:noneoftherelevantstate-changingoperationsareprotected• I.e.,SimpleInvoices

3. PartialAwareness• Role-based:onlyadminisprotected

• I.e.,OpenCart andAbanteCart

• Operation-based:addingdataitemsisprotected,deletingisnot• I.e.,Mautic


Takeaways

• PresentedDeemon:Dynamicanalysis+propertygraphs• Deemon detected14CSRFsthatcanbeexploitedtotakeoveraccounts,websites,andcompromisedatabaseintegrity• Discoveredalarmingbehaviors:security-sensitiveoperationsareprotectedinaselectivemanner• ReadallthegorydetailsorplaywithDeemon:

• G.Pellegrinoetal.:Deemon:DetectingCSRFwithDynamicAnalysisandPropertyGraphsin24thACMConferenceonComputerandCommunicationsSecurity,2017(CCS2017)

• https://github.com/tgianko/deemonGiancarloPellegrino,[email protected] 22

Deemon: Detecting CSRF with Dynamic Analysis and Property ...•Guided testing via recorded...

Documents

Transcript of Deemon: Detecting CSRF with Dynamic Analysis and Property ...•Guided testing via recorded...