
Detecting CSRF with Dynamic Analysis and Property Graphs
Explore the research work of Giancarlo Pellegrino on detecting CSRF through dynamic analysis and property graphs, addressing challenges in vulnerability detection and offering insights on web security and automation.
Presentation Transcript
Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs*
G. Pellegrino, M. Johns, S. Koch, M. Backes, C. Rossow
gpellegrino@cispa.saarland / gpellegrino@stanford.edu
ITASEC 2018, Feb 7th, Milan, Italy
* Computer and Communications Security (CCS), Oct 30th - Nov 3rd, Dallas, USA
Who am I?
- Visiting Assistant Professor at Stanford University, US
- Independent Research Group Leader at CISPA, Saarland, DE (on temp. leave)
- Topics: Web Security, Automated Vulnerability Analysis, Deep (Reinforcement) Learning
- Seeking a talented Ph.D. student. Enjoy digging for vulnerabilities? Contact me!
Giancarlo Pellegrino, gpellegrino@cispa.saarland, 11/02/2017
[Mock social-media post with a hidden image tag]
U WONT BELIEVE WHAT DIS CAT IS DOIN !!!1!
<img src="http://store.com/change_pwd.php?password=pwnd" width="0px" height="0px"/>
[TWEET] [SHARE] [PIN] [SEND EMAIL]
Cross-Site Request Forgery Attack
1. Alice logs in: POST /login.php with user=Alice&pwd=secret. If the credentials are valid, the server creates and sends a session cookie: 200 OK, Set-cookie: session=YBLqp32F
2. "Look at this cat video!" -> Alice's browser issues GET /video.html to the attacker's page
3. The page triggers GET /change_pwd.php?password=pwnd, which the browser sends with Cookie: session=YBLqp32F. If the cookie is valid, the server updates the password.
The Forgotten Sleeping Giant
- Popular vulnerability: among the top 10 security risks with XSS and SQLi; discovered in popular websites, e.g., Gmail, Netflix, and ING [Top10_OWASP_2007-2013]
- Most previous effort has been spent on countermeasures: Origin header, synchronizer tokens, and browser plugins
- Little has been done to provide detection techniques
- Existing (semi-)automated techniques focus on input validation and logic flaws
- CSRF is detected via manual inspection
Why is it hard to detect CSRF?
Detection requires reasoning over relationships between application states and the roles and status of request parameters:
- D1) CSRF targets state transitions
- D2) The attacker must reliably create requests, incl. parameters and values
- D3) Not all state transitions are relevant
Additional (operational) challenges:
- O1) CSRF in non-trivial workflows
- O2) Side-effect-free testing
D1) CSRF Targets State Transitions
- GET /user_data.php (Cookie: session=YBLqp32F) -> SELECT * FROM users [...] -> show user data (no state change)
- GET /change_pwd.php?password=new_secret (Cookie: session=YBLqp32F) -> UPDATE users SET pwd=new_secret [...] -> fires a state transition: update password
- Determine when a state transition occurs: not all operations change the state of a web app, e.g., view user data vs. reset user password
- Learning state transitions is possible; however, existing approaches can be inaccurate or operation-specific
D2) Attacker Reliably Creates Requests incl. Params
- GET /place_order.php?token=XZR4t6q (Cookie: session=YBLqp32F)
- Determine relationships between parameters and transitions: e.g., a random security token may not be guessable by an attacker
- Existing techniques do not determine such a relationship: e.g., web scanners match parameter names against a list of predefined names (e.g., "token")
D3) Not All State Transitions Are Relevant
- GET /product.php?id=201 (Cookie: session=YBLqp32F) -> 1) PageCounter++ (UPDATE pages SET cnt = cnt + 1 WHERE id=201, which fires a state transition), 2) return the product description (200 OK)
- Determine the relevance of a state transition: state transitions can be the result of operations such as tracing user activities; they are state-changing operations but not necessarily security-relevant
- Easy for humans but hard for machines
Our Solution: Deemon
- Property graph: infer state transitions (D1); infer data flow with semantic types (D2)
- Graph traversal query: find n such that request(n), state-changing(st, n) for some transition st, attacker-controlled(n), and relevant(st)
- Use heuristics for reoccurring transitions (D3)
Deemon: Trace Generation
[Figure: dynamic trace generation. A workflow such as "login and change password" is executed in a virtualized environment; the HTTP requests and responses (e.g., <GET, 200, GET, 302>) and the SQL queries they cause are recorded as traces.]
Deemon: Property Graph Construction
[Figure: the property graph links three layers: (1) traces and parse trees, i.e., HTTP requests/responses with their headers (e.g., <GET, 200, GET, 302>) and SQL statements (e.g., UPDATE tbl ... with the clause id=YBLqp...), connected by "next" edges; (2) a finite state machine whose transitions (q0 -> q1, "trans to") are "caused" by trace elements and "accept" requests; (3) data flow and types, e.g., v1 = YBLqp32F with Types: String, Session unique, which "propagates" from the request header (source) to the SQL clause (sink), with "has" edges from states to variables.]
Deemon: Traversals for Test Generation
Find all requests r such that:
1) r is state-changing: there exist tr, qi, qf with trans(tr, qi, qf) and accepts(tr, r)
2) r can be created by an attacker: no variable v with variable(v) and has(qf, v) has a type in {unguessable}
3) the state change is relevant: relevant(r)
[Figure: the query processor evaluates these traversals over the graph; the example request r (GET, hdrs, url) carries a password parameter pwd, a transition tr leads from qi to qf, and qf has v1 = pwd with Types: String, Session unique.]
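The three traversal conditions above (and the D1-D3 challenges they answer), as an added example that is not Deemon's own code: a toy in-memory property graph of transitions caused by SQL statements, each with the request that fires it and the typed values that flowed into it, plus the traversal that returns the requests for which D1, D2 and D3 all hold. The graph layout, the use of "Session unique" as the unguessable type, and the D3 heuristic (an SQL template fired by more than half of the state-changing requests is bookkeeping) are this example's assumptions.

```python
from collections import Counter
from dataclasses import dataclass

UNGUESSABLE = {"Session unique"}  # assumed name of the unguessable semantic type

@dataclass(frozen=True)
class Transition:
    """trans(tr, qi, qf) caused by an SQL statement; accepts(tr, request)."""
    qi: str
    qf: str
    request: str  # request node, written as "METHOD url" (a label only)
    sql: str      # normalised SQL template seen in the trace
    vars: tuple   # has(qf, v): (name, types) of values that flowed into the query

def state_changing(r, graph):  # D1: r fires at least one transition
    return [t for t in graph if t.request == r]

def attacker_controlled(r, graph):  # D2: no unguessable value is needed
    return not any(types & UNGUESSABLE
                   for t in state_changing(r, graph) for _, types in t.vars)

def reoccurring(graph, frac=0.5):  # D3 heuristic, this example's assumption
    """SQL templates fired by more than `frac` of the state-changing requests
    are taken as bookkeeping (page counters, activity tracing)."""
    n = len({t.request for t in graph})
    hits = Counter(sql for sql, _ in {(t.sql, t.request) for t in graph})
    return {sql for sql, c in hits.items() if c > frac * n}

def relevant(r, graph):  # D3: at least one transition that is not bookkeeping
    noise = reoccurring(graph)
    return any(t.sql not in noise for t in state_changing(r, graph))

def find_csrf(requests, graph):  # the traversal: all three conditions hold
    return [r for r in requests if state_changing(r, graph)
            and attacker_controlled(r, graph) and relevant(r, graph)]

# Constructed trace of one workflow: view data, change password, order, browse
REQUESTS = ["GET /user_data.php", "GET /change_pwd.php?password=new_secret",
            "GET /place_order.php?token=XZR4t6q",
            "GET /product.php?id=201", "GET /product.php?id=202"]
STR, TOKEN = frozenset({"String"}), frozenset({"String", "Session unique"})
COUNTER = "UPDATE pages SET cnt = cnt + 1 WHERE id = ?"
GRAPH = [  # /user_data.php only runs SELECTs, so it has no transition
    Transition("q0", "q1", REQUESTS[1], "UPDATE users SET pwd = ?", (("password", STR),)),
    Transition("q0", "q1", REQUESTS[1], COUNTER, ()),
    Transition("q1", "q2", REQUESTS[2], "INSERT INTO orders VALUES (?)", (("token", TOKEN),)),
    Transition("q2", "q3", REQUESTS[3], COUNTER, (("id", STR),)),
    Transition("q3", "q4", REQUESTS[4], COUNTER, (("id", STR),)),
]
```

find_csrf(REQUESTS, GRAPH) returns only the change_pwd request: the order request needs a session-unique token, and the product pages fire nothing but the page counter.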
Deemon: Testing
[Figure: test execution. The graph traversals produce candidate requests and queries; each request is replayed in the virtualized environment and the resulting trace is checked to classify the test as failed or successful.]
Evaluation
Inputs:
- 10 web apps from the Bitnami catalog (avg. 600k LoC)
- 93 workflows (e.g., change password, username, add/delete user/admin, enable/disable plugin)
Results:
- 1,380 requests: 1,186 state-changing, 194 not state-changing
- Of the state-changing requests: 164 relevant, 1,022 not relevant
- Of the relevant requests: 53 protected (108 tokens), 111 unprotected
- 219 tests: 190 failed, 29 successful -> 14 distinct CSRFs
Attacks:
- User account takeover in AbanteCart and OpenCart
- Database corruption in Mautic
- Web app takeover in Simple Invoices
Results Analysis: Awareness
1. Complete awareness: all state-changing operations are protected (e.g., Horde, Oxid, and Prestashop)
2. Unawareness: none of the relevant state-changing operations are protected (i.e., Simple Invoices)
3. Partial awareness:
   - Role-based: only the admin is protected (i.e., OpenCart and AbanteCart)
   - Operation-based: adding data items is protected, deleting is not (i.e., Mautic)
Takeaways
- Presented Deemon: dynamic analysis + property graphs
- Deemon detected 14 CSRFs that can be exploited to take over accounts and websites and to compromise database integrity
- Discovered alarming behaviors: security-sensitive operations are protected in a selective manner
- Read all the gory details or play with Deemon: G. Pellegrino et al., "Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs", in 24th ACM Conference on Computer and Communications Security, 2017 (CCS 2017). Source code: https://github.com/tgianko/deemon