Transcript In Depth Testing of Web Applications

Leveraging User Interactions for
In-Depth Testing of Web Application
Sean McAllister
Secure System Lab, Technical University Vienna, Austria
Engin Kirda
Institute Eurecom, France
Christopher Kruegel
University of California, Santa Barbara
Presented by..
Mahdi Nasrullah Al-Ameen
Research Problem ::
Detecting Vulnerabilities in Web Applications using
Black-Box Vulnerability Scanner.
Vulnerabilities ::


Cross-site Scripting (XSS Vulnerabilities)
SQL Injection
Vulnerabilities ::
Cross-site Scripting (XSS Vulnerabilities) :
It allows an attacker to embed malicious JavaScript, VBScript,
HTML into a vulnerable dynamic page to fool the user, executing
the script on his machine in order to gather data.
Hacker
Your Web Page
Victim
Infect with Script
Visit
Inject Script
Black Box Vulnerability Scanner ::
 Runs the application and monitors its executions.
 By providing a variety of malformed input values, the goal is to
find cases in which the application misbehaves or crashes.
Limitations of the Current Black Box Vulnerability
Scanners ::
Often fail to test a substantial fraction of a web application’s
logic ..
Especially when this logic is invoked from pages that can
only be reached ..after filling out complex forms that check the
correctness of the provided values.
Contributions of the Paper ::
To address the limitations of existing tools ..the paper has
proposed several techniques ..that allow the scanner to reach
“deeper” into the application ..thus detecting more entry points
..which can then be tested or fuzzed ..using existing databases
of malformed input values.
Contributions of the Paper ::
Guided Fuzzing : Leverages previously recorded user input to
fill out forms with values that are likely valid.
Extended Guided Fuzzing : Guided Fuzzing is further extended
by using each step to explore a program more comprehensively.
Stateful Fuzzing : Mitigates potentially undesirable side effects
that may occur during implementing Extended Guided Fuzzing.
Layout of the Presentation ::
 High Level Idea of Proposed Fuzzing Techniques
 Overview of Experimental Results
 Comparison with Related Works
 Limitations of the Paper
 My Suggestions
Guided Fuzzing :: Increasing Testing Depth
Phase I: Collecting Input ::

Using a Proxy between Web Client and the Web Server
to log inputs that are sent to the Web Applications.

Recording incoming inputs at the Server side by
means of Web Server Log Files.
Guided Fuzzing ::
Phase II: Replaying Input ::
Assume, the Scanner has reached Step 2 using
previously
recorded inputs at Step 1.
Fuzzer component is invoked at Step 2 (uses database of
malformed values).
Previously recorded input values stored for Step 2 are
used to advance to Step 3.
Guided Fuzzing ::
Terminating Condition:

Test Case is exhausted.

Previously recorded input is no longer valid.
Guided Fuzzing ::
Limitations:
For each step only a single entry point is analyzed.
Extended Guided Fuzzing :: Increasing Testing
Breadth
 For each step, all the entry points are explored - for fuzzing the
complete site .. that is reachable from the current page.
 Increases the number of entry points a scanner can test.
Extended Guided Fuzzing :: Increasing Testing
Breadth
Limitations :
Inputs, sent by the fuzzer .. may change the state of
the applications such that the remaining steps can no longer
be executed.
Stateful Fuzzing ::
A Snapshot of the current state of the Application is taken.
Then the Fuzzer is allowed to run .. that may cause significant
changes to the states of the Application.
After each Fuzzing step, the application is restored to the
previously taken Snapshot.
At this point the Application is in the expected state and can
advance one step.
After that .. the process is repeated-that is .. a Snapshot is taken
and the Fuzzer is invoked.
Stateful Fuzzing ::
To be able to capture the state of an Application and
subsequently restore it : whenever an Object is modified or
deleted, a copy of this object is saved.
Stateful Fuzzing ::
Mapping of URLs to Functions:
 Finding the set of URLs that all invoke the same function
within the application.
 User Input, collected for one of these forms .. can be
reused for other forms as well (when no user input is
recorded for these forms).
Stateful Fuzzing ::
Mapping of URLs to Functions:
 Record the name of the function, the requested URL maps to.
 When an unknown URL is found, query .. which function is
invoked by this URL.
 Search .. if this function is previously called by another URL.
 If this is the case, examine name-value pairs associated with
this other URL.
 For each of those names .. find a form element on the current
page that has the same name.
 When a similar name is found .. the corresponding stored value
is supplied.
Overview of the Experimental Results
Application 1: Blogging Application
Detected Unique Vulnerabilities:
Guided Fuzzing:
1
Extended Fuzzing: 1
Stateful Fuzzing: 1
Other Scanners:
0
(Spider, Burp Spider, w3af, Acunetix)
Overview of the Experimental Results
Application 2: Online Shopping Application
Detected Unique Vulnerabilities :
Guided Fuzzing:
9
Extended Fuzzing: 1
Stateful Fuzzing: 9
Other Scanners:
(w3af, Acunetix)
1
Overview of the Experimental Results
Application 2: Online Shopping Application
Locations :
Guided Fuzzing:
22
Extended Fuzzing: 25
Stateful Fuzzing:
32
Other Scanners:
Spider:
Burp Spider:
W3af:
Acunetix
18
22
21
22
Discussion on the Experimental Results ::
The Authors have claimed..
 All vulnerabilities that are found in the experiments were
previously unknown.
 Fuzzing Techniques consistently find more (or at least
same amount) of bugs than other open source and
commercial scanners.
Related Work ::
Secubat : A web Vulnerability Scanner

Can detect XSS and SQL Injection Vulnerabilities.
Limitations:

Cannot fill out forms.

Suffers from the problem of test coverage.
Related Work ::
WinRunner : A web Vulnerability Scanner
 Allows a human tester to record user inputs.
 Replays these inputs while testing.
Limitations:

Not fully Automated.
Limitations of the Paper ::
 Experiments are done only for XSS Vulnerabilities.
 Through experiments no Comparison is shown with Static
Source Code Analysis Tools.
 No Comparison is shown with the Tool that uses Human
Tester.
Scopes of Improvements : My Suggestions ::
To prove the effectiveness of the Proposed Scanner..
 Experiments to find out SQL Injection Vulnerabilities
should be done.
 Experiments should be done for Social Networking
Web Application.
 Experiments should accommodate comparisons
with the tools that use Human Tester.
qUEsTIONs ?
Thank you…