Please use this identifier to cite or link to this item: https://idr.nitk.ac.in/jspui/handle/123456789/14099
Title: Behavior-Based Attack Generation for Detecting Web Application Vulnerabilities
Authors: Deepa, G.
Supervisors: Thilagam, P. Santhi
Keywords: Department of Computer Science & Engineering;Web security;Database security;Security testing;Vulnerability discovery;Penetration testing;Application logic vulnerabilities;Logic attacks;Parameter tampering;Application flow bypass
Issue Date: 2018
Publisher: National Institute of Technology Karnataka, Surathkal
Abstract: Web applications provide a convenient platform to support a wide range of day-to-day activities such as bill payments, online shopping, banking, and social networking. However, the accessibility, omnipresence, demand, and ever-growing user-base have made web applications an attractive target for attackers. The attacks on web applications occur due to the existence of weaknesses in the applications, which allow the attackers to exploit and perform adverse actions. These weaknesses are known as vulnerabilities, and are broadly categorized as Injection vulnerabilities and Logic vulnerabilities, which are rated as the most potent vulnerabilities by different security consortiums. Hence, in order to secure web applications from the attacks, it is indispensable to detect these vulnerabilities. The vulnerabilities in web applications are detected using either white-box or black-box analysis. While the former analyzes the source code of the application, the latter penetrates the application with malicious inputs/requests, and observes the output for exposing the vulnerabilities. The primary challenge during the penetration lies in producing malicious requests automatically based on the intended behavior of the application. Therefore, this work aims at developing a behavior-based approach to generate attack requests through black-box analysis for the detection of logic and injection vulnerabilities in web applications. Logic vulnerabilities in web applications allow the malicious users to compromise the application-specific functionality against the expectations of the stakeholders. These vulnerabilities are introduced due to missing/incorrect server-side validation, access checks, and sequence checks, and are known as parameter manipulation, access-control, and workflow vulnerabilities respectively.
Logic vulnerabilities are application-specific, and hence detection of these vulnerabilities through black-box analysis is extremely challenging as it requires a clear understanding of the intended behavior of the application for generation of attack requests. The intended behavior can be inferred by examining both the data flow and control flow information of the application. The existing approaches utilize either the data flow or control flow to infer the intended behavior, and are capable of detecting only a specific type of logic vulnerability. Hence, there is a demand for a system that is capable of inferring the intended behavior of the application in order to generate attack requests for detecting all types of logic vulnerabilities. The proposed work aims at modeling the intended behavior of the application in the form of an annotated Finite State Machine (FSM) using both the data flow and control flow information obtained from web application traces. The constructed model is utilized to generate attack requests for identifying all types of business logic vulnerabilities. The constructed model is evaluated on vulnerable benchmark applications, and the experimental results substantiate the effectiveness of the proposed model in comparison with the recent approaches. In addition, the model helps in detecting logic vulnerabilities leading to session puzzling attacks, which is not addressed in the existing approaches. Web applications store data in relational databases traditionally. However, a lot of web applications in use today are XML-based as they involve exchange of information through XML documents, and store these documents in Native XML Databases (NXDs). NXDs are generally preferred for applications that hold highly diverse information, involve integration of information from different sets of applications, handle rapidly evolving schemas, and work with a huge set of documents or large-sized documents (e.g., books, web pages).
The existing literature assures the growing demand towards usage of NXDs. The database of the applications is targeted by attackers to inject code fragments into user-input which attempt to modify the query submitted to the database resulting in SQL/XML injections. While SQL injection targets relational databases, XML injection targets NXDs that utilize XQuery/XPath as the query language. The literature available to address XML/XPath/XQuery injections is relatively less compared to SQL injection, and the existing approaches for vulnerability detection focus on manual construction of individual attack requests based on known types of attacks. Therefore, there is a demand for an approach that enables the generation of attack requests for detection of all types of XQuery injection vulnerabilities specified by the security consortium Open Web Application Security Project (OWASP), and that is extendable enough to generate attack requests leading to unknown types of attacks. Hence, this work formulates an attack grammar for generation of attack requests to identify XQuery injection vulnerabilities in web applications driven by NXDs. The strings generated by the attack grammar are injected into the web application for detecting the vulnerabilities. In addition to the different types of attacks listed by OWASP, three new categories of XQuery injection attacks, namely alternate encoding, injection through evaluation function, and XQuery comment injection attacks, are discovered. These attacks demonstrate the extendability of the proposed attack grammar. The proposed grammar is evaluated on vulnerable benchmark applications from the test suite of AMNESIA. The experimental results substantiate the effectiveness of the proposed grammar in detecting all types of XQuery injection vulnerabilities.
URI: http://idr.nitk.ac.in/jspui/handle/123456789/14099
Appears in Collections: 1. Ph.D Theses

Files in This Item:
File: 138032CS13F06.pdf; Size: 1.98 MB; Format: Adobe PDF

