• Aucun résultat trouvé

Mathematical model of input validation vulnerabilities and attacks

N/A
N/A
Info
Télécharger
Protected

Academic year: 2022

Partager "Mathematical model of input validation vulnerabilities and attacks"

Copied!
25
0
0

Chargement.... (Voir le texte intégral maintenant)

Texte intégral

(1)

Mathematical model of input validation

vulnerabilities and attacks

Ivan Novikov, Wallarm

(2)

@d0znpp (twitter, facebook, etc.)

Web application security researcher Bug hunter

Author of “SSRF bible” (http://bit.ly/SSRF_bible) Wallarm CEO (https://wallarm.com)

About

(3)

A problem of terminology

CWE WASC OWASP ...

X: I found XSS!

Y: HTML injection?

X: !!!!%^@^#%^%@!!

X: I found XXE!

Y: XML injection?

X: !!!!%^@^#%^%@!!

X: I found CRLF injection!

Y: Can you exploit it as splitting for XSS injection? Or just open-redirect?

X: !!!!%^@^#%^%@!!

(4)

1930s

(5)

von Neumann (Princeton)

Harvard

1940s

(6)

> SELECT id FROM users WHERE login=’admin’ AND password=’123456’

< OK

> SELECT id FROM users WHERE login=? AND password=?

> admin

> 123456

< OK

“Common bus” in a client-server model

(7)

> SELECT id FROM users WHERE login=’admin’ AND password=’123456’

< OK

> SELECT id FROM users WHERE login=? AND password=?

> admin

> 123456

< OK

“Common bus” in a client-server model

Harvard

von Neumann (Princeton)

(8)

Which conclusions?

Data and

instructions

How to systemize it?

(9)

As always, mathematics can help us!

(10)
(11)

o i

(12)

o i

o j

(13)

V-objects of K

j

type injection for O definition

Exists o in O have V-objects not in Kj-type AND Exists another o in O have V-objects in Kj-type

(14)

V-objects of K

j

type execution for O definition

All o in O have V-objects in Kj-type

(15)

Implementations

Turing machine Formal grammars Logic flows

DNA Viruses ...

(16)

Example #1. XML instructions execution

POST /xmlrpc HTTP/1.1

<?xml version=”1.0”?>

<!DOCTYPE [<!ENTITY % a SYSTEM “http://...”> %a; %o; %l;]>

<a>test</a>

(17)

Example #1. XML external entities injection

POST /xmlrpc HTTP/1.1

<?xml version=”1.0”?>

<!DOCTYPE [<!ENTITY % a SYSTEM “http://...”> %a; %o; %l;]>

<a>test</a>

(18)

No precedents (regexps, fingerprints) anymore for:

IDS/IPS (such as WAF) Fuzzers

DAST ...

And what? What does it do in practice?

(19)

libinjection — open source library to detect SQL injection based on tokenizer Only first 5 tokens

Token fingerprints for all known attacks (about 9k) Hardcoded tokenizer — hard to maintain

It seems to be a good idea to mark each token as “data” or “instruction”.

As a result, it’ll be possible to detect attacks without signatures!

First steps

(20)

http://pastebin.com/8i40qQAx http://pastebin.com/Wy0fhegr http://pastebin.com/7zd51x0h

NEW! Bypasses for mod_security, libinjection and other WAFs

by @sergey_lakantar , @lightos , @d0znpp , @NGalbreath , @black2fan

Parser/tokenizer bugs provides bypasses anyway

(21)

And finally... More syntaxes!

libdetection PoC is available at https://github.com/wallarm now ./lib/sqli:

CMakeLists.txt sqli.c sqli.h sqli_lexer.re2c sqli_parser.y

./include/:

detect.h detect_parser.h queue.h

Bison grammar (BNF like) re2c lexer

definitions

interface for your parsers external

interface for libdetection

(22)
(23)
(24)

Just PoC. Grammar and lexer are simple!

Some tests

/dev/random strings (average length 255 bytes) i7-4710HQ (1 core used)

libinjection wallarm PoC (libdetection) /dev/random (255b aver.len) 391k/s 953k/s (+243%)

libinjection ./data/* attacks 530k/s 539k/s (~ the same)

AAA...x1024 182k/s 200k/s (+9%)

(25)

Thanks!

@wallarm, @d0znpp

https://github.com/wallarm

research

Références

Télécharger maintenant ( PDF - 25 Page - 7.97 MB )

Documents relatifs

Scenario-Based Markovian Modeling of Web-System Availability Considering Attacks on Vulnerabilities

This model describes a web-system with attacks on DNS vulnerabilities and periodic maintenance activities (security audits) including detection and elimination

Cutter – a Universal Multilingual Tokenizer

Unit tests reliably detect if new to- ken identification rules conflict with existing ones and thus assure consistent tokenization when extending the rule sets.. In: Mark Cieliebak,

SQL Injection Attacks and Defense

Exploiting a SQL injection vulnerability can mean different things in different situations depending on the conditions in place, such as the privileges of the user per- forming

Smart attacks based on control packets vulnerabilities with IEEE 802.11 MAC

to listen and monitor the network traffic, we obtained result which is plotted in figure 12. We notice that after the first successful communication between nodes A and B, node M

ATTACK DETECTION RESPONSE LINUXFIREWALLS USE IPTABLES TO DETECT AND PREVENT NETWORK-BASED ATTACKSUSE IPTABLES TO DETECT AND PREVENT NETWORK-BASED ATTACKS

The seq and ack Snort options apply to the sequence and acknowledg- ment numbers in the TCP header, but the LOG target does not include these fields by default when a packet

Security Slicing for Auditing XML, XPath, and SQL Injection Vulnerabilities

More precisely, to facilitate security auditing of XMLi, XPathi, and SQLi vulnerabilities in program source code, we apply static analysis to first identify the sinks and sources,

On the impact of tokenizer and parameters on N-gram based Code Analysis

First, we compute the Pearson correlation coefficients to formally assess whether there is a strong linear relationship between the tokenizers (i.e., the entropy values change

On Distinct Known Plaintext Attacks

Keywords: multidimensional linear attack, zero-correlation linear at- tack, key-difference-invariant-bias attack, known plaintext, distinct known plaintext, statistical model..