Automatic Generation of XSS and SQL Injection Attacks with Goal-Directed Model Checking

Cross-site scripting (XSS) and SQL injection errors are two prominent examples of taint-based vulnerabilities that have been responsible for a large number of security breaches in recent years. This paper presents QED, a goal-directed model-checking system that automatically generates attacks exploiting taint-based vulnerabilities in large Java web applications. This is the first time where model checking has been used successfully on real-life Java programs to create attack sequences that consist of multiple HTTP requests. QED accepts any Java web application that is written to the standard servlet specification. The analyst specifies the vulnerability of interest in a specification that looks like a Java code fragment, along with a range of values for form parameters. QED then generates a goal-directed analysis from the specification to perform session-aware tests, optimizes to eliminate inputs that are not of interest, and feeds the remainder to a model checker. The checker will systematically explore the remaining state space and report example attacks if the vulnerability specification is matched. QED provides better results than traditional analyses because it does not generate any false positive warnings. It proves the existence of errors by providing an example attack and a program trace showing how the code is compromised. Past experience suggests this is important because it makes it easy for the application maintainer to recognize the errors and to make the necessary fixes. In addition, for a class of applications, QED can guarantee that it has found all the potential bugs in the program. We have run QED over 3 Java web applications totaling 130,000 lines of code. We found 10 SQL injections and 13 cross-site scripting errors.

[1]  James C. Corbett,et al.  Bandera: extracting finite-state models from Java source code , 2000, ICSE.

[2]  Benjamin Livshits,et al.  Reflection Analysis for Java , 2005, APLAS.

[3]  Christian Bauer,et al.  Hibernate in action , 2005 .

[4]  Anh Nguyen-Tuong,et al.  Automatically Hardening Web Applications Using Precise Tainting , 2005, SEC.

[5]  Gerard J. Holzmann,et al.  The Model Checker SPIN , 1997, IEEE Trans. Software Eng..

[6]  D. T. Lee,et al.  Securing web application code by static analysis and runtime protection , 2004, WWW '04.

[7]  James Holmes,et al.  Struts: The Complete Reference (Osborne Complete Reference Series) , 2004 .

[8]  Klaus Havelund,et al.  Model Checking Programs , 2004, Automated Software Engineering.

[9]  Benjamin Livshits,et al.  Context-sensitive program analysis as database queries , 2005, PODS.

[10]  D. T. Lee,et al.  Verifying Web applications using bounded model checking , 2004, International Conference on Dependable Systems and Networks, 2004.

[11]  Roy T. Fielding,et al.  Uniform Resource Identifiers (URI): Generic Syntax , 1998, RFC.

[12]  Benjamin Livshits,et al.  Finding application errors and security flaws using PQL: a program query language , 2005, OOPSLA '05.

[13]  Sarfraz Khurshid,et al.  Test input generation with java PathFinder , 2004, ISSTA '04.

[14]  Koushik Sen,et al.  DART: directed automated random testing , 2005, PLDI '05.

[15]  Herbert Schildt,et al.  Struts : the complete reference , 2004 .

[16]  Sarfraz Khurshid,et al.  Korat: automated testing based on Java predicates , 2002, ISSTA '02.

[17]  Zhendong Su,et al.  The essence of command injection attacks in web applications , 2006, POPL '06.

[18]  Michael Hicks,et al.  Defeating script injection attacks with browser-enforced embedded policies , 2007, WWW '07.

[19]  David Hovemeyer,et al.  Finding bugs is easy , 2004, SIGP.

[20]  Dawson R. Engler,et al.  A system and language for building system-specific, static analyses , 2002, PLDI '02.

[21]  Junfeng Yang,et al.  Automatically generating malicious disks using symbolic execution , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[22]  Edith Schonberg,et al.  SABER: smart analysis based error reduction , 2004, ISSTA '04.

[23]  Dawson R. Engler,et al.  Proceedings of the 5th Symposium on Operating Systems Design and Implementation Cmc: a Pragmatic Approach to Model Checking Real Code , 2022 .

[24]  Zhendong Su,et al.  Sound and precise analysis of web applications for injection vulnerabilities , 2007, PLDI '07.

[25]  Monica S. Lam,et al.  Cloning-based context-sensitive pointer alias analysis using binary decision diagrams , 2004, PLDI '04.

[26]  Michael Benedikt,et al.  VeriWeb: Automatically Testing Dynamic Web Sites , 2002 .

[27]  Gary McGraw,et al.  Exploiting Software: How to Break Code , 2004 .

[28]  Dawson R. Engler,et al.  EXE: automatically generating inputs of death , 2006, CCS '06.

[29]  Jack Dongarra,et al.  MPI: The Complete Reference , 1996 .

[30]  Junfeng Yang,et al.  Using model checking to find serious file system errors , 2004, TOCS.