Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner

Black-box web vulnerability scanners are a popular choice for finding security vulnerabilities in web applications in an automated fashion. These tools operate in a point-and-shootmanner, testing any web application-- regardless of the server-side language--for common security vulnerabilities. Unfortunately, black-box tools suffer from a number of limitations, particularly when interacting with complex applications that have multiple actions that can change the application's state. If a vulnerability analysis tool does not take into account changes in the web application's state, it might overlook vulnerabilities or completely miss entire portions of the web application. We propose a novel way of inferring the web application's internal state machine from the outside--that is, by navigating through the web application, observing differences in output, and incrementally producing a model representing the web application's state. We utilize the inferred state machine to drive a black-box web application vulnerability scanner. Our scanner traverses a web application's state machine to find and fuzz user-input vectors and discover security flaws. We implemented our technique in a prototype crawler and linked it to the fuzzing component from an open-source web vulnerability scanner. We show that our state-aware black-box web vulnerability scanner is able to not only exercise more code of the web application, but also discover vulnerabilities that other vulnerability scanners miss.

[1]  Frank Tip,et al.  Finding Bugs in Web Applications Using Dynamic Test Generation and Explicit-State Model Checking , 2010, IEEE Transactions on Software Engineering.

[2]  D. de Werra,et al.  Graph Coloring Problems , 2013 .

[3]  Yannis Smaragdakis,et al.  DSD-Crasher: A hybrid analysis tool for bug finding , 2006, TSEM.

[4]  Marco Vieira,et al.  Using web security scanners to detect vulnerabilities in web services , 2009, 2009 IEEE/IFIP International Conference on Dependable Systems & Networks.

[5]  Giuseppe A. Di Lucca,et al.  WARE: a tool for the reverse engineering of Web applications , 2002, Proceedings of the Sixth European Conference on Software Maintenance and Reengineering.

[6]  Andrew C. Myers,et al.  SIF: Enforcing Confidentiality and Integrity in Web Applications , 2007, USENIX Security Symposium.

[7]  Sriram Raghavan,et al.  Crawling the Hidden Web , 2001, VLDB.

[8]  Xiaowei Li,et al.  BLOCK: a black-box approach for detection of state violation attacks towards web applications , 2011, ACSAC '11.

[9]  Christopher Krügel,et al.  Toward Automated Detection of Logic Vulnerabilities in Web Applications , 2010, USENIX Security Symposium.

[10]  Christopher Krügel,et al.  Leveraging User Interactions for In-Depth Testing of Web Applications , 2008, RAID.

[11]  John C. Mitchell,et al.  State of the Art: Automated Black-Box Web Application Vulnerability Testing , 2010, 2010 IEEE Symposium on Security and Privacy.

[12]  Richard Wolski,et al.  The Eucalyptus Open-Source Cloud-Computing System , 2009, 2009 9th IEEE/ACM International Symposium on Cluster Computing and the Grid.

[13]  Arie van Deursen,et al.  Crawling AJAX by Inferring User Interface State Changes , 2008, 2008 Eighth International Conference on Web Engineering.

[14]  Giovanni Vigna,et al.  Multi-module vulnerability analysis of web-based applications , 2007, CCS '07.

[15]  Porfirio Tramontana,et al.  Reverse Engineering Finite State Machines from Rich Internet Applications , 2008, 2008 15th Working Conference on Reverse Engineering.

[16]  Christopher Krügel,et al.  Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[17]  Josef Stoer,et al.  Numerische Mathematik 1 , 1989 .

[18]  Giovanni Vigna,et al.  Why Johnny Can't Pentest: An Analysis of Black-Box Web Vulnerability Scanners , 2010, DIMVA.

[19]  Tommy R. Jensen,et al.  Graph Coloring Problems , 1994 .

[20]  D. T. Lee,et al.  Securing web application code by static analysis and runtime protection , 2004, WWW '04.

[21]  Giovanni Vigna,et al.  Static Enforcement of Web Application Integrity Through Strong Typing , 2009, USENIX Security Symposium.

[22]  Robert A. Martin,et al.  Vulnerability Type Distributions in CVE , 2007 .

[23]  Edsger W. Dijkstra,et al.  A note on two problems in connexion with graphs , 1959, Numerische Mathematik.

[24]  Tao Xie,et al.  DSD-Crasher: A hybrid analysis tool for bug finding , 2008 .

[25]  Richard Sharp,et al.  Abstracting application-level web security , 2002, WWW.

[26]  Christopher Krügel,et al.  Static analysis for detecting taint-style vulnerabilities in web applications , 2010, J. Comput. Secur..

[27]  Giovanni Vigna,et al.  Swaddler: An Approach for the Anomaly-Based Detection of State Violations in Web Applications , 2007, RAID.

[28]  Christopher Krügel,et al.  Fear the EAR: discovering and mitigating execution after redirect vulnerabilities , 2011, CCS '11.

[29]  Alessandro Orso,et al.  Penetration Testing with Improved Input Vector Identification , 2009, 2009 International Conference on Software Testing Verification and Validation.

[30]  Christopher Krügel,et al.  SecuBat: a web vulnerability scanner , 2006, WWW '06.

[31]  Shih-Kun Huang,et al.  Web application security assessment by fault injection and behavior monitoring , 2003, WWW '03.

[32]  Jesse James Garrett Ajax: A New Approach to Web Applications , 2007 .

[33]  Bengt Jonsson,et al.  Regular Inference for State Machines Using Domains with Equality Tests , 2008, FASE.

[34]  Xiaowei Li,et al.  SENTINEL: securing database from logic flaws in web applications , 2012, CODASPY '12.