Author: 王奕勛 (Yi-Hsun Wang)
Thesis Title: 利用攻擊向量的結構學習產生跨網站變形攻擊 (Structural Learning of Attack Vectors for Mutated XSS Attacks Generation)
Advisor: 李漢銘 (Hahn-Ming Lee)
Committee: 林豐澤 (Feng-Tse Lin), 王榮英 (Jung-Ying Wang), 鮑興國 (Hsing-Kuo Pao)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Thesis Publication Year: 2010
Graduation Academic Year: 98
Language: English
Pages: 71
Keywords (in Chinese, translated): Cross-site scripting, Web application security, Markov model, Bayes' theorem, mutation attack
Keywords (in other languages): Web Security, XSS, HMM, Bayes theorem, Mutation
Abstract (Chinese, translated):

In Web applications, cross-site scripting attacks can bypass access control to obtain elevated privileges, and these attacks all stem from incomplete or incorrect sanitization functions in the Web application. Even though programmers and security experts alike use automatic testing tools to find XSS vulnerabilities, such tools lack a mutation mechanism that helps discover latent XSS vulnerabilities.

To assist current XSS vulnerability detection techniques, this thesis emphasizes generating more threatening XSS attacks. We propose a fully automatic structural learning mechanism for attack vectors. The generation of mutated attacks relies on the analysis of attack vectors and on the structural learning mechanism. At the core of the learning mechanism, a hidden Markov model is used to represent the structure of the attack vector model, in order to capture the latent manner in which attack vectors are composed. Using the tokenizing mechanism proposed in this thesis, XSS attacks are labeled with abstract syntactic meaning, which makes the modeled manners more representative; in addition, Bayes' theorem is used to determine the number of hidden state nodes in the attack vector model, making the model more general. We use Burp Intruder to evaluate the proposed method, and the experimental results show that mutated XSS attacks can identify latent XSS vulnerabilities.

The technique proposed in this thesis focuses on learning the constituent elements and the implicit structure of XSS attacks. Furthermore, the technique can increase the ability of black-box or white-box testing to detect XSS vulnerabilities. The contributions of this thesis are as follows: (1) automatically learning the structure of attack vectors, from analysis of real data to modeling a structural model of attack vectors; (2) mimicking the composition manners and elements of attack vectors to extend the testing capability of XSS vulnerability testing tools; (3) helping to verify the weaknesses of blacklist-based input filtering functions in Web applications.


Abstract (English):

Cross-site scripting (XSS) attacks in Web applications can bypass access control to gain elevated access privileges, and they result from incomplete or incorrect input sanitization. Whether programmers or security experts use automatic testing tools equipped with predefined attack vectors or manually craft attack vectors to identify XSS vulnerabilities, they lack a mutation mechanism that helps discover diverse manifestations of potential vulnerabilities. Learning the structure of attack vectors could enrich the variety of manifestations in generated XSS attacks for identifying XSS vulnerabilities.

In this study, we focus on the generation of threatening XSS attacks for state-of-the-art detection approaches that find potential XSS vulnerabilities in web applications. We propose a structural learning mechanism for generating mutated XSS attacks in a fully automatic way. Mutated XSS attack generation depends on the analysis of attack vectors and on the structural learning mechanism. For the kernel of the learning mechanism, a hidden Markov model (HMM) is applied to present the structure of the attack vector model and to capture the implicit manner of the attack vector. These manners benefit from the syntactic meanings labeled by the proposed tokenizing mechanism. Bayes' Theorem is used to determine the number of hidden states in the model, which generalizes the attack vector model. We evaluate the proposed mechanism with Burp Intruder on a dataset collected from public XSS archives. The experimental results demonstrate that mutated XSS attack generation can identify potential vulnerabilities.

The proposed technique aims at testing Web applications by learning the elements and implicit structures that exist in XSS attacks. Furthermore, this method can increase the probability of finding XSS vulnerabilities in black-box or white-box testing. The contributions of this study are: (1) automatically learning the structure of attack vectors, from practical data analysis to modeling a structural model of attack vectors; (2) mimicking the manners and elements of attack vectors to extend the ability of testing tools to identify XSS vulnerabilities; (3) helping to verify the flaws of blacklist sanitization procedures in Web applications.

Table of Contents:
Abstract, p. i
Acknowledgements, p. iii
1 Introduction, p. 1
1.1 Motivation, p. 2
1.2 Problem Definition and Goal, p. 5
1.3 Thesis Contribution, p. 6
1.4 The Outline of Thesis, p. 7
2 Related Work, p. 8
2.1 Static Analysis, p. 8
2.2 Black-box Testing, p. 10
2.3 Hybrid Testing, p. 12
3 Generation of Mutated XSS Attacks, p. 14
3.1 Attack Vector Tokenizer, p. 15
3.1.1 XSS Attack Locator, p. 16
3.1.2 Token Extractor, p. 17
3.2 Structural Learning of Attack Vectors, p. 17
3.2.1 Attack Vector Structure Learning, p. 18
3.2.2 Attack Vector Profile, p. 20
3.3 Mutated Attack Generator, p. 20
4 Experiment and Results, p. 22
4.1 Experiment Design and Dataset, p. 22
4.1.1 Experiment Concept and Description, p. 23
4.1.2 Dataset Description, p. 24
4.2 Evaluation Metrics, p. 26
4.3 Numerical Results and Case Studies, p. 27
4.4 Discussion, p. 31
5 Conclusion and Further Work, p. 34
A Appendix, p. 44
