Abstract
We propose a formal approach that allows one to (i) reason about file-system vulnerabilities of web applications and (ii) combine file-system vulnerabilities and SQL-Injection vulnerabilities for complex, multi-stage attacks. We have developed an automatic tool that implements our approach and we show its efficiency by discussing four real-world case studies, which are witness to the fact that our tool can generate, and exploit, attacks that, to the best of our knowledge, no other tool for the security of web applications can find.
Notes
1. The Top 10 compiled by OWASP is a general classification and does not include a specific category named “file-system vulnerability”; however, “Injection”, “Broken Authentication and Session Management” and “Security Misconfiguration” (to name just a few) can all lead to a vulnerability related to the file-system.
2. We assume the communication with the file-system to be secure: the file-system is not a real network node, so no attacker can interpose between the web application and the file-system, i.e., man-in-the-middle attacks on this channel are not possible.
3. In this paper we need not distinguish between different kinds of encrypted messages, though this could be done by following standard practice. Here we do not even need to consider encrypted messages explicitly, but we add them for completeness.
4. We do not need to consider access control policies/models, as they are external to the web app. Hence, we assume that every file in the file-system can always be read and that every write operation will always succeed.
5. We plan to extend CL-AtSe or replace it with a tool capable of generating multiple attack traces.
© 2017 Springer International Publishing AG
De Meo, F., Viganò, L. (2017). A Formal Approach to Exploiting Multi-stage Attacks Based on File-System Vulnerabilities of Web Applications. In: Bodden, E., Payer, M., Athanasopoulos, E. (eds) Engineering Secure Software and Systems. ESSoS 2017. Lecture Notes in Computer Science(), vol 10379. Springer, Cham. https://doi.org/10.1007/978-3-319-62105-0_13
DOI: https://doi.org/10.1007/978-3-319-62105-0_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-62104-3
Online ISBN: 978-3-319-62105-0
eBook Packages: Computer Science (R0)