1 Background
1.1 Introduction
1.2 Background and related work
/etc/passwd file content. In order to identify the vulnerabilities of a Web site, the scanners generally send specially crafted requests via the identified injection points, allowing them to determine whether the input parameters submitted to the target system are sanitized or not. An injection point is a piece of a Web page into which code can be injected: a parameter in the URL, a field of a form, etc. Overall, the identification of potential vulnerabilities is generally based on the characterization of the responses of a Web server to crafted requests sent via the injection points, and on the ability to distinguish rejection pages from execution pages.

1.2.1 Error pattern matching approach
W3af (http://w3af.sourceforge.net) (sqli module), Wapiti (http://wapiti.sourceforge.net), and Secubat [4] adopt such an approach. As an example, to detect injection vulnerabilities in authentication forms, the sqli module of W3af sends three requests based on the SQL injection d’z~0 (or d%2Cz%220 encoded in ASCII). The three corresponding responses are then analyzed. If they include SQL error messages (e.g., Mysql_ and supplied argument is not a valid Mysql), W3af informs the user that the application is vulnerable.

Secubat for the error pattern matching approach is presented in [4]. This list, derived by analyzing the response pages of vulnerable Web sites, is aimed at covering a wide range of error responses and a variety of database servers. A confidence factor, measuring the level of confidence that the attacked Web form is vulnerable, is also assigned to each keyword.

1.2.2 Similarity approach
Skipfish (http://code.google.com/p/skipfish) for detecting SQL injection vulnerabilities. Three requests are sent to the Web application (A: ’~, B: \’\~, and C: \\’\\~). The responses are compared two by two. According to Skipfish, a vulnerability is present if both responses associated to B and C are not similar to the response associated to A. The similarity test uses a distance based on the frequency of the words in the response pages.

1.2.3 Discussion and contributions
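As an added illustration (this is not code from the paper, nor Skipfish's own implementation), the following Python sketch implements a word-frequency distance and the three-response rule of Section 1.2.2 over constructed response pages. The normalised count-difference distance and the 0.2 threshold are assumptions, since Skipfish's exact metric is not given here. It also makes the word-order limitation discussed in this section concrete: two pages made of the same words in a different order are at distance zero, and two nearly identical SQL error pages for A and C leave the injection point unreported.

```python
import re
from collections import Counter

WORD_RE = re.compile(r"[A-Za-z0-9_]+")


def word_frequencies(page: str) -> Counter:
    """Word-count profile of a response body; word order is discarded."""
    return Counter(WORD_RE.findall(page.lower()))


def frequency_distance(page_a: str, page_b: str) -> float:
    """Distance in [0, 1] based only on word frequencies: sum of per-word count
    differences, normalised by the total number of words in both pages.
    0.0 means identical word counts, even if the words appear in another order."""
    fa, fb = word_frequencies(page_a), word_frequencies(page_b)
    total = sum(fa.values()) + sum(fb.values())
    if total == 0:
        return 0.0
    diff = sum(abs(fa[w] - fb[w]) for w in set(fa) | set(fb))
    return diff / total


def three_request_verdict(resp_a: str, resp_b: str, resp_c: str,
                          threshold: float = 0.2) -> bool:
    """Skipfish-style rule: report the injection point only when the responses to
    the two escaped variants (B and C) both differ from the response to A.
    The threshold is an assumption of this example."""
    return (frequency_distance(resp_a, resp_b) > threshold
            and frequency_distance(resp_a, resp_c) > threshold)


# Constructed responses (not captured from any real site).
SQL_ERROR_PAGE = ("<html><body><h1>Error</h1>"
                  "<p>You have an error in your SQL syntax near ''</p></body></html>")
SQL_ERROR_PAGE_ESCAPED = ("<html><body><h1>Error</h1>"
                          "<p>You have an error in your SQL syntax near '\\''</p></body></html>")
NORMAL_PAGE = ("<html><body><h1>Search results</h1>"
               "<p>No product matches your query.</p></body></html>")


def demo_detected() -> bool:
    """A breaks the query while B and C are handled cleanly: the point is reported."""
    return three_request_verdict(SQL_ERROR_PAGE, NORMAL_PAGE, NORMAL_PAGE)


def demo_missed() -> bool:
    """A and C both yield near-identical SQL error pages: the rule stays silent,
    which is the false-negative situation the paper observes for v1 and v2."""
    return three_request_verdict(SQL_ERROR_PAGE, NORMAL_PAGE, SQL_ERROR_PAGE_ESCAPED)


def demo_order_blind() -> float:
    """Same words in a different order: the frequency distance is exactly 0."""
    return frequency_distance("login failed: user admin not found",
                              "user found: admin login not failed")


if __name__ == "__main__":
    print("flagged when B and C differ from A:", demo_detected())
    print("flagged when A and C are both SQL errors:", demo_missed())
    print("distance between reordered pages:", demo_order_blind())
```

The distance only sees the multiset of words, so any similarity judgement that depends on where a word appears (an error message versus the same words inside a product listing) is invisible to it.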
Skipfish uses only three requests.

Skipfish does not take into account the order of the words in a text. However, this order generally defines the semantics of the page. Thus, it is important to take it into account when assessing the similarity, as is done in [5] with a text similarity distance. As an example, the two following pages use the same words in a different order, but they have different semantics:

2 Methods
2.1 Html page clustering for Web vulnerability detection
2.1.1 Principles
- is the set of requests generated from words randomly chosen from the list [a-zA-Z0-9]+. They are very likely to generate rejection pages, or execution pages associated to invalid input error messages. For example:
- is the set of syntactically incorrect SQL injection requests that are inappropriate for the given injection point. They are constructed to produce a syntax error in the SQL query sent to the SQL server by the HTTP server. Usually, these requests are composed of an odd number of quotes. They are also very likely to generate rejection pages. For example:
- is the set of syntactically correct SQL injection requests that are constructed to generate execution pages in the presence of vulnerabilities, but that might as well generate rejection pages in the absence of vulnerabilities. For example:
-

The main issue is to determine whether the response is a rejection page or an execution page. To do so, these responses are compared to those associated to the sets Rr and Rii.
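To make the classification step concrete, here is an added Python example (not the paper's code, and not Wasapy) covering the principle above and the distance of Section 2.1.2. Responses to the random-word requests and to the syntactically incorrect requests form two rejection clusters; a response to a syntactically correct injection request is treated as an execution page only when it lies outside the spread of both clusters. The order-aware distance (difflib's matching ratio over token sequences), the radius-plus-margin rule and all response bodies are assumptions of this example; the request strings themselves are out of scope here.

```python
import difflib
import re

TOKEN_RE = re.compile(r"\w+|[^\w\s]+")


def tokens(page: str) -> list:
    """Token sequence of a response body (words and punctuation runs); order preserved."""
    return TOKEN_RE.findall(page.lower())


def ordered_distance(page_a: str, page_b: str) -> float:
    """Order-aware distance in [0, 1]; 0 means identical token sequences.
    Assumption: difflib's ratio stands in for the text similarity distance of [5]."""
    matcher = difflib.SequenceMatcher(None, tokens(page_a), tokens(page_b), autojunk=False)
    return 1.0 - matcher.ratio()


def cluster_radius(pages) -> float:
    """Spread of a cluster: the largest distance between two of its members."""
    if len(pages) < 2:
        return 0.0
    return max(ordered_distance(a, b) for i, a in enumerate(pages) for b in pages[i + 1:])


def is_execution_page(candidate: str, rejection_clusters, margin: float = 0.05) -> bool:
    """A response to an Rvi request is an execution page when it falls outside the
    spread (radius + margin) of every rejection cluster (responses to Rr and to Rii)."""
    for members in rejection_clusters:
        radius = cluster_radius(members) + margin
        if min(ordered_distance(candidate, m) for m in members) <= radius:
            return False
    return True


def injection_point_verdict(rr_responses, rii_responses, rvi_responses):
    """Label each Rvi response; the point is reported when at least one execution page is seen."""
    clusters = [rr_responses, rii_responses]
    labels = ["execution" if is_execution_page(r, clusters) else "rejection"
              for r in rvi_responses]
    return "execution" in labels, labels


def page(body: str) -> str:
    """Wrap a constructed body in a minimal HTML skeleton."""
    return f"<html><body><p>{body}</p></body></html>"


# Constructed responses (assumption: no real site was queried).
RR_RESPONSES = [page(f"Login failed: unknown user {w}.") for w in ("kq8x2", "zt91p", "a0b7m")]
RII_RESPONSES = [page(f"Warning: you have an error in your SQL syntax near {q} at line 1")
                 for q in ("'''", "'''''", "''''")]
RVI_RESPONSES = [
    page("Warning: you have an error in your SQL syntax near '\"' at line 1"),  # rejected input
    page("Welcome back admin, you are now logged in."),  # the query's outcome changed
]

if __name__ == "__main__":
    vulnerable, labels = injection_point_verdict(RR_RESPONSES, RII_RESPONSES, RVI_RESPONSES)
    print("labels:", labels, "-> injection point reported:", vulnerable)
```

Because the Rr and Rii clusters are learned per injection point, the rule needs no list of error patterns and still works when error reporting is disabled: a rejection page with a generic message simply becomes the cluster centre, and only a response that looks like neither cluster counts as evidence.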
2.1.2 Distance
2.1.3 Requests generator
Skipfish).

TAUTAG rules are examples of such tautologies, and the INJECTION rules express how the tautology is included in an initial expression: (1) by closing the expression with delimiter characters (’, ~, or )), (2) by inserting the tautology (through a disjunction), and (3) by opening a new expression using the same delimiter characters.

2.1.4 Extension to other vulnerability classes
2.2 Attack scenarios with multiple vulnerabilities
2.2.1 Definitions
2.2.2 Principles
2.2.3 Example
PHP language and a MySql database. This site is a simple proof of concept, but it uses technologies and a structure similar to ‘real’ Web sites. Figure 3 presents the HTML page graph describing the structure of the Web site. A page is represented by an icon. An edge between two pages corresponds to the existence of an HTML link in the source page leading to the second page. Note that a particular reflexive link exists for the display.php page. This page lists the available books and includes a filtering function in a particular form field. A user may enter a regular expression in this field and submit it to the site in order to update the list of books.
login.php. The exploitation of this vulnerability allows an attacker to bypass the authentication thanks to an SQL injection. The second vulnerability is associated to the page display.php. It allows an attacker to download the content of the database. The last vulnerability, associated to the page check.php, allows an attacker to pay for the products he ordered without providing any credit card number. This vulnerability cannot be exploited unless some products have been added to the virtual shopping cart.

- access the index.html page
- fill in the form with the authentication information in the login.php page
- get information from the about.html page.
- P 1: index.html
- P 2: index.html → about.html
- P 3: index.html → login.php
- P 4: index.html → login.php → index.html.
login/password) are limited. However, if we consider an attacker who is able to exploit some vulnerabilities, then he is able to perform more actions than an unregistered benign user. Therefore, the associated navigation graph is a richer version of the graph in Figure 4: new edges and new nodes may appear.

login.php page. The result is depicted in Figure 5.
index.html and login.php. The set of traces executed for the second iteration includes 65 traces. These traces reach the following files: display.php, add.php, delete.php, buy.php, or check.php. Then, the vulnerability identification phase is re-executed once for each new edge generated during the second iteration. We iterate in this way until we get the final graph covering the entire site, as shown in Figure 6. In the case of this example, the algorithm stops after six iterations, considering a maximum depth of navigation set to 7. This means that no more vulnerabilities are discovered during the sixth iteration.
2.3 Algorithms
3 Results and discussion
Wasapy and the three open-source vulnerability scanners discussed in this paper: W3af 1.1, Skipfish 1.9.6b, and Wapiti 2.2.1. The experiments are run on a Gnu/Linux (2.6 kernel) host running several virtual machines thanks to the VirtualBox utility. All the virtual machines run the Apache Web server 1.3.37 or 2.2.8 with PHP 4.0.0 or 5.0.0 and MySQL database server 5.

Wasapy. Section 3.3 presents the second set of experiments with vulnerable off-the-shelf applications, without any modification of these applications. This subsection compares Wasapy to other vulnerability scanners on non-purposely injected vulnerabilities. For some of these applications, evaluation reports based on commercial scanners are available in [16]. We report some of these results in order to compare these scanners with Wasapy. Section 3.4 presents the summary of all these experiments.

3.1 Notations
SQL Injection
XPath Injection
OS Commanding
File Include
3.2 Experiments with modified applications
- phpBB-3: This application (http://www.phpbb.com) is a forum manager written in PHP and using a MySQL database. We modified the authentication form of the application by inserting a vulnerability (v1) that can be exploited by an SQL injection. This vulnerability allows an attacker to reach the restricted administration area of the forum.
- SecurePage: This application (http://www.01php.com/fiche-scripts-126.html), written in PHP, is designed to protect the access to a Web site through authentication. Valid pairs for this authentication are stored in a MySQL database. A vulnerability (v2) similar to v1 was purposely injected.
- HardwareStore: We developed this application in PHP 5.0. It allows a user to inventory computer equipment in a database and to query this database. The user first needs to be authenticated. Five SQL vulnerabilities were injected in this application. v3 allows SQL injection in a search form and gives an attacker access to the whole database. v4 allows SQL injection in the authentication form. v5 allows SQL injection in a parameter of an HTML request. For this vulnerable HTML page, we purposely disabled error message reporting, in order to compare the behavior of W3af and Wapiti in such a situation with the behavior of Wasapy. Vulnerability v6 is similar to v4 but is used in a different context: error message reporting is deactivated. Vulnerability v7 can only be exploited after the successful exploitation of v4. Indeed, this vulnerability is included in a page that can only be accessed after successful authentication on the application or after a successful bypass of the authentication mechanism (through exploitation of v4). XPath, OS Commanding, and File Include vulnerabilities were also injected in this application. Vulnerability v10, in the authentication page, allows an attacker to bypass the authentication through an XPath injection. v11 is an OS Commanding vulnerability that can be exploited only after v4 is successfully exploited. Indeed, this vulnerability is included in a page that is only accessible after authentication (or bypass of the authentication through successful exploitation of v4). Vulnerability v12 is a File Include vulnerability; it is inserted in the same page as v11 and can be exploited under the same conditions as v11.
- Insecure: This application was developed in Ruby on Rails in the context of the Dali project. It is an e-commerce site, including user sessions through virtual shopping carts. A vulnerability (v8), which allows an attacker to inject SQL code, was purposely included in the authentication form of the application. This vulnerability, functionally equivalent to v4, is nevertheless different because Insecure is implemented in Ruby and the error reporting messages differ from the Apache error reporting messages.
- Damn Vulnerable Web Application (DVWA): This application (http://www.dvwa.co.uk) is written in PHP and uses a MySQL server. A vulnerability v9, similar to v3, was introduced in the application.
W3af and Wapiti are similar on average, even if the vulnerabilities detected are not the same (Wapiti successfully detects v1 and v2 whereas W3af does not detect them; on the other hand, W3af detects v4 and v8 whereas Wapiti does not detect them). This result is consistent with the fact that both scanners use a pattern matching-based algorithm. The observed variations are related to the generation of different requests by these tools. Wasapy allows us to detect all these vulnerabilities. This confirms that the vulnerability detection clustering algorithm presents a better coverage than the pattern matching algorithm for these vulnerability classes.

Type | Application | ID | Skipfish | W3af | Wapiti | Wasapy
---|---|---|---|---|---|---
SQLi | phpBB3 | v1 | ✗ | ✗ | ✓ | ✓
SQLi | SecurePages | v2 | ✗ | ✗ | ✓ | ✓
SQLi | HardwareStore | v3 | ✓ | ✓ | ✓ | ✓
SQLi | HardwareStore | v4 | ✓ | ✓ | ✗ | ✓
SQLi | HardwareStore | v5 | ✓ | ✗ | ✗ | ✓
SQLi | HardwareStore | v6 | ✗ | ✗ | ✗ | ✓
SQLi | HardwareStore | v7 | − | − | − | ✓
SQLi | Insecure | v8 | ✓ | ✓ | ✗ | ✓
SQLi | DVWA | v9 | ✓ | ✓ | − | ✓
XPa | HardwareStore | v10 | ✗ | ✗ | ✗ | ✓
OsC | HardwareStore | v11 | − | − | − | ✓
FIn | HardwareStore | v12 | − | − | − | ✓
Number of detections | | | 5 | 4 | 3 | 12
v1 and v2, we manually checked the injections performed by Skipfish (’~, \’\~ and \\’\\~) and stored the corresponding responses (respectively A, B and C). As discussed in Section 1.2, Skipfish considers that A and C must be different for a vulnerability to be present. Unfortunately, for these two injection points, this is not the case: the responses correspond to SQL error messages that are very similar.

v5 and v6, they are included in PHP pages for which we purposely deactivated the error reporting feature in the configuration file of PHP5. In this particular case, none of the three scanners (Skipfish, W3af, and Wapiti) is able to detect the vulnerabilities.

v7, Wasapy is the only scanner that is able to detect it. Moreover, it is the only scanner that is able to test the corresponding injection point. Indeed, this injection point is included in an HTML page that can only be accessed after a successful authentication or after the successful exploitation of vulnerability v4. As Wasapy is the only scanner able to actually exploit v4, it can automatically access the page including vulnerability v7. For the other scanners, it is necessary to manually perform the exploitation of v4 so that it is possible to access the page including v7. Vulnerabilities v11 and v12 were identified only by our tool for the same reasons: they remain masked until the authentication is bypassed.

Wasapy. The calibration of our tool consists in defining empirically the number of requests to generate for each group and injection point. We set this number to 30 for all the applications tested (i.e., 90 requests per injection point). We observed that a higher number does not provide significantly higher accuracy, while a lower number generates false negatives.

3.3 Experiments with non-modified vulnerable applications
Skipfish, W3af, and Wapiti on non-purposely modified vulnerable Web applications. For some of these applications, we could compare our algorithm with some commercial vulnerability scanners, considering the results available in [16]. In this document, the author presents the vulnerability detection results obtained with three commercial scanners: WebInspect from HP, AppScan from IBM, and Web Vulnerability Scanner from Acunetix. These results provide only preliminary indications to analyze the performance of our tool on the same set of applications and are not meant to be used for validation purposes.

- Cyphor (http://Webscripts.softpedia.com/script/Snippets/Cyphor-27985.html) is a configuration Web forum, which uses PHP 4.0.0 session capabilities to authenticate users and a MySQL database.
- Seagull (http://seagullproject.org/) is an OOP framework for building Web, command line, and GUI applications. This project allows PHP developers to integrate and manage code resources, and build complex applications. This application requires the following configuration: PHP 4.3.0 or newer, MySQL 4.0.x or newer, Apache 1.3.x or 2.x.
- Fttss is a research project (http://fttss.sourceforge.net) that implements a Text-To-Speech System based on PHP (4.3.0 or newer) and MySQL (4.1.2 or newer).
- Riotpix (http://www.riotpix.com/) is an open-source discussion forum for the Web based on PHP (4.3.0 or newer) and MySQL (4.1.2 or newer).
- Pligg (http://www.pligg.com/) is a social networking open-source CMS (Content Management System) that permits visitors to register on the Web site, submit content and connect with other users. This software creates Web sites where stories are created and voted on by members. PHP (4.3.0 or newer) and MySQL (4.1.2 or newer) are required.
Cyphor application. All the scanners detected all the vulnerabilities because error messages are reported to the client. Thus, it is easy to distinguish successful vulnerability exploitation from error messages. The underlined results correspond to detections made possible by supplying a valid login/password to the scanners to perform authentication. In other words, the corresponding vulnerability is only visible when logged into the site (the authentication page does not contain any SQL injection vulnerability, so this is the only way for any scanner to access the page including the vulnerability).

Cyphor application

Type | CVE | Location | Skipfish | W3af | Wapiti | Wasapy
---|---|---|---|---|---|---
SQLi | NR | search.php | ✓ | ✓ | ✓ | ✓
SQLi | 2005-3236 | lostpwd.php | ✓ | ✓ | ✓ | ✓
SQLi | 2005-3236 | newmsg.php | ✓ | ✓ | ✓ | ✓
SQLi | 2005-3575 | show.php | ✓ | ✓ | ✓ | ✓
False positive | | | 1 | 0 | 0 | 0
Seagull in Table 3 show that Wasapy is the only one that reports a vulnerability in this application. The others are unable to do so because the application does not report errors to the client. Regarding File Include vulnerabilities, the injection points which allow their exploitation are not directly accessible from the client interface. Hence, the source code is necessary to identify these vulnerabilities. This explains the failure of all scanners.

Seagull application

Type | CVE | Location | Skipfish | W3af | Wapiti | Wasapy
---|---|---|---|---|---|---
SQLi | 2010-3212 | index.php | ✗ | ✗ | ✗ | ✓
FIn | 2010-3209 | container.php | ✗ | ✗ | ✗ | ✗
FIn | 2010-3209 | QuickForm.php | ✗ | ✗ | ✗ | ✗
FIn | 2010-3209 | NestedSet.php | ✗ | ✗ | ✗ | ✗
FIn | 2010-3209 | Output.php | ✗ | ✗ | ✗ | ✗
False positive | | | 0 | 0 | 0 | 0
Fttss is an application that has been tested in [16]. Hence, some results for the three commercial scanners considered are available (cf. Table 4). The commercial scanners do not detect the OS commanding vulnerability, which is the only known vulnerability of this application. In contrast, W3af and Wasapy are able to identify this vulnerability. It is noteworthy that none of the tested scanners reports false positives in this case.

Fttss application

Type | CVE | Location | Skipfish | W3af | Wapiti | Wasapy | AppScan | WebInspect | Acunetix
---|---|---|---|---|---|---|---|---|---
OsC | NR | index.php | ✗ | ✓ | ✗ | ✓ | ✗ | ✗ | ✗
False positive | | | 0 | 0 | 0 | 0 | 0 | 0 | 0
Riotpix (cf. Table 5), the results are similar to those of Cyphor. The vulnerabilities are only accessible to successfully authenticated users. Therefore, we had to provide a valid login/password to all scanners. Two vulnerabilities have not been found by any scanner. They correspond to code injection into variables that are not visible to the client and thus cannot be discovered by scanners (their identification would require a source code analysis). These results also show that Wasapy is efficient for this kind of vulnerability.

Riotpix application

Type | CVE | Location | Skipfish | W3af | Wapiti | Wasapy | AppScan | WebInspect | Acunetix
---|---|---|---|---|---|---|---|---|---
SQLi | NR | edit_post.php | ✗ | ✗ | ✗ | ✓ | ✗ | ✗ | ✗
SQLi | NR | edit_post_script.php | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗
SQLi | NR | index.php | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗
SQLi | NR | message.php | ✗ | ✗ | ✗ | ✓ | ✗ | ✗ | ✗
SQLi | NR | reader.php | ✓ | ✓ | ✗ | ✓ | ✗ | ✗ | ✗
False positive | | | 0 | 0 | 0 | 0 | 0 | 0 | 0
Pligg application (cf. Table 6), all vulnerabilities but the first two are located on hidden injection points. The scanner must be aware of the presence of the injection point in order to test the vulnerability. Wasapy found both of the first two vulnerabilities, whereas the other scanners found only one of them. This is due to the fact that error messages are not forwarded to the client.

Pligg application

Type | CVE | Location | Skipfish | W3af | Wapiti | Wasapy | AppScan | WebInspect | Acunetix
---|---|---|---|---|---|---|---|---|---
SQLi | 2008-7091 | login.php | ✗ | ✗ | ✗ | ✓ | ✗ | ✓ | ✗
SQLi | 2008-7091 | story.php | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓
SQLi | NR | userrss.php | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓
SQLi | 2008-7091 | out.php | ✗ | ✗ | ✗ | ✗ | ✓ | ✗ | ✓
SQLi | 2008-7091 | trackback.php | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗
SQLi | 2008-7091 | cloud.php | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗
SQLi | 2008-7091 | cvote.php | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗
SQLi | 2008-7091 | recommend.php | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗
SQLi | 2008-7091 | submit.php | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗
SQLi | 2008-7091 | vote.php | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗
SQLi | 2008-7091 | edit.php | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗
False positive | | | 0 | 0 | 0 | 2 | 1 | 1 | 0
3.4 Summary
- Wasapy is an efficient scanner, especially in the particular conditions for which it has been designed: (1) it is more efficient than the other freeware scanners tested when error reporting is disabled, and (2) it is more efficient than the other scanners at discovering and exploiting vulnerabilities included in pages that are not directly accessible (pages that require the successful exploitation of a vulnerability to be accessed). Indeed, Wasapy is the only one capable of actually exploiting the vulnerability and supplying the exact corresponding injection requests.
- Wasapy is globally as efficient as the other vulnerability scanners tested on non-modified vulnerable applications.
- Our clustering algorithm can be easily adapted to different kinds of vulnerabilities. Besides SQL injections, the results of the experiments show that Wasapy also detects XPath, OS Commanding and File Include vulnerabilities and that it is at least as efficient as the other vulnerability scanners.
4 Conclusion
Wasapy.

Wasapy to allow the generation of a larger variety of injections covering the vulnerabilities included so far, as well as new vulnerabilities.