Automated and Effective Testing of Web Services for XML Injection Attacks
1 like1,585 views
The document describes an automated approach and tool called SOLMI for testing web services against XML injection attacks. SOLMI generates valid but malicious XML messages to test services. It uses a taxonomy of 4 XML injection attack types and corresponding mutation operators. The approach extracts schema constraints and uses a constraint solver to generate payload satisfying constraints. An evaluation on a credit card processing system found SOLMI identified vulnerabilities while avoiding false positives, and took around 50 minutes to generate tests.
![<transaction>
<UserName>Mike123</UserName>
<BankCode>0111</BankCode>
<RequestId>R19228381</RequestId>
<CardNumber>1234567891234<CardNumber>
</transaction>
….....
<xs:element name=“RequestId”
type="cw:stringLen1_11"/>
</xs:simpleType>
<xs:simpleType name="stringLen1_11">
<xs:minLength value=”4"/>
<xs:maxLength value=”11"/>
<pattern value="[a-zA-Z0-9s]*"/>
</xs:restriction>
</xs:simpleType>
….....
XML File
Transform Constraint to
Solver’s input language
Schema Constraint for element ‘RequestId’
Generated Content for
the XML element
(Attack Payload)
OR True
Examples of malicious content rejected by the solver:
- OR 1=1
à
violates the regular expression
- Drop table RequestIDs
à
violates maximum
length constraints
Injection
Grammar
Mutation
(type 4)
<transaction>
<UserName>Mika123</UserName>
<BankCode>0111</BankCode>
<!–
</BankCode>
<RequestId>R19228381</RequestId>
<CardNumber>
-->
<RequestId>OR True</RequestId>
<CardNumber>1234567891234<CardNumber>
</transaction>
Resulting XML Message (Test of Type 4)
Concrete Example of Test Generation "
(for Type 4)
Extract associated constraints for
selected element
25
String Constraint
Solver](https://image.slidesharecdn.com/issta-solmi-v0-160718093804/85/Automated-and-Effective-Testing-of-Web-Services-for-XML-Injection-Attacks-25-320.jpg)
Automated and Effective Testing of Web Services for XML Injection Attacks
- 1. .lusoftware verification & validation VVS Automated and Effective Testing of Web Services for XML Injection Attacks Sadeeq Jan, Cu D. Nguyen, Lionel Briand Interdisciplinary Centre for Security, Reliability and Trust (SnT) University of Luxembourg ISSTA’16 The International Symposium on Software Testing and Analysis Saarland University, Saarbrücken, Germany. July 18-20, 2016
- 2. XML Injection 2 • Bypassing authentication • Privilege escalation • Information disclosure • Generating errors/system crash Impact Definition Injecting malicious content into XML files/messages to manipulate/compromise the logic of an application/ service
- 3. 3 XML Injection Example Create new account <user> <username>Tom</username> <password>m1U9q10</password> <role>user</role> <mail>[email protected]</mail> </user> <user> <username>admin</username> <password>s4n3p81</password> <role>Administrator</role> <mail>[email protected]</mail> </user> ….. ...... <user> <username>Tom</username> <password>m1U9q10</password> <role>user</role> <mail>[email protected]</mail> </user> XML Database
- 4. XML Injection Example " (Privilege Escalation) <user> <username>Tom</username> <password>m1U9q10</password> <role>user</role> <mail>abc</mail> <role>Administrator</role> <mail>[email protected]</mail> </user> Web Form Generated XML Message abc</mail><role>Administrator<role> <mail>[email protected] 4
- 5. ......... ......... <complexType name="UserType"> <all> <element name="username" type="tns:StringUserType" maxOccurs="1" minOccurs="1" /> <element name="password" type="tns:StringPassType" maxOccurs="1" minOccurs="1"/> <element name="role" type="tns:Int1000Type" maxOccurs="1" minOccurs="1"/> <element name="mail" type="tns:EmailType" maxOccurs="1" minOccurs="1" /> </all> </complexType> ......... ......... 5 <user> <username>Tom</username> <password>m1U9q10</password> <role>user</role> <mail>abc</mail> <role>Administrator</role> <mail>[email protected]</mail> </user> Well-formed but not valid XML Schema violates cardinality =1 constraint of ‘role’ element in XML Schema <element name="role" type="tns:Int1000Type" maxOccurs="1" minOccurs="1"/> XML Injection in presence of constraints
- 6. <user> <username>Tom</username> <password>m1U9q10</password> <!-- </password> <role>user</role> <mail> --> <role>Administrator</role> <mail>[email protected]</mail> </user> Web Form Generated XML Message Well-formed and valid --><role>Administrator<role><mail>[email protected] m1U9q10</password><!-- 6 XML Injection in presence of constraints
- 7. • Generate invalid XML files/messages • Result in large number of false positives • No dedicated testing tool for XML Injection attacks Limitations of State-Of-The-Art Tools 7
- 8. • A novel automated testing approach and tool (SOLMI) • Generates valid but malicious XML files/messages • Covers wide range of XML Injection attacks • Evaluation of the approach on an industrial financial system Contributions of This Work 8
- 9. 9 • Type 1: Deforming • Type 2: Random closing tags • Type 3: Replicating • Type 4: Replacing Taxonomy of XML Injection Attacks
- 10. <user> <username>Tom</username> <password>m1U<9q10</password> <role>user</role> <mail>[email protected]</mail> </user> Mutated XML 10 <user> <username>Tom</username> <password>m1U9q10</password> <role>user</role> <mail>[email protected]</mail> </user> Original XML Type 1: Deforming Using XML special characters (e.g., <, &, ‘) to crash the service Example:
- 11. <user> <username>Tom</username> <password></test></password> <role>user</role> <mail>[email protected]</mail> </user> Mutated XML 11 <user> <username>Tom</username> <password>m1U9q10</password> <role>user</role> <mail>[email protected]</mail> </user> Original XML Example: Type 2: Random Closing Tags Using XML closing tags to reveal the hidden XML structure (e.g. </test>)
- 12. <user> <username>Tom</username> <password>m1U9q10</password> <role>user</role> <mail>abc</mail> <role>Administrator</role> <mail>[email protected]</mail> </user> Mutated XML 12 <user> <username>Tom</username> <password>m1U9q10</password> <role>user</role> <mail>[email protected]</mail> </user> Original XML Example: Type 3: Replicating Replicating existing XML elements with malicious content
- 13. <user> <username>Tom</username> <password>m1U9q10</password> <!-- </password> <role>user</role> <mail> --> <role>Administrator</role> <mail>[email protected]</mail> </user> Mutated XML (XML is well-formed, valid, yet malicious) 13 <user> <username>Tom</username> <password>m1U9q10</password> <role>user</role> <mail>[email protected]</mail> </user> Original XML Example: Type 4: Replacing Replicating + ensuring that the resulting XML is well formed and valid
- 15. SOLMI Approach 15 Generalizable approach: Injection Grammar can be replaced for testing other types of vulnerabilities SUT XML Validator (e.g. Gateway/ Firewall) Schema Constraints Security Policies XML T1 T2 Tn Mutation XML Messages (Tests) Type 1 - 2 Web Services XML XML XML Constraint Solving Injection Grammar Type 3 - 4
- 16. Mutation Operators Attack Mut. Operator Description Type 1 Deforming MO_der_meta Inserts an XML meta-character into the selected element of the input XML message MO_der_att Removes a quote from the value of a selected attribute of an element Type 2 Random closing tags MO_clo Adds </test> into the content of a selected XML element of the message Type 3 Replicating MO_replica Replicates an XML element, injects it with a new content and place it at the location right after the selected element Type 4 Replacing MO_replace Replicates an XML element, obtains a new content, comments out the selected element, and injects the new one at its location 16
- 17. Injection Grammar 17 Generate attack strings for elements in XML (e.g. SQL Injection attack strings based on the grammar) SQL Injection Grammar * * D. Appelt, C. Nguyen, and L. Briand. Behind an application firewall, are we safe from sql injection attacks? In Software Testing, Verification and Validation (ICST), 2015 IEEE 8th International Conference on, pages 1–10, April 2015.
- 18. 18 Test Generation Process (for Type 3-4) Select Element Tests Gen. Completed? End No Yes Extract constraints from the XML Schema Solve Constraints, generate attack string using Constraint Solver Mutate Element with the attack string XML Element Schema Constraints Attack String Ti Transform constraints to the Solver’s input language Injection Grammar Start XML Schema
- 19. 19 Test Generation Process (for Type 3-4) Select Element Tests Gen. Completed? End No Yes Extract constraints from the XML Schema Solve Constraints, generate attack string using Constraint Solver Mutate Element with the attack string XML Element Schema Constraints Attack String Ti Transform constraints to the Solver’s input language Injection Grammar Start XML Schema
- 20. 20 Test Generation Process (for Type 3-4) Select Element Tests Gen. Completed? End No Yes Extract constraints from the XML Schema Solve Constraints, generate attack string using Constraint Solver Mutate Element with the attack string XML Element Schema Constraints Attack String Ti Transform constraints to the Solver’s input language Injection Grammar Start XML Schema
- 21. 21 Test Generation Process (for Type 3-4) Select Element Tests Gen. Completed? End No Yes Extract constraints from the XML Schema Solve Constraints, generate attack string using Constraint Solver Mutate Element with the attack string XML Element Schema Constraints Attack String Ti Transform constraints to the Solver’s input language Injection Grammar Start XML Schema
- 22. 22 Test Generation Process (for Type 3-4) Select Element Tests Gen. Completed? End No Yes Extract constraints from the XML Schema Solve Constraints, generate attack string using Constraint Solver Mutate Element with the attack string XML Element Schema Constraints Attack String Ti Transform constraints to the Solver’s input language Injection Grammar Start XML Schema
- 23. 23 Test Generation Process (for Type 3-4) Select Element Tests Gen. Completed? End No Yes Extract constraints from the XML Schema Solve Constraints, generate attack string using Constraint Solver Mutate Element with the attack string XML Element Schema Constraints Attack String Ti Transform constraints to the Solver’s input language Injection Grammar Start XML Schema
- 24. 24 Test Generation Process (for Type 3-4) Select Element Tests Gen. Completed? End No Yes Extract constraints from the XML Schema Solve Constraints, generate attack string using Constraint Solver Mutate Element with the attack string XML Element Schema Constraints Attack String Ti Transform constraints to the Solver’s input language Injection Grammar Start XML Schema
- 25. <transaction> <UserName>Mike123</UserName> <BankCode>0111</BankCode> <RequestId>R19228381</RequestId> <CardNumber>1234567891234<CardNumber> </transaction> …..... <xs:element name=“RequestId” type="cw:stringLen1_11"/> </xs:simpleType> <xs:simpleType name="stringLen1_11"> <xs:minLength value=”4"/> <xs:maxLength value=”11"/> <pattern value="[a-zA-Z0-9s]*"/> </xs:restriction> </xs:simpleType> …..... XML File Transform Constraint to Solver’s input language Schema Constraint for element ‘RequestId’ Generated Content for the XML element (Attack Payload) OR True Examples of malicious content rejected by the solver: - OR 1=1 à violates the regular expression - Drop table RequestIDs à violates maximum length constraints Injection Grammar Mutation (type 4) <transaction> <UserName>Mika123</UserName> <BankCode>0111</BankCode> <!– </BankCode> <RequestId>R19228381</RequestId> <CardNumber> --> <RequestId>OR True</RequestId> <CardNumber>1234567891234<CardNumber> </transaction> Resulting XML Message (Test of Type 4) Concrete Example of Test Generation " (for Type 4) Extract associated constraints for selected element 25 String Constraint Solver
- 27. Objectives & Tools for evaluation Objectives • To evaluate the effectiveness and cost (time) of our proposed approach • To compare our proposed approach with the state- of-the-art tools Tools • ReadyAPI • SOLMI 27
- 28. Subject Application 28 XML Gateway (Axway XML Gateway) that protects 44 Web Services of a credit card processing company Web Service 1 Web Service 2 Web Service N XML Schemas XML Threat Policy Backend Service Interface 1 Service Interface Service Interface N XML GatewayInternet Service Interface 1 Service Interface Service Interface N XML Gateway
- 29. 29 Architecture of SOLMI Constraint Solver Hampi XML Processor Schema Processor Injection Grammar (SQL) Test Generator Mutation Strategies Test Cases SUT Test Executor Monitor/ Oracle Transformer
- 30. Results 30 MO Operator # Tests (T) % Bypassing Tests (Tp) Test Generation Time (s) ReadyAPI Malformed XML 4430 2.37 < 1 min SOLMI MO-meta 1772 0 0.64 MO-close 443 0 0.35 MO_der_att NA NA NA MO-replica 3236 0 2929.99 (49 mins) MO-replace 3236 78.86 2998.97 (50 mins)
- 31. Results 31 MO Operator # Tests (T) % Bypassing Tests (Tp) Test Generation Time (s) ReadyAPI Malformed XML 4430 2.37 < 1 min SOLMI MO-meta 1772 0 0.64 MO-close 443 0 0.35 MO_der_att NA NA NA MO-replica 3236 0 2929.99 (49 mins) MO-replace 3236 78.86 2998.97 (50 mins)
- 32. Results 32 MO Operator # Tests (T) % Bypassing Tests (Tp) Test Generation Time (s) ReadyAPI Malformed XML 4430 2.37 < 1 min SOLMI MO-meta 1772 0 0.64 MO-close 443 0 0.35 MO_der_att NA NA NA MO-replica 3236 0 2929.99 (49 mins) MO-replace 3236 78.86 2998.97 (50 mins)
- 33. Results 33 MO Operator # Tests (T) % Bypassing Tests (Tp) Test Generation Time (s) ReadyAPI Malformed XML 4430 2.37 < 1 min SOLMI MO-meta 1772 0 0.64 MO-close 443 0 0.35 MO_der_att NA NA NA MO-replica 3236 0 2929.99 (49 mins) MO-replace 3236 78.86 2998.97 (50 mins)
- 34. Results 34 MO Operator # Tests (T) % Bypassing Tests (Tp) Test Generation Time (s) ReadyAPI Malformed XML 4430 2.37 < 1 min SOLMI MO-meta 1772 0 0.64 MO-close 443 0 0.35 MO_der_att NA NA NA MO-replica 3236 0 2929.99 (49 mins) MO-replace 3236 78.86 2998.97 (50 mins)
- 35. Results 35 MO Operator # Tests (T) % Bypassing Tests (Tp) Test Generation Time (s) ReadyAPI Malformed XML 4430 2.37 < 1 min SOLMI MO-meta 1772 0 0.64 MO-close 443 0 0.35 MO_der_att NA NA NA MO-replica 3236 0 2929.99 (49 mins) MO-replace 3236 78.86 2998.97 (50 mins)
- 36. 36 • Test strategy that randomly injects XML meta- characters or closing tags (state-of-the-art tools) are unlikely to be effective • SOLMI approach is highly effective and the test generation time is practically reasonable • SOLMI is generalizable to other types of attacks Conclusion
- 37. Summary 37