Cybersecurity Testing and Analysis for Web Applications

William GJ Halfond

Center for Systems and Software Engineering

University of Southern California

Research Area

Software Engineering Quality Assurance• Security• Testing• Analysis

2

Importance of Web Applications

3

Yahoo’s projected revenue in 2008 = $7.2 billion.Bank of America services over 23 million visitors a month.Facebook has over 120 million active users.

Problems in Web Applications

Amazon.com: 60sec = $30,000

4

Average data breach: $6.6 millionDowntime cost = $3.6 millionReported software vulnerabilities

Current Approaches

1. Web crawlers and scanners

2. Scenario-based testing

5

Web Crawlers

6

Problems with Web Crawling

7

Scenario-Based Testing

General Process:

1. Define use cases

2. Check each use case

8

+ Realistic – Incomplete

– Tests known behaviors

Research Overview

9

Goal Improve quality of web applications1. Develop new techniques2. Adaptation of existing techniques

Method Develop and apply program analysis techniques to web applications in order to analyze and understand their structure and runtime behavior.

Benefits • Accurate and complete• Automatable

Key Differences

10

Observation:Many software quality assurance techniques are not directly applicable to web applications.

Complications: • Interface definitions• Control flow• Generated object programs• Data flow

Problem: Traditional abstractions look very different in web applications.

Developed Techniques

1. Accepted Interface Analysis Improve test coverage Discover vulnerabilities

2. Component Output Identification Static verification of correctness

3. Control-Flow Analysis Verify runtime behaviors

11

1) Parameter names

Traditional Interface

12

public void write(File outfile, String buffer, int length)

3) Domain information

2) Grouping of parameters

Web Application Interfaces

13

1. Parameter names2. Grouping of

parameters3. Domain information

void service( Request req ) 1. String dbQuery = "select * from db where " 2. String search = req.getParameter( "search" ) 3. String dbQuery += "name like '" + search + "' and " 4. String searchType = req.getParameter( "sPref" ) 5. if (searchType.equals( "zip" )) 6. int zip = Integer.parseInt(req.getParameter( “zip” ) 7. dbQuery+= "zip=" + zip 8. else if (searchType.equals( "type" )) 9. String type = req.getParameter( "business" ) 10. dbQuery+= "type=" +type 11. else 12. String state = req.getParameter( "state" ) 13. dbQuery+= "state=" +state 14. ResultSet results = execute(dbQuery) 15. print(results)

Interface Information

Interface NameDomain-

TypeConstraints

1

search String -

sPref String sPref=“zip”

zip Integer -

2

search String -

sPref String sPref ≠“zip” sPref = “type”

business String -

3

search String -

sPref String sPref ≠“zip” sPref ≠ “type”

state String -

14

Testing Improvements

15

% Stmt.Coverage

% BranchCoverage

# CommandForms

Branch coverage increase: 48%

Statement coverage increase: 30%

Command form increase: 94%

WAMDF Spider

Penetration Testing

16

DB

Other

Systems

White Hat

Tester

!@#$

Secret Data!

Web Application

HTML

Servlets

Penetration Testing Results

17

WAMDF Spider

# SQLInjection

Vulns.

# XSSVulns.

Vulnerability detection increase: 365%

Vulnerability detection increase: 282%

Traditional Invocation Verification

18

public void write(File outfile, String buffer, int length)

write(file, string, int)

write(file, string, string)

Web Application Invocations

19

Analysis to Identify

Invocations

Component Output Analysis

20

InterfaceInvocations

Web Application

HTML

ServletsServlet

Invocation Verification

21

Web Application

searchpage.jsp dosearch.jsp

X

Verification Results

22

High-level Analysis

23

Web Application

login.jsp

memberInfo.jsp

shoppingCart.jsp

AttackerEnd Users

Areas of Future Work in Analysis

24

• Protocol Analysis

• Object Program Semantics

Control Flow

Data FlowObject Programs

Def

UseUseUse

D

UUU

D

UUU

Servlet

JavaScript

SQL

HTML

Summary

• Research focused on quality assurance for web applications

• Promising results in basic areas

• Future work in higher-level analysis

25