ABSTRACT
Many of today's web applications are built on frameworks that include sophisticated defenses against malicious adversaries. However, mistakes in the way developers deploy those defenses could leave applications open to attack. To address this issue, we introduce Rubyx, a symbolic executor that we use to analyze Ruby-on-Rails web applications for security vulnerabilities. Rubyx specifications can easily be adapted to a variety of properties, since they are built from general assertions, assumptions, and object invariants. We show how to write Ruby specifications to detect susceptibility to cross-site scripting and cross-site request forgery, insufficient authentication, leaks of secret information, insufficient access control, as well as application-specific security properties. We used Rubyx to check seven web applications from various sources against our specifications. We found many vulnerabilities, and each application was subject to at least one critical attack. Encouragingly, we also found that it was relatively easy to fix most vulnerabilities, and that Rubyx showed the absence of attacks after our fixes. Our results suggest that Rubyx is a promising new way to discover security vulnerabilities in Ruby-on-Rails web applications.
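As an added illustration (not Rubyx code and not the paper's own specification language), the Ruby below sketches the kind of access-control property the abstract describes as an object invariant: a Rails-style destroy action that looks a record up by id alone, beside one scoped to the current user, and a checker that exhaustively enumerates constructed users and posts where Rubyx would instead explore inputs symbolically. The controller classes, the data and the check function are all assumptions made for this example.

```ruby
# Constructed sample data: two users, each owning one post.
User = Struct.new(:id)
Post = Struct.new(:id, :owner_id)
USERS = [User.new(1), User.new(2)].freeze
POSTS = [Post.new(1, 1), Post.new(2, 2)].freeze

# Hypothetical vulnerable action: the lookup ignores who is logged in,
# so any authenticated user can delete any post (insufficient access control).
class VulnerableController
  def destroy(current_user, params, posts)
    post = posts.find { |p| p.id == params[:id] }
    return :not_found unless post
    posts.delete(post)
    :deleted
  end
end

# Hypothetical fixed action: the lookup is scoped to the current user's posts,
# the Rails idiom of current_user.posts.find(params[:id]).
class FixedController
  def destroy(current_user, params, posts)
    post = posts.find { |p| p.id == params[:id] && p.owner_id == current_user.id }
    return :not_found unless post
    posts.delete(post)
    :deleted
  end
end

# Spec in the assumption/assertion style: assume a logged-in user and an
# arbitrary requested id; assert the invariant that every post the user does
# not own still exists afterwards. Returns the [user_id, requested_id] pairs
# that violate the invariant, so an empty list means the property holds.
def check_access_control(controller)
  violations = []
  USERS.each do |user|
    POSTS.each do |target|
      posts = POSTS.map(&:dup)                       # fresh state per run
      controller.destroy(user, { id: target.id }, posts)
      surviving = posts.map(&:id)
      POSTS.reject { |p| p.owner_id == user.id }.each do |other|
        violations << [user.id, target.id] unless surviving.include?(other.id)
      end
    end
  end
  violations.uniq
end
```

Running the check on both controllers shows the violating inputs for the unscoped lookup and none for the scoped one, mirroring the before/after verification the abstract reports.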
Index Terms
- Symbolic security analysis of ruby-on-rails web applications