ABSTRACT
The complexity of modern web applications makes it difficult for developers to fully understand the security implications of their code. Attackers exploit the resulting security vulnerabilities to gain unauthorized access to the web application environment. Previous research into web application vulnerabilities has mostly focused on input validation flaws, such as cross-site scripting and SQL injection, while logic flaws have received comparably less attention. In this paper, we present a comprehensive study of a relatively unknown logic flaw in web applications, which we call Execution After Redirect, or EAR. A web application developer can introduce an EAR by calling a redirect method under the assumption that execution will halt. A vulnerability occurs when server-side execution continues after the developer's intended halting point, which can lead to broken or insufficient access controls and information leakage. We start with an analysis of how susceptible applications written in nine web frameworks are to EAR vulnerabilities. We then discuss the results from the EAR challenge contained within the 2010 International Capture the Flag Competition. Next, we present an open-source, white-box, static analysis tool to detect EARs in Ruby on Rails web applications; this tool found 3,944 EAR instances in 18,127 open-source applications. Finally, we describe an approach to prevent EARs in web frameworks.
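As an added illustration (not code from the paper or its detection tool), the following Ruby stand-in for a Rails controller mimics the one property that produces an EAR: `redirect_to` only records a 302 response and does not stop the action. `FakeController`, `destroy_ear`, `destroy_fixed`, `dispatch` and `run_as_guest` are constructed names; the vulnerable action is shown beside the version that returns explicitly after the redirect.

```ruby
# Minimal stand-in for a Rails controller (constructed for this example,
# not the paper's tool). Like the real redirect_to, it only records the
# 302 response; it never stops the action on its own.
class DoubleRenderError < StandardError; end

class FakeController
  attr_reader :response, :deleted

  def initialize(admin:)
    @admin = admin
    @response = nil   # [status, location] once a redirect or render happens
    @deleted = []     # ids whose deletion code actually ran
  end

  # Mirrors Rails: sets the response, raises if called twice, returns truthy.
  def redirect_to(location)
    raise DoubleRenderError, "redirect already issued" if @response
    @response = [302, location]
  end

  # Vulnerable action: the author assumes redirect_to halts execution.
  def destroy_ear(id)
    redirect_to("/login") unless @admin
    @deleted << id     # Execution After Redirect: runs for non-admins too
  end

  # Fixed action: return explicitly right after the redirect.
  def destroy_fixed(id)
    redirect_to("/login") and return unless @admin
    @deleted << id
  end

  # Run an action and return the final response (implicit 200 render if none).
  def dispatch(action, id)
    public_send(action, id)
    @response || [200, "rendered"]
  end
end

# Returns [response, deleted_ids] for a non-admin caller hitting ACTION.
def run_as_guest(action, id = 7)
  c = FakeController.new(admin: false)
  resp = c.dispatch(action, id)
  [resp, c.deleted]
end

if __FILE__ == $PROGRAM_NAME
  p run_as_guest(:destroy_ear)    # [[302, "/login"], [7]]  <- deletion ran
  p run_as_guest(:destroy_fixed)  # [[302, "/login"], []]
end
```

The guest receives the same redirect in both cases, so the EAR is invisible in the HTTP response; only the server-side state (the `deleted` list) reveals that the privileged code ran.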
Fear the EAR: discovering and mitigating execution after redirect vulnerabilities