Static Detection of Vulnerabilities in Modern PHP Applications
Static Detection of Vulnerabilities in Modern PHP Applications
Johannes Dahse
HackPra ’14, November 26th, Ruhr-University Bochum, Germany 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
1.1 Background
● @FluxReiners / websec.wordpress.com
● IT-Security Student, Ruhr-University Bochum (2006 - 2012)
● Co-founder CTF team FluxFingers (2007)
● Co-founder HackerPraktikum, BadBank Developer (2009)
● Penetration Tester / Code Auditer
● RIPS 0.5 – Static Code Analyzer (2009 - 2011)
● RIPS 1.0 – New rewritten prototype (2012 – today, 24/7)
● PhD Student at Chair for Systems Security, RUB (2013 - today)
2 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
1.2 Why PHP?
e CTF services analyzed by FluxFingers g a
u Python 22% g
n PHP 19% a l C 14% e d
i Java 9% s -
r Binary 9% e
v Perl 8% (23% of all websites) (3% of all websites) r e %
s Ruby 5 http://w3techs.com
All CVE entries
http://www.coelho.net/php_cve.html
3 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
1.3 Motivation
● SQL Injection in BadBank
1 $id = $_GET['id']; 2 $sql = "SELECT id, titel, hinweis source FROM hinweise WHERE id = ".$id; 3 $result = mysql_query($sql);
● Cross-Site Scripting in BadBank
1 $order = $_GET['order']; 2 $html = " (nach " . $order . ")\n"; 3 echo $html; sensitive sink
4 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
1.4 Taint-style Vulnerabilities
user input sensitive sink vulnerability type $_GET print() Cross-Site Scripting $_POST mysql_query() SQL Injection $_COOKIE include() File Inclusion + = $_REQUEST eval() Code Execution $_FILES system() Command Execution $_SERVER ......
Note: Logical Flaws do not follow such a general concept and are harder to detect
5 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
RIPS 0.5 BadBank Demo Scan
6 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
7 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
1.4 Taint-style Vulnerabilities
user input sensitive sink vulnerability type $_GET print() Cross-Site Scripting $_POST mysql_query() SQL Injection $_COOKIE include() File Inclusion + = $_REQUEST eval() Code Execution $_FILES system() Command Execution $_SERVER ......
Note: Logical Flaws do not follow such a general concept and are harder to detect
8 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
1.4 Taint-style Vulnerabilities
user input sanitization sensitive sink vulnerability $_GET htmlentities() print() XSS $_POST addslashes() mysql_query() SQL Injection $_COOKIE basename() include() File Inclusion + + = $_REQUEST (int) eval() Code Exec $_FILES escapeshellarg() system() Cmd Exec $_SERVER ......
Refined concept of previous prototype and current tools on the market
9 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
1.4 Taint-style Vulnerabilities user input sanitization markup sensitive sink vulnerability $_GET htmlentities() HTML print() XSS $_POST addslashes() SQL mysql_query() SQL Injection $_COOKIE basename() File Path include() File Inclusion + + + = $_REQUEST (int) PHP eval() Code Exec $_FILES escapeshellarg() OS Command system() Cmd Exec $_SERVER ......
Refined concept of new prototype
10 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
1.5 Lessons Learned
1. Its easy to built a static code analysis tool that detects simple vulnerabilities
11 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
1.5 Lessons Learned
1. Its easy to built a static code analysis tool that detects simple vulnerabilities 2. Its challenging to built a static code analysis tool that detects sophisticated vulnerabilities
12 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
1.5 Lessons Learned
1. Its easy to built a static code analysis tool that detects simple vulnerabilities 2. Its challenging to built a static code analysis tool that detects sophisticated vulnerabilities 3. Its hard to built a static code analysis tool that detects sophisticated vulnerabilities in large applications with acceptable performance and a low false positive rate
13 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
RIPS 1.0 BadBank Demo Scan
14 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
15 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2. Static VS Dynamic Code Analysis
Static Dynamic analyze code analyze code without execution while execution Code Coverage full Single execution path
Data Coverage Compile-time data Runtime data (valid for environment) Decidability Halting Problem Real data
16 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2. Static Code Analysis
Static Dynamic analyze code analyze code without execution while execution Code Coverage full Single execution path
Data Coverage Compile-time data Runtime data (valid for environment) Decidability Halting Problem Real data
17 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2.1 Overview
● Load all PHP files
● Tokenize PHP code and build an Abstract Syntax Tree (AST)
● Split AST into Basic Blocks
● Connect Basic Blocks to a Control Flow Graph (CFG)
● Analyze data flow through CFG
● RIPS uses block and function summaries
18 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2.2 Abstract Syntax Tree
$cookie = $_COOKIE['text']; ● Tokenize Code
● Parse tokens according to PHP syntax
● Structure tokens into a tree representation
● AST allows to parse semantics without dealing with punctuation or delimiters
19 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2.2 Abstract Syntax Tree Variable Variable String $cookie = $_COOKIE['text']; ● Tokenize Code
● Parse tokens according to PHP syntax
● Structure tokens into a tree representation
● AST allows to parse semantics without dealing with punctuation or delimiters
20 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2.2 Abstract Syntax Tree Variable Variable String $cookie = $_COOKIE['text']; ● Tokenize Code
● Parse tokens according to PHP syntax = ● Structure tokens into a tree $_COOKIE['text'] representation $cookie
● AST allows to parse semantics without dealing with punctuation or delimiters
21 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2.2 Abstract Syntax Tree Variable Variable String $cookie = $_COOKIE['text']; ● Tokenize Code
● Parse tokens according to PHP syntax Assign ● Structure tokens into a tree var expr $cookie $_COOKIE['text'] representation variable ● AST allows to parse semantics without dealing with punctuation or delimiters
22 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2.2 Abstract Syntax Tree Variable Variable String $cookie = $_COOKIE['text']; ● Tokenize Code
● Parse tokens according to PHP syntax Assign ● Structure tokens into a tree var expr $cookie $_COOKIE representation variable array dim ● AST allows to parse semantics without 'text' dealing with punctuation or delimiters string
23 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2.3 Basic Block
1 ... ● Split AST at jump nodes 2 if(isset($_COOKIE['text'])) { 3 $cookie = $_COOKIE['text']; 4 $s = $cookie; ● Single input, single output code block 5 } 6 else { ● Simulate data flow in basic block 7 $cookie = trim($default); 8 $s = $cookie; ● Precisely model PHP built-in features 9 } 10 ... ● Summarize data flow
24 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2.3 Basic Block
1 ... ● Split AST at jump nodes 2 if(isset($_COOKIE['text'])) { 3 $cookie == $_COOKIE$_COOKIE[['text''text'];]; 4 $s = $cookie; ● Single input, single output code block 5 } 6 else { ● Simulate data flow in basic block 7 $cookie = $defaulttrim($default); ; 8 $s = $cookie; ● Precisely model PHP built-in features 9 } 10 ... ● Summarize data flow
25 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2.3 Basic Block
1 ... ● Split AST at jump nodes 2 if(isset($_COOKIE['text'])) { 3 $cookie$cookie: = $_COOKIE$_COOKIE[['text''text'];]; 4 $s$s: = $cookie $_COOKIE; ['text']; ● Single input, single output code block 5 } 6 else { ● Simulate data flow in basic block 7 $cookie := $default$default;; 8 $s := $cookie; $default; ● Precisely model PHP built-in features 9 } 10 ... ● Summarize data flow
26 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2.4 Control Flow Graph ... ● if Connect basic blocks to CFG $cookie: $_COOKIE['text']; $s: $_COOKIE['text']; ● Edges are jump conditions else ● Represents all code paths $cookie: $default; $s: $default; ● Efficient data flow analysis ... on block summaries
27 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2.4 Control Flow Graph
● Connect basic blocks to CFG ...
● Edges are jump conditions $cookie: $_COOKIE['text']; $cookie: $default; ● Represents all code paths $s: $_COOKIE['text']; $s: $default;
● Efficient data flow analysis ... on block summaries
28 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2.5 Inter-procedural Analysis
● Call to user-defined function function getText($default) invokes intra-procedural $cookie: $_COOKIE['text']; $cookie: $default; analysis of this function $s: $_COOKIE['text']; $s: $default;
● Effects of function are stored return $s; in function summary
29 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2.5 Inter-procedural Analysis
● Call to user-defined function function getText($default) invokes intra-procedural $cookie: $_COOKIE['text']; $cookie: $default; analysis of this function $s: $_COOKIE['text']; $s: $default;
● Effects of function are stored return: in function summary $_COOKIE['text'] | $default
30 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2.5 Inter-procedural Analysis
● Call to user-defined function function getText($arg1) invokes intra-procedural return: $_COOKIE['text'] | $arg1 analysis of this function 1 ...
● 2 $text = getText('foo'); Effects of function are stored 3 ... in function summary
31 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2.5 Inter-procedural Analysis
● Call to user-defined function function getText($arg1) invokes intra-procedural return: $_COOKIE['text'] | $arg1 analysis of this function $text: $_COOKIE['text']|'foo' ● Effects of function are stored in function summary
32 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2.6 Taint Analysis
● Identify a configured set ... of sensitive sinks $cookie: $_COOKIE['text']; $cookie: $default; ● Resolve sensitive arguments $s: $_COOKIE['text']; $s: $default; from previous block summaries echo $s; ● Issue vulnerabilty report if argument is resolved to a source
33 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2.7 Context-sensitive String Analysis
1 $s = addslashes($_GET['s']); ● Resolve all strings (markup) 2 if($mode == 1) { 3 $where = "name = '$s'"; of a sensitive argument 4 } 5 else { ● Replace sources with a placeholder 6 $where = "id = $s"; 7 } ● Invoke markup parser 8 mysql_query('SELECT * FROM users ' . $where); ● Evaluate sanitization of each source regarding its markup context
34 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2.7 Context-sensitive String Analysis
SQL_SQ, $s: $_GET['s'] ● Resolve all strings (markup) SQL, DQ
of a sensitive argument $where: "name = '$s'" $where: "id = ".$s
● Replace sources with a placeholder mysql_query('SELECT * FROM ● Invoke markup parser users WHERE '.$where);
● Evaluate sanitization of each source regarding its markup context
35 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2.7 Context-sensitive String Analysis
SQL_SQ, $s: $_GET['s'] ● Resolve all strings (markup) SQL, DQ
of a sensitive argument $where: "name = '$s'" $where: "id = ".$s
● Replace sources with a placeholder mysql_query('SELECT * FROM ● Invoke markup parser users WHERE '.$where);
● Evaluate sanitization of each source SELECT * FROM users WHERE name = 'S' SQL_SQ SELECT * FROM users WHERE id = S SQL_NQ regarding its markup context
36 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
2.7 Context-sensitive String Analysis
SQL_SQ, $s: $_GET['s'] ● Resolve all strings (markup) SQL, DQ
of a sensitive argument $where: "name = '$s'" $where: "id = ".$s
● Replace sources with a placeholder mysql_query('SELECT * FROM ● Invoke markup parser users WHERE '.$where);
● Evaluate sanitization of each source SELECT * FROM users WHERE name = 'S' SQL_SQ SELECT * FROM users WHERE id = S SQL_NQ regarding its markup context
37 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3. Detecting Modern Vulnerabilities
● Taint-style concept remains: source → sink ● Data flow is more complex ● Dynamic language features
● Array Handling
● PHP built-in features CVEs http://www.coelho.net/php_cve.html 7000 ● Input sanitization + validation 6000 5000 4000 Other ● Object-Oriented Programming 3000 PHP 2000 ● 1000 More LOC (100k-200k) 0 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 year
38 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.1 Analyze Exceptional Sources
● Often sanitized: $_GET, $_POST, and $_REQUEST ● Often overlooked: $_SERVER, $_FILES, and $_COOKIE ● Examples:
PHP Source Developer Assumption Exploit Example $_SERVER['PHP_SELF'] /index.php /index.php/“>
● RIPS analyzes sources context-sensitively
39 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.2 Precise Array Handling
● PHP superglobals ($_GET, $_POST, etc.) are arrays
● RIPS analyzes built- SugarCRM 6.5.18 /include/export_utils.php 72 function export($type, $records) { ins precisely 160 $records = explode(',', $records); 161 $records = "'" . implode("','", $records) . "'"; ● Array keys are 162 $where = "{$focus->table_name}.id in ($records)"; 384 } tainted too (Drupal) export(clean($_REQUEST['module']), $_REQUEST['uid']);
40 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.2 Precise Array Handling
● PHP superglobals ($_GET, $_POST, etc.) are arrays
● RIPS analyzes built- SugarCRM 6.5.18 /include/export_utils.php 72 function export($type, $records) { ins precisely 160 $records = explode(',', $records); 161 $records = "'" . implode("','", $records) . "'"; ● Array keys are 162 $where = "{$focus->table_name}.id in ($records)"; 384 } tainted too (Drupal) export(clean($_REQUEST['module']), $_REQUEST['uid']);
Wordpress/wp-admin/network/users.php 4.0.1 /wp-admin/network/users.php 19 function confirm_delete_users($users) { 32 foreach($_POST['allusers']) as $key => $val) { 42 echo "\n"; 77 } 84 } allusers[0]='>RIPS')
41 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.3 Object-Oriented Programming
Assist osCommerce 2.3.4 /admin/backup.php 1 class Upload { backwards-directed 2 function parse($name) { data flow analysis 3 $this->set_filename($_FILES[$name]['name']); with 4 } 5 function set_filename($filename) { forwards-directed 6 $this->filename = $filename; data propagation 7 } 8 }
199 $sql_file = new Upload(); 201 if ($sql_file->parse('sql_file') == true) { 202 $read_from = $sql_file->filename; 203 } 273 tep_db_query("insert into " . TABLE_CONFIG . " values ('DB_RESTORE', '" . $read_from . "', '6', '')");
42 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.3 Object-Oriented Programming
Assist osCommerce 2.3.4 /admin/backup.php 1 class Upload { backwards-directed 2 function parse($name) { data flow analysis 3 $this->set_filename($_FILES[$name]['name']); with 4 } 5 function set_filename($filename) { forwards-directed 6 $this->filename = $filename; data propagation 7 } 8 }
199 $sql_file = new Upload(); 201 if ($sql_file->parse('sql_file') == true) { 202 $read_from = $sql_file->filename; 203 } 273 tep_db_query("insert into " . TABLE_CONFIG . " values ('DB_RESTORE', '" . $read_from . "', '6', '')");
43 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.3 Object-Oriented Programming
Assist osCommerce 2.3.4 /admin/backup.php 1 class Upload { backwards-directed 2 function parse($name) { data flow analysis 3 $this->set_filename($_FILES[$name]['name']); with 4 } 5 function set_filename($filename) { forwards-directed 6 $this->filename = $filename; data propagation 7 } 8 }
199 $sql_file = new Upload(); 201 if ($sql_file->parse('sql_file') == true) { 202 $read_from = $sql_file->filename; 203 } 273 tep_db_query("insert into " . TABLE_CONFIG . " values ('DB_RESTORE', '" . $read_from . "', '6', '')");
44 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.3 Object-Oriented Programming
Assist osCommerce 2.3.4 /admin/backup.php 1 class Upload { backwards-directed 2 function parse($name) { data flow analysis 3 $this->set_filename($_FILES[$name]['name']); with 4 } 5 function set_filename($filename) { forwards-directed 6 $this->filename = $filename; data propagation 7 } 8 }
199 $sql_file = new Upload(); 201 if ($sql_file->parse('sql_file') == true) { 202 $read_from = $sql_file->filename; 203 } 273 tep_db_query("insert into " . TABLE_CONFIG . " values ('DB_RESTORE', '" . $read_from . "', '6', '')");
45 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.3 Object-Oriented Programming
Assist osCommerce 2.3.4 /admin/backup.php 1 class Upload { backwards-directed 2 function parse($name) { data flow analysis 3 $this->set_filename($_FILES[$name]['name']); with 4 } 5 function set_filename($filename) { forwards-directed 6 $this->filename = $filename; data propagation 7 } 8 }
199 $sql_file = new Upload(); 201 if ($sql_file->parse('sql_file') == true) { 202 $read_from = $sql_file->filename; 203 } 273 tep_db_query("insert into " . TABLE_CONFIG . " values ('DB_RESTORE', '" . $read_from . "', '6', '')");
46 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.3 Object-Oriented Programming
Assist osCommerce 2.3.4 /admin/backup.php 1 class Upload { backwards-directed 2 function parse($name) { data flow analysis 3 $this->set_filename($_FILES[$name]['name']); with 4 } 5 function set_filename($filename) { forwards-directed 6 $this->filename = $filename; data propagation 7 } 8 }
199 $sql_file = new Upload(); 201 if ($sql_file->parse('sql_file') == true) { 202 $read_from = $sql_file->filename; 203 } 273 tep_db_query("insert into " . TABLE_CONFIG . " values ('DB_RESTORE', '" . $read_from . "', '6', '')");
47 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.4 Insufficient Sanitization
Pligg CMS 2.0.2 /admin/admin_categories.php ● Sanitization tags 233 $parent = substr(addslashes($_REQUEST['parent']),9,100); 245 $sql = "update ".table_categories." set category_parent ● Encoding stack = " . $parent . " where category_id=" . $id . ";"; 246 $db->query($sql); ● Decoding stack ● Escaping level
48 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.4 Insufficient Sanitization
Pligg CMS 2.0.2 /admin/admin_categories.php ● Sanitization tags 233 $parent = substr(addslashes($_REQUEST['parent']),9,100); 245 $sql = "update ".table_categories." set category_parent ● Encoding stack = " . $parent . " where category_id=" . $id . ";"; 246 $db->query($sql); ● Decoding stack 12345678901234567890' ● Escaping level
49 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.4 Insufficient Sanitization
Pligg CMS 2.0.2 /admin/admin_categories.php ● Sanitization tags 233 $parent = substr(addslashes($_REQUEST['parent']),9,100); 245 $sql = "update ".table_categories." set category_parent ● Encoding stack = " . $parent . " where category_id=" . $id . ";"; 246 $db->query($sql); ● Decoding stack 12345678901234567890\' ● Escaping level
50 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.4 Insufficient Sanitization
Pligg CMS 2.0.2 /admin/admin_categories.php ● Sanitization tags 233 $parent = substr(addslashes($_REQUEST['parent']),9,100); 245 $sql = "update ".table_categories." set category_parent ● Encoding stack = " . $parent . " where category_id=" . $id . ";"; 246 $db->query($sql); ● Decoding stack 12345678901234567890\ ● Escaping level
51 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.4 Insufficient Sanitization
Pligg CMS 2.0.2 /admin/admin_categories.php ● Sanitization tags 233 $parent = substr(addslashes($_REQUEST['parent']),9,100); 245 $sql = "update ".table_categories." set category_parent ● Encoding stack = " . $parent . " where category_id=" . $id . ";"; 246 $db->query($sql); ● Decoding stack 1, category_title=(SELECT password ...) ● Escaping level
52 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.4 Insufficient Sanitization
Pligg CMS 2.0.2 /admin/admin_categories.php ● Sanitization tags 233 $parent = substr(addslashes($_REQUEST['parent']),9,100); 245 $sql = "update ".table_categories." set category_parent ● Encoding stack = " . $parent . " where category_id=" . $id . ";"; 246 $db->query($sql); ● Decoding stack ● Escaping level Mambo CMS 4.6.2 /includes/cmtclasses.php 88 $mosmsg = mosGetParam($_REQUEST, 'mosmsg', ''); 90 $mosmsg = addslashes($mosmsg); 91 echo "\n
53 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.4 Insufficient Sanitization
Pligg CMS 2.0.2 /admin/admin_categories.php ● Sanitization tags 233 $parent = substr(addslashes($_REQUEST['parent']),9,100); 245 $sql = "update ".table_categories." set category_parent ● Encoding stack = " . $parent . " where category_id=" . $id . ";"; 246 $db->query($sql); ● Decoding stack ● Escaping level Mambo CMS 4.6.2 /includes/cmtclasses.php 88 $mosmsg = mosGetParam($_REQUEST, 'mosmsg', ''); 90 $mosmsg = addslashes($mosmsg); 91 echo "\n
Couch CMS 1.4 /couch/includes/fileuploader/io.php 603 echo '';
54 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.4 Insufficient Sanitization
Pligg CMS 2.0.2 /admin/admin_categories.php ● Sanitization tags 233 $parent = substr(addslashes($_REQUEST['parent']),9,100); 245 $sql = "update ".table_categories." set category_parent ● Encoding stack = " . $parent . " where category_id=" . $id . ";"; 246 $db->query($sql); ● Decoding stack ● Escaping level Mambo CMS 4.6.2 /includes/cmtclasses.php 88 $mosmsg = mosGetParam($_REQUEST, 'mosmsg', ''); 90 $mosmsg = addslashes($mosmsg); 91 echo "\n
Couch CMS 1.4 /couch/includes/fileuploader/io.php 603 echo '';
55 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.5 Second-Order Vulnerabilities
„First-Order“ SQL Injection:
1 $name = $_POST['name']; 2 $pwd = md5($_POST['pwd']); 3 $query = "INSERT INTO users VALUES('$name','$pwd')"; 4 $result = mysql_query($query);
!“*$()&/'\ send
user input
application
56 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.5 Second-Order Vulnerabilities
„First-Order“ SQL Injection (sanitized):
1 $name = mysql_real_escape_string($_POST['name']); 2 $pwd = md5($_POST['pwd']); 3 $query = "INSERT INTO users VALUES('$name','$pwd')"; 4 $result = mysql_query($query);
!“*$()&/'\ send
user input
application
57 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.5 Second-Order Vulnerabilities
Database Write:
1 $name = mysql_real_escape_string($_POST['name']); 2 $pwd = md5($_POST['pwd']); 3 $query = "INSERT INTO users VALUES('$name','$pwd')"; 4 $result = mysql_query($query);
send
write user input
application database
58 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.5 Second-Order Vulnerabilities
Database Read:
1 $query = "SELECT * FROM users WHERE id = 1"; 2 $result = mysql_query($query); 3 $user = mysql_fetch_assoc($result); 4 echo $user['name'];
send
write
user input read
application database
59 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.5 Second-Order Vulnerabilities
PDS connect Reads Writes
users id name pass Temporary Vulnerability Report users[name] * XSS
PDS'
60 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.5 Second-Order Vulnerabilities
PDS Reads Writes
users id name pass Temporary tainted? Vulnerability Report users[name] * XSS
PDS'
61 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.5 Second-Order Vulnerabilities
PDS Reads Writes
users id name pass Temporary Vulnerability Report sanitized? users[name] * XSS
PDS'
62 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.5 Second-Order Vulnerabilities
PDS Reads Writes
users id name pass Temporary Vulnerability Report users[name] * XSS
Second-Order Vulnerability Report XSS PDS'
63 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.6 Multi-Step Exploits
„First-Order“ SQL Injection:
1 $name = $_POST['name']; 2 $pwd = md5($_POST['pwd']); 3 $query = "INSERT INTO users VALUES('$name','$pwd')"; 4 $result = mysql_query($query);
!“*$()&/'\ send
user input database application
64 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.6 Multi-Step Exploits
Exploit „First-Order“ SQL Injection to taint database:
1 $name = $_POST['name']; // ', 'payload')-- - 2 $pwd = md5($_POST['pwd']); 3 $query = "INSERT INTO users VALUES('$name','$pwd')"; 4 $result = mysql_query($query);
send write
user input database application
65 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.6 Multi-Step Exploits
Data from tainted database used in sensitive sink: 1 $query = "SELECT * FROM users WHERE id = 1"; 2 $result = mysql_query($query); 3 $user = mysql_fetch_assoc($result); 4 file_put_contents($user['pwd'] . '.txt', $data);
request read
database application
66 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.6.1 Multi-Step Exploit – osCommerce 2.3.4
3. load
Inject JavaScript (pXSS) Admin triggers payload Remote Command Execution 1. trigger
id key value gid function 1 COUNTRY 223 6 get_country 2. modify 2 ZONE 18 6 get_zone 3 PAYMENT Paypal 6 4 DB_RESTORE id 6 system SQL Injection (INSERT) oscommerce.configuration
67 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.6.2 Multi-Step Exploit – OpenConf 5.30
/data/papers/
1. upload 4. include
273.pdf Remote Code Execution PDF File Upload 3. reconfigure OC_headerFile
2. escalate
Pre-auth SQLi Second-Order LFI
68 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
3.7 Exceptional Vulnerability Types
✗ Authorization Bypass ✔ File Inclusion ✔ PHP Object Injection ✗ Cross-Site Request Forgery ✔ File Overwrite ✔ Reflection/Autoload Injection ✔ Cross-Site Scripting ✔ File System Manipulation ✗ Resource Contention ✔ Code Execution ✔ File Upload ✔ Server-Side JavaScript Injection ✔ Command Execution ✔ HTTP Response Splitting ✔ Server-Side Request Forgery ✔ Connection String Injection ✔ Information Leakage ✔ Session Fixation ✔ Denial of Service ✔ LDAP Injection ✔ SQL Injection ✔ Directory Listing ✔ Log Forgery ✔ Variable Manipulation ✔ Execution After Redirect ✔ Mass Assignment ✗ Weak Cryptography ✔ File Delete ✔ Memcached Injection ✔ XML/XXE Injection ✔ File Disclosure ✔ Open Redirect ✔ XPath Injection
69 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
4. Open Challenges
✗ Authorization Bypass ✔ File Inclusion ✔ PHP Object Injection ✗ Cross-Site Request Forgery ✔ File Overwrite ✔ Reflection/Autoload Injection ✔ Cross-Site Scripting ✔ File System Manipulation ✗ Resource Contention ✔ Code Execution ✔ File Upload ✔ Server-Side JavaScript Injection ✔ Command Execution ✔ HTTP Response Splitting ✔ Server-Side Request Forgery ✔ Connection String Injection ✔ Information Leakage ✔ Session Fixation ✔ Denial of Service ✔ LDAP Injection ✔ SQL Injection ✔ Directory Listing ✔ Log Forgery ✔ Variable Manipulation ✔ Execution After Redirect ✔ Mass Assignment ✗ Weak Cryptography ✔ File Delete ✔ Memcached Injection ✔ XML/XXE Injection ✔ File Disclosure ✔ Open Redirect ✔ XPath Injection
70 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
4.1 Loops
1 function insert_query($table, $array) { 2 foreach($array as $key => value) { 3 $fields .= $key . ","; 4 $values .= "'" . $value . "',"; 5 } 6 ... 7 $this->write_query("INSERT INTO {$table} (" . $fields . ") 8 VALUES ('" . $values . "')"); 9 return $this->insert_id(); 10 } 11 12 $new_profile_field = array( 13 "name" => $db->escape_string($mybb->input['name']), 14 "description" => $db->escape_string($mybb->input['description']) 15 ); 16 $fid = $db->insert_query("profile", $new_profile_field);
71 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
4.1 Loops
1 function insert_query($table, $array) { 2 foreach($array as $key => value) { 3 $fields .= $key . ","; 4 $values .= "'" . $value . "',"; 5 } 6 ... 7 $this->write_query("INSERT INTO {$table} (" . $fields . ") 8 VALUES ('" . $values . "')"); 9 return $this->insert_id(); 10 } 11 12 $new_profile_field = array( 13 "name" => $db->escape_string($mybb->input['name']), 14 "description" => $db->escape_string($mybb->input['description']) 15 ); 16 $fid = $db->insert_query("profile", $new_profile_field);
72 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
4.1 Loops
1 function insert_query($table, $array) { 2 foreach($array as $key => value) { 3 $fields .= $key . ","; 4 $values .= "'" . $value . "',"; 5 } 6 ... 7 $this->write_query("INSERT INTO {$table} (" . $fields . ") 8 VALUES ('" . $values . "')"); 9 return $this->insert_id(); 10 } 11 12 $new_profile_field = array( 13 "name" => $db->escape_string($mybb->input['name']), 14 "description" => $db->escape_string($mybb->input['description']) 15 ); 16 $fid = $db->insert_query("profile", $new_profile_field);
73 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
4.1 Loops
1 function insert_query($table, $array) { 2 foreach($array as $key => value) { 3 $fields .= $key . ","; 4 $values .= "'" . $value . "',"; 5 } 6 ... 7 $this->write_query("INSERT INTO {$table} (" . $fields . ") 8 VALUES ('" . $values . "')"); 9 return $this->insert_id(); 10 } 11 12 $new_profile_field = array( 13 "name" => $db->escape_string($mybb->input['name']), 14 "description" => $db->escape_string($mybb->input['description']) 15 ); 16 $fid = $db->insert_query("profile", $new_profile_field);
INSERT INTO profile (name, description) VALUES ('$1', '$2')
74 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
4.2 Frameworks
● Hard to analyze components lead to false negatives
● Query builders $db->select('users')->where(array('id', $var));
● Template engines $template->assign('B', $var)
● Reflection logic in configuration file $controller();
● Partial solution: Framework-specific configuration
● Problem: high maintainance overhead
● Drupageddon
75 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
4.3 Path-sensitivity
● Infeasable paths lead to false positives
● Partial solution: satisfiability solvers (Z3-str, S3)
● Problem: Performance
1 ... 2 if(!is_numeric($_GET['id'])) { 3 $error = true; 4 } 5 6 if(!$error) { 7 echo $_GET['id']; 8 }
76 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
4.3 Path-sensitivity
● Infeasable paths lead to false positives
● Partial solution: satisfiability solvers (Z3-str, S3)
● Problem: Performance
1 $numeric = is_numeric($_GET['id']); 2 ... 3 if(!$numeric) { 4 $error = true; 5 } 6 7 if(!$error) { 8 echo $_GET['id']; 9 }
77 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
Questions? [email protected]
If you think you have a stupid question, just remember NASA engineers once asked Sally Ride if 100 tampons were enough for a 7 day mission.
78 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
References
● Simulation of Built-in PHP features for Precise Static Code Analysis Johannes Dahse, Thorsten Holz Annual Network & Distributed System Security Symposium (NDSS), San Diego, CA, USA, February 2014
● Static Detection of Second-Order Vulnerabilities in Web Applications Johannes Dahse, Thorsten Holz 23rd USENIX Security Symposium, San Diego, CA, USA, August 2014
● Code Reuse Attacks in PHP: Automated POP Chain Generation Johannes Dahse, Nikolai Krein, Thorsten Holz 21st ACM Conference on Computer and Communications Security (CCS), Scottsdale, AZ, USA, November 2014
79 1. Introduction Static Detection of Vulnerabilities 2. Static Code Analysis 3. Modern Vulnerabilities in Modern PHP Applications 4. Open Challenges
Join the RIPS project! (€ / CP)
80