Fear the EAR: Discovering and mitigating execution after redirect vulnerabilities

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2011, Pages 251-261

  Doupé, Adam ^a   Boe, Bryce ^a   Kruegel, Christopher ^a   Vigna, Giovanni ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Execution after redirect; Static analysis; Web applications

Indexed keywords

CAPTURE THE FLAG; COMPREHENSIVE STUDIES; CROSS SITE SCRIPTING; EXECUTION AFTER REDIRECT; INFORMATION LEAKAGE; INPUT VALIDATION; OPEN-SOURCE; RUBY ON RAILS; SECURITY IMPLICATIONS; SECURITY VULNERABILITIES; SQL INJECTION; WEB APPLICATION; WEB APPLICATION VULNERABILITY;

ACCESS CONTROL; NETWORK SECURITY; STATIC ANALYSIS; USER INTERFACES;

WORLD WIDE WEB;

EID: 80755187811     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2046707.2046736     Document Type: Conference Paper

References (36)

1. ASP.NET MVC. http://www.asp.net/mvc.
2. BALDUZZI, M., EGELE, M., KIRDA, E., BALZAROTTI, D., AND KRUEGEL, C. A Solution for the Automated Detection of Clickjacking Attacks. In Proceedings of the A CM Symposium on Information, Computer and Communications Security (AsiaCCS) (Beijing, China, April 2010).
3. BALDUZZI, M., GIMENEZ, C, BALZAROTTI, D., AND KIRDA, E. Automated discovery of parameter pollution vulnerabilities in web applications. In Proceedings of the 18th Network and Distributed System Security Symposium (2011).
4. BALZAROTTI, D., COVA, M., FELMETSGER, V. V., AND VIGNA, G. Multi-module vulnerability analysis of web-based applications. In Proceedings of the 14th ACM conference on Computer and communications security (New York, NY, USA, 2007), CCS '07, ACM, pp. 25-35.
5. BARTH, A., JACKSON, C., AND MITCHELL, J. C. Robust defenses for cross-site request forgery. In Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS 2008) (2008).
6. BOE, B. UCSB's International Capture The Flag Competition 2010 Challenge 6: Fear The EAR. http://cs.ucsb.edu/~bboe/r/ictf10, December 2010.
7. BOE, B. Using StackOverflow's API to Find the Top Web Frameworks. http://cs.ucsb.edU/~bboe/r/top-web-frameworks, February 2011.
8. BOEHM, B. W. Software Engineering Economics, 1st ed. Prentice Hall PTR, Upper Saddle River, NJ, USA, 1981.
9. Include exit with a redirect call, http://replay.web.archive.org/ 20061011152124/ https://trac.cakephp.org/ticket/1076, August 2006.
10. docs should mention redirect does not "exit" a script. http://replay.web.archive.org/20061011180440/ https://trac.cakephp.org/ticket/ 1358, August 2006.
11. CAKE SOFTWARE FOUNDATION, INC. The CakePHP 1.3 Book. http://book.cakephp. org/view/982/redirect, 2011.
12. CARETTONI, L., AND DI PAOLA, S. HTTP Parameter Pollution. OWASP AppSec Europe 2009, May 2009.
13. CHAUDHURI, A., AND FOSTER, J. Symbolic security analysis of ruby-on-rails web applications. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS'10) (2010), ACM, pp. 585-594.
14. CHILDERS, N., BOE, B., CAVALLARO, L., CAVEDON, L., COVA, M., EGELE, M., AND VIGNA, G. Organizing large scale hacking competitions. In Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment (Berlin, Heidelberg, 2010), DIMVA'10, Springer-Verlag, pp. 132-152.
15. DJANGO SOFTWARE FOUNDATION. Django shortcut functions. http://docs.djangoproject.com/en/dev/topics/http/shortcuts/#django.shortcuts. redirect, 2011.
16. ELLISLAB, INC. Codelgniter User Guide Version 2.0.2. http://codeigniter. com/user-guide/helpers/url-helper.html, 2011.
17. FELMETSGER, V., CAVEDON, L., KRUEGEL, C., AND VIGNA, G. Toward Automated Detection of Logic Vulnerabilities in Web Applications. In Proceedings of the USENIX Security Symposium (Washington, DC, August 2010).
18. FURR, M., HOON (DAVID) AN, J., FOSTER, J. S., AND HICKS, M. The Ruby intermediate language. In Proceedings of the ACM SIGPLAN Dynamic Languages Symposium (DLS) (Oct. 2009).
19. GitHub. http://github.com.
20. Indictment in U.S. v. Albert Gonzalez. http://www.justice.gov/usao/ma/ news/IDTheft/Gonzalez,720Albert720-720Indictment720080508.pdf, August 2008.
21. HANSEN, R. Clickjacking. http://ha.ckers.org/blog/20080915/clickjacking/, September 2008.
22. HOFSTETTER, D. Don't forget to exit after a redirect. http://cakebaker.wordpress.com/2006/08/28/dont-forget-to-exit-after-a-redirect/, August 2006.
23. HOON AN, J., CHAUDHURI, A., AND FOSTER, J. Static typing for ruby on rails. In Proceedings of the 24th IEEE/ACM Conference on Automated Software Engineering (ASE'09) (2009), IEEE, pp. 590-594.
24. HUANG, Y.-W., YU, F., HANG, C, TSAI, C.-H., LEE, D.-T., AND KUO, S.-Y. Securing web application code by static analysis and runtime protection. In Proceedings of the 13th international conference on World Wide Web (New York, NY, USA, 2004), WWW '04, ACM, pp. 40-52. (Pubitemid 40752739)
25. JOVANOVIC, N., KRUEGEL, C, AND KIRDA, E. Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In IN 2006 IEEE SYMPOSIUM ON SECURITY AND PRIVACY (2006), pp. 258-263. (Pubitemid 44753727)
26. JOVANOVIC, N., KRUEGEL, C., AND KIRDA, E. Precise alias analysis for static detection of web application vulnerabilities. In Proceedings of the 2006 workshop on Programming languages and analysis for security (New York, NY, USA, 2006), PLAS '06, ACM, pp. 27-36. (Pubitemid 44059944)
27. KLEIN, A. Divide and conquer: HTTP response splitting, Web cache poisoning attacks, and related topics. http://www.packetstormsecurity.org/ papers/general/whitepaper/httpresponse.pdf, 2004.
28. LIVSHITS, V. B., AND LAM, M. S. Finding security vulnerabilities in Java applications with static analysis. In Proceedings of the 14th conference on USENIX Security Symposium - Volume 14 (Berkeley, CA, USA, 2005), USENIX Association, pp. 18-18.
29. OPEN WEB APPLICATION SECURITY PROJECT (OWASP). OWASP Top Ten Project. http://www.owasp.org/index.php/Top-10, 2010.
30. ORTIZ, C. Outcome of sentencing in U.S. v. Albert Gonzalez. http://www.justice.gov/usao/ma/news/IDTheft/09-CR-10382/ G0NZALEZ%20website%20info%205-11-10.pdf, March 2010.
31. R. FIELDING, J. GETTYS, J. M. H. F. L. M. P. L. T. B.-L. RFC 2616: Hypertext Transfer Protocol - HTTP/1.1 Header Field Definitions. http://www.w3.org/Protocols/rfc2616/rfc2616-secl4.html# secl4.30, June 1999.
32. R. FIELDING, J. GETTYS, J. M. H. F. L. M. P. L. T. B.-L. RFC 2616: Hypertext Transfer Protocol - HTTP/1.1 Status Code Definitions. http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html, June 1999.
33. REENSKAUG, T. Models - views - controllers. Tech. rep., Xerox Pare, 1979.
34. SPRINGSOURCE. Contollers - Redirects. http://www.grails.org/Controllers+- +Redirects, 2010.
35. WANG, R., CHEN, S., WANG, X., AND QADEER, S. How to shop for free online - security analysis of cashier-as-a-service based web stores. In Proceedings of the 32nd IEEE Symposium on Security and Privacy (Oakland, CA, May 2011), IEEE.
36. ZEND TECHNOLOGIES LTD. Zend Framework: Documentation: Action Helpers - Zend Framework Manual. http://framework.zend.com/manual/en/zend.controller. actionhelpers.html#zend.controller.actionhelpers.redirector, 2011.