DOI: 10.1145/2046707.2046736
research-article

Fear the EAR: discovering and mitigating execution after redirect vulnerabilities

Published: 17 October 2011

Abstract

The complexity of modern web applications makes it difficult for developers to fully understand the security implications of their code. Attackers exploit the resulting security vulnerabilities to gain unauthorized access to the web application environment. Previous research into web application vulnerabilities has mostly focused on input validation flaws, such as cross-site scripting and SQL injection, while logic flaws have received comparably less attention. In this paper, we present a comprehensive study of a relatively unknown logic flaw in web applications, which we call Execution After Redirect, or EAR. A web application developer can introduce an EAR by calling a redirect method under the assumption that execution will halt. A vulnerability occurs when server-side execution continues after the developer's intended halting point, which can lead to broken or insufficient access controls and information leakage. We start with an analysis of how susceptible applications written in nine web frameworks are to EAR vulnerabilities. We then discuss the results from the EAR challenge contained within the 2010 International Capture the Flag Competition. We also present an open-source, white-box, static analysis tool to detect EARs in Ruby on Rails web applications. This tool found 3,944 EAR instances in 18,127 open-source applications. Finally, we describe an approach to prevent EARs in web frameworks.
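The flaw and its two remedies described in the abstract, as an added example in plain Ruby (not code from the paper or its tool): a stand-in for a Rails-style controller whose `redirect_to` returns normally, so a missing `return` lets the privileged action run; the `halting_redirect_to`/`dispatch` pair is an assumed framework-side mitigation, not the paper's exact design.

```ruby
# Added example (not from the paper): a stand-in for a Rails-style controller so
# the EAR pattern runs without Rails; redirect_to records a 302 and, like the
# real method, returns normally instead of halting the action.
class MiniController
  class RedirectHalt < StandardError; end  # used by the halting variant
  attr_reader :response
  def initialize(current_user, store)
    @current_user = current_user
    @store = store  # constructed in-memory "users table": { id => name }
    @response = { status: 200, location: nil }
  end

  def redirect_to(path)
    @response[:status] = 302
    @response[:location] = path
    true  # the calling action simply continues
  end

  # EAR: the author assumes the redirect halts non-admins. It does not, so
  # the delete still runs for them although the client only sees a 302.
  def destroy_user_ear(id)
    redirect_to("/login") unless @current_user[:admin]
    @store.delete(id)
  end

  # Fixed in application code: explicit `and return` after the redirect.
  def destroy_user_fixed(id)
    redirect_to("/login") and return unless @current_user[:admin]
    @store.delete(id)
  end

  # Framework-side mitigation (an assumption, not the paper's exact design):
  # the redirect raises and dispatch rescues, so a forgotten return is harmless.
  def halting_redirect_to(path)
    redirect_to(path)
    raise RedirectHalt
  end
  def destroy_user_halting(id)
    halting_redirect_to("/login") unless @current_user[:admin]
    @store.delete(id)
  end

  def dispatch(action, *args)
    send(action, *args)
    response
  rescue RedirectHalt
    response
  end
end
```

Dispatching `destroy_user_ear` as a non-admin returns a 302 to /login yet still removes the user from the store; the fixed and halting variants return the same 302 and leave the store intact.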

Published In

CCS '11: Proceedings of the 18th ACM conference on Computer and communications security
October 2011
742 pages
ISBN:9781450309486
DOI:10.1145/2046707
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. execution after redirect
  2. static analysis
  3. web applications

Conference

CCS'11
Acceptance Rates

CCS '11 Paper Acceptance Rate 60 of 429 submissions, 14%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
