Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago

Presentation transcript:

BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers. Mike Ter Louw, V.N. Venkatakrishnan, University of Illinois at Chicago. IEEE Symposium on Security and Privacy, 2009.

Outline: Cross-site Scripting Overview; BLUEPRINT (Overview, Specifics, Experiment / Results, Contributions, Weakness / Improvement); References.

Trusted vs. Untrusted HTML

Cross-site Scripting (XSS): code injection into untrusted HTML that exploits client-side browser parsing. The attacker injects code into the untrusted section; an innocent user visits the web page; the client browser renders all content; the user encounters unintended content (the attack). Injected content is typically JavaScript, but can also be HTML, CSS, Java, Flash, etc. Two kinds: non-persistent (reflected) and persistent (stored).

XSS Example: http://www.cisco.com/en/US/docs/solutions/Verticals/PCI_Healthcare/PCI_AppD.html#wp1026905

XSS Example: http://www.zdnet.com/blog/security/facebook-vulnerable-to-critical-xss-could-lead-to-malware-attacks/1175

XSS Example: Many web applications also store user preferences in JavaScript variables directly…

XSS vulnerability found at these domains (www.xssed.com). Not yet fixed…

BLUEPRINT Goals: The W3C and browser development cycle is slow; a solution is needed now. The solution should be transparent to the user and support current browsers, with no plug-ins, etc. Retain the expressiveness of untrusted HTML. Do not rely on the browser to parse this data! Enable web apps to create a "blueprint" of untrusted web content that is free of XSS attacks, bridging the divide between application and browser.

HTML Interpretation Process

Document Object Model (DOM): http://www.wdvl.com/Authoring/DHTML/DOM/NS.html and http://www.codeguru.com/csharp/csharp/cs_misc/userinterface/article.php/c12267

BLUEPRINT Approach: Reduce the browser's influence over parsing of HTML, CSS, URIs and JavaScript. The server encodes chunks of untrusted content as models; the server API uses a whitelist to vet the models, and the data is encoded with syntactically inert characters. The encoded data is transmitted inside <code> nodes, so the browser ignores it, together with script calls to the model interpreter (_bp_).

BLUEPRINT API

Figure: HTML presented to the client (old) vs. the BLUEPRINT model encoded into the HTML presented to the client (new).

HTML Interpretation Process with the _bp_ script and encoded models. Figure: stages A, B, C, D, E. Normal path: A, B, C, D, E. Untrusted data: A, B', Q, P, E, R.

Reduce HTML Parser Influence: Models are encoded in a syntactically inert language, {a,…,z,A,…,Z,0,…,9,/,+,=}*. Each model is decoded by the model interpreter _bp_, linked from the <head> element, which uses the DOM API to create elements. The original rendering order is preserved: models are embedded near their original location and decoded synchronously as the page renders.
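To make the approach on the two preceding slides concrete, here is an added illustration (not the paper's code): the server vets an already parsed untrusted tree against a whitelist, encodes the model in the inert alphabet, and the client rebuilds it through DOM creation calls instead of handing the text to the HTML parser. The tag/attribute whitelist, the JSON + base64 encoding and the `document` stand-in are assumptions for the example, not BLUEPRINT's actual format.

```javascript
const ALLOWED_TAGS = new Set(["p", "b", "i", "a"]);           // assumed whitelist
const ALLOWED_ATTRS = { a: new Set(["href"]) };              // assumed whitelist
// Server side: vet an already parsed untrusted tree, keeping only whitelisted parts.
// Nodes are {tag, attrs, children}; plain strings are text nodes.
function vetModel(node) {
  if (typeof node === "string") return node;
  const tag = node.tag.toLowerCase();
  if (!ALLOWED_TAGS.has(tag)) return null;                   // <script> etc. dropped
  const attrs = {};
  for (const [k, v] of Object.entries(node.attrs || {})) {
    const key = k.toLowerCase();
    if (!(ALLOWED_ATTRS[tag] || new Set()).has(key)) continue;   // drops onerror etc.
    if (key === "href" && !/^https?:\/\//i.test(v)) continue;   // drops javascript: URIs
    attrs[key] = v;
  }
  const children = (node.children || []).map(vetModel).filter(c => c !== null);
  return { tag, attrs, children };
}
// Encode the model in the inert alphabet [A-Za-z0-9/+=]; JSON + base64 is assumed here.
const encodeModel = model => Buffer.from(JSON.stringify(model), "utf8").toString("base64");
// Client side (_bp_ analogue): decode and build nodes only through DOM creation
// calls, so the browser's HTML parser never sees the untrusted text.
function interpretModel(encoded, doc) {
  if (!/^[A-Za-z0-9+/=]*$/.test(encoded)) throw new Error("model is not inert");
  const build = n => {
    if (typeof n === "string") return doc.createTextNode(n);
    const el = doc.createElement(n.tag);
    for (const [k, v] of Object.entries(n.attrs)) el.setAttribute(k, v);
    n.children.forEach(c => el.appendChild(build(c)));
    return el;
  };
  return build(JSON.parse(Buffer.from(encoded, "base64").toString("utf8")));
}
// Constructed stand-in for `document`, so the example runs outside a browser.
const stubDoc = {
  createTextNode: t => ({ nodeValue: t }),
  createElement: tag => ({ tag, attrs: {}, children: [],
    setAttribute(k, v) { this.attrs[k] = v; },
    appendChild(c) { this.children.push(c); } }),
};
// Constructed untrusted input, as the server would have parsed it from user data.
const UNTRUSTED = { tag: "p", attrs: {}, children: [
  "Hi <b>there</b> ",
  { tag: "b", attrs: { onerror: "alert(1)" }, children: ["bold"] },
  { tag: "script", attrs: {}, children: ["alert(1)"] },
  { tag: "a", attrs: { href: "javascript:alert(1)" }, children: ["link"] },
] };
const demo = () => interpretModel(encodeModel(vetModel(UNTRUSTED)), stubDoc);
```

Note that the text child containing `<b>there</b>` survives as a text node: because it was never re-parsed, the angle brackets cannot become markup.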

BLUEPRINT Model Generator

Results

Contributions: The W3C / browser development cycle is slow; BLUEPRINT offers an effective XSS defense now. No plug-ins, browser changes or extensions are required, which empowers web developers and benefits users. Innovative thinking: web developers bypass browser parsing.

Weaknesses: All websites now have to update their code libraries to use BLUEPRINT… The HTML interpretation process may change, especially on embedded browsers. A large script (15.6kB) is downloaded / cached: how safe is this script, and is there one for each site? The client browser may have JavaScript disabled. Page size overhead results from the text encoding.