0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.

Slides:



Advertisements
Similar presentations
Past, Present and Future
Advertisements

Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers Prateek Saxena UC Berkeley Mike Samuel Google Dawn Song UC Berkeley.
Introducing JavaScript
JavaScript and AJAX Jonathan Foss University of Warwick
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
The XSS Files Find, Exploit, and Eliminate. Josh Little Security Engineer at global vertical market business intelligence company. 9 years in application.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
The Web Warrior Guide to Web Design Technologies
Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.
An Evaluation of the Google Chrome Extension Security Architecture
Outline IS400: Development of Business Applications on the Internet Fall 2004 Instructor: Dr. Boris Jukic JavaScript: Introduction to Scripting.
Working with JavaScript. 2 Objectives Introducing JavaScript Inserting JavaScript into a Web Page File Writing Output to the Web Page Working with Variables.
DT211/3 Internet Application Development
Tutorial 10 Programming with JavaScript
DT228/3 Web Development JSP: Directives and Scripting elements.
Python and Web Programming
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)
CST JavaScript Validating Form Data with JavaScript.
Overview of JSP Technology. The need of JSP With servlets, it is easy to – Read form data – Read HTTP request headers – Set HTTP status codes and response.
M. Taimoor Khan * Java Server Pages (JSP) is a server-side programming technology that enables the creation of dynamic,
4.1 JavaScript Introduction
JavaScript: Control Structures September 27, 2005 Slides modified from Internet & World Wide Web: How to Program (3rd) edition. By Deitel, Deitel,
JavaScript & jQuery the missing manual Chapter 11
Prevent Cross-Site Scripting (XSS) attack
JavaScript, Fifth Edition Chapter 1 Introduction to JavaScript.
Chapter 5 Java Script And Forms JavaScript, Third Edition.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago.
Execution Environment for JavaScript " Java Script Window object represents the window in which the browser displays documents. " The Window object provides.
CNIT 133 Interactive Web Pags – JavaScript and AJAX JavaScript Environment.
Krishna Mohan Koyya Glarimy Technology Services
Client Scripting1 Internet Systems Design. Client Scripting2 n “A scripting language is a programming language that is used to manipulate, customize,
1 Accelerated Web Development Course JavaScript and Client side programming Day 2 Rich Roth On The Net
JAVA SERVER PAGES. 2 SERVLETS The purpose of a servlet is to create a Web page in response to a client request Servlets are written in Java, with a little.
1 JavaScript in Context. Server-Side Programming.
XP Tutorial 10New Perspectives on Creating Web Pages with HTML, XHTML, and XML 1 Working with JavaScript Creating a Programmable Web Page for North Pole.
Tutorial 10 Programming with JavaScript. XP Objectives Learn the history of JavaScript Create a script element Understand basic JavaScript syntax Write.
Tutorial 10 Programming with JavaScript
XP Tutorial 9 1 Working with XHTML. XP SGML 2 Standard Generalized Markup Language (SGML) A standard for specifying markup languages. Large, complex standard.
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 1 RubyJax Brent Morris/
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Web Development 101 Presented by John Valance
JSP BASICS AND ARCHITECTURE. Goals of JSP Simplify Creation of dynamic pages. Separate Dynamic and Static content.
1 JavaScript in Context. Server-Side Programming.
Trevor Jim Nikhil Swamy Michael Hicks Defeating Script Injection Attacks with Browser-Enforced Embedded Policies Jason FroehlichSeptember 24, 2008.
 Web pages originally static  Page is delivered exactly as stored on server  Same information displayed for all users, from all contexts  Dynamic.
Tutorial 10 Programming with JavaScript. 2New Perspectives on HTML, XHTML, and XML, Comprehensive, 3rd Edition Objectives Learn the history of JavaScript.
Java Programming: Advanced Topics 1 Building Web Applications Chapter 13.
Tutorial 10 Programming with JavaScript. 2New Perspectives on HTML, XHTML, and XML, Comprehensive, 3rd Edition Objectives Learn the history of JavaScript.
1 CSC160 Chapter 1: Introduction to JavaScript Chapter 2: Placing JavaScript in an HTML File.
JavaScript and Ajax (JavaScript Environment) Week 6 Web site:
XP Tutorial 10New Perspectives on HTML, XHTML, and DHTML, Comprehensive 1 Working with JavaScript Creating a Programmable Web Page for North Pole Novelties.
The OWASP Foundation OWASP XSS Remediation Cassia Martin Romain Gaucher April 7 th, 2011.
Introduction to.
An Introduction to Web Application Security
Unit M Programming Web Pages with
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Tutorial 10 Programming with JavaScript
Static Detection of Cross-Site Scripting Vulnerabilities
The Past, Present and Future of XSS Defense
4. Javascript Pemrograman Web I Program Studi Teknik Informatika
JavaScript an introduction.
PHP.
Tutorial 10 Programming with JavaScript
An Introduction to JavaScript
Exploring DOM-Based Cross Site Attacks
Web Application Development Using PHP
Presentation transcript:

0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels

1 Jim Manico Managing Partner, Infrared Security Managing Partner, Infrared Security Web Developer, 15+ Years Web Developer, 15+ Years OWASP Connections Committee Chair OWASP Connections Committee Chair OWASP ESAPI Project Manager OWASP ESAPI Project Manager OWASP Podcast Series Producer/Host OWASP Podcast Series Producer/Host Kauai/Hawaii Resident with wife Tracey Kauai/Hawaii Resident with wife Tracey

XSS Defense, Past Exploitable Defenses Input Validation Alone ◦ Sometimes applications needs to support < ' " & … and other “dangerous” characters ◦ Can be very difficult  File upload input  HTML inputs HTML Entity Encoding Alone ◦ Works well for untrusted data placed in HTML “normal” contexts ◦ Does not stop XSS in unquoted HTML attribute and other contexts

XSS Defense Today: Quite Challenging 1. All untrusted data must first be canonicalized Reduced to simplest form 2. All untrusted data must be validated Positive Regular Expression Rule Blacklist Validation 3. Untrusted data must be contextually sanitized/encoded - HTML Body - HTML Attribute - URI Resource Locator - Style Tag - Event handler - Within Script tag 3

Danger: Multiple Contexts HTML Body HTML Attributes Context URL Context 4 Copyright AppSec Training LLC Version: Browsers have multiple contexts that must be considered!

Danger: DOM Based XSS 1. Untrusted data should only be treated as displayable text. 2. Always JavaScript encode and delimit untrusted data as quoted strings 3. Use document.createElement(“…”), element.setAttribute(“…”,”value”), element.appendChild(…), etc. to build dynamic interfaces. Avoid use of HTML rendering methods. 4. Understand the dataflow of untrusted data through your JavaScript code. If you do have to use the methods above remember to HTML and then JavaScript encode the untrusted data 5. Make sure that any untrusted data passed to eval() methods is delimited with string delimiters and enclosed within a closure or JavaScript encoded to N-levels based on usage, and wrapped in a custom function. 6. Limit the usage of dynamic untrusted data to right side operations. And be aware of data which may be passed to the application which look like code (eg. location, eval()). 7. When URL encoding in DOM be aware of character set issues as the character set in JavaScript DOM is not clearly defined. 8. Limit access to properties objects when using object[x] accessors 9. Don’t eval() JSON to convert it to native JavaScript objects. Instead use JSON.toJSON() and JSON.parse()

(1) Auto-Escaping Template Technologies XHP from Facebook ◦ Makes PHP understand XML document fragments similar to what E4X does for ECMAScript Context-Sensitive Auto-Sanitization (CSAS) from Google ◦ Runs during the compilation stage of the Google Closure Templates to add proper sanitization and runtime checks to ensure the correct sanitization. Java XML Templates (JXT) from OWASP ◦ Fast and secure XHTML-compliant context-aware auto-encoding template language that runs on a model similar to JSP. 6 Copyright AppSec Training LLC

Context-aware Auto-escaping Tradeoffs Developers need to write highly compliant templates ◦ No “free and loose” coding like JSP ◦ Requires extra time, but increased quality These technologies often do not support complex contexts ◦ Some choose to let developers disable auto-escaping on a case-by-case basis (really bad decision) ◦ Some choose to encode wrong (bad decision) ◦ Some choose to reject the template (better decision)

(2) Javascript Sandboxing Capabilities JavaScript (CAJA) from Google ◦ Applies an advanced security concept, capabilities, to define a version of JavaScript that can be safer than the sandbox JSReg by Gareth Heyes ◦ Javascript sandbox which converts code using regular expressions ◦ The goal is to produce safe Javascript from a untrusted source ECMAScript 5 ◦ Object.seal( obj ) Object.isSealed( obj ) ◦ Sealing an object prevents other code from deleting, or changing the descriptors of, any of the object's properties 8 Copyright AppSec Training LLC

JSReg: Protecting JavaScript with JavaScript JavaScript re-writing ◦ Parses untrusted HTML and returns trusted HTML ◦ Utilizes the browser JS engine and regular expressions ◦ No third-party code First layer is an iframe used as a safe throw away box The entire JavaScript objects/properties list was whitelisted by forcing all methods to use suffix/prefix of “$” Each variable assignment was then localized using var to force local variables Each object was also checked to ensure it didn’t contain a window reference

Google CAJA: Subset of JavaScript Caja sanitizes JavaScript into Cajoled JavaScript Caja uses multiple sanitization techniques ◦ Caja uses STATIC ANALYSIS when it can ◦ Caja modifies JavaScript to include additional run-time checks for additional defense 10 Copyright AppSec Training LLC

CAJA workflow The web app loads the Caja runtime library, which is written in JavaScript All un-trusted scripts must be provided as Caja source code, to be statically verified and cajoled by the Caja sanitizer The sanitizer's output is either included directly in the containing web page or loaded by the Caja runtime engine

CAJA Compliant Applications A Caja-compliant JavaScript program is one which ◦ is statically accepted by the Caja sanitizer ◦ does not provoke Caja-induced failures when run cajoled Such a program should have the same semantics whether run cajoled or not 12 Copyright AppSec Training LLC

This Most of Caja’s complexity is needed to defend against JavaScript's rules regarding the binding of “this". JavaScript's rules for binding “this“ depends on whether a function is invoked ◦ by construction ◦ by method call ◦ by function call ◦ or by reflection If a function written to be called in one way is instead called in another way, its “this" might be rebound to a different object or even to the global environment. 13 Copyright AppSec Training LLC

(3) Browser Protections Content Security Policy ◦ JavaScript policy standard Reflective Defense XSS in Chrome IE 8 Cross-Site Scripting Filter ◦ Blacklist browser-based URL filters ◦ Early versions of IE8’s browser-based filter actually made XSS possible on sites that did not even have XSS vulns due to errors in MS’s filter 14 Copyright AppSec Training LLC

Awesomeness: Content Security Policy Externalize all JavaScript within web pages ◦ No inline script tag ◦ No inline JavaScript for onclick or other handling events ◦ Push all JavaScript to formal.js files using event binding Define the policy for your site and whitelist the allowed domains where the externalized JavaScript is located Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use Will take 3-5 years for wide adoption and support

16 THANK YOU! OWASP Brussels

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.