Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

Presentation transcript:

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks
Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen
Northwestern University, Evanston, IL; SRI International, Menlo Park, CA
NDSS Symposium
Presented by 曾毓傑, /05/14

Outline
- Introduction
- Design
- Implementation
- Evaluation
- Performance
- Discussion

INTRODUCTION

Self-Propagating XSS Attacks (Samy on MySpace)
(1) The user accesses Samy's page
(2) The worm gains access to the page DOM
(3) The worm sends a forged request to MySpace
(4) Malicious data is posted onto the user's wall
(5) Other users are affected ...

XSS Taxonomy
Server-side XSS attacks:
- Stored XSS (persistent)
- Reflected XSS (non-persistent)
Client-side XSS attacks:
- Plug-in XSS (e.g. Flash, Java)
- Content-sniffing XSS
- DOM-based XSS

Path Cutter
- Blocks the self-propagation step for all of these kinds of XSS attack
- Easy to implement on both the server side and a proxy server

Problem Definition
Exploitation of a web application vulnerability that enables an attacker to inject client-side scripts into web pages owned by other users.
Four steps of a self-propagating XSS attack:
Step 1: Enticement and exploitation
Step 2: Privilege escalation
Step 3: Replication
Step 4: Propagation

Related Work
- Spectator system: tracks propagation activity
- Sun et al.: Firefox plug-in
- Xu et al.: monitors the social graph

DESIGN

Main Mechanisms
- View separation
- Request authentication

Key Concepts
- View: a web page, or a part of a web page
- Action: an operation belonging to a view
- Access Control List (ACL): the actions a view is permitted to perform
- Capability: a secret key used to validate a request

Dividing Web Applications into Views
- Based on semantics (e.g. user A's blog website vs. user B's blog website)
- Based on URLs
- Based on elements (e.g. the blog post vs. the user comments)

View Separation
- Isolate the different pages/views served by the server from each other at the client side
- Takes advantage of the Same-Origin Policy to prevent DOM access and request forgery between views
(Figure: user B's blog post and user A's login rendered as separate views.)

Request Authentication
Authenticate actions using:
- Secret tokens / capabilities: each view carries a secret token that cannot be guessed from another view, and the server verifies the token before accepting the request
- Referer-based view validation: check the access control list (ACL) to see whether the action is permitted from the view named in the Referer header
(Figure: a POST from user B's blog post carrying a Referer header, and user A's login view.)
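Added example (not code from the paper or the presenter): a server-side request authenticator combining the two checks above, per-view capability tokens and a referer-based ACL. The view names, URL paths and ACL are constructed; the per-view token is derived with an HMAC over the session and view name, which is an assumption about how the capability is generated.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed ACL: the actions each view is permitted to perform.
ACL = {
    "comment_form": {"comments/add"},
    "blogpost": {"posts/read"},
}

# Constructed example of URL-based view separation: path -> view name.
VIEW_BY_PATH = {"/comments/form": "comment_form", "/blog/post": "blogpost"}

# Server-side secret from which per-view capability tokens are derived (constructed).
SERVER_SECRET = secrets.token_bytes(32)


def issue_capability(view: str, session_id: str) -> str:
    """Token embedded in a view when it is rendered. Views live in separate
    origins, so script injected into one view cannot read another view's token."""
    msg = f"{session_id}:{view}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def view_from_referer(referer: str) -> Optional[str]:
    """Referer-based view validation: map the browser-supplied Referer to a view."""
    return VIEW_BY_PATH.get(urlsplit(referer).path)


def authorize(action: str, referer: str, token: Optional[str],
              session_id: str) -> Tuple[bool, str]:
    """Both checks must pass: the Referer view must be allowed to perform the
    action (ACL), and the request must carry that view's capability token."""
    view = view_from_referer(referer)
    if view is None:
        return False, "unknown view"
    if action not in ACL.get(view, set()):
        return False, f"view {view!r} may not perform {action!r}"
    expected = issue_capability(view, session_id)
    if token is None or not hmac.compare_digest(expected, token):
        return False, "missing or invalid capability token"
    return True, "ok"
```

A forged request issued from the blog-post view (the Samy pattern) fails the ACL check, and a request that reaches the right view without its token (the Yamanner pattern) fails the capability check.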

IMPLEMENTATION

Server-side Implementation
WordPress (open-source blog system):
- 43 lines of code modified in total
- Views separated by URL
Elgg (open-source social network engine):
- 2 lines of code modified plus a 23-line plug-in
- The comment-add form is isolated into a separate view:

echo "<iframe style='background:inherit;border:0;margin:0;padding:0' sandbox='allow-forms' scrolling='no' height='400pt' width='100%' src=' array('body' => $form_body, 'action' => "{$vars['url']}action/comments/add")))."'/>";

Proxy Implementation
Facebook: separate user comments into views, and use a different URL to fetch the comment contents.
Flow between the browser, the proxy and Facebook:
(1) Request content.x.com
(2) Redirect to isolate.x.com
(3) Request isolate.x.com
(4) Return isolate.x.com contents
(5) Request content.x.com/?token=***
(6), (7): not labelled on the slide

Proxy Implementation (cont.)
- User comment separation using an echo server for the user comment ...
- Proxy content modification ... each comment is replaced by:
<iframe scrolling="no" height="100%" sandbox src="
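Added example (not the authors' proxy code): the content-modification step, rewriting each user comment on the main origin into a sandboxed iframe whose source is served from a separate isolate host. The page fragment, the comment markup and the host name isolate.x.com are constructed; the example assumes comments are flat div elements that do not nest.

```python
import html
import re
from typing import Dict, Tuple

# Constructed page fragment from the main origin; comment 8 carries injected markup.
PAGE = (
    '<div id="wall">'
    '<div class="comment" data-id="7">Nice post!</div>'
    '<div class="comment" data-id="8">hi <img src=x onerror="alert(1)"></div>'
    '</div>'
)

ISOLATE_HOST = "isolate.x.com"  # assumed separate origin for the isolated views
COMMENT_RE = re.compile(r'<div class="comment" data-id="(\d+)">(.*?)</div>', re.S)


def rewrite(page: str) -> Tuple[str, Dict[str, str]]:
    """Return the rewritten page and the {comment id: body} map that the
    echo server on the isolate host serves for each per-comment URL."""
    isolated: Dict[str, str] = {}

    def repl(m: "re.Match[str]") -> str:
        cid, body = m.group(1), m.group(2)
        isolated[cid] = body
        src = html.escape(f"https://{ISOLATE_HOST}/comment?id={cid}")
        # A bare 'sandbox' attribute: no script execution, no form submission,
        # and an opaque origin, so the comment cannot touch the main page DOM
        # or issue requests that carry the main view's privileges.
        return f'<iframe scrolling="no" height="100%" sandbox src="{src}"></iframe>'

    return COMMENT_RE.sub(repl, page), isolated


def main_origin_has_injected_markup(page: str) -> bool:
    """Check used to confirm that no comment body remains in the main origin."""
    return "onerror" in page
```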

EVALUATION

Case 1: Boonana Worm
Java applet worm released in October 2010.
Propagation steps:
1. Visit a profile carrying a malicious Java applet
2. Escalate privilege and inject JavaScript into the page on the client side using a Java vulnerability
3. Post itself on the visitor's wall
Path Cutter: the Java applet can only gain privilege on the isolated page.

Case 2: Renren Worm
Flash-based worm that spread on the Renren social network in 2009.
Propagation steps:
1. Visit a profile carrying a malicious Flash object
2. Escalate privilege and inject JavaScript into the page on the client side using a Flash vulnerability
3. Replicate itself on the visitor's wall
Path Cutter: the sharing request is blocked by view isolation.

Case 3: MySpace Samy Worm
The first XSS worm on MySpace, in 2005.
Propagation steps:
1. Visit a profile with malicious code in the style attribute of an HTML tag
2. Use XMLHttpRequest to obtain a secret token
3. Post itself on the visitor's profile using the secret token
Path Cutter: view isolation makes the token-fetching XMLHttpRequest inaccessible to the worm.

Case 4: SpaceFlash Worm
Flash-based worm on MySpace in 2006.
Propagation steps:
1. Visit an "About Me" page carrying a malicious Flash object
2. Access the user's profile to gain privilege
3. Send an AJAX request to post itself on the visitor's "About Me" page
Path Cutter: the post request is blocked because its Referer is not the "About Me" page.

Case 5: Yamanner Worm
JavaScript worm that spread in Yahoo! Mail in 2006.
Propagation steps:
1. The victim opens a malicious message, and its JavaScript executes due to a bug in Yahoo!'s script filter
2. The worm opens the victim's address book and sends itself to everyone listed in it
Path Cutter: the send request is denied because it carries no secret token.

Experimental Worms
- Proof-of-concept worm: implementation of a worm template, applied to WordPress and Elgg
Worm template excerpt:
check_infected(); // check if the user is infected or not
xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", post_url, true);
xmlhttp.onreadystatechange = function() {
  if (xmlhttp.readyState == 4) { set_infected(); }
};
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xmlhttp.setRequestHeader("Content-length", payload.length);
xmlhttp.send(payload);

function xhr() { ... }
Object.prototype.post = function(uri, arg) {
  /*** usage: xhr().post('foo.php'); ***/
  this.open('POST', uri, true);
  this.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
  ...
  this.send(arg);
};
/*** source morphing component ***/
Object.prototype.morph = function(s) {
  ...
  switch (morphtype) {
    case "unicode": ...
    case "charcodes": ...
  }
}

PERFORMANCE

Memory Overhead
iframe tags introduce memory overhead:
- < 10 frames → < 10% memory overhead
- ~45 frames → ~30% memory overhead

Rendering Time Overhead
Measured by observing the onload event of the web page.
Elgg implementation: 1.14 secs → 1.18 secs (3.5%)

DISCUSSION

Limitations
- Cookie and content stealing attacks
- Phishing and clickjacking attacks
- Drive-by download worms

Conclusion
Path Cutter implements view separation and HTTP request authentication to sever the self-propagation path of XSS attacks.