Slide 1: FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications
Pongsin Poosankam ‡*, Prateek Saxena *, Steve Hanna *, Dawn Song *
‡ Carnegie Mellon University, * UC Berkeley
Slide 2: Client-side Validation (CSV) Vulnerabilities
A new class of input validation vulnerabilities
Analogous to server-side bugs
– Unsafe data usage in the client-side JS code
– Involves data flows
» Purely client-side: data never sent to the server
» Returned from the server, then used in client-side code
Slide 3: Rich Web Applications
Lots of JS code
Rich cross-domain interaction
(Figure: several applications, APP 1 to APP 4, interacting across domains)
Slide 4: Outline
CSV Vulnerability Examples
FLAX: Tool and Techniques
– Challenges & Key Idea
– Tool Architecture
– Design
Real Attacks and Evaluation Results
Related Work & Conclusion
Slide 5: Vulnerability Example (I): Origin Misattribution
Cross-domain communication
– Example: HTML5 postMessage
(Figure: postMessage from a sender to the receiver facebook.com. One message comes from cnn.com with Data: “Chatuser: Joe, Msg: Hi”; another comes from onlinepharmacy.com with Data: “Chatuser: Joe, Msg: onlinepharmacy.com”. The Origin field of each message is shown alongside its Data.)
Slide 6: Vulnerability Example (II): Code Injection
Code/data mixing
Dynamic code evaluation
– eval
– DOM methods
Eval also deserializes objects
– JSON
(Figure: the receiver at facebook.com runs eval(.. + event.data) on a message whose Data is “alert(‘0wned’);”)
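The receiver pattern of slides 5 and 6 beside a hardened one, as an added example that is not from the paper or from the applications it studied. The message handler is modelled as a plain function over an event-like object ({ origin, data }) so it runs outside a browser; receiveUnsafe, receiveHardened, TRUSTED_ORIGINS and the two constructed messages are assumptions.

```javascript
"use strict";
// Added example, not code from the FLAX paper or from any application it studied.
// A postMessage handler receives an event with a browser-supplied `origin` and the
// sender-chosen `data`. Names here are hypothetical; the messages are constructed.

// The pattern on slides 5 and 6: event.origin is never checked, and data is turned
// back into an object with eval, so any page that can post to this window runs
// code in it. eval "works" for JSON-looking data, which is why it is tempting.
function receiveUnsafe(event) {
  return eval("(" + event.data + ")");
}

// Hardened receiver: the origin is compared against an allowlist using event.origin
// (set by the browser, not anything inside the payload), the payload is parsed with
// JSON.parse (which evaluates no code), and the shape is validated before use.
const TRUSTED_ORIGINS = new Set(["https://facebook.com"]);
function receiveHardened(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: "untrusted origin: " + event.origin };
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return { ok: false, reason: "malformed message" };
  }
  if (typeof msg !== "object" || msg === null ||
      typeof msg.chatuser !== "string" || typeof msg.msg !== "string") {
    return { ok: false, reason: "unexpected message shape" };
  }
  return { ok: true, chatuser: msg.chatuser, msg: msg.msg };
}

// Constructed messages: a legitimate one, and one from another origin whose payload
// is an expression rather than data. The expression only computes a string, which
// JSON could not do, so observing "42" proves the payload was executed.
const legit = {
  origin: "https://facebook.com",
  data: JSON.stringify({ chatuser: "Joe", msg: "Hi" }),
};
const hostile = {
  origin: "https://onlinepharmacy.com",
  data: "{ chatuser: 'Joe', msg: String(6 * 7) }",
};
```

With the unsafe receiver the hostile message yields msg === "42" (the expression ran); the hardened receiver rejects it for its origin, and rejects the same payload even from a trusted origin because it is not JSON.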
Slide 7: Vulnerability Example (III): Application Command Injection
Application-specific commands
Example: Chat application
(Figure: the “Join this room” action in the application JavaScript builds a URL ending in “..=nba&cmd=addbuddy&user=evil” and passes it to XMLHttpReq.open(url); the injected command &cmd=addbuddy&user=evil reaches the application server.)
Slide 8: Vulnerability Example (IV): Cookie Sink Vulnerabilities
Cookies
– Store session ids, user’s history and preferences
– Have their own control format, using attributes
– Can be read/written in JavaScript
Attacks
– Session fixation
– History and preference data manipulation
– Cookie attribute manipulation and changes
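The two sinks of slides 7 and 8, each with a vulnerable writer beside a hardened one, as an added example that is not from the paper or any application it studied. The sink values are returned as strings rather than sent over XHR or written to document.cookie, so the code runs offline; the API URL, the preference names and the sample inputs are constructed.

```javascript
"use strict";
// Added example, not code from the FLAX paper or from any application it studied.
// Names and sample inputs are constructed.

const API = "https://chat.example/api";

// Slide 7: the room name is concatenated into the query string. A name containing
// "&cmd=" adds a command the server cannot distinguish from one the app built.
function joinUrlVulnerable(room) {
  return API + "?room=" + room + "&cmd=join";
}
// Hardened: every value is encoded, so '&', '=' and '#' stay inside the room value,
// and the command is fixed by the application rather than by the input.
function joinUrlHardened(room) {
  const q = new URLSearchParams({ cmd: "join", room: room });
  return API + "?" + q.toString();
}
// What the server sees: each parameter with all of its values (repeats included).
function serverView(url) {
  const out = {};
  for (const [k, v] of new URL(url).searchParams) {
    (out[k] = out[k] || []).push(v);
  }
  return out;
}

// Slide 8: a cookie string has its own attribute syntax (';' separates attributes),
// so untrusted data concatenated into document.cookie can set attributes, not just a value.
function prefCookieVulnerable(name, value) {
  return name + "=" + value + "; path=/";
}
// Hardened: the name must be one of the app's own preference names, the value is
// encoded so ';', ',' and whitespace never reach the attribute parser, and the
// security attributes are appended by the app. Returns null instead of a bad cookie.
const ALLOWED_PREFS = new Set(["theme", "lang"]);
function prefCookieHardened(name, value) {
  if (!ALLOWED_PREFS.has(name)) return null;
  return name + "=" + encodeURIComponent(value) + "; path=/; Secure; SameSite=Lax";
}
// How a cookie string splits into its name=value pair and attribute names.
function cookieAttributes(cookie) {
  const parts = cookie.split(";").map(s => s.trim());
  return {
    pair: parts[0],
    attributes: parts.slice(1).map(a => a.split("=")[0].toLowerCase()),
  };
}
```

serverView shows the difference directly: the vulnerable URL carries two cmd values and a user parameter the app never sent, while the hardened URL carries a single cmd=join and the whole hostile string as the room value. For the cookie, the vulnerable writer produces two path attributes (the injected /admin and the app's own), the hardened writer keeps the injected text inside the encoded value.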
Slide 9: Summary of Goals
Systematic discovery techniques
– FLAX: an automatic tool for discovery
– A new hybrid technique for JavaScript analysis
Evaluate prevalence in real code
– An empirical evaluation of real-world applications
– Find several unknown CSV vulnerabilities
Slide 10: Outline
CSV Vulnerabilities
FLAX: Tool and Techniques
– Challenges & Key Idea
– Tool Architecture
– Design
Real Attacks and Evaluation Results
Related Work & Conclusion
Slide 11: Problem Definition
Definition
– Unsafe usage of untrusted data in a critical sink
Systematic discovery of CSV vulnerabilities
Two sub-problems
– Exploring the program space
– Finding bugs in some explored functionality
Attacker model
– Web attacker (evil.com)
– User-as-an-attacker
Slide 12: Challenges
JavaScript complexity
– Highly dynamic language
– String-heavy: parsing ops. indistinguishable from validation checks
– Custom sanity routines are common
Hidden server-side logic
– Assumes no knowledge of the server
– Handles reflected flows: data flows to the server and back
End-to-end web application analysis
Slide 13: Key Insight
Taint-enhanced black-box fuzzing (TEBF)
– A simple idea
– Combines the benefits of taint-tracking & fuzzing
– Requires no source code annotations
– No false positives
FLAX: an end-to-end system
– Simplifies JS first
– Implements TEBF
– Handles reflected flow using approximate tainting
(Figure: chart with axes “False Positives” and “Efficiency of finding Bugs”, placing black-box fuzzing, purely dynamic taint-tracking, syntax-driven fuzzing and TEBF)
Slide 14: FLAX Tool Design
(Figure: pipeline. A JavaScript program and an initial input go through taint-tracking, producing an execution trace; from the trace an acceptor slice is cut from the source to the sink; the sink-aware fuzzer runs over the acceptor slice and answers “exploit?”)
Example acceptor slice (Crockford-style JSON shape check on the input):

    function acceptor(input) {
      // Accept only a JSON object of the shape {"k":v,"k":v}: strip escapes,
      // collapse every token to "]", drop opening brackets, compare the residue.
      const must_match = '{]:],]:]}';
      const re1 = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g;
      const re2 = /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g;
      const re3 = /(?:^|:|,)(?:\s*\[)+/g;
      // The slide cuts this replacement argument off; '@' is the value used in
      // Crockford's json2.js check, from which this slice is taken (assumption).
      const rep1 = input.replace(re1, '@');
      const rep2 = rep1.replace(re2, ']');
      const rep3 = rep2.replace(re3, '');
      if (rep3 == must_match) { return true; }
      return false;
    }

Figure annotations: the replace calls are the Transformation Operations; the final comparison is the Path Constraint.
Slide 15: FLAX Implementation
(Figure: JavaScript interpreter with a taint engine emits a JASIL execution trace, which feeds the acceptor slice generator. Example trace:)
    X = INPUT[4]
    Y = SubStr(X, 0, 4)
    Z = (Y == “http”)
    PC = IF (Z) THEN (T) ELSE (NEXT)
Slide 16: Simplifying JavaScript
JASIL: our intermediate language
– A simple type system
– Small set of operations
Enables string-centric, fine-grained taint tracking on JS
Slide 17: Simplifying JavaScript (II)
Benefits of JASIL simplification to taint-tracking
Example: taint semantics for replace are difficult!
    rep1 = INPUT.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, R
(Figure: the JASIL instructions emitted for this replace, shown as subString and @ operations from INPUT to OUTPUT; labels R, R, subString, @, INPUT, OUTPUT, “Emitted JASIL Instructions”)
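The pipeline of slides 13 to 17 in miniature, as an added example that is not the FLAX tool's code: character-level taint tracking (each character of a string remembers the source offset it came from, standing in for JASIL's fine-grained tracking) finds which source characters reach the XHR-URL sink, and a sink-aware fuzzer then mutates only those characters and reports a bug only when the sink concretely shows a command the benign run never sent. TStr, chatJoinVulnerable, chatJoinHardened, taintAtSink, sinkAwareFuzz, the payload list and the toy chat client are all hypothetical.

```javascript
"use strict";
// Added example, not the FLAX tool's own code. Names are hypothetical; the chat
// client is a constructed toy. Only the string operations it needs are modelled.

// A string whose characters remember their source offset (-1 = untainted).
class TStr {
  constructor(s, src) { this.s = s; this.src = src || Array(s.length).fill(-1); }
  static untrusted(s) { return new TStr(s, [...s].map((_, i) => i)); }
  concat(o) { return new TStr(this.s + o.s, this.src.concat(o.src)); }
  substring(a, b) { return new TStr(this.s.substring(a, b), this.src.slice(a, b)); }
  // Encoder taint rule: positional while the length is unchanged, otherwise the
  // whole output is conservatively attributed to the first tainted input character.
  encodeURIComponent() {
    const out = encodeURIComponent(this.s);
    const first = this.src.find(i => i >= 0);
    const src = out.length === this.s.length ? this.src
      : Array(out.length).fill(first === undefined ? -1 : first);
    return new TStr(out, src);
  }
  sourceOffsets() { return [...new Set(this.src.filter(i => i >= 0))].sort((a, b) => a - b); }
}

// Toy chat client: reads "room=<name>" from a message and builds the XHR URL. Its
// only check rejects whitespace, so '&' survives: the slide-7 bug class.
const API = "https://chat.example/api?cmd=join&room=";
function chatJoinVulnerable(input) {
  if (!input.s.startsWith("room=")) return null;   // parsing step
  const room = input.substring(5);
  if (/\s/.test(room.s)) return null;               // custom sanity check
  return new TStr(API).concat(room);                // XHR URL sink
}
// Hardened variant: the room name is URL-encoded before it reaches the sink.
function chatJoinHardened(input) {
  if (!input.s.startsWith("room=")) return null;
  const room = input.substring(5);
  if (/\s/.test(room.s)) return null;
  return new TStr(API).concat(room.encodeURIComponent());
}

// Step 1, taint tracking: run a benign input and record which source characters
// reach the sink. Pure taint tracking would raise an alarm for both clients here.
function taintAtSink(program, benign) {
  const sink = program(TStr.untrusted(benign));
  return sink ? { offsets: sink.sourceOffsets(), sinkValue: sink.s } : null;
}

// Step 2, sink-aware fuzzing. For an XHR-URL sink the question is whether the
// tainted region can smuggle a query parameter the benign run never sent.
const URL_SINK_PAYLOADS = ["&cmd=addbuddy&user=evil", "%26cmd=addbuddy", "#&cmd=addbuddy"];
function queryShape(url) {
  const p = new URL(url).searchParams;
  return { keys: new Set(p.keys()), cmd: p.getAll("cmd").join(",") };
}
function sinkAwareFuzz(program, benign) {
  const taint = taintAtSink(program, benign);
  if (!taint) return { flagged: false, reason: "no taint reaches the sink" };
  const { offsets, sinkValue } = taint;
  const base = queryShape(sinkValue);
  for (const payload of URL_SINK_PAYLOADS) {
    // Mutate only the source characters taint tracking proved reach the sink.
    const mutated = benign.slice(0, offsets[0]) + payload +
      benign.slice(offsets[offsets.length - 1] + 1);
    const sink = program(TStr.untrusted(mutated));
    if (!sink) continue;                            // rejected by the acceptor
    const got = queryShape(sink.s);
    const newKey = [...got.keys].some(k => !base.keys.has(k));
    if (newKey || got.cmd !== base.cmd) {           // concrete evidence at the sink
      return { flagged: true, input: mutated, url: sink.s };
    }
  }
  return { flagged: false, reason: "taint reaches the sink but no candidate changed the command" };
}
```

Both clients let the same three source characters reach the sink, so taint tracking alone cannot separate them; the fuzzing step reports the vulnerable client with a concrete input and stays silent on the hardened one, which is the false-positive reduction of slide 23 at toy scale.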
Slide 18: Outline
CSV Vulnerabilities
FLAX: Tool and Techniques
– Challenges & Key Idea
– Tool Architecture
– Design
Attacks and Evaluation Results
Related Work & Conclusion
Slide 19: Evaluation
40 subjects
– iGoogle gadgets
– AJAX applications and web sites
Setup
– Untrusted sources
» All cross-domain channels
» Text boxes
– Critical sinks
» Code evaluation constructs
» XHR url data
» Cookies
Slide 20: Results (I)
Summary
– Taint observed in 18 / 40 subjects
– FLAX found 11 previously unknown vulnerabilities
Examples
– Origin misattribution leading to XSS in Facebook Connect
– Gadget overwriting attacks on Google/IG
– Application command injection on AjaxIM
– Code injection and cookie attribute manipulation via cookie sinks

    Vulnerability Type              Number of vulnerabilities
    Code Injection                  8
    Origin Misattribution           1
    Application Command Injection   1
    Cookie Sink                     1
    TOTAL FOUND BY FLAX             11
Slide 21: Example Attacks: Gadget Overwriting
(Figure: a compromised gadget with overwritten contents, shown under a legitimate URL bar)
Slide 22: Effectiveness
Character-level precise taint-tracking helps fuzzing
(Figure: reduction in input sizes)
Slide 23: Effectiveness (II)
(Figure: reduction in false positives, TEBF vs. pure taint-tracking)
Slide 24: Conclusion
A new class of vulnerabilities: CSV
– Example attacks
A systematic discovery tool: FLAX
– No annotations, no false positives
– Employs a simple TEBF technique
– Robust analysis using JASIL
CSV vulnerabilities are actually prevalent today
– Found 11 previously unknown vulns
– Demonstrated proof-of-concept exploits
Slide 25: Contact
Contact:
– Prateek Saxena
Please visit our project web site
–
THANKS FOR LISTENING