ScriptGard: Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications. Prateek Saxena (UC Berkeley), David Molnar (Microsoft Research).

Presentation transcript:

Slide 1: ScriptGard: Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications
Prateek Saxena (UC Berkeley), David Molnar (Microsoft Research), Ben Livshits (Microsoft Research)

Slide 2: Large-Scale Legacy Applications
Step-up in scale:
– Half a million LOC
– Shared development by teams of 100+
What's the difference?
– Shifting platforms isn't practical
– Long program paths, many sanitizers applied
How to secure legacy apps?

Slide 3: XSS in Large-Scale Applications
Small-scale apps: buggy sanitizer, missing sanitization
– [Pixy'06, PhpTaint'06, Cqual'04, Merlin'09, Securifly'05, PhpAspis'11, Saner'08, Bek'11]
Large-scale applications: new sanitization errors
– [CCS'11] ScriptGard
Example (pseudocode from the slide):
  String Img.RenderControl() { Write(userimg); }
becomes
  String Img.RenderControl() { Write(Sanitize(userimg)); }

Slide 4: Contributions
Does sanitization defense fail in practice?
– 7 commercial applications, 400 KLOC
– 2 new classes of errors in sanitizer use: how often and why
ScriptGard: automated sanitizer-use analysis
– Works on legacy .NET code with minimal specs
– Produces concrete test cases
– Can auto-correct sanitization during deployment

Slide 5: Error #1: Context-Mismatched Sanitization (CMS)
Example page: the text "Diapers" sits in an HTML tag context; var name='Stewie'; sits in a JS string context.
Available sanitizers: HtmlEncode, JSStringEncode. Which sanitizer to apply where?
Attack input: \r\n; alert(document.cookie);
1,207 (4.7%) are CMS errors!

Slide 6: Why Does Context-Mismatch Happen?
(Diagram: a sanitizer applied on one path; the output sink is reached from several paths.)
Context is a global, path-sensitive property, but developers select sanitizers locally.

Slide 7: Error #2: Inconsistent Multiple Sanitization (IMS)
(Diagram: attack input passes through San 1 then San 2 on one path, and San 2 then San 1 on another, before reaching the output sink.)
Safe? Does the order matter?

Slide 8: Inconsistent Multiple Sanitization (IMS): Does It Really Happen?
Attack input passes through HtmlEncode and JSStringEncode, in different orders on different paths.
285 (8%) of multiple sanitizations are errors!

Slide 9: Why Does IMS Happen?
Server-side output (a script that writes HTML containing a user-controlled link):
  document.write('<a href="userlink">');

Slide 10: Why Does IMS Happen: Nested Contexts
  document.write('<a href="userlink">');
userlink sits in a JS string context and, inside it, in a URL attribute context.
The browser decodes in parser order: JS parser first, then HTML parser.
– JS Unicode decode: \u0022 → "
– HTML-entity decode: &quot; → "

Slide 11: Why Does IMS Happen: Nested Contexts
Decoding order: JS Unicode decode, then HTML-entity decode.
– Correct sanitizer order: \u0026quot; → &quot; → "
– Wrong sanitizer order: \u0022 → " → " (the quote reaches the URL attribute unencoded)
Nested contexts cause developer confusion!
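The two error classes on slides 5 and 9 to 11 can be reproduced with a small model of what the slides describe. The following is an added example, not code from the ScriptGard slides or the authors' tool: html_encode, js_string_encode, js_string_decode, js_literal_intact, render_nested and parse_href are simplified models written for this example, not the .NET sanitizers or a browser parser. It shows the CMS case (HtmlEncode applied in a JS string context leaves the slide's \r\n attack input untouched, JSStringEncode does not) and the IMS case (for document.write('<a href="userlink">') the sanitizer order matters, because the browser decodes JS-first, then HTML, so the inner context's sanitizer must be applied first).

```python
"""
Added example, not from the ScriptGard slides: a toy model of the two
decoders the slides describe (the JS string-literal decoder and the HTML
entity decoder) and of the two sanitizers HtmlEncode and JSStringEncode.
All functions are simplified models written for this example; they are
not the .NET sanitizers or a browser parser.
"""
import html
import re

JS_SPECIAL = set("'\"&\n\r()<>\\")   # characters the slide's JSStringEncode encodes


def html_encode(s: str) -> str:
    """Model of HtmlEncode: entity-encode HTML metacharacters only."""
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&#39;"))


def js_string_encode(s: str) -> str:
    """Model of JSStringEncode: \\u00XX-encode the characters in JS_SPECIAL."""
    return "".join(f"\\u{ord(c):04x}" if c in JS_SPECIAL else c for c in s)


def js_string_decode(literal: str) -> str:
    """What the JS parser does with a string literal: resolve \\uXXXX escapes."""
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), literal)


def js_literal_intact(content: str, quote: str = "'") -> bool:
    """CMS check: would var name=<quote>content<quote>; still parse as one
    string literal?  Backslash escapes are skipped, the quote character ends
    the literal early, and a raw line terminator is a syntax error."""
    i = 0
    while i < len(content):
        c = content[i]
        if c == "\\":
            i += 6 if content[i + 1:i + 2] == "u" else 2
            continue
        if c == quote or c in "\r\n":
            return False
        i += 1
    return True


def render_nested(userlink: str) -> str:
    """Server-side output from the slide: HTML with a quoted href, written
    from inside a JS string literal (JS string context around URL attribute)."""
    return "document.write('<a href=\"" + userlink + "\">');"


def parse_href(server_output: str) -> tuple:
    """Browser model for the nested context, in parser order: the JS parser
    decodes the string literal first, then the HTML parser (on document.write)
    reads the tag and entity-decodes the attribute value.  Returns the decoded
    href value and whatever the HTML parser sees after the attribute's closing
    quote (non-empty means the user data closed the attribute early)."""
    literal = re.fullmatch(r"document\.write\('(.*)'\);", server_output, re.S).group(1)
    written = js_string_decode(literal)                          # step 1: JS parser
    m = re.fullmatch(r'<a href="([^"]*)"(.*)>', written, re.S)   # step 2: HTML parser
    return html.unescape(m.group(1)), m.group(2)


if __name__ == "__main__":
    # CMS: the slide's attack input placed into var name='...' after each sanitizer.
    attack = "\r\n; alert(document.cookie);"
    print("HtmlEncode keeps the JS literal intact:", js_literal_intact(html_encode(attack)))
    print("JSStringEncode keeps the JS literal intact:", js_literal_intact(js_string_encode(attack)))
    # IMS: the slide's single quote-character input through both sanitizer orders.
    correct = js_string_encode(html_encode('"'))   # inner context first: \u0026quot;
    wrong = html_encode(js_string_encode('"'))     # outer context first: \u0022
    print("correct order:", correct, "->", parse_href(render_nested(correct)))
    print("wrong order:  ", wrong, "->", parse_href(render_nested(wrong)))
```

The design point is the one the slides make: sanitizers must be applied in the reverse of the browser's decoding order, innermost context first, and the check for a mismatched sanitizer has to be made against the context the data actually lands in, not against the sanitizer's own output alphabet.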

Slide 12: How Common Are Nested Contexts?
Nesting depth: up to 4.

Slide 13: Take-Aways…
Small-scale apps: buggy sanitizer, missing sanitization
– [Pixy'06, PhpTaint'06, Cqual'04, Merlin'09, Securifly'05, PhpAspis'11, Saner'08, Bek'11]
Large-scale applications: shared paths lead to CMS and IMS
– Developers apply correct sanitizers wrongly

Slide 14: How Do We Find Sanitization Errors in Legacy Applications at Scale?

Slide 15: ScriptGard Analysis
(Diagram) Inputs: legacy .NET application, sanitizer specification, HTTP requests.
ScriptGard instruments the server-side DLLs and outputs inconsistently sanitized test cases.

Slide 16: ScriptGard Analysis: Key Ideas
– Path-sensitive positive taint-tracking (paths 1 to 4 through the application)
– Determine contexts using a browser model

Slide 17: ScriptGard Analysis: Key Ideas
Path | Sanitizer sequence | Trusted?
1 | HtmlAttributeEncode, JSStringEncode | +
2 | HtmlEncode, JSStringEncode | - (CMS)
3 | HtmlAttributeEncode | +
4 | JSStringEncode, HtmlEncode | - (IMS)
Path-sensitive positive taint-tracking; determine contexts.

Slide 18: Precise Context Determination: Browser Parser Model
(Diagram of the browser parser state machine and its terminal contexts.)

Slide 19: How Can We Correct Sanitization Errors Automatically?

Slide 20: ScriptGard: Can We Auto-Patch Sanitization Errors?
The bad news: large slowdown.
Observation: less than 10% of paths are problematic.
Can we detect when a problematic path is executed? Yes!
– Preferential path profiling [POPL'06]
– Negligible overhead

Slide 21: ScriptGard Auto-Correction
Pre-release analysis: ScriptGard produces a sanitization cache and a sanitizer patch.
Deployment: preferential path profiler, server code with light-weight instrumentation, sanitizer patch applied.

Slide 22: Conclusions
– 2 new patterns of errors in sanitizer use
– ScriptGard: effective analysis tool; auto-correction with negligible overhead

Slide 23: You have been a wonderful audience …you stayed… Prateek Saxena

Slide 24 (backup): Sanitizer Correction is Challenging
(Diagram: HtmlEncode applied before the output sink.)
Can we just replace HtmlEncode with another sanitizer? Contexts vary by the path executed.

Slide 25: Context Determination: An Abstract Browser Model
(Diagram: HTML, URI, JavaScript and CSS sub-parsers with transitions between them, e.g. document.write from JavaScript back into HTML, javascript: from URI into JavaScript, and calls such as alert() within JavaScript.)

Slide 26: Browser Contexts
  String Img.RenderControl() { Write("<img src='"); Write(userimg); Write("'> "); }
Rendered output: <img src='Sunset.gif'>
Parsing "context" as the browser reads it: Start (expect <) → Img tag → Src attribute → Attribute value (expect URL) → expect ' (end of value)

Slide 27: In a Scripting Attack…
  String Img.RenderControl() { Write("<img src='"); Write(userimg); Write("'> "); }
Parsing context: Start (expect <) → Img tag → Src attribute → Attribute value (expect URL).
With userimg = ' onerror=alert("XSS"):… the malicious string closes the enclosing parsing context (the quoted src attribute value).
With userimg = javascript: alert("XSS"); the malicious string introduces a new parsing context (JS URL context).

Slide 28: Sanitizers & Contexts
Example page: "Diapers" (HTML content) and var name='Stewie'; (JS string literal).
Context → Sanitizer:
– Quoted resource attribute: HTML-entity encode quotes (&quot; for "), neuter javascript: URIs
– CSS attribute: prevent moz-binding and behavior: URLs
– HTML content: convert <, >, &, ", ' to HTML entities
– JS string literal: encode ', ", &, \n, \r, (, ), <, >, \ to Unicode encoding \u00XX
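Slides 25 to 28 describe the context-determination step: replay what the server writes through a model of the browser's parsers and read off the parsing context at the point where untrusted data is inserted, then pick the sanitizer for that context. The following is an added example, not code from the ScriptGard slides or the authors' tool: a deliberately small HTML/attribute/script state machine (ParserState, feed, context_of, contexts_for, the UNTRUSTED marker and the context names are this example's own, not the paper's browser model), with the slide's sanitizer table keyed by the contexts the model reports. It generalizes the slide's single <img src='…'> case to HTML content, quoted and unquoted attributes, style attributes and script blocks.

```python
"""
Added example, not from the ScriptGard slides: a toy "Determine Contexts"
step.  It replays the fragments a server control Write()s, with a marker
where untrusted data is inserted, through a small state machine and maps
the parsing context at each marker to the sanitizer row from the slide's
table.  The parser is a small model, not a browser; the context names are
this example's own.
"""
from dataclasses import dataclass

UNTRUSTED = object()  # marker: "user data is written here"
URI_ATTRS = {"src", "href", "action", "formaction"}

# Sanitizer rows from the slide's table, keyed by the context this model reports.
SANITIZER_FOR_CONTEXT = {
    "html_content": "HtmlEncode: convert <, >, &, \", ' to HTML entities",
    "quoted_uri_attribute": "HtmlAttributeEncode (&quot; for \") and neuter javascript: URIs",
    "quoted_attribute": "HtmlAttributeEncode",
    "css_attribute": "CSS encoder: prevent moz-binding and behavior: URLs",
    "js_string": "JSStringEncode: \\u00XX-encode ', \", &, \\n, \\r, (, ), <, >, \\",
    "js_code": "no encoder makes a raw JS code context safe; restructure the template",
    "js_event_attribute": "nested HTML-attribute/JS context, not modelled by this example",
}

@dataclass
class ParserState:
    mode: str = "data"      # data | tag_name | attr_name | attr_value | script
    tag: str = ""
    attr: str = ""
    quote: str = ""         # quote character of an open attribute value, if any
    unquoted: bool = False  # inside an unquoted attribute value
    js_quote: str = ""      # inside <script>: quote of an open string literal, if any

def _end_tag(st: ParserState) -> None:
    st.mode = "script" if st.tag == "script" else "data"

def feed(st: ParserState, text: str) -> None:
    """Advance the state machine over one trusted template fragment."""
    i = 0
    while i < len(text):
        c = text[i]
        if st.mode == "data":
            if c == "<":
                st.mode, st.tag = "tag_name", ""
        elif st.mode == "tag_name":
            if c.isalnum():
                st.tag += c.lower()
            elif c == ">":
                _end_tag(st)
            elif c.isspace():
                st.mode, st.attr = "attr_name", ""
        elif st.mode == "attr_name":
            if c == "=":
                st.mode, st.quote, st.unquoted = "attr_value", "", False
            elif c == ">":
                _end_tag(st)
            elif c.isspace():
                st.attr = ""
            else:
                st.attr += c.lower()
        elif st.mode == "attr_value":
            if st.quote:
                if c == st.quote:            # closing quote ends the value
                    st.mode, st.quote, st.attr = "attr_name", "", ""
            elif c in "'\"" and not st.unquoted:
                st.quote = c
            elif c == ">":
                _end_tag(st)
            elif c.isspace():
                st.mode, st.attr = "attr_name", ""
            else:
                st.unquoted = True
        elif st.mode == "script":
            if st.js_quote:
                if c == "\\":
                    i += 1                   # skip the escaped character
                elif c == st.js_quote:
                    st.js_quote = ""
            elif c in "'\"":
                st.js_quote = c
            elif text[i:].lower().startswith("</script"):
                st.mode, st.tag = "data", ""
                i += len("</script") - 1
        i += 1

def context_of(st: ParserState) -> str:
    """Name the parsing context the next output character lands in."""
    if st.mode == "script":
        return "js_string" if st.js_quote else "js_code"
    if st.mode == "attr_value":
        quoted = "quoted" if st.quote else "unquoted"
        if st.attr in URI_ATTRS:
            return f"{quoted}_uri_attribute"
        if st.attr == "style":
            return "css_attribute"
        if st.attr.startswith("on"):
            return "js_event_attribute"
        return f"{quoted}_attribute"
    return "html_content" if st.mode == "data" else "tag_or_attribute_name"

def contexts_for(fragments) -> list:
    """[(context, sanitizer)] for each UNTRUSTED marker, in output order."""
    st, found = ParserState(), []
    for frag in fragments:
        if frag is UNTRUSTED:
            ctx = context_of(st)
            found.append((ctx, SANITIZER_FOR_CONTEXT.get(ctx, "not in the slide's table")))
        else:
            feed(st, frag)
    return found
```

Usage mirrors the slide's Img.RenderControl(): contexts_for(["<img src='", UNTRUSTED, "'>"]) reports a quoted URI attribute, while contexts_for(["<script>var name='", UNTRUSTED, "';</script>"]) reports a JS string literal. The point the slides make is visible in the code: the context is a property of everything written before the insertion point, so it can only be known once the whole output path is replayed, which is why a sanitizer chosen locally at the Write() call can be the wrong one.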

Slide 29: Insight #1: Why does it happen… Nested Contexts
The browser model is intricate (diagram: HTML parser → JavaScript parser → HTML parser).

Slide 30: Challenges: How to Secure Against XSS?
Non-solutions:
– "Rewrite the application…"
– "Use favorite static auditing tool…"
– "Write interface specifications…"
(Code vs. specifications.)

Slide 31: Observation #2: The Browser Model Complexity
(Diagram of the browser parser state machine.) Can we expect developers to retain this model mentally?
