1 Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Prateek Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology.

Slides:

Advertisements

Similar presentations

Nick Feamster CS 6262 Spring 2009

Advertisements

Mike Ter Louw V.N. Venkatakrishnan University of Illinois at Chicago

Appeared in 30 th IEEE Symposium on Security and Privacy, May Authors: Mike Ter Louw and V.N. Venkatakrishnan Dept. of Computer Science: University.

Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers Prateek Saxena UC Berkeley Mike Samuel Google Dawn Song UC Berkeley.

THE BROKEN WEB A Systematic Analysis of XSS Sanitization in Web Application Frameworks.

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

PathCutter: Severing the Self- Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao §, Vinod Yegneswaran †, Phillip Porras †, and.

1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications Pongsin Poosankam ‡* Prateek Saxena * Steve Hanna * Dawn.

An Evaluation of the Google Chrome Extension Security Architecture

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

Team Members: Brad Stancel,

Ben Livshits and Weidong Cui Microsoft Research Redmond, WA.

The Essence of Command Injection Attacks in Web Applications Zhendong Su and Gary Wassermann Present by Alon Kremer April 2011.

Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.

SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.

S CRIPT G ARD Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications Prateek Saxena UC Berkeley David Molnar Microsoft Research.

1 The World Wide Web Architectural Overview Static Web Documents Dynamic Web Documents HTTP – The HyperText Transfer Protocol Performance Enhancements.

Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

March Intensive: XSS Exploits

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

ITM352 Javascript and Dynamic Web Pages: Client Side Processing.

Web Programming Language Dr. Ken Cosh Week 1 (Introduction)

Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)

INTRODUCTION TO WEB DATABASE PROGRAMMING

Workshop 3 Web Application Security Li Weichao March

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Architecture Of ASP.NET. What is ASP?  Server-side scripting technology.  Files containing HTML and scripting code.  Access via HTTP requests.  Scripting.

Copyright © cs-tutorial.com. Introduction to Web Development In 1990 and 1991,Tim Berners-Lee created the World Wide Web at the European Laboratory for.

Prevent Cross-Site Scripting (XSS) attack

HTML Forms and Scripts. Session overview What are forms? Static vs dynamic Client-side scripts –JavaScript.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

CSCI 6962: Server-side Design and Programming Secure Web Programming.

Automatically Hardening Web Applications Using Precise Tainting Anh Nguyen-Tuong Salvatore Guarnieri Doug Greene Jeff Shirley David Evans University of.

BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago.

November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University

Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

AJAX Making Dynamic Web pages more Dynamic Jim Hendricks April 25th, 2006.

Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS.

XSS-GUARD : Precise Dynamic Prevention of Cross Site Scripting (XSS) Attacks Prithvi Bisht ( Joint work with : V.N. Venkatakrishnan.

Chapter 2. Core Defense Mechanisms. Fundamental security problem All user input is untrusted.

Srikar Nadipally. Outline Finding and Exploiting XSS Vulnerabilities Standard Reflected XSS Stored XSS DOM based XSS Prevention of XSS attack Reflect.

Cross-Site Attacks James Walden Northern Kentucky University.

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 1 RubyJax Brent Morris/

nd Joint Workshop between Security Research Labs in JAPAN and KOREA Marking Scheme for Semantic- aware Web Application Security HPC.

Cross Site Scripting and its Issues By Odion Oisamoje.

ASP (Active Server Pages) by Bülent & Resul. Presentation Outline Introduction What is an ASP file? How does ASP work? What can ASP do? Differences Between.

PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.

Client-side & Server-side Scripting ©Richard L. Goldman August 5, 2003 Requires PowerPoint 2002 or later for full functionality.

Presented By: Chandra Kollipara. Cross-Site Scripting: Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected.

Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.

Spectator: Detection and Containment of JavaScriptWorms

Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich MIT, Stanford University USENIX 09’ Nemesis: Preventing Authentication & Access Control Vulnerabilities.

 Previous lessons have focused on client-side scripts  Programs embedded in the page’s HTML code  Can also execute scripts on the server  Server-side.

Trevor Jim Nikhil Swamy Michael Hicks Defeating Script Injection Attacks with Browser-Enforced Embedded Policies Jason FroehlichSeptember 24, 2008.

 Web pages originally static  Page is delivered exactly as stored on server  Same information displayed for all users, from all contexts  Dynamic.

ACM Conference on Computer and Communications Security 2006 Puppetnet: Misusing web browsers as a distributed attack infrastructure Network Seminar Presenter:

© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment Omer Tripp Omri Weisman Salvatore Guarnieri IBM Software Group Sep 2011.

Towards Client Side HTML Security Policies Joel Weinberger, Adam Barth, Dawn Song.

What Is XSS ? ! Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to.

By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,

//liveVirtualacademy2011/ What’s New for ASP.NET 4.5 and Web Development in Visual Studio 11 Developer Preview Γιώργος Καπνιάς MVP, MCT, MCDP, MCDBA, MCTS,

Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.

Group 18: Chris Hood Brett Poche

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

Static Detection of Cross-Site Scripting Vulnerabilities

Marking Scheme for Semantic-aware Web Application Security

BrowserShield: Vulnerability-Driven Filtering of Dynamic HTML

Exploring DOM-Based Cross Site Attacks

Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago

Presentation transcript:

1 Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Prateek Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology Dawn Song UC Berkeley

2 A Cross-Site Scripting Attack Hi Joe, Hi Joe, Cookies, Password Policy: ALLOW {a, img, }

3 Limitations of Server-side Sanitization Hi Joe, Cookies, Password Policy: ALLOW {a, img, }

4 Limitations of Server-side Sanitization Hi Joe, Cookies, Password Over 90 ways to inject JS [RSnake07] Multiple Languages »JS, Flash, CSS, XUL, VBScript

5 A Different Approach… Previous defenses: XSS is a sanitization problem Our view: XSS is a document structure integrity problem IMG javascript: SRC IMG String SRC

6 Concept of Document Structure id Joe; online div STATIC DOCUMENT STRUCTURE document.write() id Joe; online div DYNAMIC DOCUMENT STRUCTURE DOCUMENT STRUCTURE JAVASCRIPT

7 Document Structure Integrity (DSI) Definition: –Given a server’s policy P, –Restrict untrusted content to allowable syntactic elements –Policy in terms of client-side languages Central idea for DSI enforcement –Dynamic information flow tracking (server & browser) –Policy based parser-level confinement Default policy: Only leaf nodes untrusted

8 Talk Outline Power of DSI Defense: Examples Design Goals Architecture Implementation Evaluation Conclusion & Related Work

9 Talk Outline Power of DSI Defense: Examples Design Goals Architecture Implementation Evaluation Conclusion & Related Work

10 DSI Defense: A Powerful Approach DSI enforcement prevents –Not just cookie-theft »Form injection for phishing [Netcraft08] »Profile Worms [Samy05, Yammaner06] »Web site defacement through XSS –“DOM-Based” XSS (Attacks on client-side languages) –Vulnerabilities due to browser-server inconsistency

11 DOM-based client-side XSS [Klein05] JAVASCRIPT Joe online + DYNAMIC UPDATE Example 1: DOM-Based XSS id Joe; online div

12 Example 1: DOM-Based XSS DOM-based client-side XSS [Klein05].. ”> JAVASCRIPT.. ”>

13 Example 1: DOM-Based XSS DOM-based client-side XSS [Klein05].. ”> JAVASCRIPT DYNAMIC UPDATE.. ”> script “Devil” “..”

14 Browser-Server Inconsistency Bugs Assumed Parse Tree IMG ONLOAD alert (1) IMG onload:=alert(1) Example 2: Inconsistency Bugs

15 Talk Outline Defense in Depth: Examples Design Goals Architecture Implementation Evaluation Conclusion & Related Work

16 Design Goals Clear separation between policy and mechanism No dependence on sanitization No changes to web application code Minimize false positives Minimizes impact to backwards compatibility Robustness –Address static & dynamic integrity attacks –Defeat adaptive adversaries

17 Mechanisms Client-server architecture Server –Step 1: Identify trust boundaries in HTML response –Step 2: Serialize » Encoding data & trust boundaries in HTML Client –Step 3: De-serialize »Initialize HTTP response page into static document structure –Step 4: Dynamic information flow tracking »Modified semantics of client-side interpretation

18 Talk Outline Defense in Depth: Examples Design Goals Architecture Implementation Evaluation Conclusion & Related Work

19 Approach Overview: Static DSI SERIALIZER SERVERBROWSER [[ ]] imgscript DE-SERIALIZER P

20 Approach Overview: Dynamic DSI SERIALIZERDE-SERIALIZER TAINT TRACKING SERVERBROWSER.. ”>.. ]]”> id Devil;.. div

21 Approach Overview: Dynamic DSI (II) SERIALIZERDE-SERIALIZER TAINT TRACKING SERVERBROWSER.. ”>.. ]]”> id script “Devil” “..”

22 Serialization Design: Key Challenge Safety against an adaptive adversary USER BLOG …

23 Serialization: Key Challenge Do not rely on sanitization document.getElementByID(“N5”).innerHTML = “ ”; USER BLOG What to disallow?

24 Serialization Design: Key Challenge Attack on sanitization mechanism for JS strings document.getElementByID(“N5”).innerHTML = “ ”; Attack

25 Markup Randomization –Mechanism independent of the policy –Does not depend on any sanitization R [[ R ]] Valid Nonces: 00101,11010,01110 Policy: ALLOW {a, }

26 Markup Randomization –Mechanism independent of the policy –Does not depend on any sanitization [[ R ]] Policy: ALLOW {a, OK! [[ R ]] Valid Nonces: 00101,11010,01110

27 Markup Randomization –Mechanism independent of the policy –Does not depend on any sanitization [[ R ]] Policy: ALLOW {a, [[ R ]] Valid Nonces: 00101,11010,01110

28 Browser-side Taint Tracking Dynamic DSI Client Language Interpreters enhanced Ubiquitous tracking of untrusted data in the browser

29 Talk Outline Advantages of DSI in Attack Coverage Design Goals Architecture Implementation Evaluation Conclusion & Related Work

30 Implementation Full Prototype Implementation DSI-enable server –Utilized existing taint tracking in PHP [IBM07] DSI-compliant browser –Implemented in KDE Konqueror –Client side taint tracking in JS interpreter of KDE 3.5.9

31 You are 0wned!

32 In a DSI-compliant Browser… alert(document.cookie)

33 Talk Outline Advantages of DSI in Attack Coverage Design Goals Architecture Implementation Evaluation Conclusion & Related Work

34 Evaluation: Attack Detection Stored XSS attacks Vulnerable phpBB forum application 25 public attack vectors [RSnake07] 30 benign posts Results –100% attack prevention –No changes required to the application –No false positives

35 Evaluation: Real-World XSS Attacks 5,328 real-world vulnerabilities [xssed.com] 500 most popular benign web sites [alexa.com] Default Policy: –Coerce untrusted data to leaf nodes Results –98.4% attack prevention –False Negatives: »Due to exact string matching in instrumentation –False Positives: 1% »Due to instrumentation for tainting ( on Slashdot)

36 Evaluation: Performance Browser Overhead 1.8% Server overhead 1-3% Server overhead 1.1%

37 Related Work Client-server Approaches »BEEP [Jim07] » [Eich07] » Hypertext Isolation [Louw08] Client-side approaches »IE 8 Beta XSS Filter [IE8Blog] »Client-side Firewalls [Kirda06] »Sensitive Info. Flow Tracking [Vogt07] Server-side approaches »Server-side taint-based defenses [Xu06, Nan07, Ngu05, Pie04] »XSS-Guard [Bisht08] »Program Analysis for XSS vulnerabilities [Balz08, Mar05, Mar08, Jov06, Hua04]

38 Conclusion DSI: A fundamental integrity property for web applications XSS as a DSI violation Multifaceted Approach –Clearly separates mechanism and policy Defeats adaptive adversaries –Markup randomization Evaluation on a large real-world dataset –Low performance overhead –No web application code changes –No false positives with configurable policies

39 Questions Thank you!

40 Hi Joe! Hi [[Joe]]! user=Joe Client-Side Proxy Hi Joe!

41 Markup Randomization: Adaptive Attacks Multiple valid parse trees [[ N1]] N3]] N2[[ N3[[ N2]] N1 [[ N1]] N3]] N2[[ N3[[ N2]] N1 [[ N1]] N3]] N2[[ N3[[ N2]] N1 OR

42 Attack Coverage (II): Inconsistency Bugs Browser-Server Inconsistency Bugs Browser Processing Server Processing Inconsistency Bugs