Summary on S CRIPT G ARD Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications William Ng Northwestern University Modified slides.

Slides:

Advertisements

Similar presentations

Chapter 6 Server-side Programming: Java Servlets

Advertisements

Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers Prateek Saxena UC Berkeley Mike Samuel Google Dawn Song UC Berkeley.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

THE BROKEN WEB A Systematic Analysis of XSS Sanitization in Web Application Frameworks.

Part 2 Authors: Marco Cova, et al. Presented by Brett Parker.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec

Bookshelf.EXE - BX A dynamic version of Bookshelf –Automatic submission of algorithm implementations, data and benchmarks into database Distributed computing.

CSC1016 Coursework Clarification Derek Mortimer March 2010.

S CRIPT G ARD Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications Prateek Saxena UC Berkeley David Molnar Microsoft Research.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

1 Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Prateek Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology.

Python and Web Programming

Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann and Zhendong Su UC Davis Slides from

Escaping Characters document.write(). Learning Objectives By the end of this lecture, you should be able to: – Recognize some of the characters that can.

From legacy desktop application to Single Page Application By Jens Munk Freelance consultant.

Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.

Streams, Files. 2 Stream Stream is a sequence of bytes Input stream In input operations, the bytes are transferred from a device to the main memory Output.

Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,

Sophia Antipolis, September 2006 Multilinguality, localization and internationalization Miruna Bădescu Finsiel Romania.

8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.

INFM 603: Information Technology and Organizational Context Jimmy Lin The iSchool University of Maryland Thursday, October 18, 2012 Session 7: PHP.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

JavaScript Teppo Räisänen LIIKE/OAMK HTML, CSS, JavaScript HTML defines the structure CSS defines the layout JavaScript is used for scripting It.

CSC 2720 Building Web Applications Cookies, URL-Rewriting, Hidden Fields and Session Management.

Chapter 4 User Experience Model. User experience model (Ux) Visual specification of the user interface Visual specification of the user interface Both.

Automatically Hardening Web Applications Using Precise Tainting Anh Nguyen-Tuong Salvatore Guarnieri Doug Greene Jeff Shirley David Evans University of.

15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.

© 2006 IBM Corporation IBM WebSphere Portlet Factory Architecture.

LiveCycle Data Services Introduction Part 2. Part 2? This is the second in our series on LiveCycle Data Services. If you missed our first presentation,

Saving the World Wide Web from Vulnerable JavaScript International Symposium on Software Testing and Analysis (ISSTA 2011) Omer Tripp IBM Software Group.

Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS.

Chapter 4 JavaScript and Dynamic Web pages. Objectives Static Web pages Dynamic Web pages JavaScript Variables Assignments. JavaScript Functions –(prompt(“”,””)

Murach’s ASP.NET 4.0/VB, C1© 2006, Mike Murach & Associates, Inc.Slide 1.

CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.

JS Basics 1 Lecture JavaScript - Basics. JS Basics 2 What is JavaScript JavaScript is a “simple”, interpreted, programming language with elementary object-

C ANDID : P REVENTING SQL I NJECTION A TTACKS U SING D YNAMIC C ANDIDATE E VALUATIONS Presented by Jeong-hoon, Park 1.

Slide 1 Vitaly Shmatikov CS 380S Static Detection of Web Application Vulnerabilities.

Introduction to JavaScript CS101 Introduction to Computing.

1 A Balanced Introduction to Computer Science David Reed, Creighton University ©2005 Pearson Prentice Hall ISBN X Chapter 4 JavaScript and.

Highly Scalable Distributed Dataflow Analysis Joseph L. Greathouse Advanced Computer Architecture Laboratory University of Michigan Chelsea LeBlancTodd.

- Joiner Transformation. Introduction ►Transformations help to transform the source data according to the requirements of target system and it ensures.

4. Javascript M. Udin Harun Al Rasyid, S.Kom, Ph.D Lab Jaringan Komputer (C-307) Desain.

Sequencing The most simple type of program uses sequencing, a set of instructions carried out one after another. Start End Display “Computer” Display “Science”

Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich MIT, Stanford University USENIX 09’ Nemesis: Preventing Authentication & Access Control Vulnerabilities.

8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.

Sampling Dynamic Dataflow Analyses Joseph L. Greathouse Advanced Computer Architecture Laboratory University of Michigan University of British Columbia.

© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment Omer Tripp Omri Weisman Salvatore Guarnieri IBM Software Group Sep 2011.

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Servers- Apache Tomcat Server Server-side scripts- Java Server Pages.

JavaScript Introduction and Background. 2 Web languages Three formal languages HTML JavaScript CSS Three different tasks Document description Client-side.

Project 5: Customizing User Content Essentials for Design JavaScript Level Two Michael Brooks.

Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications Davide Balzarotti, Marco Cova, Vika Felmetsger, Nenad Jovanovic,

Error-based SQL Injection

1 JavaScript and Dynamic Web Pages Lecture 7. 2 Static vs. Dynamic Pages  A Web page uses HTML tags to identify page content and formatting information.

111 State Management Beginning ASP.NET in C# and VB Chapter 4 Pages

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

Automatic Web Security Unit Testing: XSS Vulnerability Detection Mahmoud Mohammadi, Bill Chu, Heather Richter, Emerson Murphy-Hill Presenter:

Static Detection of Cross-Site Scripting Vulnerabilities

Programming the Web Using Visual Studio .NET

Taint tracking Suman Jana.

Intro to PHP & Variables

Web Systems Development (CSC-215)

Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter,

Data Architecture DataView holds ref count on cache entry

Automatically Hardening Web Applications Using Precise Tainting

Spring 2019 Prof. Eric Rotenberg

Sampling Dynamic Dataflow Analyses

Presentation transcript:

Summary on S CRIPT G ARD Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications William Ng Northwestern University Modified slides from presentation of Prateek Saxena UC Berkeley

Sanitization in WebApplication Small-Scale Apps Buggy Sanitizer Missing Sanitization – [ Pixy’06, PhpTaint’06,Cqual’04, Merlin’09,Securifly’05, PhpAspis’11, Saner’08, Bek’11 ] Large-Scale Applications 2 String Img.RenderControl() { Write(userimg); } String Img.RenderControl() { Write(Sanitize(userimg)); } New Sanitization Errors – [ CCS’11 ] S CRIPT G ARD

Error #1: Context-Mismatched Sanitization(CMS) 3

4

Why Does Context-Mismatch Happen? 5 Output Sink San Context is a Global Path-Sensitive Property But, developers select Sanitizers Locally

6 1,207 (4.7%) are CMS errors! Error #1: Context-Mismatched Sanitization(CMS)

Error #2: Inconsistent Multiple Sanitization(IMS) 7 Output Sink San 1 San 2 Attack Input Safe? San 1 San 2

Inconsistent Multiple Sanitization(IMS): How does it happen? 8 EcmaScriptStringEncode – transforms all characters that can break out of JavaScript string literals (like the “ character) to Unicode encoding \u0022 for “) HtmlAttribEncode - encodes characters (" for “)

Inconsistent Multiple Sanitization(IMS): How does it happen? 9 Document.write(“ ”) Document.write(" ")

Inconsistent Multiple Sanitization(IMS): How does it happen? 10 Document.write(" ") Big problem if xyz is);Onclick… Document.write(“ ’)

(8%) of multiple sanitizations are errors! Inconsistent Multiple Sanitization(IMS): Does it Really Happen?

S CRIPT G ARD Architecture 12

S CRIPT G ARD Analysis 13 1.Trace dynamic execution of application on test inputs 2.Identify all untrusted data embedded in application’s output 3.Map application trace to static program path 4.Map untrusted trace to the correct sequence of sanitizer to apply 5.Find out which part of string needs to be sanitized through positive taint analysis 6.If sequence doesn’t match, it add the correct sequence to sanitization cache

S CRIPT G ARD Analysis 14 1.Trace dynamic execution of application on test inputs 2.Identify all untrusted data embedded in application’s output 3.Map application trace to static program path 4.Map untrusted trace to the correct sequence of sanitizer to apply 5.Find out which part of string needs to be sanitized through positive taint analysis 6.If sequence doesn’t match, it add the correct sequence to sanitization cache

Positive Taint analysis 15 X = Untrusted input Z = unknown source A = safe input Y = X cZ = sanitize (Z) Write(X,Y,Z,A,cZ) Normal taint analysis kept track how the untrusted variable is used in the program, e.g. X, Y Positive taint analysis kept track of the safe data, e.g. A and cZ ScriptGard marks portion of server output which is not positively tainted e.g. X, Y, Z ScriptGard also records sequence of propagator and sanitizer applied

S CRIPT G ARD Runtime Auto-Correction 16 1.Apply the correct sanitizer sequence from the cache if analysis is done on the path 2.Administrator choice if analysis is not done on the path yet

S CRIPT G ARD : Performance Time to load first byte from URL increase by more than 100 times. Preferential path profiling can slightly reduce the overhead. 17

Questions? 18