Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago


1 BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers
Mike Ter Louw, V.N. Venkatakrishnan, University of Illinois at Chicago. IEEE Symposium on Security and Privacy, 2009

2 Outline
- Cross-site Scripting: Overview
- BLUEPRINT: Overview, Specifics, Experiment / Results, Contributions, Weakness / Improvement
- References

3 Trusted vs. Untrusted HTML

4 Trusted vs. Untrusted HTML

5 Cross-site Scripting (XSS)
- Code injection into untrusted HTML that exploits client-side browser parsing
- An attacker injects code into the untrusted section; an innocent user visits the web page; the client browser renders all content; the user encounters the unintended content (the attack)
- Injected content is typically JavaScript (also HTML, CSS, Java, Flash, etc.)
- Two variants: non-persistent (reflected) and persistent (stored)

6 XSS Example

7 XSS Example

8 XSS Example
- Many web applications also store user preferences in JavaScript variables directly…

9 XSS vulnerability found at these domains. Not yet fixed…

10 BLUEPRINT Goals
- The W3C and browser development cycles are slow; a solution is needed now
- The solution should be transparent to the user and support current browsers, with no plug-ins, etc.
- Retain the expressiveness of untrusted HTML
- Do not rely on the browser to parse this data
- Enable web applications to create a “blueprint” of untrusted web content that is free of XSS attacks, bridging the divide between application and browser

11 HTML Interpretation Process

12 Document Object Model (DOM)

13 BLUEPRINT Approach
- Reduce the browser's influence on parsing of HTML, CSS, URIs and JavaScript
- The server encodes chunks of untrusted content as models; the server API uses a whitelist to vet the models, and the data is encoded with syntactically inert characters
- Encoded data is transmitted in <code> nodes, which the browser ignores, together with script calls to the model interpreter ( _bp_ )

14 BLUEPRINT API

15 BLUEPRINT Model (figure: HTML presented to the client, encoded to the new form; old vs. new)

16 HTML Interpretation Process
- _bp_ script + encoded models A, B, C, D, E
- Normal path: A, B, C, D, E
- Untrusted data: A, B’, Q, P, E, R

17 Reduce HTML Parser Influence
- Models are encoded in a syntactically inert language: {a,…,z,A,…,Z,0,…,9,/,+,=}*
- The model is decoded by the model interpreter _bp_, which is linked from the <head> element
- The DOM API is used to create the elements
- The original rendering order is preserved: models are embedded near their original location and decoded synchronously as the page renders
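The model pipeline of slides 13 and 17, as an added example that is not the paper's code or API: a server-side whitelist vetting step, base64 encoding into the inert alphabet, embedding in a <code> node with an interpreter call, and a client-side interpreter that rebuilds the vetted tree through the DOM API alone. The tag whitelist, the `__bp` interpreter name, the JSON model format and the untrusted sample tree are all assumptions; a minimal DOM stand-in lets it run under Node.

```javascript
// Illustrative encoder / interpreter pair in the spirit of BLUEPRINT (not the paper's code).
// Server side: a parsed untrusted tree is whitelist-vetted, then encoded with [A-Za-z0-9/+=] only.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'a', 'ul', 'li']);
const ALLOWED_ATTRS = { a: new Set(['href']) };
const SAFE_URL = /^https?:\/\//i;
// Whitelist vetting: drop disallowed elements, event-handler attributes and javascript: URLs.
function vetModel(node) {
  if (typeof node === 'string') return node;      // text stays data; it is never re-parsed
  if (!ALLOWED_TAGS.has(node.tag)) return null;   // e.g. <script> is removed entirely
  const attrs = {};
  for (const [k, v] of Object.entries(node.attrs || {})) {
    if (!(ALLOWED_ATTRS[node.tag] || new Set()).has(k)) continue; // drops onclick etc.
    if (k === 'href' && !SAFE_URL.test(v)) continue;              // drops javascript: URLs
    attrs[k] = v;
  }
  const children = (node.children || []).map(vetModel).filter((c) => c !== null);
  return { tag: node.tag, attrs, children };
}
// Base64 output uses exactly the inert alphabet {a..z, A..Z, 0..9, /, +, =}.
const encodeModel = (model) => Buffer.from(JSON.stringify(model), 'utf8').toString('base64');
const decodeModel = (enc) => JSON.parse(Buffer.from(enc, 'base64').toString('utf8'));
// Server output replacing the untrusted chunk: an inert <code> node plus a call to the
// client-side interpreter (named __bp here; the paper's real API differs).
function embedModel(encoded, id) {
  return `<code id="${id}" style="display:none">${encoded}</code>` +
         `<script>__bp(${JSON.stringify(id)})</script>`;
}
// Client side: rebuild the model via the DOM API only; nothing reaches the HTML parser.
function build(model, doc) {
  if (typeof model === 'string') return doc.createTextNode(model);
  const el = doc.createElement(model.tag);
  for (const [k, v] of Object.entries(model.attrs)) el.setAttribute(k, v);
  for (const c of model.children) el.appendChild(build(c, doc));
  return el;
}
// Minimal DOM stand-in so this runs under Node; in a browser, pass `document` instead.
const fakeDoc = {
  createTextNode: (t) => ({ text: t }),
  createElement: (tag) => ({ tag, attrs: {}, children: [],
    setAttribute(k, v) { this.attrs[k] = v; }, appendChild(c) { this.children.push(c); } }),
};
// Constructed untrusted input (already parsed) carrying an injected script, an event handler
// and a javascript: URL; roundTrip runs vet -> encode -> embed -> decode -> build.
const UNTRUSTED = { tag: 'p', children: ['Nice post ', { tag: 'script', children: ['alert(1)'] },
  { tag: 'a', attrs: { href: 'javascript:alert(1)', onclick: 'alert(1)' }, children: ['link'] }] };
function roundTrip(tree, id) {
  const encoded = encodeModel(vetModel(tree));
  return { encoded, html: embedModel(encoded, id), dom: build(decodeModel(encoded), fakeDoc) };
}
```

A real deployment would also need the parser that turns raw untrusted HTML into the tree, and the vetted model must never be re-serialized to an HTML string for the browser to parse.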

18 BLUEPRINT Model Generator

19 Results

20 Contributions
- The W3C / browser development cycle is slow; BLUEPRINT offers an effective XSS defense now
- No plug-ins, special browser or extensions required; it empowers web developers, and users benefit
- Innovative thinking: web developers bypass browser parsing

21 Weaknesses
- All websites have to update their code libraries to use BLUEPRINT…
- The HTML interpretation process may change, especially on embedded browsers
- A large script (15.6 kB) is downloaded / cached: how safe is this script? One for each site?
- The client browser may have JavaScript disabled
- Page size overhead due to text encoding
