Presentation is loading. Please wait.

Presentation is loading. Please wait.

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

Published byClare Buckmaster Modified over 9 years ago

Similar presentations

Presentation on theme: "Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen."— Presentation transcript:

1 Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen Northwestern University, Evanston, IL SRI International, Menlo Park, CA NDSS Symposium 2012 2012/05/14 曾毓傑 1

2 Outline Introduction Design Implementation Evaluation Performance Discussion 2

3 INTRODUCTION 3

4 Self-Propagating XSS Attacks 4 Samy’s Page User’s Page (1) Access (2) Gain Page DOM Access MySpace (4) Post Malicious Data onto User’s Wall (5) Affect Other Users... (3) Send Forge Request User

5 XSS Taxonomy Server-side XSS Attacks Stored XSS (Persistent) Reflected XSS (Non-Persistent) Client-side XSS Attacks Plug-in XSS (e.g. Flash, Java) Content Sniffing XSS DOM-based XSS 5

6 Path Cutter Path Cutter can successfully block all kinds of XSS attack for self-propagation Easy implementation on both server-side and proxy server 6

7 Problem Definition Exploitation of a web application vulnerability that enables an attacker to inject client-side scripts into web pages owned by other users. Four steps of Self-Propagating XSS Attack: Step 1 – Enticement and Exploitation Step 2 – Privilege Escalation Step 3 – Replication Step 4 – Propagation 7

8 Related Work Spectator System – track propagation activity Sun et al. – Firefox plug-in Xu et al. – monitor social graph 8

9 DESIGN 9

10 Main Mechanisms View Separation Request Authentication 10

11 Key Concepts Views A form of a web page or a part of web page Actions An operation belonging to a view Access Control List (ACL) Actions which a view can perform Capability A secret key to validate a request 11

12 Dividing Web Applications into Views Based on semantics User A’s blog website User B’s blog website Based on URLs http://blog.com/options http://blog.com/update Based on elements Blogpost User Comments 12

13 View Separation Isolate different pages/views from the server at the client side Taking advantage of Same-Origin-Policy to prevent DOM access and request forgery 13 User B’s Blogpost User A Login http://isolate.blog.com/user/B User B’s Blogpost User A Login http://isolate.blog.com/user/B http://contents.blog.com/user/B/post/1

14 Request Authentication Authenticate actions using: Secret Tokens/Capability A secret token per view which is not be able to guess, and server-side verify this token to accept the request Referer-based View Validation Check if an action is permitted from certain view in the access control list(ACL) 14 Referer: http://isolate.blog.com/user/B POST http://isolate.blog.com/user/post Referer: http://contents.blog.com/user/B/post/1 User B’s Blogpost User A Login

15 IMPLEMENTATION 15

16 Server-side Implementation WordPress Open Source Blog System Totally 43 lines of code modification URLs Separation Elgg Open Social Network Engine Totally 2 lines of code modification and 23 lines of plug-in Isolate comment add form into different view 16 echo "<iframe style = ’background:inherit;border:0;margin:0;padding:0’ sandbox=’allow-forms’ scrolling=’no’ height=’400pt’ width=’100%’ src=’http://other.com/echo.php?content=".urlencode(elgg_view(’input/form’, array(’body’ => $form_body, action’ => "{$vars[’url’]}action/comments/add")))."’/>";

17 Proxy Implementation Facebook Separate user comments into views, and use different URL to get comment contents 17 FacebookProxy (1) Request content.x.com (2) Redirect isolate.x.com (3) Request isolate.x.com (4) isolate.x.com contents (5) Request content.x.com/?token=*** (6)(7)

18 Proxy Implementation (Cont.) User comment separation using echo server 18... user comment... http://content.x.com Proxy content modification... <iframe scrolling="no" height="100%" sandbox src=“http://foo.com/echo.php?content=user%20coment">... http://content.x.com

19 EVALUATION 19

20 Case 1: Boonana Worm Java Applet worm released in October 2010 Propagation Steps: 1. Visit a profile with malicious Java Applet 2. Escalate privilege and inject JavaScript into page in client-side using Java vulnerability 3. Post itself on visitor's wall Path Cutter let Java Applet only gain privilege on isolated page 20

21 Case 2: Renren Worm Flash-based worm spread on the Renren Social Network in 2009 Propagation Steps: 1. Visit a profile with malicious Flash Object 2. Escalate privilege and inject JavaScript into page in client-side using Flash vulnerability 3. Replicate itself on the visitor’s wall Path Cutter block sharing request by isolated views 21

22 Case 3: MySpace Samy Worm First XSS worms in MySpace in 2005 Propagation Steps: 1. Visit a profile with malicious code in a style attribute of tag 2. Use XMLHttpRequest to get a secret token 3. Post itself on visitor’s profile using the secret token Path Cutter make XMLHttpRequest unaccessible by view isolation 22

23 Case 4: SpaceFlash Worm Flash-based worm on MySpace in 2006 Propagation Steps: 1. Visit a “About Me” page with malicious Flash Object 2. Access user’s profile to gain privilege 3. Send AJAX request to post itself on visitor’s “About Me” page Path Cutter block post request since referer is not “About Me” page 23

24 Case 5: Yamanner Worm JavaScript worm spreading in Yahoo! Mail in 2006 Propagation Steps: 1. Victim open a malicious email and JavaScript executed due to a bug in Yahoo!’s script filter 2. Worm open victim’s address book and send email to those who are listed in the book Path Cutter deny email sending request because there is no secret token in the request 24

25 Experimental Worms Proof-of-Concept worm Implementation of worm template Apply on WordPress and Elgg 25 check_infected(); // check if the user is infected or not xmlhttp = new XMLHttpRequest; xmlhttp.open("POST", post_url,true); xmlhttp.onreadystatechange=function() { if (xmlhttp.readyState==4) { set_infected(); } xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); xmlhttp.setRequestHeader("Content-length", payload.length); xmlhttp.send(payload); function xhr() {... } Object.prototype.post = function(uri,arg) { /*** usage: xhr().post(’foo.php’); ***/ this.open(’POST’, uri, true); this.setRequestHeader(’Content-type’,’application/x-www-form-urlencoded’);... this.send(arg); }; /*** source morphing component ***/ Object.prototype.morph = function(s) {... switch(morphtype) { case "unicode":... case "charcodes":... }

26 PERFORMANCE 26

27 Memory Overhead tags introduce memory overhead < 10 frames  < 10% memory overhead ~ 45 frames  ~ 30% memory overhead 27

28 Rendering Time Overhead Observing onload event in Webpage Elgg implementation: 1.14 secs  1.18 secs (3.5%) 28

29 DISSCUSSION 29

30 Limitation Cookie and Content Stealing Attacks Phishing and ClickJacking Attacks Drive-by Download Worms 30

31 Conclusion Implement view separation and http request authentication to severing self-propagating XSS attack 31

Download ppt "Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross-Site Scripting CSCD 498/539 Secure Coding Principles Amazing Legion of Fuzzy Backdoor Intruder Worms Bryan Smith Allen Greaves Zach Moore Rebecca.

Cross-Site Scripting CSCD 498/539 Secure Coding Principles Amazing Legion of Fuzzy Backdoor Intruder Worms Bryan Smith Allen Greaves Zach Moore Rebecca.
By Loukik Purohit & Rohit Ghatol

By Loukik Purohit & Rohit Ghatol
The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
PathCutter: Severing the Self- Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao §, Vinod Yegneswaran †, Phillip Porras †, and.

PathCutter: Severing the Self- Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao §, Vinod Yegneswaran †, Phillip Porras †, and.
The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems San-Tsai Sun and Konstantin Beznosov University of British Columbia.

The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems San-Tsai Sun and Konstantin Beznosov University of British Columbia.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Ben Livshits and Weidong Cui Microsoft Research Redmond, WA.

Ben Livshits and Weidong Cui Microsoft Research Redmond, WA.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner. Acunetix Web Vulnerability Scanner V9.

Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner. Acunetix Web Vulnerability Scanner V9.
Cookies Cross site scripting

Cookies Cross site scripting
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Similar presentations

Ads by Google