Presentation is loading. Please wait.

Presentation is loading. Please wait.

PathCutter: Severing the Self- Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao §, Vinod Yegneswaran †, Phillip Porras †, and.

Published byDeonte Moran Modified over 9 years ago

Similar presentations

Presentation on theme: "PathCutter: Severing the Self- Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao §, Vinod Yegneswaran †, Phillip Porras †, and."— Presentation transcript:

1 PathCutter: Severing the Self- Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao §, Vinod Yegneswaran †, Phillip Porras †, and Yan Chen § § Northwestern Lab for Internet and Security Technology, Northwestern University, Evanston, IL † SRI International, Menlo Park, CA 1

2 Social web networks – Platforms where people share their perspectives, opinions, thoughts and experiences – OSNs, Blogs, Social bookmarking etc. XSS worm threat is severe. – First worm: MySpace Samy (2005) – More and more prevalent: Renren, Yamanner, etc. – Akin to virus: human need to visit infected pages – Characteristic: Fast spreading In this paper, – Target: Prevent XSS worm propagation – Method: View separation & Request authentication Introduction Number of infected clients after 20 hours (Social Networks’ XSS Worms, Faghani et al.) 2

3 Roadmap Introduction Background – Attack Steps – XSS Taxonomy Related Work Our Approach Implementation Evaluation 3

4 Background Step 1 – Enticement and Exploitation Step 2 – Privilege Escalation Step 3 – Replication Step 4 – Propagation Download Modify benign user’s account Get infected Benign User Samy’s page Repeat Process Other Users 4

5 XSS Attacks Server-side XSS Content Sniffing XSS Stored XSS Reflected XSS Client-side XSS Plugin XSS DOM-based XSS Flash XSS Java XSS MySpace Samy Worm Yamanner Worm Renren Worm SpaceFlash Worm Our Experimental Worm XSS Taxonomy 5

6 Related Work Group one: Prevent XSS vulnerabilities – Incomplete coverage (BluePrint, Plug-in Patches, Barth et al., and Saxena et al.) Group two: Prevent XSS worms – No early-stage prevention (Spectator and Xu et al.) – Not resistant to polymorphic worm (Sun et al.) Our goal: Prevent all the XSS worms with early-stage prevention and resistance to polymorphic worms 6

7 Our Approach Two key concepts: (1) request authentication and (2) view separation Download Samy’s page Modify benign user’s account Benign User Access We use request authentication. View separation is always enforced. 7

8 For example, blog A, blog B, blog C and so on. Or more fine-grained, different pages in the same blog. Isolating contents from the same origin – iframe tag with sandbox properties in HTML5 – Pseudodomain encapsulation (mentioned later) View Separation View OneView Two 8

9 Request Authentication For example, requests from blog A does not have permissions to modify blog B Identifying which view a client-side request is from. – Secret token – Referer header Check if the view has the permission 9

10 Our Approach Download View One Modify benign user’s account Benign User Access View one does not have the permission. Isolating views at client side. View Two Identify that it is from View One. If we cannot identify, deny. 10

11 Roadmap Introduction Background Related Work Our Approach Implementation – Implementation One (Server Modification) – Implementation Two (Proxy) Evaluation – Case Study of Five Real-world Worms and Two Experimental Worms (only two covered in the talk) – Performance 11

12 Implementation One (Server Modification) Prototype examples: WordPress, Elgg Dividing views: by blogs Permissions for different views: can only modify its own blog. 12

13 View Isolation for Server Modification Isolating views at client side. – Pseudodomain encapsulation. isolate.x.com content.x.com isolate.x.com content.x.com attacker content.x.com It cannot break isolate.x.com (different origin). Secret token is required. 13

14 Request Authentication for Server Modification Identifying requests from client-side – Secret token Insertion position: Each request that will modify server- side contents. Checking requests’ permission – Checking position: Database operation. (A narrow interface that each modifying request will go through.) 14

15 Implementation Two (Proxy) Dividing views: by different client-side URLs. Permissions for different views: – Possible outgoing post URL from those URLs 15

16 View Isolation for Proxy Isolating views at client side – The same as implementation one. Request content.x.com/y.php isolate.x.com <iframe src = “content.x.com/y.php?t oken = *** isolate.x.com content.x.com Proxy Web Server Redirect to isolate.x.com 16

17 Request Authentication for Proxy Identifying requests from client-side – Referer header Specified by the browser. Attackers cannot change it. Checking requests’ permissions – Checking position: Proxy. – Method: See if the view has the permission to send the request. 17

18 Case Study for Real World Worms XSS Worm in Renren (Facebook in China) Flash insert malicious scripts inside the web page Share on the behalf of current user 18

19 share View One View Two click Request to share 19

20 Yamanner Worm Click Send emails to all your contacts 20

21 Compose email Email body Different views Send email 21

22 Memory Overhead – Normally, # of frames is not high since comments can be hidden. Rendering Time Overhead. – Less than 3.5% for Elgg Evaluation 22

23 Conclusions We cut off the propagation path of XSS worms through view separation by psuedodomain encapsulation and request authentication. We implement PathCutter by proxy assistance and server modification. We evaluate PathCutter on 5 real-world worms and 2 proof-of-concept worms. 23

24 Thanks! Questions? 24

25 Backup 25

26 Comparison with Existing Works Spectator Sun et al. Xu et al. BluePrint Plug-in Patches Barth et al. Saxena et al. PathCutter Blocking Step43411112 Polymorphic WormYes No Yes Early-Stage PreventionNoYesNo Yes Types of XSS that Can Be DefendedAll Passively Observable Worms Traditional Server-side XSS Worms Plug-in XSS Worms Content Sniffing XSS Worms DOM-Based XSS WormsAll Deployment Server or ProxyClientServer Client Server or Proxy Passive/Active MonitoringActivePassive Active Group One: Mitigating XSSGroup Two: Worm prevention 26

27 Limitation Need to know the semantics of web application Only prevent worm behavior but not all the damages 27

28 Existing solutions Spectator … if it reaches a threshold, report it. the same injected tag proxy But it can only detect the worm when it spreads for a while! 28

29 Existing solutions Esorics 09 Firefox Plugin malicious benign Payload: abcdefg The same payload Deny! But (1) Payload may change. (2) Pure client-side solution. 29

30 URL graph provided by the server or a third-party blogX/index.php blogX/post-comment.php blogX/options.php blogX/update- options.php blogX/x.php … blogY/index.php 30

Download ppt "PathCutter: Severing the Self- Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao §, Vinod Yegneswaran †, Phillip Porras †, and."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.
1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.

1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
Mitigating Malware Collin Jackson CS142 – Winter 2009.

Mitigating Malware Collin Jackson CS142 – Winter 2009.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***

JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***
Ben Livshits and Weidong Cui Microsoft Research Redmond, WA.

Ben Livshits and Weidong Cui Microsoft Research Redmond, WA.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
1 A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks Ben S. Y. Fung and Patrick P. C. Lee The Chinese University of Hong Kong TrustCom’11.

1 A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks Ben S. Y. Fung and Patrick P. C. Lee The Chinese University of Hong Kong TrustCom’11.
1 Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Prateek Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology.

1 Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Prateek Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.

Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
March Intensive: XSS Exploits

March Intensive: XSS Exploits

Similar presentations

Ads by Google