
Slide 1: FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications
Pongsin Poosankam ‡*, Prateek Saxena *, Steve Hanna *, Dawn Song *
‡ Carnegie Mellon University, * UC Berkeley

Slide 2: Client-side Validation (CSV) Vulnerabilities
– A new class of input validation vulnerabilities
– Analogous to server-side bugs
  – Unsafe data usage in the client-side JS code
– Involves data flows
  – Purely client-side: data never sent to server
  – Returned from server, then used in client-side code

Slide 3: Rich Web Applications
– Lots of JS code
– Rich cross-domain interaction
[Figure: four applications (APP 1 to APP 4) interacting across domains]

Slide 4: Outline
– CSV Vulnerability Examples
– FLAX: Tool and Techniques
  – Challenges & Key Idea
  – Tool Architecture
  – Design
– Real Attacks and Evaluation Results
– Related Work & Conclusion

Slide 5: Vulnerability Example (I): Origin Misattribution
Cross-domain communication
– Example: HTML5 postMessage
[Figure: a sender frame and a receiver frame, facebook.com and cnn.com, exchanging postMessage calls]
– Legitimate message: Origin: www.facebook.com, Data: "Chatuser: Joe, Msg: Hi"
– Attacker's message: Origin: www.evil.com, Data: "Chatuser: Joe, Msg: onlinepharmacy.com"

Slide 6: Vulnerability Example (II): Code Injection
– Code/data mixing
– Dynamic code evaluation: eval, DOM methods
– eval also deserializes objects (JSON)
[Figure: the receiver on facebook.com runs eval(.. + event.data) on a message whose Data is "alert('0wned');"]
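Slides 5 and 6 describe the two halves of the same receiver bug: a postMessage handler that never checks event.origin, and one that hands event.data to eval. The following is an added example, not code from the FLAX slides or the FLAX project: a receiver written the vulnerable way next to a hardened version that matches the full origin against an allowlist and parses the payload as data. The message format (a JSON object with chatuser and msg fields), the allowlisted origin and the function names are assumptions; the messages are constructed for the demonstration and are plain objects standing in for MessageEvent.

```javascript
// Added example (not from the FLAX slides): a postMessage receiver written two
// ways. Hypothetical message format: JSON text such as {"chatuser":"Joe","msg":"Hi"}.

// Vulnerable receiver: trusts every sender and runs event.data through eval.
// This is the pattern on slide 6 (eval(.. + event.data)) with no origin check.
function vulnerableReceiver(event) {
  // eval "deserializes" JSON, but also executes any JavaScript the sender includes.
  return eval("(" + event.data + ")");
}

// Hardened receiver: exact-match origin allowlist, then a data-only parser.
const TRUSTED_ORIGINS = new Set(["https://www.facebook.com"]); // assumed allowlist

function hardenedReceiver(event) {
  // Compare the whole origin (scheme + host + port) exactly. Substring or
  // indexOf checks are bypassable by a host such as www.facebook.com.evil.com.
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return null; // drop messages from unknown senders
  }
  let obj;
  try {
    obj = JSON.parse(event.data); // parses data only, never executes it
  } catch (e) {
    return null; // not JSON: reject rather than try to "evaluate" it
  }
  // Validate the shape before using any field.
  if (typeof obj !== "object" || obj === null ||
      typeof obj.chatuser !== "string" || typeof obj.msg !== "string") {
    return null;
  }
  return { chatuser: obj.chatuser, msg: obj.msg };
}

// Constructed messages for the demonstration (stand-ins for MessageEvent).
const benign = {
  origin: "https://www.facebook.com",
  data: '{"chatuser":"Joe","msg":"Hi"}',
};
const spoofed = {
  origin: "https://www.evil.com",
  data: '{"chatuser":"Joe","msg":"onlinepharmacy.com"}',
};
// Valid JavaScript but not JSON: eval runs it, JSON.parse rejects it.
// The side effect is a global flag so the difference is observable.
const codeInData = {
  origin: "https://www.evil.com",
  data: '(function(){ globalThis.pwned = true; return {chatuser:"x",msg:"y"}; })()',
};
```

Run under Node: hardenedReceiver drops both attacker messages (the spoofed one on origin, the code-carrying one in JSON.parse) while vulnerableReceiver accepts both and executes the third. The origin check alone would not have stopped a compromised trusted sender from injecting code; JSON.parse alone would not have stopped the origin misattribution; the two checks address the two distinct bugs.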

Slide 7: Vulnerability Example (III): Application Command Injection
– Application-specific commands
– Example: Chat application
[Figure: Application JavaScript exchanging requests with the Application Server]
– The user opens http://chat.com/roomname=nba and clicks "Join this room"
– The application JavaScript calls XMLHttpReq.open(url) with http://chat.com?cmd=joinroom&room=nba
– Injected command: a room name of "..=nba&cmd=addbuddy&user=evil" produces http://chat.com?cmd=joinroom&room=nba&cmd=addbuddy&user=evil
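The injection on slide 7 works because the room name is concatenated into the XHR URL unencoded, so the "&" and "=" it contains become extra query parameters. The following added example, which is not code from the slides or from FLAX, builds the join-room URL the vulnerable way and the hardened way, then shows which cmd parameters a server that dispatches on every cmd would see. The endpoint, function names and the dispatching server model are assumptions; the inputs are constructed.

```javascript
// Added example (not from the FLAX slides). Hypothetical chat client that
// builds the "join room" request URL from a user-controlled room name.

const BASE = "http://chat.com"; // assumed endpoint, taken from slide 7

// Vulnerable: raw concatenation. '&' and '=' inside roomName turn into new
// query parameters, which is slide 7's application command injection.
function buildJoinUrlVulnerable(roomName) {
  return BASE + "?cmd=joinroom&room=" + roomName;
}

// Hardened: build the query with URLSearchParams, which percent-encodes the
// value so it stays a single parameter value however it is spelled.
function buildJoinUrlHardened(roomName) {
  const params = new URLSearchParams();
  params.set("cmd", "joinroom");
  params.set("room", roomName);
  return BASE + "?" + params.toString();
}

// Model of the server side: every cmd= value present in the query string.
// Stands in for a server that executes each command it finds.
function commandsSeenByServer(url) {
  return new URL(url).searchParams.getAll("cmd");
}

function roomSeenByServer(url) {
  return new URL(url).searchParams.get("room");
}

// Constructed inputs.
const benignRoom = "nba";
const injectedRoom = "nba&cmd=addbuddy&user=evil"; // the shape slide 7 shows
```

With the hardened builder the server receives exactly one command and the literal room name, including its "&" and "=" characters, as data. A detection-side corollary: a client that always encodes its parameters makes a request carrying two cmd values anomalous, which is easy to flag in server logs.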

Slide 8: Vulnerability Example (IV): Cookie Sink Vulnerabilities
Cookies
– Store session ids, user's history and preferences
– Have their own control format, using attributes
– Can be read/written in JavaScript
Attacks
– Session fixation
– History and preference data manipulation
– Cookie attribute manipulation, changes
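Slide 8's "cookie attribute manipulation" follows from the control format it mentions: a document.cookie assignment is one string in which ";" separates the value from attributes such as domain and path, so untrusted text written into the value can supply attributes of its own. The following added example, not code from the slides or from FLAX, models that sink with a small parser that shows what a browser would read out of the assigned string, and contrasts a concatenating writer with one that percent-encodes the value. The cookie name, attribute set and parser are assumptions; the inputs are constructed.

```javascript
// Added example, not from the FLAX slides. Minimal model of a client-side
// preference-cookie writer and of how the assigned string is interpreted.

// Splits a cookie string the way a document.cookie assignment is read:
// "name=value" first, then ";"-separated attributes (case-insensitive names).
function parseCookieString(str) {
  const parts = str.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Vulnerable sink: untrusted value concatenated straight into the cookie string.
function prefCookieVulnerable(value) {
  return "pref=" + value + "; path=/";
}

// Hardened: encodeURIComponent turns ';', '=', ',' and whitespace into
// percent-escapes, so the value cannot end the value field or add attributes.
// The reader decodes it with decodeURIComponent.
function prefCookieHardened(value) {
  return "pref=" + encodeURIComponent(value) + "; path=/; secure; samesite=lax";
}

// Constructed inputs.
const benignPref = "dark";
const injectedPref = "dark; domain=.attacker.example"; // value carrying an attribute
```

Parsing the vulnerable writer's output for the second input yields a domain attribute the application never set, which is exactly the attribute manipulation the slide lists; the hardened writer's output carries only the attributes the code spelled out, and decoding the value returns the original text unchanged.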

Slide 9: Summary of Goals
Systematic discovery techniques
– FLAX: an automatic tool for discovery
– A new hybrid technique for JavaScript analysis
Evaluate prevalence in real code
– An empirical evaluation of real-world applications
– Find several unknown CSV vulnerabilities

Slide 10: Outline
– CSV Vulnerabilities
– FLAX: Tool and Techniques
  – Challenges & Key Idea
  – Tool Architecture
  – Design
– Real Attacks and Evaluation Results
– Related Work & Conclusion

Slide 11: Problem Definition
Definition
– Unsafe usage of untrusted data in a critical sink
Systematic discovery of CSV vulnerabilities: two sub-problems
– Exploring program space
– Finding bugs in some explored functionality
Attacker model
– Web attacker (evil.com)
– User-as-an-attacker

Slide 12: Challenges
JavaScript complexity
– Highly dynamic language
– String-heavy: parsing ops. indistinguishable from validation checks
– Custom sanity routines are common
Hidden server-side logic
– Assumes no knowledge of the server
– Handles reflected flows: data flows to server and back
End-to-end web application analysis

Slide 13: Key Insight
Taint-enhanced black-box fuzzing (TEBF)
– A simple idea
– Combine benefits of taint-tracking & fuzzing
– Requires no source code annotations
– No false positives
FLAX: an end-to-end system
– Simplifies JS first
– Implements TEBF
– Handles reflected flow using approximate tainting
[Chart: false positives against efficiency of finding bugs, placing black-box fuzzing, purely dynamic taint-tracking, syntax-driven fuzzing and TEBF]

Slide 14: FLAX Tool Design
[Figure: tool architecture. A JavaScript program and an initial input run under taint-tracking, producing an execution trace; from the trace an acceptor slice is extracted (source, transformation operations, path constraints, sink) and handed to the sink-aware fuzzer, which reports an exploit if it finds one.]
Example acceptor slice (a JSON validity check that rewrites the input with three regular expressions and compares the residue to a fixed skeleton):

    function acceptor(input) {
      var must_match = '{]:],]:]}';
      // JSON escape sequences
      var re1 = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g;
      // string, literal and number tokens
      var re2 = /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g;
      // array openers
      var re3 = /(?:^|:|,)(?:\s*\[)+/g;
      var rep1 = input.replace(re1, "@");   // transformation operations
      var rep2 = rep1.replace(re2, "]");
      var rep3 = rep2.replace(re3, "");
      if (rep3 == must_match) {           // path constraint
        return true;
      }
      return false;
    }

Slide 15: FLAX Implementation
[Figure: JavaScript interpreter with a taint engine produces a JASIL execution trace, which feeds the acceptor slice generator]
Example JASIL trace:

    X = INPUT[4]
    Y = SubStr(X, 0, 4)
    Z = (Y == "http")
    PC = IF (Z) THEN (T) ELSE (NEXT)

Slide 16: Simplifying JavaScript
JASIL: our intermediate language
– A simple type system
– Small set of operations
Enables string-centric, fine-grained taint tracking on JS

Slide 17: Simplifying JavaScript (II)
Benefits of JASIL simplification to taint-tracking
Example: taint semantics for replace are difficult!

    rep1 = INPUT.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@");

[Figure: emitted JASIL instructions. INPUT is cut into pieces with subString, each matched piece is converted to the constant "@", and the pieces are concatenated into OUTPUT]
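The figure on slide 17 decomposes replace into subString, convert and concat so that taint can be tracked per character: unmatched pieces keep the taint of the input characters they came from, while each replacement constant carries no taint. Slide 22 draws the consequence for fuzzing: only the characters still tainted at the sink need to be mutated. The following added example, which is not FLAX's code and not JASIL, models that semantics in JavaScript. The tainted-string representation (parallel arrays of characters and taint bits), the function names and the constructed input are assumptions; the regular expression is re1 from the acceptor on slide 14.

```javascript
// Added example, not from the FLAX slides: character-level taint propagation
// through String.prototype.replace, modelled as subString / convert / concat.

// A tainted string: chars[i] is the character, taint[i] whether it is
// attacker-controlled (assumed representation).
function taintString(str, tainted) {
  const chars = str.split("");
  return { chars, taint: chars.map(() => tainted) };
}

function concatTainted(a, b) {
  return { chars: a.chars.concat(b.chars), taint: a.taint.concat(b.taint) };
}

function subStringTainted(ts, start, end) {
  return { chars: ts.chars.slice(start, end), taint: ts.taint.slice(start, end) };
}

// replace(globalRegex, constantReplacement) with per-character taint:
// unmatched segments are copied with their taint bits (subString), each
// match is converted to the replacement constant, which is untainted, and
// the pieces are concatenated in order. The regex must carry the g flag.
function replaceTainted(ts, regex, replacement) {
  const str = ts.chars.join("");
  let out = taintString("", false);
  let last = 0;
  for (const m of str.matchAll(regex)) {
    out = concatTainted(out, subStringTainted(ts, last, m.index)); // keep taint
    out = concatTainted(out, taintString(replacement, false));     // convert step
    last = m.index + m[0].length;
  }
  return concatTainted(out, subStringTainted(ts, last, str.length));
}

// Positions still under attacker control: the only ones a sink-aware fuzzer
// has to mutate (slide 22's reduction in input size).
function taintedIndices(ts) {
  const idx = [];
  ts.taint.forEach((t, i) => { if (t) idx.push(i); });
  return idx;
}

// Constructed input: a trusted JSON frame around an attacker-controlled
// fragment that contains a JSON escape sequence (\").
const re1 = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g; // re1 from the slide 14 acceptor
const sinkInput = concatTainted(
  concatTainted(taintString('{"msg":"', false), taintString('hi\\"', true)),
  taintString('"}', false)
);
const rep1 = replaceTainted(sinkInput, re1, "@");
```

Before the replace, positions 8 to 11 (h, i, \, ") are tainted; afterwards the escape sequence has become the untainted "@" and only the two characters h and i remain tainted, so a fuzzer driven by this taint state mutates two positions instead of the whole 13-character string. A coarse string-level taint would have marked the entire output tainted, including the "@" that the program itself supplied.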

Slide 18: Outline
– CSV Vulnerabilities
– FLAX: Tool and Techniques
  – Challenges & Key Idea
  – Tool Architecture
  – Design
– Attacks and Evaluation Results
– Related Work & Conclusion

Slide 19: Evaluation
40 subjects
– iGoogle gadgets
– AJAX applications and web sites
Setup
– Untrusted sources
  » All cross-domain channels
  » Text boxes
– Critical sinks
  » Code evaluation constructs
  » XHR url data
  » Cookies

Slide 20: Results (I)
Summary
– Taint observed in 18 / 40 subjects
– FLAX found 11 previously unknown vulnerabilities
Examples
– Origin misattribution leading to XSS in Facebook Connect
– Gadget overwriting attacks on Google/IG
– Application command injection on AjaxIM
– Code injection and cookie attribute manipulation via cookie sinks

    Vulnerability Type               Number of vulnerabilities
    Code Injection                   8
    Origin Misattribution            1
    Application Command Injection    1
    Cookie Sink                      1
    Total found by FLAX              11

Slide 21: Example Attacks: Gadget Overwriting
[Figure: screenshot of a compromised gadget whose contents have been overwritten, shown under a legitimate URL bar]

Slide 22: Effectiveness
– Character-level precise taint-tracking helps fuzzing
– Reduction in input sizes (chart)

Slide 23: Effectiveness (II)
– Reduction in false positives, TEBF vs. pure taint-tracking (chart)

Slide 24: Conclusion
– A new class of vulnerabilities: CSV
– Example attacks
– A systematic discovery tool: FLAX
  – No annotations, no false positives
  – Employs a simple TEBF technique
  – Robust analysis using JASIL
– CSV vulnerabilities are actually prevalent today
  – Found 11 previously unknown vulns
  – Demonstrated proof-of-concept exploits

Slide 25: Contact
– Prateek Saxena (prateeks@cs.berkeley.edu)
Please visit our project web site: http://webblaze.cs.berkeley.edu
THANKS FOR LISTENING
