Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Prateek Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Prateek Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology."— Presentation transcript:

1 1 Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Prateek Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology Dawn Song UC Berkeley

2 2 A Cross-Site Scripting Attack Hi Joe, Hi Joe, Cookies, Password Policy: ALLOW {a, a@href, img, img@src }

3 3 Limitations of Server-side Sanitization Hi Joe, Cookies, Password Policy: ALLOW {a, a@href, img, img@src }

4 4 Limitations of Server-side Sanitization Hi Joe, Cookies, Password Over 90 ways to inject JS [RSnake07] Multiple Languages »JS, Flash, CSS, XUL, VBScript

5 5 A Different Approach… Previous defenses: XSS is a sanitization problem Our view: XSS is a document structure integrity problem IMG javascript: SRC IMG String SRC

6 6 Concept of Document Structure id Joe; online div STATIC DOCUMENT STRUCTURE document.write() id Joe; online div DYNAMIC DOCUMENT STRUCTURE DOCUMENT STRUCTURE JAVASCRIPT

7 7 Document Structure Integrity (DSI) Definition: –Given a server’s policy P, –Restrict untrusted content to allowable syntactic elements –Policy in terms of client-side languages Central idea for DSI enforcement –Dynamic information flow tracking (server & browser) –Policy based parser-level confinement Default policy: Only leaf nodes untrusted

8 8 Talk Outline Power of DSI Defense: Examples Design Goals Architecture Implementation Evaluation Conclusion & Related Work

9 9 Talk Outline Power of DSI Defense: Examples Design Goals Architecture Implementation Evaluation Conclusion & Related Work

10 10 DSI Defense: A Powerful Approach DSI enforcement prevents –Not just cookie-theft »Form injection for phishing [Netcraft08] »Profile Worms [Samy05, Yammaner06] »Web site defacement through XSS –“DOM-Based” XSS (Attacks on client-side languages) –Vulnerabilities due to browser-server inconsistency

11 11 DOM-based client-side XSS [Klein05] JAVASCRIPT Joe online + DYNAMIC UPDATE Example 1: DOM-Based XSS id Joe; online div

12 12 Example 1: DOM-Based XSS DOM-based client-side XSS [Klein05].. ”> JAVASCRIPT.. ”>

13 13 Example 1: DOM-Based XSS DOM-based client-side XSS [Klein05].. ”> JAVASCRIPT DYNAMIC UPDATE.. ”> script “Devil” “..”

14 14 Browser-Server Inconsistency Bugs Assumed Parse Tree IMG ONLOAD alert (1) IMG onload:=alert(1) Example 2: Inconsistency Bugs

15 15 Talk Outline Defense in Depth: Examples Design Goals Architecture Implementation Evaluation Conclusion & Related Work

16 16 Design Goals Clear separation between policy and mechanism No dependence on sanitization No changes to web application code Minimize false positives Minimizes impact to backwards compatibility Robustness –Address static & dynamic integrity attacks –Defeat adaptive adversaries

17 17 Mechanisms Client-server architecture Server –Step 1: Identify trust boundaries in HTML response –Step 2: Serialize » Encoding data & trust boundaries in HTML Client –Step 3: De-serialize »Initialize HTTP response page into static document structure –Step 4: Dynamic information flow tracking »Modified semantics of client-side interpretation

18 18 Talk Outline Defense in Depth: Examples Design Goals Architecture Implementation Evaluation Conclusion & Related Work

19 19 Approach Overview: Static DSI SERIALIZER SERVERBROWSER [[ ]] imgscript DE-SERIALIZER P

20 20 Approach Overview: Dynamic DSI SERIALIZERDE-SERIALIZER TAINT TRACKING SERVERBROWSER.. ”>.. ]]”> id Devil;.. div

21 21 Approach Overview: Dynamic DSI (II) SERIALIZERDE-SERIALIZER TAINT TRACKING SERVERBROWSER.. ”>.. ]]”> id script “Devil” “..”

22 22 Serialization Design: Key Challenge Safety against an adaptive adversary USER BLOG …

23 23 Serialization: Key Challenge Do not rely on sanitization document.getElementByID(“N5”).innerHTML = “ ”; USER BLOG What to disallow?

24 24 Serialization Design: Key Challenge Attack on sanitization mechanism for JS strings document.getElementByID(“N5”).innerHTML = “ ”; Attack

25 25 Markup Randomization –Mechanism independent of the policy –Does not depend on any sanitization R [[ 00101 R ]] 00101 Valid Nonces: 00101,11010,01110 Policy: ALLOW {a, a@aref... }

26 26 Markup Randomization –Mechanism independent of the policy –Does not depend on any sanitization [[ 00101 R ]] 00101 Policy: ALLOW {a, a@aref} OK! [[ 00101 R ]] 00101 Valid Nonces: 00101,11010,01110

27 27 Markup Randomization –Mechanism independent of the policy –Does not depend on any sanitization [[ 00101 R ]] 00101 Policy: ALLOW {a, a@aref} [[ 00101 R ]] 10101 Valid Nonces: 00101,11010,01110

28 28 Browser-side Taint Tracking Dynamic DSI Client Language Interpreters enhanced Ubiquitous tracking of untrusted data in the browser

29 29 Talk Outline Advantages of DSI in Attack Coverage Design Goals Architecture Implementation Evaluation Conclusion & Related Work

30 30 Implementation Full Prototype Implementation DSI-enable server –Utilized existing taint tracking in PHP [IBM07] DSI-compliant browser –Implemented in KDE Konqueror 3.5.9 –Client side taint tracking in JS interpreter of KDE 3.5.9

31 31 You are 0wned!

32 32 In a DSI-compliant Browser… alert(document.cookie)

33 33 Talk Outline Advantages of DSI in Attack Coverage Design Goals Architecture Implementation Evaluation Conclusion & Related Work

34 34 Evaluation: Attack Detection Stored XSS attacks Vulnerable phpBB forum application 25 public attack vectors [RSnake07] 30 benign posts Results –100% attack prevention –No changes required to the application –No false positives

35 35 Evaluation: Real-World XSS Attacks 5,328 real-world vulnerabilities [xssed.com] 500 most popular benign web sites [alexa.com] Default Policy: –Coerce untrusted data to leaf nodes Results –98.4% attack prevention –False Negatives: »Due to exact string matching in instrumentation –False Positives: 1% »Due to instrumentation for tainting ( on Slashdot)

36 36 Evaluation: Performance Browser Overhead 1.8% Server overhead 1-3% Server overhead 1.1%

37 37 Related Work Client-server Approaches »BEEP [Jim07] » [Eich07] » Hypertext Isolation [Louw08] Client-side approaches »IE 8 Beta XSS Filter [IE8Blog] »Client-side Firewalls [Kirda06] »Sensitive Info. Flow Tracking [Vogt07] Server-side approaches »Server-side taint-based defenses [Xu06, Nan07, Ngu05, Pie04] »XSS-Guard [Bisht08] »Program Analysis for XSS vulnerabilities [Balz08, Mar05, Mar08, Jov06, Hua04]

38 38 Conclusion DSI: A fundamental integrity property for web applications XSS as a DSI violation Multifaceted Approach –Clearly separates mechanism and policy Defeats adaptive adversaries –Markup randomization Evaluation on a large real-world dataset –Low performance overhead –No web application code changes –No false positives with configurable policies

39 39 Questions Thank you!

40 40 Hi Joe! Hi [[Joe]]! www.site.com?user=Joe user=Joe Client-Side Proxy Hi Joe!

41 41 Markup Randomization: Adaptive Attacks Multiple valid parse trees [[ N1]] N3]] N2[[ N3[[ N2]] N1 [[ N1]] N3]] N2[[ N3[[ N2]] N1 [[ N1]] N3]] N2[[ N3[[ N2]] N1 OR

42 42 Attack Coverage (II): Inconsistency Bugs Browser-Server Inconsistency Bugs Browser Processing Server Processing Inconsistency Bugs

Download ppt "1 Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Prateek Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Mike Ter Louw V.N. Venkatakrishnan University of Illinois at Chicago

Mike Ter Louw V.N. Venkatakrishnan University of Illinois at Chicago
Appeared in 30 th IEEE Symposium on Security and Privacy, May 2009. Authors: Mike Ter Louw and V.N. Venkatakrishnan Dept. of Computer Science: University.

Appeared in 30 th IEEE Symposium on Security and Privacy, May Authors: Mike Ter Louw and V.N. Venkatakrishnan Dept. of Computer Science: University.
Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers Prateek Saxena UC Berkeley Mike Samuel Google Dawn Song UC Berkeley.

Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers Prateek Saxena UC Berkeley Mike Samuel Google Dawn Song UC Berkeley.
THE BROKEN WEB A Systematic Analysis of XSS Sanitization in Web Application Frameworks.

THE BROKEN WEB A Systematic Analysis of XSS Sanitization in Web Application Frameworks.
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.
PathCutter: Severing the Self- Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao §, Vinod Yegneswaran †, Phillip Porras †, and.

PathCutter: Severing the Self- Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao §, Vinod Yegneswaran †, Phillip Porras †, and.
1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications Pongsin Poosankam ‡* Prateek Saxena * Steve Hanna * Dawn.

1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications Pongsin Poosankam ‡* Prateek Saxena * Steve Hanna * Dawn.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
Team Members: Brad Stancel,

Team Members: Brad Stancel,
Ben Livshits and Weidong Cui Microsoft Research Redmond, WA.

Ben Livshits and Weidong Cui Microsoft Research Redmond, WA.
The Essence of Command Injection Attacks in Web Applications Zhendong Su and Gary Wassermann Present by Alon Kremer April 2011.

The Essence of Command Injection Attacks in Web Applications Zhendong Su and Gary Wassermann Present by Alon Kremer April 2011.
Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.

Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.
SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.

SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.
S CRIPT G ARD Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications Prateek Saxena UC Berkeley David Molnar Microsoft Research.

S CRIPT G ARD Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications Prateek Saxena UC Berkeley David Molnar Microsoft Research.
1 The World Wide Web Architectural Overview Static Web Documents Dynamic Web Documents HTTP – The HyperText Transfer Protocol Performance Enhancements.

1 The World Wide Web Architectural Overview Static Web Documents Dynamic Web Documents HTTP – The HyperText Transfer Protocol Performance Enhancements.
Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.

Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
March Intensive: XSS Exploits

March Intensive: XSS Exploits

Similar presentations

Ads by Google