1 BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers
Mike Ter Louw, V.N. Venkatakrishnan, University of Illinois at Chicago
IEEE Symposium on Security and Privacy, 2009
Presented by Joseph Del Rocco, University of Central Florida
2 Outline
Cross-site Scripting Overview
BLUEPRINT
– Overview
– Specifics
– Experiment / Results
– Contributions
– Weakness / Improvement
References
3 Trusted vs. Untrusted HTML
5 Cross-site Scripting (XSS)
Code injection into the untrusted part of a page, exploiting the client-side browser's parsing
An attacker injects code into the untrusted section; an innocent user visits the page; the browser renders all of the content; the user is exposed to unintended content or an attack
Injected content: JavaScript (also HTML, CSS, Java, Flash, etc.)
Non-persistent (reflected) and persistent (stored)
6 XSS Example
http://www.cisco.com/en/US/docs/solutions/Verticals/PCI_Healthcare/PCI_AppD.html#wp1026905
7 XSS Example
http://www.zdnet.com/blog/security/facebook-vulnerable-to-critical-xss-could-lead-to-malware-attacks/1175
8 XSS Example
http://news.netcraft.com/archives/2008/04/24/clinton_and_obama_xss_battle_develops.html
9 XSS Example
Many web applications also store user preferences in JavaScript variables directly…
10 www.xssed.com
XSS vulnerability found at these domains. Not yet fixed…
11 BLUEPRINT Goals
W3C + dev cycle slow. Need a solution now!
Solution should be transparent to the user, support current browsers, need no plug-ins, etc.
Retain the expressiveness of untrusted HTML
Do not rely on the browser to parse this data!
Enable web apps to create a “blueprint” of untrusted web content free of XSS attacks, bridging the divide between app and browser
12 HTML Interpretation Process
13 Document Object Model (DOM)
http://www.wdvl.com/Authoring/DHTML/DOM/NS.html
http://www.codeguru.com/csharp/csharp/cs_misc/userinterface/article.php/c12267
14 BLUEPRINT Approach
Reduce the browser's influence over parsing: HTML, CSS, URI, JavaScript
Server encodes chunks as models; the server API uses a whitelist to vet models; data is encoded with syntactically inert characters
Encoded data is transmitted via nodes the browser ignores, plus script calls to the model interpreter (_bp_)
15 BLUEPRINT API
16 BLUEPRINT Model
Encoded to… (old vs. new HTML presented to client)
17 HTML Interpretation Process
Normal path: A, B, C, D, E
Untrusted data: A, B’, Q, P, E, R
_bp_ script + encoded models: A, B, C, D, E
18 Reduce HTML Parser Influence
Models are encoded in a syntactically inert language: {a,…,z,A,…,Z,0,…,9,/,+,=}*
The model is decoded by the model interpreter _bp_, linked from the element it is embedded in
Elements are created through the DOM API (not by having the browser parse markup)
Original rendering order is preserved: models are embedded near their original location and decoded synchronously as the page renders
19 Reduce CSS Parser Influence
element.style object is vetted by a whitelist; only known static properties are allowed
expression() lets any dynamic property contain executable code, so setExpression() is used to bind the property to a function that applies the whitelist and returns a valid static property value
Whitelist the behavior and -moz-binding properties, which can load code
@import (external CSS files) is not supported
20 Reduce URI Parser Influence
javascript: scheme is very dangerous; no API exists for controlling scheme selection, which is done by the browser's URI parser
Use a whitelist of schemes: http: https: ftp: mailto:
Additional steps include testing the browser's scheme interpretation and rewriting URIs; the paper defers to previous work…
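The approach on the HTML, CSS and URI slides above, as an added example in JavaScript that is not BLUEPRINT's own code: a toy model generator on the server side (whitelist vetting of elements, attributes, style declarations and URI schemes, then encoding into the inert alphabet) and a `_bp_`-style interpreter on the client side that re-checks the whitelist and builds nodes only through the DOM API. The whitelists, the names `vetNode`, `vetUri`, `vetStyle`, `encodeModel` and `build`, the untrusted tree, and the fake document object standing in for the browser DOM are all constructed for this example; the paper's real lists and its server-side parser are larger than this.

```javascript
// Added example, not BLUEPRINT's own code: whitelists, names and sample data are
// constructed, and a fake document stands in for the browser DOM so this runs under Node.
// Element -> attribute whitelist (event-handler attributes are never listed).
const ALLOWED_ELEMENTS = { div: ['style'], p: ['style'], span: ['style'], b: [], i: [],
                           a: ['href', 'style'], img: ['src', 'alt'] };
const ALLOWED_CSS = new Set(['color', 'background-color', 'font-weight', 'text-align']);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'ftp', 'mailto']);
const URI_ATTRS = new Set(['href', 'src']);
// Static CSS values only: no parentheses, so expression(), url() etc. cannot appear.
const CSS_VALUE_RE = /^[A-Za-z0-9#%.,\- ]+$/;
// The only characters an encoded model may contain; inert to every browser parser.
const INERT_RE = /^[A-Za-z0-9+/=]*$/;

// Keep only whitelisted "property: value" pairs from a style attribute.
function vetStyle(cssText) {
  return cssText.split(';').map((d) => d.split(/:(.*)/s))
    .filter(([, v]) => v !== undefined)
    .map(([p, v]) => [p.trim().toLowerCase(), v.trim()])
    .filter(([p, v]) => ALLOWED_CSS.has(p) && CSS_VALUE_RE.test(v));
}
function vetUri(raw) {
  const v = raw.trim();
  // Browsers drop embedded whitespace/control bytes before picking the scheme, so
  // "java\nscript:" would slip past a plain prefix check; reject such values outright.
  if (/[\x00-\x20\x7f]/.test(v)) return null;
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(v);
  if (!m) return v;                                     // relative: scheme comes from the page
  return ALLOWED_SCHEMES.has(m[1].toLowerCase()) ? v : null;
}

// Server side: an already-parsed untrusted tree becomes a whitelist-vetted model.
function vetNode(node) {
  if (typeof node === 'string') return node;            // text node
  const tag = node.tag.toLowerCase();
  const allowed = ALLOWED_ELEMENTS[tag];
  if (!allowed) return null;                            // script, iframe, ...: dropped with content
  const model = { t: tag, a: {}, s: [], c: [] };
  for (const [name, value] of Object.entries(node.attrs || {})) {
    const n = name.toLowerCase();
    if (!allowed.includes(n)) continue;
    if (n === 'style') model.s = vetStyle(value);
    else if (URI_ATTRS.has(n)) { const u = vetUri(value); if (u !== null) model.a[n] = u; }
    else model.a[n] = value;
  }
  for (const child of node.children || []) {
    const c = vetNode(child);
    if (c !== null) model.c.push(c);
  }
  return model;
}
const encodeModel = (model) => Buffer.from(JSON.stringify(model), 'utf8').toString('base64');

// Client side: the interpreter re-checks the whitelist and builds nodes through the
// DOM API only (never innerHTML), so the browser's HTML parser never sees the data.
function _bp_(encoded, doc) {
  if (!INERT_RE.test(encoded)) throw new Error('model is not in the inert alphabet');
  return build(JSON.parse(Buffer.from(encoded, 'base64').toString('utf8')), doc);
}
function build(m, doc) {
  if (typeof m === 'string') return doc.createTextNode(m);
  const allowed = ALLOWED_ELEMENTS[m.t];
  if (!allowed) return null;
  const el = doc.createElement(m.t);
  for (const [n, v] of Object.entries(m.a || {})) {
    if (allowed.includes(n) && !(URI_ATTRS.has(n) && vetUri(v) === null)) el.setAttribute(n, v);
  }
  for (const [p, v] of m.s || []) if (ALLOWED_CSS.has(p) && CSS_VALUE_RE.test(v)) el.style.setProperty(p, v);
  for (const c of m.c || []) { const child = build(c, doc); if (child) el.appendChild(child); }
  return el;
}

// Minimal stand-in for the browser document, plus a serializer for display and testing.
function fakeDocument() {
  return {
    createElement: (tag) => ({ tagName: tag, attributes: {}, childNodes: [],
      style: { decl: {}, setProperty(p, v) { this.decl[p] = v; } },
      setAttribute(n, v) { this.attributes[n] = v; },
      appendChild(c) { this.childNodes.push(c); return c; } }),
    createTextNode: (data) => ({ data }),
  };
}
const esc = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
function serialize(n) {
  if (n.data !== undefined) return esc(n.data);
  const attrs = Object.entries(n.attributes).map(([k, v]) => ` ${k}="${esc(v)}"`).join('');
  const css = Object.entries(n.style.decl).map(([p, v]) => `${p}: ${v}`).join('; ');
  return `<${n.tagName}${attrs}${css ? ` style="${esc(css)}"` : ''}>${n.childNodes.map(serialize).join('')}</${n.tagName}>`;
}

// Constructed untrusted fragment, in the shape a server-side HTML parser would hand over.
const UNTRUSTED = { tag: 'div', attrs: {}, children: [
  { tag: 'p', attrs: { style: 'color: red; width: expression(run())' }, children: ['Hello <world>'] },
  { tag: 'a', attrs: { href: 'javascript:run()' }, children: ['bad link'] },
  { tag: 'a', attrs: { href: ' java\nscript:run()' }, children: ['sneaky link'] },
  { tag: 'a', attrs: { href: 'https://example.com/', onclick: 'run()' }, children: ['good link'] },
  { tag: 'script', attrs: {}, children: ['run()'] },
] };
function demo() {
  const encoded = encodeModel(vetNode(UNTRUSTED));
  return { encoded, html: serialize(_bp_(encoded, fakeDocument())) };
}
console.log(demo());
```

Two design points carry the slides' argument. First, the whitelist is applied twice: once when the server builds the model and again inside `_bp_` before any DOM call, so a tampered or stale wire format cannot smuggle an element or scheme past the interpreter. Second, `vetUri` rejects any value containing whitespace or control bytes rather than trying to normalise it, which is the cheap way to cover the "browser scheme interpretation" caveat on the URI slide.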
21 Reduce JS Parser Influence
Common for web apps to store user preferences in JavaScript variables for customization, so this is allowed but converted to a _bp_ call
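The user-preference case on this slide, as an added example that is not the paper's code: the preferences object is serialized, encoded in the inert alphabet and handed to a `_bp_`-style call, so no user-supplied byte is ever tokenized as JavaScript or as markup. `emitPrefs`, `_bp_prefs`, `naiveInline`, `scriptTerminators` and the sample object are assumed names and constructed data; the comparison with a plain inlined literal shows why quoting alone is not enough.

```javascript
// Added example, not from the paper: carrying per-user preferences into the page
// without letting their values reach the JavaScript parser. Names and sample data
// are assumed.
const INERT_RE = /^[A-Za-z0-9+/=]*$/;

// Naive approach: a literal inlined into a <script>. JSON.stringify escapes quotes
// but leaves "</script>" intact, so a value can close the script element early and
// hand the rest of the text to the HTML parser.
function naiveInline(prefs) {
  return `<script>var prefs = ${JSON.stringify(prefs)};</script>`;
}

// BLUEPRINT-style: the page ships only a _bp_ call whose argument is a constant in
// the inert alphabet; no user-controlled byte is ever tokenized as script or markup.
function emitPrefs(prefs) {
  const encoded = Buffer.from(JSON.stringify(prefs), 'utf8').toString('base64');
  return `<script>_bp_prefs("${encoded}");</script>`;
}

// Client-side interpreter: decode, then parse the payload as data, never as code.
function _bp_prefs(encoded) {
  if (!INERT_RE.test(encoded)) throw new Error('preferences are not in the inert alphabet');
  return JSON.parse(Buffer.from(encoded, 'base64').toString('utf8'));
}

// Count the script terminators a rendered fragment would expose to the HTML parser.
function scriptTerminators(markup) {
  return (markup.match(/<\/script>/gi) || []).length;
}

// Constructed sample: a nickname chosen to end an inline script early.
const SAMPLE = { theme: 'dark', nick: '</script><b>oops</b>' };

function demo() {
  const markup = emitPrefs(SAMPLE);
  const encoded = /_bp_prefs\("([^"]*)"\)/.exec(markup)[1];
  return {
    naiveTerminators: scriptTerminators(naiveInline(SAMPLE)),  // 2: the value ended the script
    bpTerminators: scriptTerminators(markup),                  // 1: only the real one
    roundTrip: _bp_prefs(encoded),
  };
}
console.log(demo());
```

The round trip returns the original object unchanged, so the application keeps its "preferences in a variable" convenience; the difference is that the value only ever exists as a JavaScript string after `JSON.parse`, never as source text the script parser tokenizes.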
22 BLUEPRINT Model Generator
23 Results
24 Contributions
W3C / browser development cycle is slow; this offers an effective XSS defense now
No plug-ins, new browser, extensions, etc. required; empowers web developers and benefits users
Innovative thinking: web developers bypass browser parsing
25 Weaknesses
All websites now have to update their code libraries to use BLUEPRINT…
HTML interpretation process may change, especially on embedded browsers
Large script (15.6kB) downloaded / cached: how safe is this script? One for each site?
Client browser may have JavaScript disabled
Page size overhead due to text encoding
26 Improvement / Future Work
Securely transfer the script and keep it up to date
Perhaps a different encoding scheme, or compress with a fast codec
Maybe a scheme that empowers the user?
27 References
1. M. Ter Louw, V.N. Venkatakrishnan. BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers, IEEE Symposium on Security & Privacy, 2009
2. DP, KF, et al. www.xssed.com, Cross-site Scripting Attacks Information, 2007-present
3. UIC, BLUEPRINT information site (Wiki), http://sisl.rites.uic.edu/blueprint, 2009
4. Wikipedia, http://en.wikipedia.org/wiki/Cross-site_scripting
5. W3C, http://www.w3.org/2002/07/26-dom-article, 2002