Presentation is loading. Please wait.

Presentation is loading. Please wait.

ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities Presented by Xianchen Meng CSCI 680 Advanced System and.

Published byBerniece Amie Taylor Modified over 9 years ago

Similar presentations

Presentation on theme: "ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities Presented by Xianchen Meng CSCI 680 Advanced System and."— Presentation transcript:

1 ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities Presented by Xianchen Meng CSCI 680 Advanced System and Network Security

2 Background URLResultReason http://store.company.com/dir2/other.html Success http://store.company.com/dir/inner/another.html Success https://store.company.com/secure.html FailedDifferent protocol http://store.company.com:81/dir/etc.html FailedDifferent port http://news.company.com/dir/other.html FailedDifferent domain http://store.company.com/dir/page.html

3 Background Image from:https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_weissbacher.pdf

4 Background Image from:https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_weissbacher.pdf

5  While this provides much greater flexibility to application developers, it also opens the door for vulnerabilities to be introduced into web applications due to insufficient origin checks or other programming mistakes. Background

6 Image from:https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_weissbacher.pdf

7 Background Image from:https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_weissbacher.pdf function listener(event){ if (event.origin.indexOf("domain.test") != -1){ eval(event.data); } Developer must verify origin correctly "domain.test.attacker.com"

8 Outline  Background  Motivation Example of webmail service  System overview Learning phrase Enforcement phrase  Invariant Detection and Enforcement  Program Generalization  Evaluation  Quiz

9 Motivation Email example

10

11 domain.test.attacker.comdomain.test

12 Motivation Email example domain.test.attacker.comdomain.test

13 Motivation Email example domain.test.attacker.comdomain.test Cookie leak

14 Goal  Secure JavaScript Apps Harden the buggy Apps the app like before: benign but buggy Fully automatic no developer interaction Detection /defense in browser alone no modification on browser Prevent unknown vulnerabilities

15 Zigzag overview  Anomaly detection system preventing CSV attacks  Instrumentation of client-side JavaScript  Generates model of benign behavior  Two phases Learning of benign behavior Prevent attacks

16 Learning Phrase Image from:https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_weissbacher.pdf

17 Learning Phrase Image from:https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_weissbacher.pdf

18 Learning Phrase Image from:https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_weissbacher.pdf

19 Learning Phrase Image from:https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_weissbacher.pdf

20 Learning Phrase Image from:https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_weissbacher.pdf

21 Learning Phrase Image from:https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_weissbacher.pdf

22 Learning Phrase Image from:https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_weissbacher.pdf

23 Enforcement Phrase Image from:https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_weissbacher.pdf

24 Enforcement Phrase Image from:https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_weissbacher.pdf

25 Enforcement Phrase Image from:https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_weissbacher.pdf

26 Enforcement Phrase Image from:https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_weissbacher.pdf

27 Enforcement Phrase Image from:https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_weissbacher.pdf

28 Enforcement Phrase Image from:https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_weissbacher.pdf

29 Enforcement Phrase Image from:https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_weissbacher.pdf

30 Invariant Detection Invariants supported by ZigZag

31 Invariant Detection Univariate invariants Multivariate invariants the length of a string the percentage of printable characters in a string the parity of a number x == y x+5 == y x < y

32 Instrumentation Details Image from:https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_weissbacher.pdf

33 Enforcement Details

34 Program Generalization

35 Programs differ, but AST is similar

36 Limitations  The system was not designed to be stealthy or protect its own integrity if an attacker manages to gain JavaScript code execution in the same origin.If attackers were able to perform arbitrary JavaScript commands, any kind of in-program defense would be futile without support from the browser.  anomaly detection relies on a benign training set of sufficient size to represent the range of runtime behaviors that could occur. If the training set contains attacks, the resulting invariants might be prone to false negatives.

37 Evaluation  Four real-world vulnerable sites  Synthetic webmail application  Attacks caught  Functionality retained

38 Performance Median overhead: 2.01s

39 Performance Median overhead: 112%

40 Performance 0.66ms overhead

41 Contributions  In-browser anomaly detection system for hardening against previously unknown CSV vulnerabilities  Invariant patching: extending invariant detection to server-side templates

42 Quiz:  1.What are the two phrases of Zigzag?  2.What are the basic processes of Zigzag?  3.What are the two limitations the author mentioned of Zigzag?

Download ppt "ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities Presented by Xianchen Meng CSCI 680 Advanced System and."

Similar presentations

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Part 2 Authors: Marco Cova, et al. Presented by Brett Parker.

Part 2 Authors: Marco Cova, et al. Presented by Brett Parker.
Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Applet Security Gunjan Vohra. What is Applet Security? One of the most important features of Java is its security model. It allows untrusted code, such.

Applet Security Gunjan Vohra. What is Applet Security? One of the most important features of Java is its security model. It allows untrusted code, such.
Current Security Threats WMO CBS ET-CTS Toulouse, France 26-30 May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.

Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.

SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.
1 A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks Ben S. Y. Fung and Patrick P. C. Lee The Chinese University of Hong Kong TrustCom’11.

1 A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks Ben S. Y. Fung and Patrick P. C. Lee The Chinese University of Hong Kong TrustCom’11.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
1 Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Prateek Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology.

1 Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Prateek Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology.
XP Tutorial 9 New Perspectives on JavaScript, Comprehensive1 Working with Cookies Managing Data in a Web Site Using JavaScript Cookies.

XP Tutorial 9 New Perspectives on JavaScript, Comprehensive1 Working with Cookies Managing Data in a Web Site Using JavaScript Cookies.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Office 365 Platform Flexible Tools App Manifest Web Page HTML/CSS/JS App.

Office 365 Platform Flexible Tools App Manifest Web Page HTML/CSS/JS App.
Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.

Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
FORESEC Academy FORESEC Academy Security Essentials (II)

FORESEC Academy FORESEC Academy Security Essentials (II)
CSCI 6962: Server-side Design and Programming Course Introduction and Overview.

CSCI 6962: Server-side Design and Programming Course Introduction and Overview.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Similar presentations

Ads by Google