Presentation is loading. Please wait.

Presentation is loading. Please wait.

Trevor Jim Nikhil Swamy Michael Hicks Defeating Script Injection Attacks with Browser-Enforced Embedded Policies Jason FroehlichSeptember 24, 2008.

Published byAmber Hart Modified over 9 years ago

Similar presentations

Presentation on theme: "Trevor Jim Nikhil Swamy Michael Hicks Defeating Script Injection Attacks with Browser-Enforced Embedded Policies Jason FroehlichSeptember 24, 2008."— Presentation transcript:

1 Trevor Jim Nikhil Swamy Michael Hicks Defeating Script Injection Attacks with Browser-Enforced Embedded Policies Jason FroehlichSeptember 24, 2008

2 Script Injection Unauthorized script is added to web page, is executed by browser Methods of attack: Stored – Unvalidated user-generated content Reflected – Embedded in URL DOM based http://vulnerable.site/welcome.html?name=Joe

3 Why is it still an issue? Need to display content provided by users Filtering is complicated Need for rich content Browsers work differently

4 Preventing Script Execution Escape every ' ' Effective, but restricts rich content Detect scripts Difficult Multiple Vectors Encoding and Quoting Browser Quirks

5 1. 2. 3.... 4.... 5..bar{background-image:url("javascript:alert(’JavaScript’)");} 6. 7. 8. 9. 10.... 11. ]]> 12. <meta http-equiv="refresh" content="0;url=data:text/html;base64,data:text/html;base64 PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> 13. <img src=javascript :alert('XSS')> 14. javascript:alert("3&quot 15. <img src='java script:alert(1)'> 16.

6 Creating a Solution Observations: Browsers perform script detection Web developer knows which scripts are legit. Solution: Browser-Enforced Embedded Policies (BEEP)‏ Browser only runs scripts deemed 'OK' by web app

7 Security Hook Script added to head of each document Evaluates each scripts before JS Interpreter Makes decisions based on predefined policies Hook must be run before all other scripts

8 Types of Policies Whitelist Hash of legit script DOM Sandbox App marks areas where malicious scripts possible Unexpected Script Reporting Script Classes

9 Complete Coverage All approved scripts must be marked Security hook must be implemented first Set as first script in document

10 Deployment Modify Browser Insert handler where JS interpreter is called Modify Server Add security hook to each page Incremental Implementation

11 Assumptions Attacker has no special access to web app. Attacker cannot modify data in transit User trusts site enough to execute scripts Site will tactfully endorse scripts

12 Whitelists All valid scripts are known by developer SHA-1 hash of each script is embedded in page Hook compares generated hash to one provided Hashing function provided by JS or browser lib. Alternate Implementation: Use full content of each script instead of hash Reduces overhead, avoids collisions, larger pages

13 DOM Sandboxing Developer knows areas where malicious content possible Mark these areas with special tag - “noexecute” Browser checks script's location in DOM tree for “noexecute” Allows for unknown but trusted scripts 3 rd party ads

14 Implementing DOM Sandboxing Place content into container marked as “noexecute” Problem: Easy to break out of container... possibly-malicious content... malicious script

15 Improved DOM Sandboxing Content encoded as JavaScript string String embedded into document Prevents escape from container document.getElementById("n5").innerHTML = "quoted possibly-malicious content "

16 Other Issues Scripts Generating Scripts If parent script trusted, child is also Third Party Scripts Trust place holder script All subsequent scripts will be trusted

17 Browser Implementation Konqueror & Safari 650 lines of code, plus 650 for hash implementation Opera Partial implementation in 79 lines, + 137 for hash User JavaScripts Firefox and Internet Exploder Not currently implemented Both have extensions similar to User JavaScripts, but allow other scripts to execute first

18 Web Application Implementation Whitelist Policy Find scripts in page elements, event handlers, hyperlinks Insert whitelist and hook into document's head DOM Sandboxing Policy Pages must be in certain structure Identify areas where user input can appear Escape content of these areas Insert security hook into document's head

19 Effectiveness 100%, when implemented accurately Verified by 61 known browser execution vectors Possible weakness – Hash collision

20 Browser Overhead Benchmarks All tests done in Safari 2.0.4 Whitelists – 14.4% (0.2 seconds)‏ DOM Sandboxing – 6.6% (.1 seconds)‏ Delays would be maskd by network latency Server Overhead Benchmarks - ?

21 Similar Projects Script Keys – Gervase Markham http://www.gerv.net/security/script-keys/ Add random string to each valid script Execute only those which contained string Content Security Policy – Bsterne http://people.mozilla.org/~bsterne/content-security-policy/ Firefox extension - https://addons.mozilla.org/en- US/firefox/addon/7478https://addons.mozilla.org/en- US/firefox/addon/7478 Valid scripts placed in external file Blocks all other scripts

Download ppt "Trevor Jim Nikhil Swamy Michael Hicks Defeating Script Injection Attacks with Browser-Enforced Embedded Policies Jason FroehlichSeptember 24, 2008."

Similar presentations

Building Fast 3rd-Party Webapps O'Reilly Velocity Web Performance and Operations Conference 24 June 2010 Lessons.

Building Fast 3rd-Party Webapps O'Reilly Velocity Web Performance and Operations Conference 24 June Lessons.
17 HTML, Scripting, and Interactivity Section 17.1 Add an audio file using HTML Create a form using HTML Add text boxes using HTML Add radio buttons and.

17 HTML, Scripting, and Interactivity Section 17.1 Add an audio file using HTML Create a form using HTML Add text boxes using HTML Add radio buttons and.
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
Java Script Session1 INTRODUCTION.

Java Script Session1 INTRODUCTION.
0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.

0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
HTML 5 and CSS 3, Illustrated Complete Unit L: Programming Web Pages with JavaScript.

HTML 5 and CSS 3, Illustrated Complete Unit L: Programming Web Pages with JavaScript.
Using Replicated Execution for a More Secure and Reliable Browser Authors: Hui Xue, Nathan Dautenhahn, Samuel T. King University of Illinois at Urbana.

Using Replicated Execution for a More Secure and Reliable Browser Authors: Hui Xue, Nathan Dautenhahn, Samuel T. King University of Illinois at Urbana.
The Web Warrior Guide to Web Design Technologies

The Web Warrior Guide to Web Design Technologies
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
Vaibhav Rastogi and Yi Yang.  Web 2.0 – rich applications  A website hosts content it may not be responsible for  Third party gadgets  Third party.

Vaibhav Rastogi and Yi Yang.  Web 2.0 – rich applications  A website hosts content it may not be responsible for  Third party gadgets  Third party.
Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.

Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.
Detection of Attacks with Proxy-based Execution Alex Kiaie, Benjamin Prosnitz, Yi Tang, Yinzhi Cao.

Detection of Attacks with Proxy-based Execution Alex Kiaie, Benjamin Prosnitz, Yi Tang, Yinzhi Cao.
1 Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Prateek Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology.

1 Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Prateek Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:

Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.

Similar presentations

Ads by Google