Reliable Mitigation of DOM-based XSS

Similar documents
A Tale of the Weaknesses of Current Client-Side XSS Filtering

25 Million Flows Later Large- scale Detec6on of DOM- based XSS. Published at ACM CCS 2013 Sebas5an Lekies, Ben Stock, Mar6n Johns

A Tale of the Weaknesses of Current Client-side XSS Filtering

Precise client-side protection against DOM-based Cross-Site Scripting

Detection of DOM-based Cross-Site Scripting by Analyzing Dynamically Extracted Scripts

Cross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011

Relax Everybody: HTML5 Is Securer Than You Think

25 Million Flows Later - Large-scale Detection of DOM-based XSS

Secure Coding. External App Integrations. Tim Bach Product Security Engineer salesforce.com. Astha Singhal Product Security Engineer salesforce.

Project 2: Web Security Pitfalls

Example. Represent this as XML

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Analysis of Browser Defenses against XSS Attack Vectors

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Network Security Web Security

Protection, Usability and Improvements in Reflected XSS Filters

A tale of the weaknesses of current client-side XSS filtering

Alhambra: A System for Creating, Enforcing, and Testing Browser Security Policies

Web-Application Security

XSS-GUARD : Precise Dynamic Prevention of Cross Site Scripting (XSS) Attacks

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

Server-Side JavaScript Injection Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team July 2011

(WAPT) Web Application Penetration Testing

The Past, Present and Future of XSS Defense Jim Manico. HITB 2011 Amsterdam

Universal XSS via IE8s XSS Filters

Advanced XSS. Nicolas Golubovic

AMIT KLEIN, FORMER DIRECTOR OF SECURITY AND RESEARCH, SANCTUM

Client Side Cross Site Scripting

HTML5. Eoin Keary CTO BCC Risk Advisory.

Cross-site site Scripting Attacks on Android WebView

Finding XSS in Real World

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

JavaScript static security analysis made easy with JSPrime

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

The Top Web Application Attacks: Are you vulnerable?

HTTPParameter Pollution. ChrysostomosDaniel

Cross Site Scripting Prevention

PST_WEBZINE_0X04. How to solve XSS and mix user's HTML/JavaScript code with your content with just one script

Attacks on Clients: Dynamic Content & XSS

Are AJAX Applications Vulnerable to Hack Attacks?

HOD of Dept. of CSE & IT. Asst. Prof., Dept. Of CSE AIET, Lko, India. AIET, Lko, India

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Seminar: Cryptographic Protocols Staged Information Flow for JavaScript

Web Application Security

Criteria for web application security check. Version

Uploaded images filter evasion for carrying out XSS attacks

Exploitation of Cross-Site Scripting (XSS) Vulnerability on Real World Web Applications and its Defense

Chapter 1 Web Application (In)security 1

Thomas Röthlisberger IT Security Analyst

1000 Projects later. Security Code Scans at SAP

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)

elearning for Secure Application Development

What is Web Security? Motivation

Recent Web Security Technology. Lieven Desmet iminds-distrinet-ku Leuven 3th February 2015 B-CCENTRE closing workshop

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Sidste chance for Early Bird! Tilmeld dig før d. 30. juni og spar DKK. Læs mere og tilmeld dig på

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

A Survey on Threats and Vulnerabilities of Web Services

Security in Offline Web Applications

Web attacks and security: SQL injection and cross-site scripting (XSS)

A Study on Dynamic Detection of Web Application Vulnerabilities

Towards Automated Malicious Code Detection and Removal on the Web

Bypassing XSS Auditor: Taking Advantage of Badly Written PHP Code

Intrusion detection for web applications

Spigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS

Web Application Security

xjs: Practical XSS Prevention for Web Application Development

Penetration Test Report

QualysGuard WAS. Getting Started Guide Version 3.3. March 21, 2014

Enhancing JavaScript Engine to Detect and Prevent XSS

Challenges of Automated Web Application Scanning

Øredev Web application testing using a proxy. Lucas Nelson, Symantec Inc.

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

Smart (and safe) Lighting:

Web Application Vulnerability Scanning. VITA Commonwealth Security & Risk Management. April 8, 2016

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Security Tools - Hands On

Security features of ZK Framework

Security Model for the Client-Side Web Application Environments

AjaxScope: Remotely Monitoring Client-side Web-App Behavior

External Network & Web Application Assessment. For The XXX Group LLC October 2012

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Robust Defence against XSS through Context Free Grammar

Web Application Exploits

Watch What You Write: Preventing Cross-Site Scripting by Observing Program Output

Performance Testing for Ajax Applications

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS

A Multi agent Scanner to Detect Stored XSS Vulnerabilities

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

How to Build a Trusted Application. John Dickson, CISSP

Complete Cross-site Scripting Walkthrough

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Cross-Site Scripting

JVA-122. Secure Java Web Development

NoSQL, But Even Less Security Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team

Transcription:

Intro XSS Implementation Evaluation Q&A Reliable Mitigation of DOM-based XSS Tobias Mueller 2014-09-07 1 / 39

Intro XSS Implementation Evaluation Q&A About me The results Motivation about:me MSc. cand. Dipl. Inf. presenting results of diploma thesis / USENIX paper 45 min. presentation ask immediately, Q&A afterwards 2 / 39

Intro XSS Implementation Evaluation Q&A About me The results Motivation Spoiler Is it possible to reliably defend against DOM-based XSS without breaking the Web? recognise new code from attacker-provided strings modified V8 s scanner, WebKit s strings, and the bindings for Chromium evaluated protection, compatibility, and speed yes, with some exceptions 3 / 39

Intro XSS Implementation Evaluation Q&A About me The results Motivation 1 Intro Motivation 2 Cross-Site Scripting (XSS) Reflected XSS Stored XSS DOM-based XSS Protection 3 Implementation Taint Tracking Compilation Chromiums Architecture V8 4 Evaluation Protection Compatibility Execution Speed 5 Q&A 4 / 39

Motivation 10.000 feet

Intro XSS Implementation Evaluation Q&A About me The results Motivation Severity of XSS 2004: OWASP Top 4 2007: OWASP Top 1 2010: OWASP Top 2 2013: OWASP Top 3 6 / 39

Intro XSS Implementation Evaluation Q&A About me The results Motivation Severity of XSS - 10% of CVEs are XSS 7 / 39

Intro XSS Implementation Evaluation Q&A About me The results Motivation Severity of XSS XSS is very common and dangerous 8 / 39

Intro XSS Implementation Evaluation Q&A About me The results Motivation Severity of XSS - 2 mio user records 9 / 39

Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Overview of section 2 1 Intro Motivation 2 Cross-Site Scripting (XSS) Reflected XSS Stored XSS DOM-based XSS Protection 3 Implementation Taint Tracking Compilation Chromiums Architecture V8 4 Evaluation Protection Compatibility Execution Speed 5 Q&A 10 / 39

Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Cross-Site Scripting (XSS) Code Execution in the victim s browser (JavaScript) Code execution use all browser APIs use Web app in the name of the user obtain credentials spy on behaviour 11 / 39

Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Reflected XSS <?php // returning unsanitised data echo $_GET[ bar ];?> Attack: http://foo/?bar=<script>alert("xss")</script> 12 / 39

Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Reflected XSS Victim Browser 2 http://vuln/?param=xss Sensitive Data 4 GET vuln/?param=xss <html>... XSS... </html> 1 3 Attacker Web Server 13 / 39

Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Reflected XSS Victim Browser 2 http://vuln/?param=xss Sensitive Data 4 GET vuln/?param=xss <html>... XSS... </html> 1 3 Attacker Web Server 13 / 39

Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Reflected XSS Victim Browser 2 http://vuln/?param=xss Sensitive Data 4 GET vuln/?param=xss <html>... XSS... </html> 1 3 Attacker Web Server 13 / 39

Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Reflected XSS Victim Browser 2 http://vuln/?param=xss Sensitive Data 4 GET vuln/?param=xss <html>... XSS... </html> 1 3 Attacker Web Server 13 / 39

Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Stored XSS <?php // store.php store_in_db ( some_key, $_POST[ bar ]);?> <?php // retrieve.php // returning unsanitised data echo get_from_db ( some_key );?> Attack: 1 POST http://foo/?bar=<script>alert(1)</script> 2 http://foo/retrieve.php 14 / 39

Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Stored XSS Victim Browser 3 5 <html>... XSS... </html> http://vuln/ Sensitive Data GET / 2 4 1 POST vuln/?param=xss Attacker Web Server 15 / 39

Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Stored XSS Victim Browser 3 5 <html>... XSS... </html> http://vuln/ Sensitive Data GET / 2 4 1 POST vuln/?param=xss Attacker Web Server 15 / 39

Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Stored XSS Victim Browser 3 5 <html>... XSS... </html> http://vuln/ Sensitive Data GET / 2 4 1 POST vuln/?param=xss Attacker Web Server 15 / 39

Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Stored XSS Victim Browser 3 5 <html>... XSS... </html> http://vuln/ Sensitive Data GET / 2 4 1 POST vuln/?param=xss Attacker Web Server 15 / 39

Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Stored XSS Victim Browser 3 5 <html>... XSS... </html> http://vuln/ Sensitive Data GET / 2 4 1 POST vuln/?param=xss Attacker Web Server 15 / 39

Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection DOM-based XSS <HTML> <TITLE>Welcome!</TITLE> Hi <SCRIPT> var pos = document.url.indexof("name=")+5; document.write(document.url.substring(pos,document.url.length)); </SCRIPT> <BR> Welcome to our system... </HTML> Attack: http://vuln/welcome.html#name=<script>alert(1)</script> 16 / 39

Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection DOM-based XSS Neither Stored- nor Reflected-XSS!!111elfeins Client-side vulnerability Read from (attacker controlled) properties of the loaded document document.location, window.name, etc... Write to security sensitive sinks eval, document.write, etc... eval(document.location.hash.substring(1)) http://lolcathost:8000/#alert(1) 17 / 39

Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection DOM-based XSS Victim Browser 2 http://vuln/#xss Sensitive Data 4 GET / <html>... <script>... </html> 1 3 Attacker Web Server 18 / 39

Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection DOM-based XSS Victim Browser 2 http://vuln/#xss Sensitive Data 4 GET / <html>... <script>... </html> 1 3 Attacker Web Server 18 / 39

Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection DOM-based XSS Victim Browser 2 http://vuln/#xss Sensitive Data 4 GET / <html>... <script>... </html> 1 3 Attacker Web Server 18 / 39

Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection DOM-based XSS Victim Browser 2 http://vuln/#xss Sensitive Data 4 GET / <html>... <script>... </html> 1 3 Attacker Web Server 18 / 39

Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection DOM-XSS protection mechanisms server-side solutions inappropriate as data does not leave the client turn off JavaScript... breaks the Web WebKit s XSS Auditor Only smarter string matching inherent weaknesses, e.g. in WebKit, not V8 eval Block tainted JavaScript code too coarse grained, breaks the Web: var name=d.url.substring(d.url.indexof("name=")) use knowledge of data flows to only allow data values and forbid code 19 / 39

Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Interlude: Recap XSS is a problem DOM-XSS is a client-side problem The client is the appropriate place for a fix The idea is to observe data flows to allow literals but block new code 20 / 39

Intro XSS Implementation Evaluation Q&A Taint Tracking Compilation Architecture V8 Overview of section 3 1 Intro Motivation 2 Cross-Site Scripting (XSS) Reflected XSS Stored XSS DOM-based XSS Protection 3 Implementation Taint Tracking Compilation Chromiums Architecture V8 4 Evaluation Protection Compatibility Execution Speed 5 Q&A 21 / 39

Intro XSS Implementation Evaluation Q&A Taint Tracking Compilation Architecture V8 Taint Tracking Annotate data and track it throughout perl -T navigator.taintenabled() 22 / 39

Intro XSS Implementation Evaluation Q&A Taint Tracking Compilation Architecture V8 Automated data flow detection WebKit DOM Tree Initialize v8 with JS code Tainted value t1 V8 Javascript Engine x = document.location.hash Store taint t1 in node document.title Tainted value t1 V8 Bindings Pass on taint inside v8 document.title = x y = document.title We still know the actual, unsecure source! (document.location.hash) 23 / 39

Intro XSS Implementation Evaluation Q&A Taint Tracking Compilation Architecture V8 Compilation Source Code Compiler Lexer var foo = bar ; Parser Code Generator Program 24 / 39

Intro XSS Implementation Evaluation Q&A Taint Tracking Compilation Architecture V8 Compilation Source Code Compiler Lexer var foo = bar ; VAR ID EQ STR SEMI Parser Code Generator Program 24 / 39

Intro XSS Implementation Evaluation Q&A Taint Tracking Compilation Architecture V8 Compilation Source Code Compiler Lexer Parser var foo = bar ; VAR ID EQ STR SEMI VariableStatement: var VariableDeclarationList Code Generator Program 24 / 39

Intro XSS Implementation Evaluation Q&A Taint Tracking Compilation Architecture V8 Compilation Source Code Compiler Lexer Parser var foo = bar ; VAR ID EQ STR SEMI VariableStatement: var VariableDeclarationList Code Generator sub esp, 4 Program 24 / 39

Intro XSS Implementation Evaluation Q&A Taint Tracking Compilation Architecture V8 Architecture Chromium 12,000k SLoC WebKit HTML Rendering 800k SLoC C++ V8 JavaScript Execution 700k SLoC C++ 25 / 39

Intro XSS Implementation Evaluation Q&A Protection Compatibility Execution Speed Overview of section 4 1 Intro Motivation 2 Cross-Site Scripting (XSS) Reflected XSS Stored XSS DOM-based XSS Protection 3 Implementation Taint Tracking Compilation Chromiums Architecture V8 4 Evaluation Protection Compatibility Execution Speed 5 Q&A 30 / 39

Intro XSS Implementation Evaluation Q&A Protection Compatibility Execution Speed Evaluation Protection: Test cases and vulnerable top 10000 Web apps ( 8% vuln.) Compatibility: Test cases and top 10000 Execution speed: standard benchmarks against baseline 31 / 39

Intro XSS Implementation Evaluation Q&A Protection Compatibility Execution Speed Protection - Setup in vitro (test suite) Pre-existing test suite in vivo (real world large-scale study) Find existing vulnerability + Sites with DOM-based XSS vulnerabilities Regression test + Create witness inputs Test with proposed implementation # rejections ˆ= protection capability 32 / 39

Intro XSS Implementation Evaluation Q&A Protection Compatibility Execution Speed Protection - Results Without XSS Auditor Taint Aware browser Exploitable 757 545 0 Domains Protection Rate 0% 28.01% 100% Table : Protection Capabilities of the XSS Auditor and the taint browser 33 / 39

Intro XSS Implementation Evaluation Q&A Protection Compatibility Execution Speed Compatibility - Setup Obtain list of top 10000 Web sites Browse Web sites Collect block reports #rejects ˆ= compatibility 34 / 39

Intro XSS Implementation Evaluation Q&A Protection Compatibility Execution Speed Compatibility - Results 8 (out of 10000) wrongfully blocked Web apps: al.com, blogger.com, elpais.com, google.com, ixian.cn, miami.com, mlive.com, toyota.jp 35 / 39

Intro XSS Implementation Evaluation Q&A Protection Compatibility Execution Speed Execution Speed - Setup Run Experiment Select Browser Chromium Vanilla Chromium Taint Firefox Internet Explorer Opera Select Benchmark Kraken Sunspider Dromaeo Octane Run Benchmark create fresh profile 10 times 20 times run benchmark collect results 36 / 39

Execution Speed - Results - 23% vs. 39%, 49%, and 63% 5.4 5.2 5.0 4.8 4.6 3.0 5.00 Patched Chrome Firefox Internet Explorer Epiphany Opera 2.68 2.5 2.45 2.10 2.0 1.89 Slowdown factor 1.59 1.5 1.08 1.63 1.75 1.36 1.12 1.14 1.66 1.48 1.37 1.09 1.0 0.91 0.93 0.5 0.50 0.69 0.0 Kraken Sunspider Dromaeo Octane v2

Intro XSS Implementation Evaluation Q&A Overview of section 5 1 Intro Motivation 2 Cross-Site Scripting (XSS) Reflected XSS Stored XSS DOM-based XSS Protection 3 Implementation Taint Tracking Compilation Chromiums Architecture V8 4 Evaluation Protection Compatibility Execution Speed 5 Q&A 38 / 39

Intro XSS Implementation Evaluation Q&A Q&A Client-side protection mechanism against DOM-XSS Thorough evaluation of the proposed implementation Review of existing XSS protection mechanisms to be read in Precise Client-side Protection against DOM-based XSS, in: 23rd USENIX Security Symposium (USENIX Security 14). Questions? 39 / 39

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information