• No results found

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense"

Copied!
42
0
0

Loading.... (view fulltext now)

Download now ( 42 Page )

Full text

(1)

Document Structure Integrity:

A Robust Basis for Cross-Site Scripting Defense

Prateek Saxena

UC Berkeley

Yacin Nadji

Illinois Institute

Of Technology

Dawn Song

UC Berkeley

(2)

A Cross-Site Scripting Attack

Hi Joe, <img src=“…”> <script src=“”> Hi Joe, <img src=“…”> <script src=“”> Cookies, Password Policy: ALLOW

(3)

Limitations of Server-side Sanitization

<IMG SRC="javascript:alert('XSS')”> Hi Joe, <img src=…> Cookies, Password <IMG SRC=JaVaScRiPt:alert('XSS')> <IMG SRC=&#106;&#97;&#118;&#97; &#115;&#99;&#114;&#105;&#112;&#1 16;&#58;&#97;&#108;&#101;&#114;& #116;&#40;&#39;&#88;&#83;&#83;&# 39;&#41;> Policy: ALLOW

(4)

Limitations of Server-side Sanitization

Hi Joe,

<img src=…>

Cookies, Password

Over 90 ways to inject JS

[RSnake07]

Multiple Languages

(5)

A Different Approach…

Previous defenses: XSS is a sanitization problem

Our view: XSS is a document structure integrity problem

IMG

javascript:

SRC

IMG

(6)

Concept of Document Structure

id

Joe; online

div STATIC DOCUMENT

STRUCTURE document.write() id Joe; online div DYNAMIC DOCUMENT STRUCTURE

DOCUMENT

STRUCTURE

JAVASCRIPT

(7)

Document Structure Integrity (DSI)

Definition:

Given a server’s policy P,

Restrict untrusted content to allowable syntactic elements

Policy in terms of client-side languages

Central idea for DSI enforcement

Dynamic information flow tracking (server & browser)

Policy based parser-level confinement

(8)

Talk Outline

Power of DSI Defense: Examples

Design Goals

Architecture

Implementation

Evaluation

(9)

Talk Outline

Power of DSI Defense: Examples

Design Goals

Architecture

Implementation

Evaluation

(10)

DSI Defense: A Powerful Approach

DSI enforcement prevents

Not just cookie-theft

» Form injection for phishing [Netcraft08]

» Profile Worms [Samy05, Yammaner06]

» Web site defacement through XSS

“DOM-Based” XSS (Attacks on client-side languages)

Vulnerabilities due to browser-server inconsistency

(11)

DOM-based client-side

XSS [Klein05]

<div id=“Joe; online”>

JAVASCRIPT

Joe

<div id=“Joe; online”>

online

+

DYNAMIC UPDATE

Example 1: DOM-Based XSS

id Joe; online div

(12)

Example 1: DOM-Based XSS

DOM-based client-side

XSS [Klein05]

<

div

id=“

Devil

; <script>..</script>”>

JAVASCRIPT

(13)

Example 1: DOM-Based XSS

DOM-based client-side

XSS [Klein05]

<

div

id=“

Devil

; <script>..</script>”>

JAVASCRIPT

DYNAMIC UPDATE

<div id=“Devil; <script>..</script>”>

script

“Devil” “..”

(14)

Browser-Server Inconsistency Bugs

<img onload:=alert(1)>

<img

onload=alert(1)>

<img onload:=alert(1)>

IMG ONLOAD alert (1) IMG onload:=alert(1)

(15)

Talk Outline

Defense in Depth: Examples

Design Goals

Architecture

Implementation

Evaluation

(16)

Design Goals

Clear separation between policy and mechanism

No dependence on sanitization

No changes to web application code

Minimize false positives

Minimizes impact to backwards compatibility

Robustness

Address static & dynamic integrity attacks

Defeat adaptive adversaries

(17)

Mechanisms

Client-server architecture

Server

Step 1: Identify trust boundaries in HTML response

Step 2: Serialize

» Encoding data & trust boundaries in HTML

Client

Step 3: De-serialize

» Initialize HTTP response page into static document structure

Step 4: Dynamic information flow tracking

(18)

Talk Outline

Defense in Depth: Examples

Design Goals

Architecture

Implementation

Evaluation

(19)

Approach Overview: Static DSI

SERIALIZER SERVER BROWSER <img src=“…”> <script src=“”> <a href = …> [[<img src=“…”> <script src=“”>]] <a href = …> img script DE-SERIALIZER P

(20)

Approach Overview: Dynamic DSI

SERIALIZER DE-SERIALIZER TAINT

TRACKING

<div id=“Devil;

<script>..</scri

pt>”>

<div id=“

[[Devil;

<script>..</scrip

t>]]

”>

id Devil;<script>.. </script> div

(21)

Approach Overview: Dynamic DSI (II)

SERIALIZER DE-SERIALIZER TAINT

TRACKING

SERVER BROWSER

<div id=“Devil;

<script>..</scri

pt>”>

<div id=“

[[Devil;

<script>..</scrip

t>]]

”>

id script “Devil” “..”

(22)

Serialization Design: Key Challenge

Safety against an adaptive adversary

USER BLOG <CONFINE> </CONFINE> <script>…</script> <CONFINE> </CONFINE> </CONFINE> </CONFINE>

(23)

Serialization: Key Challenge

Do not rely on sanitization

<CONFINE … ID=“N5”></CONFINE> <SCRIPT> document.getElementByID(“N5”).innerHTML = ”; </SCRIPT>

(24)

Serialization Design: Key Challenge

Attack on sanitization mechanism for JS strings

<CONFINE … ID=“N5”></CONFINE> <SCRIPT> document.getElementByID(“N5”).innerHTML = ”; </SCRIPT> </SCRIPT> <SCRIPT> Attack

(25)

Markup Randomization

Markup Randomization

Mechanism independent of the policy

Does not depend on any sanitization

R

[[

00101

R

]]

00101

Valid Nonces:

00101

,

11010

,01110

(26)

Markup Randomization

Markup Randomization

Mechanism independent of the policy

Does not depend on any sanitization

[[

00101

R

]]

00101

Policy: ALLOW {a, a@aref}

OK!

[[

00101

R

]]

00101

(27)

Markup Randomization

Markup Randomization

Mechanism independent of the policy

Does not depend on any sanitization

[[

00101

R

]]

00101

Policy: ALLOW {a, a@aref}

[[

00101

R

]]

10101

(28)

Browser-side Taint Tracking

Dynamic DSI

Client Language Interpreters enhanced

Ubiquitous tracking of untrusted data in

(29)

Talk Outline

Advantages of DSI in Attack Coverage

Design Goals

Architecture

Implementation

Evaluation

(30)

Implementation

Full Prototype Implementation

DSI-enable server

Utilized existing taint tracking in PHP [IBM07]

DSI-compliant browser

Implemented in KDE Konqueror 3.5.9

(31)
(32)

In a DSI-compliant Browser…

(33)

Talk Outline

Advantages of DSI in Attack Coverage

Design Goals

Architecture

Implementation

Evaluation

(34)

Evaluation: Attack Detection

Stored XSS attacks

Vulnerable phpBB forum application

25 public attack vectors [RSnake07]

30 benign posts

Results

100% attack prevention

No changes required to the application

No false positives

(35)

Evaluation: Real-World XSS Attacks

5,328 real-world vulnerabilities [xssed.com]

500 most popular benign web sites [alexa.com]

Default Policy:

Coerce untrusted data to leaf nodes

Results

98.4% attack prevention

False Negatives:

» Due to exact string matching in instrumentation

False Positives: 1%

(36)

Evaluation: Performance

Browser Overhead

1.8%

Server overhead

1-3%

(37)

Related Work

Client-server Approaches

» BEEP [Jim07]

» <jail> [Eich07]

» Hypertext Isolation [Louw08]

Client-side approaches

» IE 8 Beta XSS Filter [IE8Blog]

» Client-side Firewalls [Kirda06]

» Sensitive Info. Flow Tracking [Vogt07]

Server-side approaches

» Server-side taint-based defenses [Xu06, Nan07, Ngu05, Pie04]

» XSS-Guard [Bisht08]

» Program Analysis for XSS vulnerabilities [Balz08, Mar05, Mar08, Jov06, Hua04]

(38)

Conclusion

DSI: A fundamental integrity property for web applications

XSS as a DSI violation

Multifaceted Approach

Clearly separates mechanism and policy

Defeats adaptive adversaries

Markup randomization

Evaluation on a large real-world dataset

Low performance overhead

No web application code changes

(39)

Questions

(40)

Hi Joe!

Hi [[

Joe

]]!

www.site.com?user=Joe

user=Joe

Client-Side Proxy

(41)

Markup Randomization: Adaptive Attacks

Multiple valid parse trees

[[ N1

[[ N3

]] N1

[[ N2

]] N3 ]] N2

[[ N1

[[ N3

]] N1

[[ N2

]] N3

]] N2

[[ N1

[[ N3

]] N1

[[ N2

]] N3

]] N2

(42)

Attack Coverage (II): Inconsistency Bugs

Browser-Server Inconsistency Bugs

Browser Processing Server Processing Inconsistency Bugs

References

Download now ( PDF - 42 Page - 648.83 KB )

Related documents

ChemCatChem. Supporting Information

Catalytic test for phenylacetylene hydrogenation: The selective hydrogenation of phenylacetylene (PA) of the catalysts was tested in a 30 ml pressure bottle with 2.5 mg of

Learning in the Real World: Constraints on Cost, Space, and Privacy

We devise solutions for each of these problem categories including (i) a fast tree-based model for explicitly trading off accuracy and model evaluation time, (ii) a compression

CACI International Inc. Q1 FY21 Earnings Conference Call. October 29, CACI Proprietary Information. CACI Proprietary Information

federal agencies, current agreements with other nations, foreign events, or any other events which may affect the global economy, including the impact of global pandemics like COVID-19;

Treasuring the Diversity. Around You. Published exclusively by Kendall Hunt Publishing Company CHAPTER. Preparing to Embark

In other courses you take as part of your teacher preparation program, you will dig more deeply into the topic of special education and learn more about the federal laws that require

How should we (not) design empirical studies of software development?

Department at Simula Research Laboratory. The experiences are illustrated with study design and results from my own research on software cost estimation. Topics that I would like

Copyright by Bulent Guler 2009

If she decides to default, she receives any positive remaining balance - the selling price of the house to the lender minus the outstanding mortgage debt - from the lender, makes

Pewarisan Sifat Ketahanan Tanaman Melon (Cucumis Melo L.) terhadap Powdery Mildew (Podosphaera Xanthii (Castag.) Braun Et Shishkoff)

Berdasarkan hasil penelitian tersebut diketahui bahwa sifat ketahanan tanaman melon dengan induk betina PI 371795 dikendalikan oleh gen dominan tunggal ( pm-I ), sehingga induk

Environmental protection in the Nigerian oil and gas industry and Jonah Gbemre v Shell PDC Nigeria Limited: let the plunder continue?

First, the court should declare that the constitutionally guaranteed fundamental rights to life and dignity of human persons as provided in sections 33 (1) and 34 (1) of