deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation

Talk I gave at the ACM Conference on Computer and Communications Security (CCS) 2013 on the paper "deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation" which describes an approach to solving Cross-Site Scripting (XSS) vulnerabilities via applying the security principles of Code and Data separation.

The paper is located here:
http://cs.ucsb.edu/~adoupe/static/dedacota-ccs2013.pdf

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,796
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
13
Comments
0
Likes
2
Embeds 0
No embeds

Notes
  • We want to fundamentally solve XSS vulnerabilities.
  • Server-side: Traditional XSS attacks. Result of server-side code.
  • Branches. Loops.
  • Just say we extract all the possible inline JavaScript from the approximation graph.
  • We solved the problem! Hurray! Then talk about dynamic JS.
  • The developer is choosing to break the code/data separation model. This is fundamentally a bad thing. However, we developed a technique to handle some of these cases.
  • Missing inline JavaScript - dynamic code - loops

    1. deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation. Adam Doupé, Weidong Cui€, Mariusz H. Jakubowski€, Marcus Peinado€, Christopher Kruegel, and Giovanni Vigna. University of California, Santa Barbara; €Microsoft Research. CCS 2013 – 11/7/13
    2. XSS Vulnerabilities Still Exist Today. Doupé - 11/7/13
    3. [image slide]
    4. [image slide] Courtesy of Ashar Javed
    5. Test.aspx:
       <html>
       <body>
       <p>Hello <%= this.Name %></p>
       </body>
       </html>
    6. Request http://example.com/Test.aspx?name=adam: the server asks Test.dll for output, rendering the Test.aspx template of slide 5.
    7-10. Ask Test.dll for output; the response for http://example.com/Test.aspx?name=adam:
       <html>
       <body>
       <p>Hello adam</p>
       </body>
       </html>
    11. Test.aspx, now requested as http://example.com/Test.aspx?name=<script>alert("xss");</script>, with the same template as slide 5.
    12-13. The rendered response:
       <html>
       <body>
       <p>Hello <script>alert("xss");</script></p>
       </body>
       </html>
    14. XSS – Impact
       • Steal cookies
       • Perform actions as user
       • Exploit user’s browser
       • Fake login form
    15. Fixing XSS – Sanitization
       <html>
       <body>
       <p>Hello <%= HtmlEncode(this.Name) %></p>
       </body>
       </html>
    16. Fixing XSS – Sanitization. For the request name=<script>alert("xss");</script>, HtmlEncode produces:
       <html>
       <body>
       <p>Hello &lt;script&gt;alert("xss");&lt;/script&gt;</p>
       </body>
       </html>
    17. XSS as Input Validation
    18. XSS as Input Validation. Problem → Research:
       Find All Paths: WWW 2004, USENIX 2005, Oakland 2006
       Many Different Contexts: CCS 2011, CCS 2011
       Is Sanitization Correct?: Oakland 2008, USENIX 2011
       Parsing Quirks: Oakland 2009
    19-20. XSS as Input Validation. Same table as slide 18, with the second row labelled "Different Context".
    21. XSS as Input Validation. Same table, with Parsing Quirks: Oakland 2009, CCS 2013.
    22. XSS as Input Validation. Same table as slide 21. We want to fundamentally solve XSS vulnerabilities.
    23. Another Example
       <html>
       <body>
       <script>
       alert("welcome to example.com!");
       </script>
       <p>Hello <%= this.Name %></p>
       </body>
       </html>
    24. Another Example. Developer intended for this code to be executed on the browser: the <script> block of slide 23.
    25. Another Example. Request http://example.com/Test.aspx?name=<script>alert("xss");</script> against the template of slide 23.
    26. Another Example. The rendered response:
       <html>
       <body>
       <script>
       alert("welcome to example.com!");
       </script>
       <p>Hello <script>alert("xss");</script></p>
       </body>
       </html>
    27. The Fundamental Problem. In the response of slide 26, the developer intended alert("welcome to example.com!"); to be executed on the browser, and did not intend <script>alert("xss");</script> to be executed on the browser.
    28. The Fundamental Problem. The browser can’t tell the difference! (Same response as slide 26.)
    29. The Fundamental Solution. Data: the template of slide 23. Code: alert("welcome to example.com!");
    30. The Fundamental Solution. To fundamentally solve XSS vulnerabilities, we must apply the basic security principles of Code and Data separation! Data: the template of slide 23. Code: alert("welcome to example.com!");
    31. Content Security Policy (CSP)
       • Mechanism for the website to communicate a policy to the browser about what JavaScript to execute
       • The browser then enforces this policy
       • Supported by many modern browsers (68% of users use one of these browsers): Firefox, Chrome, IE (10), Safari, Opera, iOS, Android
    32. Content Security Policy. Header: Content-Security-Policy: script-src http://example.com/0cc111eb135.js. Data: the template of slide 23, with the inline <script> still present. Code: alert("welcome to example.com!");
    33. Content Security Policy. Header: Content-Security-Policy: script-src http://example.com/0cc111eb135.js
       Data:
       <html>
       <body>
       <script src="0cc111eb135.js"></script>
       <p>Hello <%= this.Name %></p>
       </body>
       </html>
       Code: alert("welcome to example.com!");
    34. Code and Data Separation
       • Code and Data separation from start
         – No legacy applications
       • Manually rewrite application
         – Difficult and error-prone (HotSec 2011)
       deDacota: Automatically separate code and data of a web application
    35. Threat Model
       • Benign web application
         – The developer has not obfuscated the web application
       • Server-side XSS
         – Our approach will only address traditional XSS, in other words, XSS where the resulting bug is in the server-side code
       • Inline JavaScript
         – For the deDacota prototype, we focused only on inline JavaScript
         – We ignore JavaScript in HTML attributes and CSS
    36. DESIGN
    37. deDacota Process: Approximate HTML Output → Extract Inline JavaScript → Rewrite Web Application
    38. deDacota Process. The goal is to rewrite the web application so that it is semantically equivalent yet separates the code and data. (Approximate HTML Output → Extract Inline JavaScript → Rewrite Web Application)
    39. Approximate HTML Output
       <%@ Page Language="C#" CodeBehind="CodeBehind.cs" Inherits="Test" %>
       <html>
       <body>
       <p>Hello <%= this.Name %></p>
       <%= Scripts() %>
       </body>
       </html>
    40. Approximate HTML Output. The compiled page class (slides 40-56 all show this code; the graph nodes listed below are added to it one at a time):
       class test_aspx : System.Web.UI.Page {
         public test_aspx () {
           this.Name = Request.QueryString["name"];
           this.Year = "2013";
         }
         protected void Render(HtmlTextWriter writer) {
           writer.Write("<html><body><p>");
           writer.Write(this.Name);
           writer.Write(Scripts());
           writer.Write("</p></body></html>");
         }
         protected string Scripts() {
           return "<script>alert('" + this.Year + "');</script>";
         }
       }
    41. The goal here is to create a graph that approximates the HTML content of the web page. We use static analysis techniques to construct the graph.
    42. First graph node, from the first writer.Write: "<html><body><p>"
    43-44. Next node, from writer.Write(this.Name): this.Name
    45. Here we need to analyze the control flow of the application, which means following the control flow into the Scripts() method.
    46. (Same graph as slide 43.)
    47. Here we encounter string concatenation, which our analysis is able to handle.
    48. Nodes added for the concatenation inside Scripts(): "<script>alert('", this.Year, "');</script>"
    49. Now that we have constructed the approximation graph, we must determine what is being output by each node in the graph. Here we use data-flow analysis and points-to analysis.
    50. (Same graph as slide 48.)
    51. Node "<html><body><p>" resolves to <html><body><p>
    52. In this case, Request.QueryString["name"] is statically undecidable because it comes from user input. In the approximation graph we represent this as a * which means the output at this node could be anything.
    53. Node this.Name resolves to *
    54. Node "<script>alert('" resolves to <script>alert('
    55. Node this.Year resolves to 2013
    56. Node "');</script>" resolves to ');</script>
    57. The resulting approximation graph: <html><body><p> → * → <script>alert(' → 2013 → ');</script> → </p></body></html>
    58. This approximation graph contains a static approximation of the HTML content of the web page. Any path through this graph is one possible output of the page.
    59. [graph image] In this example approximation graph from a real-world application, the branch in the graph comes from a conditional branch in the control-flow of the application.
    60. Statically undecidable content, represented here as a *, can come from two different areas: 1. Statically undecidable according to the static analysis. 2. To make our analysis conservative, we treat all loops as outputting a *, because we cannot statically determine how many times a loop will execute.
    61. Extract Inline JavaScript
    62. In the second step, we simply extract the inline JavaScript (aka the developer intended code) from the approximation graph.
    63. Rewrite Web Application. Data: the template of slide 23. Extracted Code: alert("welcome to example.com!");
    64. Rewrite Web Application. Header: Content-Security-Policy: script-src http://example.com/0cc111eb135.js
       Data:
       <html>
       <body>
       <script src="0cc111eb135.js"></script>
       <p>Hello <%= this.Name %></p>
       </body>
       </html>
       Code: alert("welcome to example.com!");
    65. Rewrite Web Application. At this point, if the inline JavaScript code is static, we have protected the application. No attacked data in the Data segment will ever be interpreted as Code. (Rewritten page and header as on slide 64.)
    66. Rewrite Web Application. Unfortunately, developers sometimes dynamically generate the Code of an application. If this happens with untrusted Data, there can still be an XSS vulnerability. (Rewritten page and header as on slide 64.)
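The rewrite of slides 63-66 in working form, as an added example that is not the deDacota prototype's code: static inline script bodies move to external files and the page gets a CSP header naming only those files, so an inline script injected into the Data segment is refused by the browser. The file-naming scheme (a truncated SHA-256 of the body, standing in for the slide's 0cc111eb135.js), the EXAMPLE_PAGE constant constructed from slide 23, and browser_would_execute(), a miniature model of script-src enforcement, are all assumptions of this example.

```python
"""Added example of the Rewrite Web Application step (slides 63-66); not the
deDacota prototype's code. Assumptions: external file names are a truncated
SHA-256 of the script body (in place of the slide's 0cc111eb135.js), and
browser_would_execute() is a miniature model of CSP script-src enforcement."""
import hashlib
import re
from urllib.parse import urljoin

INLINE_RE = re.compile(r"<script>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r'<script\s+src="([^"]+)"\s*>', re.I)

# Constructed from slide 23: the <%= %> expression is Data, the script is Code.
EXAMPLE_PAGE = (
    "<html>\n<body>\n<script>\nalert(\"welcome to example.com!\");\n</script>\n"
    "<p>Hello <%= this.Name %></p>\n</body>\n</html>"
)


def rewrite_page(html, origin="http://example.com/"):
    """Return (rewritten_html, csp_header, {file_name: js_body}).

    A script that still contains an ASP.NET <%= %> expression is dynamic
    inline JavaScript (slides 66-70); it is left in place for the safe/unsafe
    analysis instead of being moved blindly."""
    files = {}

    def to_external(match):
        body = match.group(1)
        if "<%" in body:
            return match.group(0)
        name = hashlib.sha256(body.encode()).hexdigest()[:11] + ".js"
        files[name] = body                  # identical bodies share one file
        return f'<script src="{name}"></script>'

    new_html = INLINE_RE.sub(to_external, html)
    # No 'unsafe-inline' in the source list: the browser refuses every inline
    # script, including one an attacker smuggles into the Data segment.
    allowed = [urljoin(origin, name) for name in files] or ["'none'"]
    csp = "Content-Security-Policy: script-src " + " ".join(allowed)
    return new_html, csp, files


def browser_would_execute(csp, script_tag, page_url="http://example.com/Test.aspx"):
    """Model of script-src: an external script runs only if its absolute URL
    is listed in the policy; an inline script never runs under this policy."""
    sources = csp.split("script-src", 1)[1].split()
    match = SRC_RE.match(script_tag)
    if match is None:
        return False
    return urljoin(page_url, match.group(1)) in sources


if __name__ == "__main__":
    html, csp, files = rewrite_page(EXAMPLE_PAGE)
    print(csp)
    print(html)
    for name, body in files.items():
        print(f"--- {name} ---{body}")
```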
    67. Dynamic Inline JavaScript
       <html>
       <script>
       var username = "<%= Username %>";
       </script>
       </html>
    68. Dynamic Inline JavaScript. Data: the page of slide 67. Code: var username = "<%= Username %>"; Here, the developer has chosen to dynamically generate the Code from untrusted data.
    69. Dynamic Inline JavaScript. Code: var username = "<%= Username %>"; which in the approximation graph becomes var username = "*";
    70. Dynamic Inline JavaScript. We developed a technique to safely transform cases of dynamic inline JavaScript. If the statically undecidable content is used in a known JavaScript context (JavaScript string or comment), we can safely rewrite the application. We call these cases “safe dynamic inline JavaScript.”
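An added example (my code, not the paper's or the prototype's) covering the approximation graph of slides 40-60, the extraction of slide 62 and the static / safe dynamic / unsafe dynamic classification of slides 67-70: page output is modelled as Const, Star and Branch nodes, every path through the graph is enumerated, inline script bodies are extracted from each path, and a small JavaScript scanner decides whether every * sits inside a string literal or comment. The node types, the STAR sentinel and the scanner are assumptions of this example; the real analysis works on the compiled page class shown on slide 40.

```python
"""Added example, not the deDacota prototype's code: a toy approximation graph
(slides 40-60), inline JavaScript extraction (slide 62) and the
static / safe dynamic / unsafe dynamic classification (slides 67-70).
Every path through the graph is one possible HTML output of the page."""
import itertools
import re
from dataclasses import dataclass

# Sentinel for statically undecidable content, drawn as * on the slides.
STAR = "\x00*\x00"


@dataclass
class Const:
    """Text the static analysis resolved to a fixed string."""
    text: str


@dataclass
class Star:
    """Statically undecidable output (user input, or a loop body)."""


@dataclass
class Branch:
    """A conditional in the control flow; each alternative is a node list."""
    alternatives: list


def paths(nodes):
    """Enumerate every possible output string of a node sequence."""
    choices = []
    for node in nodes:
        if isinstance(node, Const):
            choices.append([node.text])
        elif isinstance(node, Star):
            choices.append([STAR])
        elif isinstance(node, Branch):
            choices.append([s for alt in node.alternatives for s in paths(alt)])
    return ["".join(parts) for parts in itertools.product(*choices)]


SCRIPT_RE = re.compile(r"<script(?:\s[^>]*)?>(.*?)</script>", re.I | re.S)


def inline_scripts(html):
    """Inline <script> bodies of one output; src-only tags are empty and skipped."""
    return [m.group(1) for m in SCRIPT_RE.finditer(html) if m.group(1).strip()]


def classify(js):
    """'static' if no * is present; 'safe dynamic' if every * sits inside a
    JavaScript string literal or comment (slide 70); otherwise 'unsafe dynamic'.
    A safe-dynamic script still needs the rewrite step to escape the value for
    that context; this function only decides the context."""
    if STAR not in js:
        return "static"
    state = "code"          # or "'" / '"' (inside a string), "line", "block"
    i = 0
    while i < len(js):
        if js.startswith(STAR, i):
            if state == "code":
                return "unsafe dynamic"
            i += len(STAR)
            continue
        c = js[i]
        if state == "code":
            if c in ("'", '"'):
                state = c
            elif js.startswith("//", i):
                state, i = "line", i + 1
            elif js.startswith("/*", i):
                state, i = "block", i + 1
        elif state in ("'", '"'):
            if c == "\\":
                i += 1                      # skip the escaped character
            elif c == state:
                state = "code"
        elif state == "line" and c == "\n":
            state = "code"
        elif state == "block" and js.startswith("*/", i):
            state, i = "code", i + 1
        i += 1
    return "safe dynamic"


def analyze(nodes):
    """Classify every inline script on every path; duplicates collapsed."""
    results = []
    for html in paths(nodes):
        for js in inline_scripts(html):
            entry = (js, classify(js))
            if entry not in results:
                results.append(entry)
    return results


def page_graph():
    """The graph the slides build for Test.aspx (slide 57)."""
    return [Const("<html><body><p>"), Star(), Const("<script>alert('"),
            Const("2013"), Const("');</script>"), Const("</p></body></html>")]


def username_graph():
    """The dynamic inline JavaScript page of slides 67-69."""
    return [Const('<html><script>var username = "'), Star(),
            Const('";</script></html>')]


if __name__ == "__main__":
    for graph in (page_graph(), username_graph()):
        for js, kind in analyze(graph):
            print(f"{kind:15s} {js.replace(STAR, '*')}")
```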
    71. EVALUATION
    72. Applications
       Application      Lines of Code   Known Vulnerability
       BugTracker.NET   35,674          CVE-2010-3266
       BlogEngine.NET   29,512          CVE-2008-6476
       BlogSA.NET        6,994          CVE-2009-0814
       ScrewTurn Wiki   12,155          CVE-2008-3483
       WebGoat.NET      11,993          2 Intentional
       ChronoZoom       21,261          N/A
    73. Evaluation
       • Security
         – Crafted exploits for applications with known vulnerabilities
         – Transformed applications, along with CSP, blocked the exploits
       • Functional correctness
         – ChronoZoom had 160 JavaScript tests and all passed after the transformation
         – Manually browsed the application and source code looking for missing inline JavaScript
    74-77. [Chart: stacked bars, 0% to 100%, of the inline JavaScript in BugTracker.NET, BlogEngine.NET, BlogSA.NET, ScrewTurn Wiki, WebGoat.NET and ChronoZoom, split into Static, Safe Dynamic and Unsafe Dynamic, with per-application counts labelled on the bars.] Here we are going to look at what percentage of the inline JavaScript in each application is either: static, safe dynamic, or unsafe dynamic.
    78. In these safe dynamic situations, we are able to safely transform the dynamic inline JavaScript code.
    79. [Chart as on slides 74-77, all three categories shown.]
    80. In cases of unsafe dynamic inline JavaScript, we alert the developer that the transformation could potentially contain an XSS vulnerability. After the developer confirms the absence of an XSS vulnerability in the unsafe dynamic inline JavaScript, then the application is guaranteed free of XSS vulnerabilities.
    81. Limitations
       • Might miss inline JavaScript
         – Loops
         – Dynamic code execution
       • Does not handle HTML attributes and CSS
    82. Summary
       • Code and Data separation necessary to prevent XSS
       • deDacota can automatically separate Code and Data of web application
       • deDacota works in practice
    83. Adam Doupé. Email: adoupe@cs.ucsb.edu. Twitter: @adamdoupe. deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation