deDacota: Toward Preventing
Server-Side XSS via Automatic
Code and Data Separation
Adam Doupé, Weidong Cui†, Mariusz H. Jakubowski†, Marcus Peinado†, Christopher Kruegel, and Giovanni Vigna
University of California, Santa Barbara
†Microsoft Research
CCS 2013 – 11/7/13
XSS Vulnerabilities Still Exist Today
[Image slides; courtesy of Ashar Javed]
Doupé - 11/7/13

Test.aspx
<html>
<body>
<p>Hello <%= this.Name %></p>
</body>
</html>

Request: http://example.com/Test.aspx?name=adam
The server asks Test.dll (the compiled page class) for output, and the browser receives:
<html>
<body>
<p>Hello adam</p>
</body>
</html>

Request: http://example.com/Test.aspx?name=<script>alert("xss");</script>
Test.dll substitutes the query parameter into <%= this.Name %> unchanged, and the browser receives:
<html>
<body>
<p>Hello <script>alert("xss");
</script></p>
</body>
</html>
XSS – Impact
• Steal cookies
• Perform actions as user
• Exploit user’s browser
• Fake login form

Fixing XSS – Sanitization
<html>
<body>
<p>Hello
<%= HtmlEncode(this.Name) %>
</p>
</body>
</html>

For the request with name=<script>alert("xss");</script>, HtmlEncode turns the markup into inert text:
<html>
<body>
<p>Hello
&lt;script&gt;alert("xss");
&lt;/script&gt;
</p>
</body>
</html>
XSS as Input Validation
Problem                    Research
Find All Paths             WWW 2004, USENIX 2005, Oakland 2006
Many Different Contexts    CCS 2011, CCS 2011
Is Sanitization Correct?   Oakland 2008, USENIX 2011
Parsing Quirks             Oakland 2009, CCS 2013

We want to fundamentally solve XSS vulnerabilities.
Another Example
<html>
<body>
<script>
alert("welcome to example.com!");
</script>
<p>Hello <%= this.Name %></p>
</body>
</html>
The developer intended the script block to be executed on the browser.

With http://example.com/Test.aspx?name=<script>alert("xss");</script> the page becomes:
<html>
<body>
<script>
alert("welcome to example.com!");
</script>
<p>Hello <script>alert("xss");</script>
</p>
</body>
</html>

The Fundamental Problem
The first <script> block is code the developer intended to be executed on the browser. The second <script> block is code the developer did not intend to be executed on the browser. The browser can’t tell the difference!

The Fundamental Solution
Data:
<html>
<body>
<script>
alert("welcome to example.com!");
</script>
<p>Hello <%= this.Name %>
</p>
</body>
</html>

Code:
alert("welcome to example.com!");

To fundamentally solve XSS vulnerabilities, we must apply the basic security principles of Code and Data separation!
Content Security Policy (CSP)
• Mechanism for the website to communicate a policy to the browser about what JavaScript to execute
• The browser then enforces this policy
• Supported by many modern browsers (68% of users use one of these browsers)
– Firefox
– Chrome
– IE (10)
– Safari
– Opera
– iOS
– Android

Content Security Policy
Content-Security-Policy: script-src http://example.com/0cc111eb135.js

Data (the inline script is replaced by a reference to the external file):
<html>
<body>
<script src="0cc111eb135.js">
</script>
<p>Hello <%= this.Name %>
</p>
</body>
</html>

Code (0cc111eb135.js):
alert("welcome to example.com!");
Code and Data Separation
• Code and Data separation from start
– No legacy applications
• Manually rewrite application
– Difficult and error-prone (HotSec 2011)

deDacota: Automatically separate code and data of a web application

Threat Model
• Benign web application
– The developer has not obfuscated the web application
• Server-side XSS
– Our approach will only address traditional XSS, in other words, XSS where the resulting bug is in the server-side code
• Inline JavaScript
– For the deDacota prototype, we focused only on inline JavaScript
– We ignore JavaScript in HTML attributes and CSS

DESIGN

deDacota Process
1. Approximate HTML Output
2. Extract Inline JavaScript
3. Rewrite Web Application
The goal is to rewrite the web application so that it is semantically equivalent yet separates the code and data.

Approximate HTML Output
<%@ Page Language="C#"
CodeBehind="CodeBehind.cs" Inherits="Test" %>
<html>
<body>
<p>Hello <%= this.Name %></p>
<%= Scripts() %>
</body>
</html>
Approximate HTML Output
// Code-behind class generated for Test.aspx (the slide's simplified sketch;
// the Name and Year field declarations are omitted)
class test_aspx : System.Web.UI.Page {
    public test_aspx () {
        this.Name = Request.QueryString["name"];
        this.Year = "2013";
    }
    protected override void Render(HtmlTextWriter writer) {
        writer.Write("<html><body><p>");
        writer.Write(this.Name);
        writer.Write(Scripts());
        writer.Write("</p></body></html>");
    }
    protected string Scripts() {
        return "<script>alert('" + this.Year + "');</script>";
    }
}

The goal here is to create a graph that approximates the HTML content of the web page. We use static analysis techniques to construct the graph.

Walking Render() in order, the first node is the constant "<html><body><p>", and the second is this.Name. For the third write we need to analyze the control flow of the application, which means following the control flow into the Scripts() method. Here we encounter string concatenation, which our analysis is able to handle: Scripts() contributes the three nodes "<script>alert('", this.Year and "');</script>", followed by the constant "</p></body></html>".

Now that we have constructed the approximation graph, we must determine what is being output by each node in the graph. Here we use data-flow analysis and points-to analysis. The string constants resolve to themselves, and this.Year resolves to 2013. In this case, Request.QueryString["name"] is statically undecidable because it comes from user input. In the approximation graph we represent this as a *, which means the output at this node could be anything.

The resulting approximation graph, one node per line with an edge from each node to the next:
<html><body><p>
*
<script>alert('
2013
');</script>
</p></body></html>

This approximation graph contains a static approximation of the HTML content of the web page. Any path through this graph is one possible output of the page.

[Slide: approximation graph from a real-world application] In this example approximation graph from a real-world application, the branch in the graph comes from a conditional branch in the control-flow of the application.

Statically undecidable content, represented here as a *, can come from two different areas:
1. Statically undecidable according to the static analysis.
2. To make our analysis conservative, we treat all loops as outputting a *, because we cannot statically determine how many times a loop will execute.

Extract Inline JavaScript
In the second step, we simply extract the inline JavaScript (aka the developer-intended code) from the approximation graph.
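Steps 1 and 2 above, worked through in Python as an added example. This is not deDacota's implementation (which analyses compiled .NET code); the statement IR, the class and function names, and the second page with a loop and a conditional are all constructed for this example. The slide's Render() and Scripts() are transcribed by hand into the IR, the approximation graph is built with a * node for request input and for the whole of any loop, a fork for the conditional, and every path is enumerated and searched for developer-written <script> blocks.

```python
"""Toy approximation graph (step 1) and inline-script extraction (step 2).
Added example, not the paper's tool; the IR below is hand-written."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

STAR = "*"   # label of a node whose output could be anything

# ---- tiny IR for server-side rendering statements (constructed) ------------
@dataclass
class Const:    # string literal written to the output
    text: str
@dataclass
class Input:    # value taken from the request: statically undecidable
    source: str
@dataclass
class Field:    # instance field, resolved by data-flow analysis if possible
    name: str
@dataclass
class Concat:   # a + b + c
    parts: list
@dataclass
class Call:     # call of a method returning a string: follow control flow
    method: str
@dataclass
class Branch:   # if/else: two statement lists that merge again afterwards
    then: list
    orelse: list
@dataclass
class Loop:     # any loop: collapsed to one STAR node (conservative)
    body: list

@dataclass(eq=False)
class Node:
    label: str
    succ: List["Node"] = field(default_factory=list)

class Approximator:
    def __init__(self, methods: Dict[str, list], fields: Dict[str, str]):
        self.methods = methods   # method name -> expressions it returns
        self.fields = fields     # field name -> constant found by data-flow analysis

    def resolve(self, expr) -> List[str]:
        """Turn one expression into the ordered node labels it outputs."""
        if isinstance(expr, Const):
            return [expr.text]
        if isinstance(expr, Input):
            return [STAR]
        if isinstance(expr, Field):
            return [self.fields[expr.name]] if expr.name in self.fields else [STAR]
        if isinstance(expr, Concat):
            return [lab for part in expr.parts for lab in self.resolve(part)]
        if isinstance(expr, Call):
            return [lab for e in self.methods[expr.method] for lab in self.resolve(e)]
        raise TypeError(f"unsupported expression: {expr!r}")

    @staticmethod
    def _append(tails: List[Node], label: str) -> List[Node]:
        node = Node(label)
        for tail in tails:
            tail.succ.append(node)
        return [node]

    def _build(self, stmts, tails):
        for stmt in stmts:
            if isinstance(stmt, Branch):
                merged = self._build(stmt.then, tails) + self._build(stmt.orelse, tails)
                tails = list(dict.fromkeys(merged))      # dedupe, keep order
            elif isinstance(stmt, Loop):
                tails = self._append(tails, STAR)
            else:
                for label in self.resolve(stmt):
                    tails = self._append(tails, label)
        return tails

    def build(self, render_stmts) -> Node:
        """Approximation graph for a Render() body; returns the entry node."""
        start = Node("START")
        self._append(self._build(render_stmts, [start]), "END")
        return start

def paths(node: Node) -> List[List[str]]:
    """Every path through the graph is one possible output of the page."""
    if not node.succ:
        return [[]]
    result = []
    for nxt in node.succ:
        for rest in paths(nxt):
            result.append(([] if nxt.label == "END" else [nxt.label]) + rest)
    return result

_SENTINEL = "\x00"   # stands in for STAR while searching, so undecidable content
                     # can never supply a <script> tag of its own

def inline_scripts(path: List[str]) -> List[List[str]]:
    """Step 2: developer-written <script> bodies on one path, each returned as
    a list of static segments and STAR placeholders."""
    html = "".join(_SENTINEL if lab == STAR else lab for lab in path)
    bodies = []
    for body in re.findall(r"<script>(.*?)</script>", html, flags=re.S):
        segs = []
        for i, piece in enumerate(body.split(_SENTINEL)):
            if i:
                segs.append(STAR)
            if piece:
                segs.append(piece)
        bodies.append(segs)
    return bodies

# The slide's page: hand transcription of test_aspx (constructed)
SLIDE = Approximator(
    methods={"Scripts": [Concat([Const("<script>alert('"), Field("Year"), Const("');</script>")])]},
    fields={"Year": "2013"},            # this.Year = "2013" in the constructor
)
SLIDE_RENDER = [Const("<html><body><p>"), Input('Request.QueryString["name"]'),
                Call("Scripts"), Const("</p></body></html>")]

# A second, constructed page with a loop and a conditional script block
LIST_RENDER = [Const("<ul>"), Loop([Const("<li>"), Input("row"), Const("</li>")]),
               Const("</ul>"), Branch([Const("<script>var admin = true;</script>")], [])]

if __name__ == "__main__":
    for p in paths(SLIDE.build(SLIDE_RENDER)) + paths(SLIDE.build(LIST_RENDER)):
        print(p, "->", inline_scripts(p))
```

For the slide's page the only path is the six-node chain shown above, and its single script body is entirely static. The second page yields two paths (with and without the conditional script), and the loop contributes one * regardless of how many rows it would print; note that a * reached through the graph can never be mistaken for a developer <script> tag, which is exactly the distinction the talk says the browser cannot make on its own.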
Rewrite Web Application
Before the rewrite, Code and Data are mixed in the page:
<html>
<body>
<script>
alert("welcome to example.com!");
</script>
<p>Hello <%= this.Name %>
</p>
</body>
</html>

After the rewrite, the Data is served with a policy and the Code lives in its own file:
Content-Security-Policy: script-src http://example.com/0cc111eb135.js
<html>
<body>
<script src="0cc111eb135.js">
</script>
<p>Hello <%= this.Name %>
</p>
</body>
</html>

Code (0cc111eb135.js):
alert("welcome to example.com!");

At this point, if the inline JavaScript code is static, we have protected the application. No attacker data in the Data segment will ever be interpreted as Code.

Unfortunately, developers sometimes dynamically generate the Code of an application. If this happens with untrusted Data, there can still be an XSS vulnerability.
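The rewrite above and the CSP enforcement from the earlier slides, as one added Python example (not deDacota's code). The rewrite here is a regex pass over the page template rather than the paper's graph-driven transformation; the content-hash file naming, the origin http://example.com, the TEMPLATE text and the helper names are this example's assumptions, and csp_allows is a deliberately minimal model of a browser's script-src check.

```python
"""Step 3 (rewrite web application) plus a minimal model of the browser side
of CSP.  Added example, not deDacota's code; template and names constructed."""
import hashlib
import re
from urllib.parse import urljoin

# Only bare <script> blocks are handled; attribute-bearing tags are out of scope here.
INLINE_SCRIPT = re.compile(r"<script>(.*?)</script>", re.S)

def separate(template: str, origin: str = "http://example.com"):
    """Move every inline <script> body into its own .js file (named by a content
    hash, this example's choice) and build a script-src policy that lists exactly
    those URLs.  Returns (rewritten page, {file name: code}, policy)."""
    files = {}

    def externalize(match):
        code = match.group(1)
        name = hashlib.sha1(code.encode()).hexdigest()[:11] + ".js"
        files[name] = code
        return f'<script src="{name}"></script>'

    page = INLINE_SCRIPT.sub(externalize, template)
    policy = "script-src " + " ".join(f"{origin}/{name}" for name in files)
    return page, files, policy

def csp_allows(policy: str, script_tag: str, page_url: str) -> bool:
    """Browser-side check (simplified): an external script runs only if its
    absolute URL is listed; an inline script never runs unless the policy
    contains 'unsafe-inline'."""
    sources = policy.split()[1:]
    m = re.match(r'<script\s+src="([^"]+)"', script_tag)
    if m is None:
        return "'unsafe-inline'" in sources
    return urljoin(page_url, m.group(1)) in sources

def scripts_that_run(rendered: str, policy: str, page_url: str):
    """All <script ...> start tags in a rendered page that the policy lets execute."""
    return [tag for tag in re.findall(r"<script[^>]*>", rendered)
            if csp_allows(policy, tag, page_url)]

def render(page: str, name: str) -> str:
    """Stand-in for ASP.NET evaluating <%= this.Name %> with no encoding."""
    return page.replace("<%= this.Name %>", name)

# Constructed template: the slide's page with the developer's welcome script
TEMPLATE = """<html>
<body>
<script>
alert("welcome to example.com!");
</script>
<p>Hello <%= this.Name %></p>
</body>
</html>"""
PAGE_URL = "http://example.com/Test.aspx"

if __name__ == "__main__":
    page, files, policy = separate(TEMPLATE)
    print(policy)
    print(page)
    for value in ("adam", '<script>alert("xss");</script>'):
        print(value, "->", scripts_that_run(render(page, value), policy, PAGE_URL))
```

With the benign request only the external welcome script runs. With the slide's hostile request the rendered page contains two script start tags, but the policy admits only the one whose URL it lists, so the injected inline block is never executed: the Data segment can no longer smuggle in Code.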
Dynamic Inline JavaScript
<html>
<script>
var username = "<%= Username %>";
</script>
</html>

Data: the page above.
Code:
var username = "<%= Username %>";
In the approximation graph the undecidable value becomes a *:
var username = "*";

Here, the developer has chosen to dynamically generate the Code from untrusted data.

We developed a technique to safely transform cases of dynamic inline JavaScript. If the statically undecidable content is used in a known JavaScript context (JavaScript string or comment), we can safely rewrite the application. We call these cases “safe dynamic inline JavaScript.”
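One way to decide whether a * sits in a known JavaScript context, as an added Python example that is not the paper's implementation: a small lexer tracks string and comment state across the static segments of a script body (the segment list is the shape the approximation graph yields) and classifies the body as static, safe dynamic or unsafe dynamic. The rewrite at the end is this example's own design and an assumption, not deDacota's exact transformation: the untrusted value is emitted as an HTML-encoded data attribute and read back by the external script at runtime through a helper dd(), so the value stays Data; a * inside a comment has no effect on execution and is dropped.

```python
"""Classify dynamic inline JavaScript by the lexical context of each * and
rewrite the safe cases.  Added example; the rewrite shape is an assumption."""
from typing import List, Tuple

STAR = "*"   # placeholder segment for statically undecidable content
SAFE_CONTEXTS = {"string", "line_comment", "block_comment"}

def contexts_at_stars(segments: List[str]) -> List[Tuple[str, str]]:
    """Lex the static segments with a small JS state machine and report
    (state, quote) at each STAR.  Regex literals and template strings are not
    modelled; an unterminated string literal is treated as code (conservative)."""
    state, quote, escaped = "code", "", False
    found = []
    for seg in segments:
        if seg == STAR:
            found.append((state, quote))
            continue
        i = 0
        while i < len(seg):
            c = seg[i]
            nxt = seg[i + 1] if i + 1 < len(seg) else ""
            if state == "code":
                if c in "'\"":
                    state, quote = "string", c
                elif c == "/" and nxt == "/":
                    state, i = "line_comment", i + 1
                elif c == "/" and nxt == "*":
                    state, i = "block_comment", i + 1
            elif state == "string":
                if escaped:
                    escaped = False
                elif c == "\\":
                    escaped = True
                elif c == quote or c == "\n":
                    state, quote = "code", ""
            elif state == "line_comment":
                if c == "\n":
                    state = "code"
            elif state == "block_comment":
                if c == "*" and nxt == "/":
                    state, i = "code", i + 1
            i += 1
    return found

def classify(segments: List[str]) -> str:
    """'static', 'safe dynamic' (every * in a string or comment) or 'unsafe dynamic'."""
    states = [s for s, _ in contexts_at_stars(segments)]
    if not states:
        return "static"
    return "safe dynamic" if all(s in SAFE_CONTEXTS for s in states) else "unsafe dynamic"

HELPER_JS = 'function dd(id) { return document.getElementById(id).dataset.value; }'

def rewrite_safe_dynamic(segments: List[str], value_exprs: List[str], prefix: str = "dd"):
    """Example rewrite (assumption, not the paper's): each * inside a string
    literal becomes `" + dd("<id>") + "`, closing and reopening the literal, and
    the value is emitted HTML-encoded in a data attribute the helper reads.
    value_exprs[k] is the server-side expression behind the k-th *.
    Returns (rewritten code, list of HTML data elements to add to the page)."""
    if classify(segments) != "safe dynamic":
        raise ValueError("only safe dynamic inline JavaScript can be rewritten this way")
    contexts = contexts_at_stars(segments)
    code, data_elements, k = [], [], 0
    for seg in segments:
        if seg != STAR:
            code.append(seg)
            continue
        state, quote = contexts[k]
        if state == "string":
            elem_id = f"{prefix}{k}"
            code.append(f'{quote} + dd("{elem_id}") + {quote}')
            data_elements.append(
                f'<span id="{elem_id}" hidden data-value="<%= HtmlEncode({value_exprs[k]}) %>"></span>')
        k += 1   # a * inside a comment is simply dropped
    return "".join(code), data_elements

if __name__ == "__main__":
    body = ['var username = "', STAR, '";']      # the slide's dynamic script
    print(classify(body))
    print(rewrite_safe_dynamic(body, ["Username"]))
```

The slide's `var username = "*";` is classified safe dynamic and becomes `var username = "" + dd("dd0") + "";` in the external file, with `<span id="dd0" hidden data-value="<%= HtmlEncode(Username) %>"></span>` added to the page; a * that lands directly in code (for example `var username = *;`) is reported as unsafe dynamic, which is the case the slides say must be confirmed by the developer rather than rewritten automatically.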
EVALUATION

Applications
Application      Lines of Code   Known Vulnerability
BugTracker.NET   35,674          CVE-2010-3266
BlogEngine.NET   29,512          CVE-2008-6476
BlogSA.NET        6,994          CVE-2009-0814
ScrewTurn Wiki   12,155          CVE-2008-3483
WebGoat.NET      11,993          2 Intentional
ChronoZoom       21,261          N/A

Evaluation
• Security
– Crafted exploits for applications with known vulnerabilities
– Transformed applications, along with CSP, blocked the exploits
• Functional correctness
– ChronoZoom had 160 JavaScript tests and all passed after the transformation
– Manually browsed the application and source code looking for missing inline JavaScript
[Stacked bar chart: percentage of inline JavaScript that is Static, Safe Dynamic or Unsafe Dynamic (y-axis 0%–100%) for BugTracker.NET, BlogEngine.NET, BlogSA.NET, ScrewTurn Wiki, WebGoat.NET and ChronoZoom; bar labels not legible in this extraction]

Here we are going to look at what percentage of the inline JavaScript in each application is either: static, safe dynamic, or unsafe dynamic.

In these safe dynamic situations, we are able to safely transform the dynamic inline JavaScript code.

In cases of unsafe dynamic inline JavaScript, we alert the developer that the transformation could potentially contain an XSS vulnerability. After the developer confirms the absence of an XSS vulnerability in the unsafe dynamic inline JavaScript, then the application is guaranteed free of XSS vulnerabilities.
Limitations
• Might miss inline JavaScript
– Loops
– Dynamic code execution
• Does not handle HTML attributes and CSS

Summary
• Code and Data separation necessary to prevent XSS
• deDacota can automatically separate Code and Data of web application
• deDacota works in practice

Adam Doupé
Email: adoupe@cs.ucsb.edu
Twitter: @adamdoupe

DEDACOTA: TOWARD PREVENTING SERVER-SIDE XSS VIA AUTOMATIC CODE AND DATA SEPARATION

Axa Assurance Maroc - Insurer Innovation Award 2024
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation

  • 1. deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation. Adam Doupé, Weidong Cui†, Mariusz H. Jakubowski†, Marcus Peinado†, Christopher Kruegel, and Giovanni Vigna. University of California, Santa Barbara; †Microsoft Research. CCS 2013 – 11/7/13
  • 2. XSS Vulnerabilities Still Exist Today. Doupé - 11/7/13
  • 4. Courtesy of Ashar Javed
  • 5. Test.aspx:
     <html> <body> <p>Hello <%= this.Name %></p> </body> </html>
  • 6. http://example.com/Test.aspx?name=adam → ask Test.dll for output of
     <html> <body> <p>Hello <%= this.Name %></p> </body> </html>
  • 14. XSS – Impact
     – Steal cookies
     – Perform actions as user
     – Exploit user's browser
     – Fake login form
  • 15. Fixing XSS – Sanitization:
     <html> <body> <p>Hello <%= HtmlEncode(this.Name) %> </p> </body> </html>
  • 16. Fixing XSS – Sanitization: the input <script>alert("xss");</script> is now emitted as &lt;script&gt;alert("xss");&lt;/script&gt; in
     <html> <body> <p>Hello <%= HtmlEncode(this.Name) %> </p> </body> </html>
  • 17. XSS as Input Validation
  • 18–21. XSS as Input Validation Problem, and the research on each sub-problem:
     – Find All Paths: WWW 2004, USENIX 2005, Oakland 2006
     – Different Contexts: CCS 2011, CCS 2011
     – Is Sanitization Correct?: Oakland 2008, USENIX 2011
     – Parsing Quirks: Oakland 2009, CCS 2013
  • 22. XSS as Input Validation Problem: We want to fundamentally solve XSS vulnerabilities.
  • 23. Another Example:
     <html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <%= this.Name %></p> </body> </html>
  • 24. Another Example: the developer intended for this code (the welcome alert) to be executed on the browser.
  • 25–26. Another Example: with http://example.com/Test.aspx?name=<script>alert("xss");</script> the output is
     <html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <script>alert("xss");</script> </p> </body> </html>
  • 27. The Fundamental Problem: the developer intended for alert("welcome to example.com!") to be executed on the browser, and did not intend for alert("xss") to be executed on the browser.
  • 28. The Fundamental Problem: the browser can't tell the difference!
  • 29. The Fundamental Solution
     Data: <html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <%= this.Name %> </p> </body> </html>
     Code: alert("welcome to example.com!");
  • 30. The Fundamental Solution: To fundamentally solve XSS vulnerabilities, we must apply the basic security principles of Code and Data separation!
  • 31. Content Security Policy (CSP)
     – Mechanism for the website to communicate a policy to the browser about what JavaScript to execute
     – The browser then enforces this policy
     – Supported by many modern browsers (68% of users use one of these browsers): Firefox, Chrome, IE (10), Safari, Opera, iOS, Android
  • 32. Content Security Policy: Content-Security-Policy: script-src http://example.com/0cc111eb135.js
     Data: <html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <%= this.Name %> </p> </body> </html>
     Code: alert("welcome to example.com!");
  • 33. Content Security Policy: Content-Security-Policy: script-src http://example.com/0cc111eb135.js
     Data: <html> <body> <script src="0cc111eb135.js"> </script> <p>Hello <%= this.Name %> </p> </body> </html>
     Code: alert("welcome to example.com!");
  • 34. Code and Data Separation
     – Code and Data separation from start – No legacy applications
     – Manually rewrite application – Difficult and error-prone (HotSec 2011)
     deDacota: Automatically separate code and data of a web application
  • 35. Threat Model
     – Benign web application: the developer has not obfuscated the web application
     – Server-side XSS: our approach will only address traditional XSS, in other words, XSS where the resulting bug is in the server-side code
     – Inline JavaScript: for the deDacota prototype, we focused only on inline JavaScript; we ignore JavaScript in HTML attributes and CSS
  • 37. deDacota Process: Approximate HTML Output → Extract Inline JavaScript → Rewrite Web Application
  • 38. deDacota Process: The goal is to rewrite the web application so that it is semantically equivalent yet separates the code and data.
  • 39. Approximate HTML Output:
     <%@ Page Language="C#" CodeBehind="CodeBehind.cs" Inherits="Test" %> <html> <body> <p>Hello <%= this.Name %></p> <%= Scripts() %> </body> </html>
  • 40. Approximate HTML Output:
     class test_aspx : System.Web.UI.Page {
         public test_aspx() {
             this.Name = Request.QueryString["name"];
             this.Year = "2013";
         }
         protected override void Render(HtmlTextWriter writer) {
             writer.Write("<html><body><p>");
             writer.Write(this.Name);
             writer.Write(Scripts());
             writer.Write("</p></body></html>");
         }
         protected string Scripts() {
             return "<script>alert('" + this.Year + "');</script>";
         }
     }
  • 41. Approximate HTML Output: The goal here is to create a graph that approximates the HTML content of the web page. We use static analysis techniques to construct the graph.
  • 42–44. Approximate HTML Output: the first graph nodes are "<html><body><p>" and this.Name, one per Write call in Render.
  • 45. Approximate HTML Output: Here we need to analyze the control flow of the application, which means following the control flow into the Scripts() method.
  • 46–48. Approximate HTML Output: Here we encounter string concatenation, which our analysis is able to handle; the Scripts() call contributes the nodes "<script>alert('", this.Year and "');</script>".
  • 49. Approximate HTML Output: Now that we have constructed the approximation graph, we must determine what is being output by each node in the graph. Here we use data-flow analysis and points-to analysis.
  • 50–51. Approximate HTML Output: the node "<html><body><p>" outputs <html><body><p>.
  • 52. Approximate HTML Output: In this case, Request.QueryString["name"] is statically undecidable because it comes from user input. In the approximation graph we represent this as a * which means the output at this node could be anything.
  • 53–56. Approximate HTML Output: the node this.Name outputs *, "<script>alert('" outputs <script>alert(', this.Year outputs 2013, and "');</script>" outputs ');</script>.
  • 58. Approximation graph: <html><body><p> → * → <script>alert(' → 2013 → ');</script> → </p></body></html>. This approximation graph contains a static approximation of the HTML content of the web page. Any path through this graph is one possible output of the page.
  • 59. In this example approximation graph from a real-world application, the branch in the graph comes from a conditional branch in the control-flow of the application.
  • 60. Statically undecidable content, represented here as a *, can come from two different areas: 1. Statically undecidable according to the static analysis. 2. To make our analysis conservative, we treat all loops as outputting a *, because we cannot statically determine how many times a loop will execute.
  • 62. In the second step, we simply extract the inline JavaScript (aka the developer intended code) from the approximation graph.
  • 63. Rewrite Web Application:
     <html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <%= this.Name %> </p> </body> </html>
     Extracted inline JavaScript: alert("welcome to example.com!");
  • 64. Rewrite Web Application: Content-Security-Policy: script-src http://example.com/0cc111eb135.js
     Data: <html> <body> <script src="0cc111eb135.js"> </script> <p>Hello <%= this.Name %> </p> </body> </html>
     Code: alert("welcome to example.com!");
  • 65. Rewrite Web Application: At this point, if the inline JavaScript code is static, we have protected the application. No attacked data in the Data segment will ever be interpreted as Code.
  • 66. Rewrite Web Application: Unfortunately, developers sometimes dynamically generate the Code of an application. If this happens with untrusted Data, there can still be an XSS vulnerability.
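To make the rewrite of slides 32-33 and 63-65 concrete, here is an added Python model (not deDacota's code, which targets compiled ASP.NET) that externalises the static inline script of a template, emits the matching CSP header, and then checks which scripts a CSP-enforcing browser would run once the slide-12 payload is reflected into the Data segment. The content-derived file name, the origin http://example.com and the simplified CSP parsing are assumptions of this example.

```python
import hashlib
import re

# Constructed example template, modelled on the slides' Test.aspx page with
# the developer's own inline script (slide 23).
TEMPLATE = """<html>
<body>
<script>
alert("welcome to example.com!");
</script>
<p>Hello <%= this.Name %></p>
</body>
</html>"""

ORIGIN = "http://example.com"  # assumed site origin, as used on the slides

# A src-less <script> block is inline code that has to move into a file.
INLINE_SCRIPT_RE = re.compile(r"<script>(.*?)</script>", re.DOTALL)
# Any <script> block in a rendered page, with or without a src attribute.
ANY_SCRIPT_RE = re.compile(r'<script(?:\s+src="([^"]*)")?>(.*?)</script>', re.DOTALL)


def script_file_name(js):
    """Name the external file after its content; the 11-hex-digit prefix
    mimics the slides' 0cc111eb135.js and is an assumption."""
    return hashlib.sha1(js.encode("utf-8")).hexdigest()[:11] + ".js"


def separate_code_and_data(template, origin=ORIGIN):
    """Rewrite the template (never the rendered output, which may already
    contain attacker-controlled data) so that every static inline script is
    served from its own file, and build the CSP header that allows exactly
    those files. Returns (rewritten_template, {file_name: js}, header)."""
    files = {}

    def externalise(match):
        js = match.group(1).strip()
        name = script_file_name(js)
        files[name] = js
        return '<script src="%s"></script>' % name

    rewritten = INLINE_SCRIPT_RE.sub(externalise, template)
    allowed = " ".join("%s/%s" % (origin, name) for name in files)
    return rewritten, files, "Content-Security-Policy: script-src " + allowed


def render(template, name):
    """Model the server filling in <%= this.Name %> without any encoding,
    i.e. the vulnerable page of slides 5-13."""
    return template.replace("<%= this.Name %>", name)


def scripts_the_browser_runs(html, header, origin=ORIGIN):
    """Minimal model of CSP enforcement: inline scripts never execute (the
    policy has no 'unsafe-inline'), external scripts execute only if their
    URL is in the script-src list. Returns (script, executed) pairs."""
    allowed = set(header.split("script-src", 1)[1].split())
    outcome = []
    for src, body in ANY_SCRIPT_RE.findall(html):
        if src:
            url = src if "://" in src else "%s/%s" % (origin, src)
            outcome.append((url, url in allowed))
        else:
            outcome.append((body.strip(), False))
    return outcome


if __name__ == "__main__":
    rewritten, files, header = separate_code_and_data(TEMPLATE)
    print(header)
    # The slide-12 payload now lands in the Data segment only: the browser
    # runs the externalised welcome script and refuses the injected one.
    page = render(rewritten, '<script>alert("xss");</script>')
    for script, executed in scripts_the_browser_runs(page, header):
        print("executed" if executed else "blocked ", script)
```

Running the rewrite on the rendered output instead of the template would externalise the attacker's script as well, which is why deDacota works from the static approximation of the page.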
  • 67. Dynamic Inline JavaScript:
     <html> <script> var username = "<%= Username %>"; </script> </html>
  • 68. Dynamic Inline JavaScript
     Data: <html> <script> var username = "<%= Username %>"; </script> </html>
     Code: var username = "<%= Username %>";
     Here, the developer has chosen to dynamically generate the Code from untrusted data.
  • 69. Dynamic Inline JavaScript: in the approximation graph the extracted Code is var username = "*";
  • 70. Dynamic Inline JavaScript: We developed a technique to safely transform cases of dynamic inline JavaScript. If the statically undecidable content is used in a known JavaScript context (JavaScript string or comment), we can safely rewrite the application. We call these cases "safe dynamic inline JavaScript."
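The approximation graph of slides 40-58, the extraction step of slide 62 and the static / safe dynamic / unsafe dynamic distinction of slides 67-70, as an added Python example that is not deDacota's implementation: a small graph type whose start-to-leaf paths are the possible outputs, plus an extractor that classifies each inline script by the JavaScript context in which a * node appears. The graph encoding, the `<script>` matching and the three sample graphs are constructed for this example.

```python
STAR = None    # statically undecidable node, drawn as * on the slides
MARK = "\x00"  # internal stand-in for * so a literal * in JavaScript is not confused


class ApproximationGraph:
    """Constructed encoding: node id -> string literal or STAR; edges follow
    control flow. Loops are already collapsed to STAR (slide 60), so the graph
    is acyclic and every start-to-leaf path is one possible output (slide 58)."""

    def __init__(self, nodes, edges, start):
        self.nodes, self.edges, self.start = nodes, edges, start

    def outputs(self):
        """All possible outputs, with MARK where the output is undecidable."""
        def walk(node, acc):
            value = self.nodes[node]
            acc += MARK if value is STAR else value
            successors = self.edges.get(node, [])
            if not successors:
                yield acc
            for nxt in successors:
                yield from walk(nxt, acc)
        return list(walk(self.start, ""))


def classify_js(body):
    """'static': no undecidable content; 'safe dynamic': it appears only inside
    a JS string or comment (slide 70); 'unsafe dynamic': it is parsed as code.
    Only plain strings and comments are modelled (no template or regex literals)."""
    state, verdict, i = "code", "static", 0
    while i < len(body):
        ch, pair = body[i], body[i:i + 2]
        if state == "code":
            if ch == MARK:
                return "unsafe dynamic"
            if ch in ('"', "'"):
                state = ch
            elif pair in ("//", "/*"):
                state, i = pair, i + 1
        elif ch == MARK:
            verdict = "safe dynamic"            # inside a string or a comment
        elif state in ('"', "'"):
            if ch == "\\":
                i += 1                          # skip the escaped character
            elif ch == state:
                state = "code"
        elif (state == "//" and ch == "\n") or (state == "/*" and pair == "*/"):
            state, i = "code", i + (state == "/*")   # "*/" is two characters
        i += 1
    return verdict


def extract_inline_js(graph):
    """Step 2 of the deDacota process: pull each inline <script> body out of
    every possible output and classify it; undecidable parts are shown as *."""
    found = []
    for output in graph.outputs():
        pos = 0
        while True:
            start = output.find("<script>", pos)                 # len("<script>") == 8
            end = output.find("</script>", start + 8) if start >= 0 else -1
            if end < 0:
                break                        # no complete script left on this path
            body = output[start + 8:end].strip()
            item = (body.replace(MARK, "*"), classify_js(body))
            if item not in found:
                found.append(item)
            pos = end + 9                                         # len("</script>") == 9
    return found


# Constructed graphs: SLIDE58 is the linear graph built from test_aspx,
# DYNAMIC is slide 67's page, BRANCHING mirrors slide 59's conditional with
# one arm that puts the undecidable value outside any string.
SLIDE58 = ApproximationGraph(
    {0: "<html><body><p>", 1: STAR, 2: "<script>alert('", 3: "2013",
     4: "');</script>", 5: "</p></body></html>"},
    {0: [1], 1: [2], 2: [3], 3: [4], 4: [5]}, 0)
DYNAMIC = ApproximationGraph(
    {0: '<html><script>var username = "', 1: STAR, 2: '";</script></html>'},
    {0: [1], 1: [2]}, 0)
BRANCHING = ApproximationGraph(
    {0: "<html><script>", 1: 'var who = "', 2: STAR, 3: '";</script></html>',
     4: "var who = ", 5: STAR, 6: ";</script></html>"},
    {0: [1, 4], 1: [2], 2: [3], 4: [5], 5: [6]}, 0)

if __name__ == "__main__":
    for graph in (SLIDE58, DYNAMIC, BRANCHING):
        print(extract_inline_js(graph))
```

The "safe" verdict says only that the undecidable value sits in a context the rewrite can turn into data; the unrewritten page is still vulnerable if the value can contain a closing quote.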
  • 72. Applications
     Application      Lines of Code   Known Vulnerability
     BugTracker.NET   35,674          CVE-2010-3266
     BlogEngine.NET   29,512          CVE-2008-6476
     BlogSA.NET        6,994          CVE-2009-0814
     ScrewTurn Wiki   12,155          CVE-2008-3483
     WebGoat.NET      11,993          2 Intentional
     ChronoZoom       21,261          N/A
  • 73. Evaluation
     – Security: crafted exploits for applications with known vulnerabilities; transformed applications, along with CSP, blocked the exploits
     – Functional correctness: ChronoZoom had 160 JavaScript tests and all passed after the transformation; manually browsed the application and source code looking for missing inline JavaScript
  • 74–77. [Chart: percentage of inline JavaScript in each application that is Static, Safe Dynamic or Unsafe Dynamic, for BugTracker.NET, BlogEngine.NET, BlogSA.NET, ScrewTurn Wiki, WebGoat.NET and ChronoZoom.] Here we are going to look at what percentage of the inline JavaScript in each application is either: static, safe dynamic, or unsafe dynamic.
  • 78. In these safe dynamic situations, we are able to safely transform the dynamic inline JavaScript code.
  • 80. In cases of unsafe dynamic inline JavaScript, we alert the developer that the transformation could potentially contain an XSS vulnerability. After the developer confirms the absence of an XSS vulnerability in the unsafe dynamic inline JavaScript, then the application is guaranteed free of XSS vulnerabilities.
  • 81. Limitations
     – Might miss inline JavaScript: loops, dynamic code execution
     – Does not handle HTML attributes and CSS
  • 82. Summary
     – Code and Data separation necessary to prevent XSS
     – deDacota can automatically separate Code and Data of a web application
     – deDacota works in practice
  • 83. Adam Doupé. Email: adoupe@cs.ucsb.edu. Twitter: @adamdoupe. DEDACOTA: TOWARD PREVENTING SERVER-SIDE XSS VIA AUTOMATIC CODE AND DATA SEPARATION

Editor's Notes

  2. We want to fundamentally solve XSS vulnerabilities.
  6. Server-side: Traditional XSS attacks. Result of server-side code.
  8. Branches. Loops.
  10. Just say we extract all the possible inline JavaScript from the approximation graph.
  11. We solved the problem! Hurray! Then talk about dynamic JS.
  12. The developer is choosing to break the code/data separation model. This is fundamentally a bad thing. However, we developed a technique to handle some of these cases.
  15. Missing inline JavaScript - dynamic code - loops