Insane in the IFRAME -- The case for client-side HTML sanitization

•Download as PPTX, PDF•

3 likes•4,792 views

Server-side HTML sanitization is a familiar web application building block, yet despite years of offensive security research, defensive “sanitizer science” is still a kind of voodoo magic. This talk will make the case that as server-side HTML sanitizers lack the ability to effectively simulate every potential user agent, the client itself is the only party empowered to perform accurate sanitization. We will examine the DOM API primitives required to perform such client-side sanitization and review results and learning from a prototype implementation.

Technology

David Ross
Principal Software Security Engineer
Trustworthy Computing Security
Microsoft

• No independent parsing / context handling

document.implementation.createHTMLDocument

3. Remove elements / attributes / etc. not explicitly allowed*
*Old (less-performant) approach:
Build yet another DOM by copying safe
elements / attributes / etc. to a new
DOM during tree walk

document.implementation.createHTMLDocument
Must never run script

[Demo] [Benchmark]
Options precedence / inheritance rules:
(Options specified on target
element) > (options specified on
sanitize() call) > (default options)

Mario Heiderich @0x6D6172696F
JSAgents / IceShield
Gareth Heyes @garethheyes
JSLR
Ben Livshits
Loris D’Antoni
FAST
Caja HTML sanitizer
Stefano Di Paola Eduardo ‘Sirdarckcat’Vela N.

I just presented on HTML sanitization at OWASP AppSec EU 2013. AMA! (self.AMA)
1 Submitted 1 second ago by randomdross
0 comments share

Similar to Insane in the IFRAME -- The case for client-side HTML sanitization

Web Components mit Polymer und AngularJS 1.xPatrickHillert

Web Components mit Polymer und AngularJS 1.xinovex GmbH

Selenium for-opsŁukasz Proszek

Standing on the Shoulders of Giants – The Kotti Web Application FrameworkDon Disko

Automated JavaScript Deobfuscation - PacSec 2007Stephan Chenette

Security Patterns for Microservice Architectures - ADTMag Microservices & API...Matt Raible

Microsoft Security Development LifecycleRazi Rais

Stage 1 Tradecraftmatt806068

Building Social Enterprise with Ruby and SalesforceRaymond Gao

Client-side JavaScriptLilia Sfaxi

Web componentsNoam Kfir

Android Security - Common Security Pitfalls in Android ApplicationsBlrDroid

Bridging the GapWill Schroeder

DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax

XCS110_All_Slides.pdfssuser01066a

Domain Driven Security Jfokus 2016Omegapoint Academy

Security Patterns for Microservice Architectures - London Java Community 2020Matt Raible

Microsoft Entity FrameworkMahmoud Tolba

Decomposing the Monolith using modern-day .NET and a touch of microservicesDennis Doomen

PowerShell-and-DSC-Enables-DSCDevOps-1.pptxprabhatthunuguntla

Similar to Insane in the IFRAME -- The case for client-side HTML sanitization (20)

Web Components mit Polymer und AngularJS 1.x

Selenium for-ops

Standing on the Shoulders of Giants – The Kotti Web Application Framework

Automated JavaScript Deobfuscation - PacSec 2007

Security Patterns for Microservice Architectures - ADTMag Microservices & API...

Microsoft Security Development Lifecycle

Stage 1 Tradecraft

Building Social Enterprise with Ruby and Salesforce

Client-side JavaScript

Web components

Android Security - Common Security Pitfalls in Android Applications

Bridging the Gap

DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...

XCS110_All_Slides.pdf

Domain Driven Security Jfokus 2016

Security Patterns for Microservice Architectures - London Java Community 2020

Microsoft Entity Framework

Decomposing the Monolith using modern-day .NET and a touch of microservices

PowerShell-and-DSC-Enables-DSCDevOps-1.pptx

Recently uploaded

Oauth 2.0 Introduction and Flows with MuleSoftshyamraj55

WebAssembly is Key to Better LLM PerformanceSamy Fodil

Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...CzechDreamin

PLAI - Acceleration Program for Generative A.I. StartupsStefano

Demystifying gRPC in .Net by John StaveleyJohn Staveley

The Metaverse: Are We There Yet?Mark Billinghurst

ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...FIDO Alliance

Top 10 Symfony Development Companies 2024TopCSSGallery

A Business-Centric Approach to Design System StrategyUXDXConf

TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...marcuskenyatta275

Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfFIDO Alliance

FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FIDO Alliance

Structuring Teams and Portfolios for SuccessUXDXConf

Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfFIDO Alliance

IESVE for Early Stage Design and PlanningIES VE

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlPeter Udo Diehl

Connecting the Dots in Product Design at KAYAKUXDXConf

Powerful Start- the Key to Project Success, Barbara LaskowskaCzechDreamin

Designing for Hardware Accessibility at ComcastUXDXConf

Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge

Recently uploaded (20)

Oauth 2.0 Introduction and Flows with MuleSoft

WebAssembly is Key to Better LLM Performance

Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...

PLAI - Acceleration Program for Generative A.I. Startups

Demystifying gRPC in .Net by John Staveley

The Metaverse: Are We There Yet?

ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...

Top 10 Symfony Development Companies 2024

A Business-Centric Approach to Design System Strategy

TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...

Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf

FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...

Structuring Teams and Portfolios for Success

Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf

IESVE for Early Stage Design and Planning

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

Connecting the Dots in Product Design at KAYAK

Powerful Start- the Key to Project Success, Barbara Laskowska

Designing for Hardware Accessibility at Comcast

Enterprise Knowledge Graphs - Data Summit 2024

Insane in the IFRAME -- The case for client-side HTML sanitization

1. David Ross Principal Software Security Engineer Trustworthy Computing Security Microsoft

2. @randomdross

5. *

6. @NealPoole https://t.co/5omk5ec2UD

8. @kkotowicz @NealPoole @adam_baldwin

9. @sneak_ @superevr

10.

11. difficult

12.

13. • No independent parsing / context handling

14. everything else

15. document.implementation.createHTMLDocument

16. document.createTreeWalker

17. 3. Remove elements / attributes / etc. not explicitly allowed* *Old (less-performant) approach: Build yet another DOM by copying safe elements / attributes / etc. to a new DOM during tree walk

18.

19.

20. document.implementation.createHTMLDocument Must never run script

21.

22. setAttribute

23.

24. promises / deferreds

25.

26.

27.

28. [Demo] [Benchmark] Options precedence / inheritance rules: (Options specified on target element) > (options specified on sanitize() call) > (default options)

29.

30.

31.

32. Mario Heiderich @0x6D6172696F JSAgents / IceShield Gareth Heyes @garethheyes JSLR Ben Livshits Loris D’Antoni FAST Caja HTML sanitizer Stefano Di Paola Eduardo ‘Sirdarckcat’Vela N.

33.

34. I just presented on HTML sanitization at OWASP AppSec EU 2013. AMA! (self.AMA) 1 Submitted 1 second ago by randomdross 0 comments share

Insane in the IFRAME -- The case for client-side HTML sanitization

Recommended

Recommended

More Related Content

Similar to Insane in the IFRAME -- The case for client-side HTML sanitization

Similar to Insane in the IFRAME -- The case for client-side HTML sanitization (20)

Recently uploaded

Recently uploaded (20)

Insane in the IFRAME -- The case for client-side HTML sanitization