A systematic analysis of XSS Sanitization in web application frameworks

  1. A Systematic Analysis of XSS Sanitization in Web Application Frameworks
     Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, and Dawn Song
     University of California, Berkeley

  2. Cross Site Scripting
     <div class="comment">
       <iframe src="http://www.voteobama.com"></iframe>
     </div>

  3. Web Frameworks
     • Systems to aid the development of web applications
     • Dynamically generated pages on the server
     • Templates for code reuse
     • Untrusted data dynamically inserted into programs
       • User responses, SQL data, third party code, etc.

  4. Code in Web Frameworks
     <html>
     <p>hello, world</p>
     </html>

  5. Code in Web Frameworks
     <html>
     <?php echo "<p>hello, world</p>"; ?>
     </html>

  6. Code in Web Frameworks
     <html>
     <?php echo $USERDATA ?>
     </html>
     What happens if $USERDATA = <script>doEvil()</script>

  7. Code in Web Frameworks
     <html>
     <script>doEvil()</script>
     </html>

  8. Sanitization
     The encoding or elimination of dangerous constructs in untrusted data.

  9. Contributions
     • Build a detailed model of the browser to explain subtleties in data sanitization
     • Evaluate the effectiveness of auto sanitization in popular web frameworks
     • Evaluate the ability of frameworks to sanitize different contexts
     • Evaluate the tools of frameworks in relation to what web applications actually use and need

  10. Sanitization Example
      "<p>" + "<script>doEvil()</script>" + "</p>"
      (the middle string is untrusted)

  11. Sanitization Example
      "<p>" + sanitizeHTML("<script>doEvil()</script>") + "</p>"
      →
      <p>doEvil()</p>

  12. Are we done?
      "<a href='" + sanitizeHTML("javascript: …") + "' />"
      →
      <a href='javascript: …'/>
      sanitizeHTML is an HTML context sanitizer, but href is a URI context, not HTML

  13. Now are we done?
      <div onclick='displayComment("SANITIZED_ATTRIBUTE")'></div>
      What if SANITIZED_ATTRIBUTE = &quot;);stealInfo(&quot;"

  14. Now are we done?
      <div onclick='displayComment("&quot;);stealInfo(&quot;")'></div>
      <div onclick='displayComment("");stealInfo("")'></div>

  15. Browser Model
      OMG!!!

  16. Framework and Application Evaluation
      • What support for auto sanitization do frameworks provide?
      • What support for context sensitivity do frameworks provide?
      • Does the support of frameworks match the requirements of web applications?

  17. Using Auto Sanitization
      {% if header.sortable %}
      <a href="{{header.url}}">
      {% endif %}
      Django doesn't know how to auto sanitize this context!

  18. Overriding Auto Sanitization
      {% if header.sortable %}
      <a href="{{header.url | escape}}">
      {% endif %}
      Whoops! Wrong sanitizer.
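Slides 12 through 14 and 17 through 18 show one defect from two angles: an HTML-context sanitizer (sanitizeHTML, Django's escape filter) applied to a URI context or to a JavaScript string nested in an attribute. The Python below is an added example, not code from the slides or the paper; it models the browser step slide 14 relies on (attribute values are entity-decoded before the nested JS context is parsed) and contrasts the HTML-context sanitizer with context-specific ones. The function names, the allowed-scheme list and the payload strings are this example's own assumptions.

```python
import html
import re
from urllib.parse import quote

# Constructed untrusted inputs in the spirit of slides 12-14 (not the deck's literal strings).
URI_PAYLOAD = "javascript:doEvil()"
JS_STRING_PAYLOAD = '");stealInfo("'

# The set of allowed URI schemes is an assumption of this example.
SAFE_SCHEMES = {"http", "https", "mailto"}
SCHEME_RE = re.compile(r"^\s*([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def sanitize_html(s: str) -> str:
    """HTML tag context sanitizer: entity-encode <, >, & and quotes (what Django's escape does)."""
    return html.escape(s, quote=True)


def sanitize_uri_attribute(s: str) -> str:
    """URI attribute context, scheme included: refuse unlisted schemes, then percent-encode."""
    m = SCHEME_RE.match(s)
    if m and m.group(1).lower() not in SAFE_SCHEMES:
        return "#"  # neutralise the link instead of emitting an unlisted scheme
    return quote(s, safe=":/?#&=@%")


def sanitize_js_string(s: str) -> str:
    """JS string context nested in an HTML attribute: \\xHH / \\uHHHH escapes contain
    no ampersand, angle bracket or quote, so attribute decoding cannot turn them back
    into string delimiters, while the JS engine still reconstructs the original text."""
    return "".join(
        c if c.isalnum() else (f"\\x{ord(c):02x}" if ord(c) < 256 else f"\\u{ord(c):04x}")
        for c in s
    )


def js_seen_by_engine(attr_value: str) -> str:
    """Model of the browser step behind slide 14: the value inside
    <div onclick='displayComment("VALUE")'> is entity-decoded before the JS parser runs."""
    return html.unescape(f'displayComment("{attr_value}")')


if __name__ == "__main__":
    # Slide 12: the HTML sanitizer passes the URI payload through unchanged.
    print(sanitize_html(URI_PAYLOAD), "|", sanitize_uri_attribute(URI_PAYLOAD))
    # Slide 14: the HTML sanitizer's &quot; is undone by attribute decoding...
    print(js_seen_by_engine(sanitize_html(JS_STRING_PAYLOAD)))
    # ...whereas the JS string sanitizer's escapes survive it.
    print(js_seen_by_engine(sanitize_js_string(JS_STRING_PAYLOAD)))
```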
  19. Auto Sanitization Support
      No Auto Sanitization    7
      HTML Context Only       4
      Context Aware           3
      • Examined 14 different frameworks
      • 7 have no auto sanitization support at all
      • 4 provide auto sanitization for HTML contexts only
      • 3 automatically determine correct context and which sanitizer to apply
        • …although may only support a limited number of contexts

  20. Sanitization Context Support
      HTML Tag Context                    14
      URI Attribute (excluding scheme)    14
      URI Attribute (including scheme)     4
      JS String                            4
      JS Number or Boolean                 1
      Style Attribute or Tag               2
      • Examined 14 different frameworks
      • Only 1 handled all of these contexts
      • Numbers indicate sanitizer support for a context regardless of auto sanitization support

  21. Contexts Used By Web Applications
      HTML Tag Context                    8/8
      URI Attribute (excluding scheme)    7/8
      URI Attribute (including scheme)    7/8
      JS String, Number, or Boolean       6/8
      Style Attribute or Tag              8/8
      • Web applications (all in PHP):
        • RoundCube, Drupal, Joomla, WordPress, MediaWiki, PHPBB3, OpenEMR, Moodle
      • Ranged from ~19k LOC to ~530k LOC

  22. Further Complexity in Sanitization Policies
      User:  "<img src='…'></img>" → ""
      Admin: "<img src='…'></img>" → "<img src='…'></img>"
      wordpress/post_comment.php

  23. Evaluation Summary
      • Auto sanitization alone is insufficient
      • Frameworks lack sufficient expressivity
      • Web applications already use more features than frameworks provide

  24. Takeaways
      • Defining correct sanitization policies is hard
        • And it's in the browser spec!
      • Frameworks can do more
        • More sanitizer contexts, better automation, etc.
      • Is sanitization the best form of policy going forward?
