an approach for the automated detection of xss
play

An Approach for the Automated Detection of XSS Vulnerabilities in - PowerPoint PPT Presentation

Nov 03, 2022 •194 likes •403 views

An Approach for the Automated Detection of XSS Vulnerabilities in Web Templates Sebastian Stigler sebastian.stigler@hs-aalen.de Gulshat Karzhaubekova gulshat.karzhaubekova@hs-aalen.de Christoph Karg christoph.karg@hs-aalen.de Aalen University of

  1. An Approach for the Automated Detection of XSS Vulnerabilities in Web Templates Sebastian Stigler sebastian.stigler@hs-aalen.de Gulshat Karzhaubekova gulshat.karzhaubekova@hs-aalen.de Christoph Karg christoph.karg@hs-aalen.de Aalen University of Applied Sciences, Germany

  2. Motivation Stigler, Karzhaubekova, Karg 2/19

  3. Web Frameworks are often predefined by the customer or already existing projects Templates from different Web Template Engines (WTE) look similar but don’t behave completely equally Due to this facts, valid and secure code fragments from one WTE can lead to security risks in another WTE Stigler, Karzhaubekova, Karg 3/19

  4. Methodology Stigler, Karzhaubekova, Karg 4/19

  5. Architecture of our Approach Inspired by the LLVM Compiler Source : own graphic Very easy to add a new Template Engine and unittest Stigler, Karzhaubekova, Karg 5/19

  6. Considered Web Template Engines A WTE must comply with the following constraints for our approach 1. There is a restricted set of control structures (loop, condition, filter, setting and printing of variables) 2. There may be mechanisms to include other templates (inheritance, macros) 3. There is no way to write arbitrary code in the language of the backend within the template Stigler, Karzhaubekova, Karg 6/19

  7. Example of a Template index.html 1 <! DOCTYPE html > 2 < html > 3 < body > 4 < h1 >Hello world</ h1 > 5 {% for name in usernames %} 6 < p >Hello {{ name }}</ p > 7 {% endfor %} 8 </ body > 9 </ html > Stigler, Karzhaubekova, Karg 7/19

  8. The Internal Representation (IR) The IR is represented by a two-staged intertwined abstract syntax tree (AST) The first stage AST is constructed by parsing the pure HTML part of the template and by marking the places where template tags are with special tokens The second stage AST is built by walking the first stage AST in depth-first-order and parsing the entries of the special tokens from above While constructing the second stage AST we collect the free variables and the output variables in a list and build a data flow graph between all used variables Stigler, Karzhaubekova, Karg 8/19

  9. First stage AST of the Example First stage AST of index.html 1 Declaration (raw="<!DOCTYPE html>") 2 StartTag (tag="html", attributes=[]) 3 StartTag (tag="body", attributes=[]) 4 StartTag (tag="h1", attributes=[]) 5 Data (raw="Hello world") 6 EndTag (tag="h1") 7 TemplateStatement (entry="for name in usernames") 8 StartTag (tag="p", attributes=[]) 9 Data (raw="Hello ") 10 TemplateExpression (entry="name") 11 EndTag (tag="p") 12 TemplateStatement (entry="endfor") 13 EndTag (tag="body") 14 EndTag (tag="html") Stigler, Karzhaubekova, Karg 9/19

  10. Second stage AST of the Example Second stage AST of index.html 1 Foreach (item= Variable (name="name", ref=None), 2 collection= Variable (name="usernames", ref=None), 3 ref=7) 4 Variable (name="name", ref=10) 5 EndForeach (ref=12) Data flow graph of the Example Source : own graphic Stigler, Karzhaubekova, Karg 10/19

  11. Finding vulnerabilities in templates Candidates are variables that reside in an expression template tag (the output variables) Using the data flow graph, we check if the value of this variable comes from a free variable Use 2nd stage AST to find all special tokens in 1st stage AST which influences the output variable Use the reference in 2nd stage AST to find the encapsulating html tag of the output variable in the 1st stage AST Stigler, Karzhaubekova, Karg 11/19

  12. Template for the unittest Generate from these nodes in the ASTs the template code and replace line 9 with it Skeleton for the template 1 <! DOCTYPE html > 2 < html > 3 < head > 4 < title >Unittest</ title > 5 < script type ="text/javascript"> 6 function attack() { document.title="ATTACK"; }; 7 </ script > 8 < body > 9 <! -- < a onclick ='attack()'> Attack </ a > -- > 10 </ body > 11 </ html > Use selenium webdriver to run the backend with this template and inject values for the free variables Stigler, Karzhaubekova, Karg 12/19

  13. Findings Stigler, Karzhaubekova, Karg 13/19

  14. Places for template tags in HTML Source : own graphic Stigler, Karzhaubekova, Karg 14/19

  15. Attack on case e) <xxx key=’ {{ temp }} ’> There are three cases for the value of temp : xxx is clickable and key is onclick attack(); xxx is clickable and key is not onclick ’␣onclick=’attack(); xxx is not clickable ’><a␣onclick="attack();">click</a><xxx␣key=’ Stigler, Karzhaubekova, Karg 15/19

  16. The End. . . Thank you for your attention! This was An Approach for the Automated Detection of XSS Vulnerabilities in Web Templates Sebastian Stigler sebastian.stigler@hs-aalen.de Gulshat Karzhaubekova gulshat.karzhaubekova@hs-aalen.de Christoph Karg christoph.karg@hs-aalen.de Questions? Stigler, Karzhaubekova, Karg 16/19

  17. References I Nils Adermann, Jordi Boggiano et al. Composer . url : https://getcomposer.org [1] (visited on 12/04/2018). Josip Bozic et al. “Attack Pattern-Based Combinatorial Testing with Constraints [2] for Web Security Testing.” In: 2015 IEEE International Conference on Software Quality, Reliability and Security 6.4 (24 September 2015), pp. 207–212. doi : 10.1109/QRS.2015.38 . Eric Conrad, Seth Misenar and Joshua Feldman. “Chapter 7 - Domain 6: Security [3] Assessment and Testing (Designing, Performing, and Analyzing Security Testing)”. In: CISSP Study Guide (Third Edition) . Ed. by Eric Conrad, Seth Misenar and Joshua Feldman. Third Edition. Boston: Syngress, 2016, pp. 329–345. isbn : 978-0-12-802437-9. doi : B978-0-12-802437-9.00007-2 . url : https://www.sciencedirect.com/science/article/pii/B9780128024379000072 . Gabriel Diaz and Juan Ramon Bermejo. “Static analysis of source code security: [4] Assessment of tools against SAMATE tests.” In: Information and Software Technology 55 (2013) 1462-1476 55.2 (Aug. 2013), pp. 1462–1476. doi : 10.1016/j.infsof.2013.02.005 . url : https://www.sciencedirect.com/science/article/pii/S0950584913000384 . Stigler, Karzhaubekova, Karg 17/19

  18. References II R. Diestel. Graph Theory . Graduate Texts in Mathematics. Springer Berlin [5] Heidelberg, 2017. isbn : 9783662536216. url : https://books.google.de/books?id=FY5BvgAACAAJ . Katarina Goseva-Popstojanova and Andrei Perhinschi. “On the capability of static [6] code analysis to detect vulnerabites.” In: Information and Software Technology 68 (2015) 18-33 68.1 (Dezember 2015), pp. 18–33. doi : 10.1016/j.infsof.2015.08.002 . url : https://www.sciencedirect.com/science/article/pii/S0950584915001366?via%3Dihub . Lars Hermerschmidt, Stephan Kugelmann and Bernhard Rumpe. “Towards More [7] Security in Data Exchange: Defining Unparsers with Context-Sensitive Encoders for Context-Free Grammars”. In: 2015 IEEE Security and Privacy Workshops 8.6 (21-22 May 2015), pp. 134–141. doi : 10.1109/SPW.2015.29 . Chris Lattner. “Chapter 11 - LLVM”. In: The Architecture Of Open Source [8] Applications . Ed. by Amy Brown and Greg Wilson. lulu.com, 2012, pp. 151–166. isbn : 978-1257638017. url : http://aosabook.org/en/llvm.html . Mahmoud Mohammadi et al. “Detecting Cross-Site Scripting Vulnerabilities [9] through Automated Unit Testing.” In: UNC Charlotte, Charlotte, NC, USA. 2017. IEEE. 10.5 (25-29 July 2017), pp. 364–372. doi : 10.1109/QRS.2017.46 . Stigler, Karzhaubekova, Karg 18/19

  19. References III Muhammad Parvez, Pavol Zavarsky and Nidal Khoury. “Analysis of Effectiveness [10] of Black-Box Web Application Scanners in Detection of Stored SQL Injection and Stored XSS Vulnerabilities”. In: The 10-th International Conference for Internet Technology and Secured Transactions (ICITST-2015). 6.3 (14-16 December 2015), pp. 186–191. doi : 10.1109/ICITST.2015.7412085 . Fabien Potencier et al. Twig . url : https://twig.symfony.com/doc/2.x/ (visited on [11] 12/04/2018). Armin Ronacher et al. Flask . url : http://flask.pocoo.org/docs/012 (visited on [12] 12/04/2018). Armin Ronacher et al. Jinja2 . url : http://jinja.pocoo.org/docs/2.10/templates/ [13] (visited on 12/04/2018). Stigler, Karzhaubekova, Karg 19/19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automated fault detection for Automated fault detection for Autosub6000: Autosub6000: What we've

Automated fault detection for Automated fault detection for Autosub6000: Autosub6000: What we've

Automated fault detection for Automated fault detection for Autosub6000: Autosub6000: What we've achieved in a year? TSEM talk @ Institute of Cybernetics, Tallinn, Estonia Juhan Ernits, March 9, 2010 Overview of todays talk Overview of today s

490 views • 26 slides
Towards Automated Melanoma Detection with Deep Learning: Data Purification and Augmentation

Towards Automated Melanoma Detection with Deep Learning: Data Purification and Augmentation

Motivation Related work Proposed approach Empirical results Conclusion Towards Automated Melanoma Detection with Deep Learning: Data Purification and Augmentation Devansh Bisla , Anna Choromanska, Russell S. Berman, Jennifer A. Stein, David

359 views • 15 slides
Moving Forward Using Automated Measures for Lameness Detection Nria Chapinal, PhD Animal

Moving Forward Using Automated Measures for Lameness Detection Nria Chapinal, PhD Animal

Moving Forward Using Automated Measures for Lameness Detection Nria Chapinal, PhD Animal Welfare Program, UBC April 14, 2010 Outline Introduction Visual/subjective methods of detection Automated methods of detection Examples

905 views • 47 slides
S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps David Sounthiraraj Justin Sahs Garret Greenwood Zhiqiang Lin Latifur Khan University of Texas at Dallas February 26, 2014

671 views • 40 slides
SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities

SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities

SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities Theofilos Petsios , Jason Zhao, Angelos D. Keromytis, and Suman Jana Columbia University ACM Conference on Computer and Communications Security (CCS)

563 views • 38 slides
Automated microscopy system for detection and genetic characterization of fetal nucleated red

Automated microscopy system for detection and genetic characterization of fetal nucleated red

Header for SPIE use Automated microscopy system for detection and genetic characterization of fetal nucleated red blood cells on slides. Ilya Ravkin and Vladimir Temov * Applied Imaging Corp., 2380 Walsh Avenue, Bldg. B, Santa Clara, CA 95051

263 views • 12 slides
Bruteforcing in the Shadows Evading Automated Detection Martin Draar, Jan Vykopal

Bruteforcing in the Shadows Evading Automated Detection Martin Draar, Jan Vykopal

Bruteforcing in the Shadows Evading Automated Detection Martin Draar, Jan Vykopal {drasar|vykopal}@ics.muni.cz Institute of Computer Science Masaryk University Brno, Czech Republic FloCon 2012 January 12, Austin, Texas Part I Network

898 views • 22 slides
From Web 2.0 to Semantic Web A Semi-Automated Approach Andreas He, Christian Maa and Francis

From Web 2.0 to Semantic Web A Semi-Automated Approach Andreas He, Christian Maa and Francis

From Web 2.0 to Semantic Web A Semi-Automated Approach Andreas He, Christian Maa and Francis Dierick Lycos Europe 01/06/2008 | 1 Outline Motivation Proposals for better tagging Tag suggestion / semi-automated tagging Tag

478 views • 32 slides
AUTOMATED, RAPID MICROBIAL DETECTION SYSTEM FOR REMOTE TESTING OF E.COLI , COLIFORMS, AND

AUTOMATED, RAPID MICROBIAL DETECTION SYSTEM FOR REMOTE TESTING OF E.COLI , COLIFORMS, AND

Brisbane, Queensland, Australia May 9, 2018 AUTOMATED, RAPID MICROBIAL DETECTION SYSTEM FOR REMOTE TESTING OF E.COLI , COLIFORMS, AND ENTEROCOCCI BACTERIA R.S. Brown, L. ODonnell and A. Luke, School of Environmental Studies and Dept. of

490 views • 31 slides
ADWISER Automated Detection of Writing Inaccuracies for Students of English in Russia Developed

ADWISER Automated Detection of Writing Inaccuracies for Students of English in Russia Developed

ADWISER Automated Detection of Writing Inaccuracies for Students of English in Russia Developed by: Darya Overnikova Olga Vinogradova Nika Smilga Elizaveta Ershova Anna Viklova Ivan Torubarov Anton Buzanov Ksenia Pospelova Nikita Login

656 views • 30 slides
Quality assessment in DevOps: Automated Analysis of a Tax Fraud Detection System Diego

Quality assessment in DevOps: Automated Analysis of a Tax Fraud Detection System Diego

Quality assessment in DevOps: Automated Analysis of a Tax Fraud Detection System Diego Perez-Palacin, Youssef Ridene, Jos Merseguer University of Zaragoza, Netfective Technology Diego Perez-Palacin Big Blu eGov Tax Fraud Detection System

907 views • 41 slides
A Novel Approach to Integrate Human-in-the-Loop Testing in the Development Chain of Automated

A Novel Approach to Integrate Human-in-the-Loop Testing in the Development Chain of Automated

Institute of Automotive Engineering A Novel Approach to Integrate Human-in-the-Loop Testing in the Development Chain of Automated Driving on the Example of Automated Lane Change Branko Rogic TU Graz 1 Agenda Institute of Automotive

296 views • 16 slides
Automated Geophysical Feature Detection with Deep Learning Chiyuan Zhang , Charlie Frogner and

Automated Geophysical Feature Detection with Deep Learning Chiyuan Zhang , Charlie Frogner and

Automated Geophysical Feature Detection with Deep Learning Chiyuan Zhang , Charlie Frogner and Tomaso Poggio, MIT . Mauricio Araya-Polo, Jan Limbeck and Detlef Hohl, Shell International Exploration &amp; Production Inc . GPU Technology Conference

496 views • 22 slides
Automated Analysis of Retinal Images for Early Diabetes Detection with Sub-Riemannian Methods

Automated Analysis of Retinal Images for Early Diabetes Detection with Sub-Riemannian Methods

MAnET Meeting, Helsinki, 8-9 Dec. 2015 Automated Analysis of Retinal Images for Early Diabetes Detection with Sub-Riemannian Methods Samaneh Abbasi-Sureshjani, Prof. Bart ter Haar Romeny RetinaCheck-MAnET Project, Eindhoven University of

476 views • 19 slides
Automated Detection of Chondrocytes in Growth Plate Images Emily Beylerian, Brian de Silva, Ben

Automated Detection of Chondrocytes in Growth Plate Images Emily Beylerian, Brian de Silva, Ben

Biology Image Processing Algorithm Methods Analytics Results Error Metrics Conclusion Questions References Automated Detection of Chondrocytes in Growth Plate Images Emily Beylerian, Brian de Silva, Ben Gross, Hannah Kastein Mentors:

1.07k views • 22 slides
GDC 2012 March 5-9 Runtime CPU Performance Spike Detection using Manual and Compiler Automated

GDC 2012 March 5-9 Runtime CPU Performance Spike Detection using Manual and Compiler Automated

GDC 2012 March 5-9 Runtime CPU Performance Spike Detection using Manual and Compiler Automated Instrumentation Adisak Pochanayon : adisak@wbgames.com Principal Software Engineer, Mortal Kombat Team Netherrealm Studios (WB Games Chicago) This

366 views • 9 slides
Lets make HTML5 &amp; JavaScript Games! credit: w3.or g HTML is a markup lan g ua g e Markup

Lets make HTML5 &amp; JavaScript Games! credit: w3.or g HTML is a markup lan g ua g e Markup

Lets make HTML5 &amp; JavaScript Games! credit: w3.or g HTML is a markup lan g ua g e Markup lan g ua g es are code-based annotation systems HTML is the backbone of every website HTML is made of elements openin g ta g closin g ta g

1.19k views • 38 slides
Well-formed XML Documents Asst. Prof. Dr. Kanda Runapongsa Saikaew (krunapon@kku.ac.th) Dept.

Well-formed XML Documents Asst. Prof. Dr. Kanda Runapongsa Saikaew (krunapon@kku.ac.th) Dept.

Well-formed XML Documents Asst. Prof. Dr. Kanda Runapongsa Saikaew (krunapon@kku.ac.th) Dept. of Computer Engineering Khon Kaen University 1 Agenda Types of XML documents Why Well-formed XML Documents Rules of Well-formed XML

777 views • 44 slides
Android Pre-requisites 1 Android To Dos Make sure you have working

Android Pre-requisites 1 Android To Dos Make sure you have working

Android Pre-requisites 1 Android To Dos Make sure you have working install of Android Studio Make sure it works by running Hello, world App On emulator

666 views • 24 slides
Goal: next 2-3 weeks Create a pla@orm game (side scrolling game) leveraging Canvas Tutorial

Goal: next 2-3 weeks Create a pla@orm game (side scrolling game) leveraging Canvas Tutorial

Goal: next 2-3 weeks Create a pla@orm game (side scrolling game) leveraging Canvas Tutorial HTML 2D Canvas HTML5 (be sure to follow the links) CSS, and JavaScript Final product (aLer 2-3 Weeks) From Simple HTML to 2D Pla@orm

430 views • 4 slides
Natural Language Processing Info 159/259 Lecture 10: Sequence Labeling 1 (Sept 26, 2017)

Natural Language Processing Info 159/259 Lecture 10: Sequence Labeling 1 (Sept 26, 2017)

Natural Language Processing Info 159/259 Lecture 10: Sequence Labeling 1 (Sept 26, 2017) David Bamman, UC Berkeley POS tagging Labeling the tag thats correct for the context. NNP IN FW IN JJ SYM JJ VBZ VB LS VB VBZ NN NN

1.27k views • 63 slides
HTML 1 CS 337 - Web Programming University of Arizona - Spring 2014 Day 1 Review There are four

HTML 1 CS 337 - Web Programming University of Arizona - Spring 2014 Day 1 Review There are four

HTML 1 CS 337 - Web Programming University of Arizona - Spring 2014 Day 1 Review There are four main technological elements used in a majority of websites Design Interaction Logic Database (HTML &amp; CSS) (JavaScript) (PHP/ (MySQL/

656 views • 40 slides
Browsers Web-Big Picture The Client Any software that is capable of issuing HTTP requests

Browsers Web-Big Picture The Client Any software that is capable of issuing HTTP requests

Browsers Web-Big Picture The Client Any software that is capable of issuing HTTP requests A general purpose software application for requesting HTTP resources and displaying responses to the user is a web browser. Web Resources

833 views • 17 slides
Time-Lord Techniques A lost set of timing techniques. Called time-lord systems (Greek:

Time-Lord Techniques A lost set of timing techniques. Called time-lord systems (Greek:

Time-Lord Techniques A lost set of timing techniques. Called time-lord systems (Greek: chronocrator ). Not all placements activated at all times. Latent natal potential becomes awakened. Western equivalent of Indian dasha

715 views • 49 slides

More recommend