document structure integrity
play

Document Structure Integrity: A Robust Basis for Cross-Site - PowerPoint PPT Presentation

Jan 18, 2023 •141 likes •569 views

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji Prateek Saxena Dawn Song Illinois Institute UC Berkeley UC Berkeley Of Technology 1 A Cross-Site Scripting Attack Hi Joe, <img src=>

  1. Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji Prateek Saxena Dawn Song Illinois Institute UC Berkeley UC Berkeley Of Technology 1

  2. A Cross-Site Scripting Attack Hi Joe, <img src=“…”> <script src=“”> Cookies, Password Hi Joe, Policy: ALLOW <img src=“…”> {a, a@href, img, img@src } <script src=“”> 2

  3. Limitations of Server-side Sanitization <IMG SRC="javascript:alert('XSS')”> <IMG SRC=JaVaScRiPt:alert('XSS')> <IMG SRC=&#106;&#97;&#118;&#97; &#115;&#99;&#114;&#105;&#112;&#1 16;&#58;&#97;&#108;&#101;&#114;& #116;&#40;&#39;&#88;&#83;&#83;&# Cookies, 39;&#41;> Password Hi Joe, Policy: ALLOW <img src=…> {a, a@href, img, img@src } 3

  4. Limitations of Server-side Sanitization • Over 90 ways to inject JS [RSnake07] • Multiple Languages » JS, Flash, CSS, XUL, VBScript Cookies, Password Hi Joe, <img src=…> 4

  5. A Different Approach… • Previous defenses: XSS is a sanitization problem • Our view: XSS is a document structure integrity problem IMG SRC IMG SRC javascript: String 5

  6. Concept of Document Structure DYNAMIC STATIC DOCUMENT div STRUCTURE DOCUMENT div STRUCTURE id id Joe; online Joe; online document.write() JAVASCRIPT DOCUMENT STRUCTURE 6

  7. Document Structure Integrity (DSI) • Definition: – Given a server’s policy P, – Restrict untrusted content to allowable syntactic elements – Policy in terms of client-side languages • Central idea for DSI enforcement – Dynamic information flow tracking (server & browser) – Policy based parser-level confinement • Default policy: Only leaf nodes untrusted 7

  8. Talk Outline • Power of DSI Defense: Examples • Design Goals • Architecture • Implementation • Evaluation • Conclusion & Related Work 8

  9. Talk Outline • Power of DSI Defense: Examples • Design Goals • Architecture • Implementation • Evaluation • Conclusion & Related Work 9

  10. DSI Defense: A Powerful Approach • DSI enforcement prevents – Not just cookie-theft » Form injection for phishing [Netcraft08] » Profile Worms [Samy05, Yammaner06] » Web site defacement through XSS – “DOM-Based” XSS (Attacks on client-side languages) – Vulnerabilities due to browser-server inconsistency 10

  11. Example 1: DOM-Based XSS • DOM-based client-side XSS [Klein05] <div id=“ Joe; online ”> <div id=“ Joe; online ”> Joe div + id online Joe; online JAVASCRIPT DYNAMIC UPDATE 11

  12. Example 1: DOM-Based XSS • DOM-based client-side XSS [Klein05] < div id=“ Devil ; <script>..</script> ”> <div id=“ Devil; <script>..</script>”> JAVASCRIPT 12

  13. Example 1: DOM-Based XSS • DOM-based client-side XSS [Klein05] < div id=“ Devil ; <script>..</script> ”> <div id=“ Devil; <script>..</script>”> script “Devil” JAVASCRIPT “..” DYNAMIC UPDATE 13

  14. Example 2: Inconsistency Bugs • Browser-Server Inconsistency Bugs IMG <img onload=alert(1)> ONLOAD alert (1) <img onload:=alert(1)> IMG <img onload:=alert(1)> onload:=alert(1) Assumed Parse Tree 14

  15. Talk Outline • Defense in Depth: Examples • Design Goals • Architecture • Implementation • Evaluation • Conclusion & Related Work 15

  16. Design Goals • Clear separation between policy and mechanism • No dependence on sanitization • No changes to web application code • Minimize false positives • Minimizes impact to backwards compatibility • Robustness – Address static & dynamic integrity attacks – Defeat adaptive adversaries 16

  17. Mechanisms • Client-server architecture • Server – Step 1: Identify trust boundaries in HTML response – Step 2: Serialize » Encoding data & trust boundaries in HTML • Client – Step 3: De-serialize » Initialize HTTP response page into static document structure – Step 4: Dynamic information flow tracking » Modified semantics of client-side interpretation 17

  18. Talk Outline • Defense in Depth: Examples • Design Goals • Architecture • Implementation • Evaluation • Conclusion & Related Work 18

  19. Approach Overview: Static DSI SERIALIZER DE-SERIALIZER <img src=“…”> [[<img src=“…”> <script src=“”> <script src=“”>]] <a href = …> <a href = …> img script P SERVER BROWSER 19

  20. Approach Overview: Dynamic DSI TAINT SERIALIZER DE-SERIALIZER TRACKING <div id=“ Devil; <div id=“[[ Devil; div <script>..</scri <script>..</scrip pt> ”> t> ]]”> id Devil;<script>.. </script> SERVER BROWSER 20

  21. Approach Overview: Dynamic DSI (II) TAINT SERIALIZER DE-SERIALIZER TRACKING <div id=“ Devil; <div id=“[[ Devil; <script>..</scri <script>..</scrip script pt> ”> t> ]]”> id “Devil” “..” SERVER BROWSER 21

  22. Serialization Design: Key Challenge • Safety against an adaptive adversary <CONFINE> <CONFINE> </CONFINE> USER BLOG <script>…</script> </CONFINE> </CONFINE> </CONFINE> 22

  23. Serialization: Key Challenge • Do not rely on sanitization <CONFINE … ID=“N5”></CONFINE> <SCRIPT> document.getElementByID(“N5”).innerHTML = “ What to disallow? USER BLOG ”; </SCRIPT> 23

  24. Serialization Design: Key Challenge • Attack on sanitization mechanism for JS strings <CONFINE … ID=“N5”></CONFINE> <SCRIPT> document.getElementByID(“N5”).innerHTML = “ </SCRIPT> Attack <SCRIPT> ”; </SCRIPT> 24

  25. Markup Randomization • Markup Randomization – Mechanism independent of the policy – Does not depend on any sanitization R [[ 00101 R ]] 00101 Valid Nonces: 00101 , 11010 , 01110 Policy: ALLOW {a, a@aref ... } 25

  26. Markup Randomization • Markup Randomization – Mechanism independent of the policy – Does not depend on any sanitization [[ 00101 R ]] 00101 [[ 00101 R ]] 00101 Valid Nonces: 00101 , 11010 , 01110 Policy: ALLOW {a, a@aref} OK! 26

  27. Markup Randomization • Markup Randomization – Mechanism independent of the policy – Does not depend on any sanitization [[ 00101 R ]] 10101 [[ 00101 R ]] 00101 Valid Nonces: 00101 , 11010 , 01110 Policy: ALLOW {a, a@aref} 27

  28. Browser-side Taint Tracking • Dynamic DSI • Client Language Interpreters enhanced • Ubiquitous tracking of untrusted data in the browser 28

  29. Talk Outline • Advantages of DSI in Attack Coverage • Design Goals • Architecture • Implementation • Evaluation • Conclusion & Related Work 29

  30. Implementation • Full Prototype Implementation • DSI-enable server – Utilized existing taint tracking in PHP [IBM07] • DSI-compliant browser – Implemented in KDE Konqueror 3.5.9 – Client side taint tracking in JS interpreter of KDE 3.5.9 30

  31. 31 You are 0wned!

  32. 32 In a DSI-compliant Browser… <script>alert(document.cookie)</script>

  33. Talk Outline • Advantages of DSI in Attack Coverage • Design Goals • Architecture • Implementation • Evaluation • Conclusion & Related Work 33

  34. Evaluation: Attack Detection • Stored XSS attacks • Vulnerable phpBB forum application • 25 public attack vectors [RSnake07] • 30 benign posts • Results – 100% attack prevention – No changes required to the application – No false positives 34

  35. Evaluation: Real-World XSS Attacks • 5,328 real-world vulnerabilities [xssed.com] • 500 most popular benign web sites [alexa.com] • Default Policy: – Coerce untrusted data to leaf nodes • Results – 98.4% attack prevention – False Negatives: » Due to exact string matching in instrumentation – False Positives: 1% » Due to instrumentation for tainting (<title> on Slashdot) 35

  36. 36 1-3% 1.8% 1.1% Evaluation: Performance Static page size increase Browser Overhead Server overhead

  37. Related Work • Client-server Approaches » BEEP [Jim07] » <jail> [Eich07] » Hypertext Isolation [Louw08] • Client-side approaches » IE 8 Beta XSS Filter [IE8Blog] » Client-side Firewalls [Kirda06] » Sensitive Info. Flow Tracking [Vogt07] • Server-side approaches » Server-side taint-based defenses [Xu06, Nan07, Ngu05, Pie04] » XSS-Guard [Bisht08] » Program Analysis for XSS vulnerabilities [Balz08, Mar05, Mar08, Jov06, Hua04] 37

  38. Conclusion • DSI: A fundamental integrity property for web applications • XSS as a DSI violation • Multifaceted Approach – Clearly separates mechanism and policy • Defeats adaptive adversaries – Markup randomization • Evaluation on a large real-world dataset – Low performance overhead – No web application code changes – No false positives with configurable policies 38

  39. 39 Thank you! Questions

  40. 40 Hi Joe! Hi Joe! Client-Side Proxy user=Joe Hi [[Joe]]! www.site.com?user=Joe

  41. Markup Randomization: Adaptive Attacks • Multiple valid parse trees [[ N1 [[ N3 ]] N1 [[ N2 ]] N3 ]] N2 [[ N1 [[ N3 ]] N1 [[ N2 ]] N3 ]] N2 OR [[ N1 [[ N3 ]] N1 [[ N2 ]] N3 ]] N2 41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR

KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR

KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR INTEGRITY INTEGRITY INTEGRITY INTEGRITY INTEGRITY INTEGRITY Blockchain &amp; Security Ruth Crowell, Chief Executive Asia Pacific Precious Metals

460 views • 10 slides
3. Defining the document structure (DTD) Declaration of application-specific names and

3. Defining the document structure (DTD) Declaration of application-specific names and

3. Defining the document structure (DTD) Declaration of application-specific names and structural constraints A document is valid if it specifies a DTD, and if its contents conform to the DTD. A validating parser does the checking;

895 views • 18 slides
Professional Integrity to Testing &amp; Certification Practitioners Integrity Training for PCSTP

Professional Integrity to Testing &amp; Certification Practitioners Integrity Training for PCSTP

Professional Integrity to Testing &amp; Certification Practitioners Integrity Training for PCSTP Applicants Hong Kong Ethics Development Centre Independent Commission Against Corruption Competence Requirement Integrity Management

574 views • 23 slides
LESSONS LEARNED Research Integrity Some Thoughts Integrity is doing the right thing when

LESSONS LEARNED Research Integrity Some Thoughts Integrity is doing the right thing when

Mr. Gianfranco Scipione, M.Sc., J.D./M.B.A. Manager, Research Integrity UHN Research Ms. Katie Roposa, BScN, MEd, RN, CMQ/OE Director, Research Quality Integration UHN Research LESSONS LEARNED Research Integrity Some Thoughts Integrity

623 views • 21 slides
Going Remote with Integrity 3.0: Your Academic Integrity Policy Gone Virtual Dr. James Earl Orr,

Going Remote with Integrity 3.0: Your Academic Integrity Policy Gone Virtual Dr. James Earl Orr,

Going Remote with Integrity 3.0: Your Academic Integrity Policy Gone Virtual Dr. James Earl Orr, Jr. April 9, 2020 Caveat to Presentation True Promotion of Academic Integrity Involves a Coordinated Campus Conversation Faculty, Students,

464 views • 44 slides
Standard I.C Institutional Integrity I.C: Institutional Integrity How define institutional

Standard I.C Institutional Integrity I.C: Institutional Integrity How define institutional

Standard I.C Institutional Integrity I.C: Institutional Integrity How define institutional integrity? What evidence shows BC is trustworthy? I.C: Institutional Integrity Standard #1: We make sure the information we give is

227 views • 6 slides
Integrity 1. Perspective Five Steps to Decision Integrity Dialogue grows perspective about

Integrity 1. Perspective Five Steps to Decision Integrity Dialogue grows perspective about

GOOD DECISION 5. Connection 4. Alignment 3. Priority 2. Importance Integrity 1. Perspective Five Steps to Decision Integrity Dialogue grows perspective about stakeholders and values. Integrity is rooted in open, honest examination of stakeholder

431 views • 15 slides
Current assessment frameworks for trawling impact on seafloor integrity: Lessons learnt from ICES

Current assessment frameworks for trawling impact on seafloor integrity: Lessons learnt from ICES

Current assessment frameworks for trawling impact on seafloor integrity: Lessons learnt from ICES WKBENT on structure, function, tolerance and recoverability Anna Trnroos bo Akademi University Impact on seafloor integrity. The EUs

339 views • 20 slides
The Document Object Model (DOM) How a browser internally represents an HTML document Jay

The Document Object Model (DOM) How a browser internally represents an HTML document Jay

The Document Object Model (DOM) How a browser internally represents an HTML document Jay Urbain, Ph.D. 1 The Document Object Model (DOM) represents the objects that comprise a web page document The hierarchical structure of the DOM depends

775 views • 6 slides
Corporate integrity in turbulent times EY Forensic &amp; Integrity Services 9 July 2020

Corporate integrity in turbulent times EY Forensic &amp; Integrity Services 9 July 2020

Corporate integrity in turbulent times EY Forensic &amp; Integrity Services 9 July 2020 Restriction of use and liability EY Global Integrity Report 2020 Spotlight on India The COVID-19 crisis has magnified the risk of unethical conduct in

985 views • 7 slides
PROGRAM INTEGRITY 101 Program Integrity Kimberly Sullivan, JD DHH Deputy General Counsel

PROGRAM INTEGRITY 101 Program Integrity Kimberly Sullivan, JD DHH Deputy General Counsel

PROGRAM INTEGRITY 101 Program Integrity Kimberly Sullivan, JD DHH Deputy General Counsel PURPOSE 2 Assure the Programmatic and Fiscal Integrity of the Louisiana Medical Assistance Program (Medicaid). In order for DHH to receive the federal

448 views • 25 slides
How to get started in L A T EX Document Structure Formatting and Page Layout Florence Bouvet

How to get started in L A T EX Document Structure Formatting and Page Layout Florence Bouvet

Introduction Some very basics How to get started in L A T EX Document Structure Formatting and Page Layout Florence Bouvet Tables Department of Economics Importing Images and Sonoma State University creating Figures Mathematics

522 views • 29 slides
Asset Integrity Management The House of Integrity Integrating Process Safety Steven Saunders

Asset Integrity Management The House of Integrity Integrating Process Safety Steven Saunders

: Asset Integrity Management The House of Integrity Integrating Process Safety Steven Saunders TUV Rheinland/Risktec This Presentation What is asset integrity? Why should we invest in asset integrity? A modern interpretation of

1.34k views • 27 slides
Integrity of Secondary Containment for Crude Oil Storage Tanks at VMT PWSRCAC Staff Tom

Integrity of Secondary Containment for Crude Oil Storage Tanks at VMT PWSRCAC Staff Tom

Integrity of Secondary Containment for Crude Oil Storage Tanks at VMT PWSRCAC Staff Tom Kuckertz Linda Swiss TOEM and OSPR Committees 1/16/13 Integrity of Secondary Containment Discovery of initial integrity issue More integrity

633 views • 13 slides
1 The symbol of integrity watching signalling checking Antecedents of the Integrity Project

1 The symbol of integrity watching signalling checking Antecedents of the Integrity Project

Why committed SAO itself to the integrity approach in the fight against corruption? Presentation by Gyula Pulay, supervisory manager SAI of Hungary The symbol of corruption 1 The symbol of integrity watching signalling checking

362 views • 12 slides
ACADEMIC INTEGRITY Management Approach Academic Integrity Procedure #2502 Barton Community

ACADEMIC INTEGRITY Management Approach Academic Integrity Procedure #2502 Barton Community

ACADEMIC INTEGRITY Management Approach Academic Integrity Procedure #2502 Barton Community College is an academic community committed to upholding the highest ideals of integrity and the related values of honesty, trust, cooperation, respect,

307 views • 7 slides
Browser Security Part 1 Background Web Server Browser Serves content Represents content

Browser Security Part 1 Background Web Server Browser Serves content Represents content

Browser Security Part 1 Background Web Server Browser Serves content Represents content Static Static (HTML) Dynamic Dynamic (XML, ASP, JSP) Server-side scripts Client-side scripts (JScript) Fetch content from

621 views • 24 slides
WEB CLIENT SECURITY Riccardo Bonafede Daniele Lain spritzers - CTF team Leonardo Nodari

WEB CLIENT SECURITY Riccardo Bonafede Daniele Lain spritzers - CTF team Leonardo Nodari

WEB CLIENT SECURITY Riccardo Bonafede Daniele Lain spritzers - CTF team Leonardo Nodari spritz.math.unipd.it/spritzers.html Disclaimer All information presented here has the only purpose to teach how vulnerabilities work. Use them to win

482 views • 30 slides
Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

IIG University of Freiburg Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 5 Cross Site Scripting 1 Table of Contents Presentation: Inject Javascript in a Page

506 views • 26 slides
Cross-Site Scripting: analysis, identification and exploitation Mauro Gentile Web Application

Cross-Site Scripting: analysis, identification and exploitation Mauro Gentile Web Application

Cross-Site Scripting: analysis, identification and exploitation Mauro Gentile Web Application Security course (Elective in Computer Networks) prof. Fabrizio d'Amore Dept. of Computer, Control, and Management Engineering Antonio Ruberti

729 views • 28 slides
Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting

Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting

Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting Executing unauthorized code XSRF - Cross-site request forgery Remote execution for logged-in users SQL Injection A malicious variable placed into a

681 views • 18 slides
Locking the Throne Room How ES5+ might change views on XSS and Client Side Security A

Locking the Throne Room How ES5+ might change views on XSS and Client Side Security A

Locking the Throne Room How ES5+ might change views on XSS and Client Side Security A presentation by Mario Heiderich, 2011 Introduction Mario Heiderich Researcher and PhD student at the Ruhr-University, Bochum Security Researcher

550 views • 40 slides
VOTD: XSS &amp; CSRF Engineering Secure Software Last Revised: September 8, 2020 SWEN-331:

VOTD: XSS &amp; CSRF Engineering Secure Software Last Revised: September 8, 2020 SWEN-331:

VOTD: XSS &amp; CSRF Engineering Secure Software Last Revised: September 8, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is XSS? XSS: Cross Site Scripting Injecting malicious scripts into a web page CWE-79

772 views • 12 slides
Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall

Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall

Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised of - HTML - JavaScript - Style

1.67k views • 129 slides

More recommend