1 Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks. Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen (Northwestern University, Evanston, IL; SRI International, Menlo Park, CA). NDSS Symposium. Presented /05/14 by 曾毓傑.

2 Outline
- Introduction
- Design
- Implementation
- Evaluation
- Performance
- Discussion

3 INTRODUCTION

4 Self-Propagating XSS Attacks (the Samy worm on MySpace)
(1) The user accesses Samy's page.
(2) The script injected into that page gains access to the user's page DOM.
(3) The script sends forged requests to MySpace on the user's behalf.
(4) The forged requests post the malicious data onto the user's wall.
(5) Other users who view that wall are affected in turn, and the cycle repeats.

5 XSS Taxonomy
- Server-side XSS attacks
  - Stored XSS (persistent)
  - Reflected XSS (non-persistent)
- Client-side XSS attacks
  - Plug-in XSS (e.g. Flash, Java)
  - Content-sniffing XSS
  - DOM-based XSS

6 Path Cutter
- Path Cutter blocks the self-propagation of every class of XSS worm in the taxonomy above (stored, reflected, plug-in, content-sniffing and DOM-based), because it severs the propagation path that all of them share rather than targeting each injection vector.
- It is easy to implement on both the server side and in a proxy server.

7 Problem Definition
XSS: exploitation of a web application vulnerability that enables an attacker to inject client-side scripts into web pages owned by other users.
The four steps of a self-propagating XSS attack:
- Step 1: Enticement and exploitation
- Step 2: Privilege escalation
- Step 3: Replication
- Step 4: Propagation

8 Related Work
- Spectator system: tracks propagation activity.
- Sun et al.: a Firefox plug-in.
- Xu et al.: monitors the social graph.

9 DESIGN

10 Main Mechanisms
- View separation
- Request authentication

11 Key Concepts
- View: a web page, or a part of a web page.
- Action: an operation that belongs to a view.
- Access Control List (ACL): the set of actions a view is allowed to perform.
- Capability: a secret key used to validate a request.

12 Dividing Web Applications into Views
- Based on semantics: e.g. User A's blog site versus User B's blog site.
- Based on URLs.
- Based on page elements: e.g. the blog post versus the user comments on it.

13 View Separation
- Isolate the different pages/views that the server produces from one another at the client side.
- Take advantage of the browser's Same-Origin Policy: when each view is rendered in its own origin, a script running in one view can neither read the other view's DOM nor forge requests as that view.
[Figure: User B's blog post and User A's login shown as two separate views.]

14 Request Authentication
Authenticate actions using:
- Secret tokens / capabilities: each view carries a secret token that an attacker cannot guess; the server verifies the token before it accepts the request.
- Referer-based view validation: the server determines from the Referer header which view the request comes from, and checks in the access control list (ACL) whether that view is permitted to perform the requested action.
[Figure: a POST with its Referer from User B's blog post, and User A's login, as separate views.]

15 IMPLEMENTATION

16 Server-side Implementation
- WordPress (open-source blog system): 43 lines of code modified in total; views are separated by URL.
- Elgg (open-source social network engine): 2 lines of code modified plus a 23-line plug-in; the comment-add form is isolated into its own view.