ScriptGard: Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications. Prateek Saxena (UC Berkeley), David Molnar (Microsoft Research).


1 ScriptGard: Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications. Prateek Saxena (UC Berkeley), David Molnar (Microsoft Research), Ben Livshits (Microsoft Research)

2 Large-Scale Legacy Applications. Step-up in scale – half a million LOC – shared development by teams of 100+. What's the difference? – Shifting platforms isn't practical – long program paths, many sanitizers applied. How to secure legacy apps?

3 XSS in Large-Scale Applications. Small-scale apps: buggy sanitizer, missing sanitization – [Pixy'06, PhpTaint'06, Cqual'04, Merlin'09, Securifly'05, PhpAspis'11, Saner'08, Bek'11]. Example of a missing sanitizer and its fix: String Img.RenderControl() { Write(userimg); } versus String Img.RenderControl() { Write(Sanitize(userimg)); }. Large-scale applications: new sanitization errors – [CCS'11] ScriptGard.

4 Contributions. Does sanitization defense fail in practice? – 7 commercial applications, 400 KLOC. 2 new classes of errors in sanitizer use – how often & why. ScriptGard: automated sanitizer-use analysis – works on legacy .NET code with minimal specs, produces concrete test cases, and can auto-correct sanitization during deployment.

5 Error #1: Context-Mismatched Sanitization (CMS). Example page: the text "Diapers" in HTML tag context and var name='Stewie'; in JS string context. Which sanitizer to apply where: HtmlEncode or JSStringEncode? With the wrong choice, an input such as \r\n; alert(document.cookie); in the JS string context is not neutralized. 1,207 (4.7%) are CMS errors!

6 Why Does Context-Mismatch Happen? (Diagram: several program paths through a sanitizer into one output sink.) Context is a global, path-sensitive property, but developers select sanitizers locally.

7 Error #2: Inconsistent Multiple Sanitization (IMS). (Diagram: attack input passes through San 1 and San 2 before reaching the output sink.) Is the result safe? Does the order matter?

8 Inconsistent Multiple Sanitization (IMS): Does It Really Happen? (Diagram: attack input sanitized by HtmlEncode then JSStringEncode on one path, and by JSStringEncode then HtmlEncode on another.) 285 (8%) of multiple sanitizations are errors!

9 Why Does IMS Happen? Server-side output sink: document.write('<a href="userlink">'); where userlink is the user-controlled value.

10 Why Does IMS Happen: Nested Contexts. In document.write('<a href="userlink">'); the value userlink sits in a URL attribute context nested inside a JS string context. The browser's JS parser runs first and Unicode-decodes the string literal (\u0022 becomes "); the HTML parser then entity-decodes the attribute value (&quot; becomes ").

11 Why Does IMS Happen: Nested Contexts (continued). Correct sanitizer order: the quote reaches the browser as \u0026quot;, JS Unicode decode yields &quot;, and HTML entity decode yields ". Wrong sanitizer order: the quote reaches the browser as \u0022, which JS Unicode decode turns into a raw " before the HTML parser runs. Nested contexts cause developer confusion!
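Added example (not from the slides or the ScriptGard tool): a toy Python model of the sanitizers and browser decoding steps described on slides 5, 10 and 11. It shows why HtmlEncode followed by JSStringEncode is the right order for a URL attribute nested in a JS string, and why an HTML sanitizer alone does not protect a JS string literal. html_encode, js_string_encode and the two decoders are simplified stand-ins written for this example, not the .NET implementations.

```python
import re

# Toy versions of the two sanitizers named on the slides (not the .NET originals).
def html_encode(s: str) -> str:
    """Entity-encode the HTML metacharacters listed for 'HTML content' on slide 28."""
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&#39;"))

def js_string_encode(s: str) -> str:
    """\\u00XX-encode the characters listed for 'JS string literal' on slide 28."""
    return "".join(f"\\u{ord(c):04x}" if c in "'\"&\\\n\r()<>" else c for c in s)

# The browser undoes the encodings in the opposite nesting order: the JS parser
# decodes the string literal first, then document.write hands the result to the
# HTML parser, which decodes entities inside the attribute value.
def js_unicode_decode(s: str) -> str:
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)

def html_entity_decode(s: str) -> str:
    for ent, ch in (("&quot;", '"'), ("&#39;", "'"), ("&lt;", "<"), ("&gt;", ">")):
        s = s.replace(ent, ch)
    return s.replace("&amp;", "&")

def render_nested(userlink: str, sanitizers):
    """Model document.write('<a href="' + userlink + '">') for one sanitizer order.
    Returns (text the HTML parser receives, final attribute value)."""
    out = userlink
    for san in sanitizers:          # server-side sanitizers, applied in this order
        out = san(out)
    html_seen = js_unicode_decode(out)
    return html_seen, html_entity_decode(html_seen)

def attribute_stays_closed(userlink: str, sanitizers) -> bool:
    """True if no raw quote reaches the HTML parser, so the href attribute is not cut short."""
    html_seen, _ = render_nested(userlink, sanitizers)
    return '"' not in html_seen

def js_literal_stays_intact(value: str, sanitizer) -> bool:
    """Slide 5 (CMS): value placed in var name='...'; an HTML sanitizer leaves \\r\\n alone."""
    out = sanitizer(value)
    return not any(c in out for c in "\r\n'")

CORRECT_ORDER = (html_encode, js_string_encode)   # inner context first, outer last
WRONG_ORDER = (js_string_encode, html_encode)

if __name__ == "__main__":
    probe = 'x"y'                                 # constructed input with one quote
    for name, order in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(name, render_nested(probe, order), attribute_stays_closed(probe, order))
```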

12 How Common Are Nested Contexts? Nesting depth: up to 4.

13 Take-Aways… Small-scale apps: buggy sanitizer, missing sanitization – [Pixy'06, PhpTaint'06, Cqual'04, Merlin'09, Securifly'05, PhpAspis'11, Saner'08, Bek'11]. Large-scale applications: shared paths lead to CMS & IMS; developers apply correct sanitizers wrongly.

14 How Do We Find Sanitization Errors In Legacy Applications At Scale?

15 ScriptGard Analysis. (Architecture diagram: ScriptGard takes HTTP requests, instrumented server-side DLLs of the legacy .NET application and a sanitizer specification, and produces inconsistently sanitized test cases.)

16 ScriptGard Analysis: Key Ideas. Path-sensitive positive taint-tracking over Paths 1–4, and context determination using a browser model.

17 ScriptGard Analysis: Key Ideas (continued). Path-sensitive positive taint-tracking records the sanitizer sequence on each path; the browser model determines the context. Path 1: HtmlAttributeEncode, JSStringEncode (trusted, +). Path 2: HtmlEncode, JSStringEncode (untrusted, −: CMS). Path 3: HtmlAttributeEncode (trusted, +). Path 4: JSStringEncode, HtmlEncode (untrusted, −: IMS).

18 Precise Context Determination: Browser Parser Model. (Diagram: browser parser state machine with labelled contexts.)

19 How Can We Correct Sanitization Errors Automatically?

20 ScriptGard: Can We Auto-Patch Sanitization Errors? The bad news: large slowdown. Observation: less than 10% of paths are problematic. Can we detect when a problematic path is executed? Yes! – Preferential Path Profiling [POPL'06] – negligible overhead.

21 ScriptGard Auto-Correction. (Diagram: pre-release, the ScriptGard analysis produces a sanitization cache and a sanitizer patch; at deployment, the preferential path profiler runs the server code with light-weight instrumentation and applies the sanitizer patch.)

22 Conclusions. 2 new patterns of errors in sanitizer use. ScriptGard – effective analysis tool – auto-correction with negligible overhead.

23 You have been a wonderful audience …you stayed… Prateek Saxena http://www.cs.berkeley.edu/~prateeks/

24 Sanitizer Correction Is Challenging. (Diagram: several paths through HtmlEncode into one output sink.) Can we just replace HtmlEncode with another sanitizer? Contexts vary by the path executed.

25 Context Determination: An Abstract Browser Model. (Diagram: HTML, URI, JavaScript and CSS sub-parsers, with transition labels document.write, javascript: and alert().)

26 Browser Contexts. Server code: String Img.RenderControl() { Write("<img src='"); Write(userimg); Write("'> "); } Output: <img src='Sunset.gif'>. Parsing "context" as the browser reads it: Start (expect <), Img Tag, Src Attribute (expect URL), Attribute Value (expect ').

27 In a Scripting Attack… Same code: String Img.RenderControl() { Write("<img src='"); Write(userimg); Write("'> "); } Parsing context: Start (expect <), Img Tag, Src Attribute (expect URL), Attribute Value. With userimg = ' onerror=alert("XSS"):… the malicious string closes the enclosing parsing context. With userimg = javascript: alert("XSS"); the malicious string introduces a new parsing context (JS URL context).

28 Sanitizers & Contexts. (Example page: "Diapers" in HTML content, var name='Stewie'; in a JS string literal.) Quoted resource attribute: HTML-entity encode quotes (&quot; for "), neuter javascript: URIs. CSS attribute: prevent moz-binding and behavior: URLs. HTML content: convert <, >, &, ", ' to HTML entities. JS string literal: encode ', ", &, \n, \r, (, ), <, >, \ to the Unicode encoding \u00XX.

29 Insight #1: Why does it happen… Nested contexts: the browser model is intricate. (Diagram: HTML parser, JavaScript parser, and HTML parser again, each with its own decoding step.)

30 Challenges. How to secure against XSS? Non-solutions – "Rewrite the application…" – "Use favorite static auditing tool…" – "Write interface specifications…" (Diagram: code versus specifications.)

31 Observation #2: The Browser Model Complexity. (Diagram: browser parser state machine with labelled contexts.) Can we expect developers to retain this model mentally?

32 Contexts & Sanitizers. (Example page: "Diapers" in HTML content, var name='Stewie'; in a JS string literal.) Quoted URI attribute: HTML-entity encode quotes (&quot; for "), neuter javascript: URIs. CSS attribute: prevent moz-binding and behavior: URLs. HTML content: convert <, >, &, ", ' to HTML entities. JS string literal: encode ', ", &, \n, \r, (, ), <, >, \ to the Unicode encoding \u00XX.
