By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07) 1 / 18

Authors  Philipp Vogt  Main developer of the XSS Attack Prevention in Firefox project  Cross site scripting detection  Giovanni Vigna  Associate Professor of UCSB  Web Security, Intrusion Detection 2 / 18

Introduction [1/5]  Cross Site Scripting  An attack against web applications where malicious scripting code is injected into the output of an application that is further delivered to a user’s web browser  This scripting code transfers sensitive information to the attacker  This information allows the attacker to impersonate the victim or hijack the victim’s session 3 / 18

Introduction [2/5]  Cross Site Scripting Attacker Server Victim Send to with XSS code Send to request with XSS Code Send to response with XSS Code XSS Code is executed Sensitive information is trasfered 4 / 18

Introduction [3/5]  Stored XSS Attacker persistently stores the malicious code in a resource managed by the web application, such as a database. when the victim requests a dynamic page, The actual attack is carried out at a later time.  Reflected XSS The attack script is not persistently stored, instead, it is reflected(sent back) to the victim.  Example Sending to the victim an with a link that contains the malicious JavaScript code. 5 / 18

Introduction [4/5]  Sensitive Data Sources 6 / 18

Introduction [5/5]  The Goal JavaScript program can send sensitive information only to the site from which it was loaded So the information flow of sensitive data is tracked inside the JavaScript engine of the browser. Whenever an attack is detected, the user is warned and given the possibility to stop the transfer. 7 / 18

Dynamic Tainting [1/5]  Dynamic Tainting Sensitive data is first marked, and then, when this data is accessed by scripts running in the web browser, its use is dynamically tracked by system. it is sufficient to model the taint value associated with a piece of data as a simple boolean flag. 8 / 18

Dynamic Tainting [2/5]  Taint Propagation  Assignments  Arithmetic and logic operations (+, -, &, etc.)  Control structures and loops (if, while, switch, for in)  Function call and eval 9 / 18

Static Tainting [1/3]  Indirect Control Dependency To cover both direct and indirect control dependencies, all possible program path in a scope need to be examined. Static analysis is necessary. 10 / 18

Static Tainting [2/3]  Linear Static Taint Analysis Ensure all variables that are assigned values (tainted or not) inside the tainted scope are also tainted. 11 / 18

Static Tainting [3/3]  Stack Analysis  Instructions responsible for setting object properties do not specify the target object because of stack-based nature of JavaScript.  Abstraction stack which has boolean values. 12 / 18

Data Transmission  The tainted data has to be transferred to a third party, using a variety of methods.  document.location.  source of an image in the web page.  Submitting a form in the web page.  XMLHttpRequest object. 13 / 18

Evaluation [1/4]  XSS attacks  XSS sources that group’s members collected  Successful in detecting XSS  Manual test  The modified browser was used by the authors for web surfing on a daily basis  The overhead of is negligible.  The amount of false positives was low. 14 / 18

Evaluation [2/4]  Automatic test  Integrate a web crawling engine into modified Firefox.  Visited 1,033,000 unique web pages  88,589 (8.58%) web pages raised an XSS warning  The scripts are inserted into the web page with the con sent of the web site owner. 15 / 18

Evaluation [3/4]  Top -30 destination domain  These domains belong to companies that collect statistics about traffic on web sites of their customers  Deny top 30 domains, reduce to 13,964(1.35%)  Reduced to 5,289 (0.51%) if only transfer of cookies were considered 16 / 18

Evaluation [4/4]  Reasons of small false positives  Transfer of cookies to different domains, but within company borders (eg. cnn.net -> cnn.com)  Transfer of cookies between different domains, but same company (eg. discover.com -> unitedstreaming.com)  Our indirect control flow 17 / 18

Conclusion  Prevent XSS attacks using a dynamic taint analysis and static analysis when necessary.  Integrate the solution into Firefox web browser by modifying its JavaScript engine.  Generate small false positives and feasible in practice. 18 / 18

Extra - Dynamic Tainting [3/5]  Assignments  If the right-hand side of the assignment is tainted, then the target on the left-hand side is also tainted. x = document.cookie;  The variable that is assigned a tainted value is not the only object that must be tainted.  Arithmetic and Logic Operation  Javascript is a stack-based language.  First pop the operands from the stack and then push back the result.  The result is tainted if one of the used operands is tainted. 19

Extra - Dynamic Tainting [4/5]  Control Structures and Loops if the condition of a control structure tests a tainted value, a tainted scope is generated that covers the whole control structures. A variable is dynamically tainted only when its value is modified inside a scope during the actual execution of the program  Function Calls If a function is defined in a tainted scope, the function itself (operations, parameters, return value) is also tainted  Eval If eval is called in a tainted scope or if its parameter is tainted, a scope is generated. 20

Extra - Dynamic Tainting [5/5]  Example 21

Extra - Implementation  Extends Mozilla firefox 1.o pre  Two parts for containing tainted data objects  The javascript engine (Spider-Monkey)  Variable, functions, scopes, and objects  DOM tree  location.href, etc  Every time a JavaScript program attempts to transfer sensitive data, a check is performed to determine whether sensitive data is sent to own host 22