Static Detection of Cross-Site Scripting Vulnerabilities


1 Static Detection of Cross-Site Scripting Vulnerabilities
Gary Wassermann and Zhendong Su
Presented by: Ryan Lehan
6/3/2018 CSC 682 – Advanced Computer Security

2 What is Cross-Site Scripting (XSS)?
A class of web application vulnerability in which an attacker causes a victim's web browser to execute JavaScript from the attacker with the privileges of a trusted host.

3 Three Main Types of XSS
  Stored
  Reflected
  DOM Based

4 Stored (Three Main Types of XSS)
Occurs when the server stores untrusted data and later displays it. Examples:
  Forums
  Blogs
  Wikis

5 Reflected (Three Main Types of XSS)
Occurs when a server echoes back untrusted input. Examples:
  Error messages
  Informative messages that use the input

6 DOM Based (Three Main Types of XSS)
Occurs when the page reads malicious data from the DOM and dynamically executes it as script.

7 Causes of XSS Vulnerabilities
Web applications that display untrusted input.
Web application programming languages provide unsafe defaults for passing untrusted input to the client.
  PHP: if "export globals" is set, then each key in the associative GET, POST, and COOKIE arrays becomes the name of a variable, and its initial value is the value it maps to in the array.

8 Detecting XSS Vulnerabilities
Static String-Taint Analysis
  Static Analysis: a process which analyzes the source code without executing the program.
  String Analysis: a process which generates a formal language representation of the possible string values that a program may generate at a certain point.
  String-Taint Analysis: the same as String Analysis, but it also adds labels that indicate which substrings come from untrusted sources.

9 The Approach
Two-phase approach to analyze the source code.
  Use of String-Taint Analysis to track untrusted substring values.
  Use of Context-Free Grammars (CFG) to represent sets of string values.
  Use of Finite State Transducers (FST) to model the semantics of string operations.
  Use of formal language techniques to check for untrusted scripts.
  Creation of black-list policies.

10 The Approach, Phase 1: String-Taint Analysis
Translate output statements into assignments to an added output variable.
Translate the program into static single assignment (SSA) form.
  SSA form: an intermediate representation (IR) in which every variable is assigned exactly once. Existing variables in the original IR are split into versions (new variables, typically indicated by the original name with a subscript), so that every definition gets its own version. This is done so that data dependencies can be encoded.
Creates an extended CFG.
Use of FSTs:
  Model the string operation semantics.
  Produce output on the transitions from state to state.

11 The Approach, Phase 2: Checking for Untrusted Scripts
Created a policy based upon how the JavaScript engine is invoked, not on the string value of the untrusted JavaScript code.
The policy is a black-list: if it is on the list, then it is evil.
Translated the policy into a formal language.
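The two phases from slides 8 to 11, run over a three-line PHP-style program, as an added example that is not the authors' tool: string values are lists of segments carrying taint labels, htmlspecialchars is modelled as a transducer that removes characters from what an untrusted segment can produce, and the phase 2 policy is a small black-list keyed by output context. The context names and pattern lists are assumptions chosen for the illustration.

```python
import string

# Constructed illustration of the two phases on the slides, not the authors'
# tool. A value is a list of segments (text, producible, tainted): a constant
# carries its text; an untrusted segment stands for any string over the
# characters in `producible` (Sigma* until a sanitizer removes some).
PRINTABLE = frozenset(string.printable)

def untrusted():                      # read from $_GET / $_POST / $_COOKIE
    return [("<any>", PRINTABLE, True)]

def const(text):                      # string literal in the program
    return [(text, frozenset(text), False)]

def concat(*values):                  # PHP '.' on SSA versions of variables
    return [seg for v in values for seg in v]

def htmlspecialchars(value):
    """FST model of htmlspecialchars: < > " & become entities, so a tainted
    segment can no longer produce them; constants are rewritten concretely."""
    table = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}
    out = []
    for text, producible, tainted in value:
        if tainted:
            out.append((text, producible - set(table), True))
        else:
            new = "".join(table.get(c, c) for c in text)
            out.append((new, frozenset(new), False))
    return out

# Phase 2 black-list (assumed, illustrative): substrings that hand untrusted
# data to the script engine, keyed by the output context the segment lands in.
POLICY = {"html_body": ["<script", "<img"], "url_attr": ["javascript:"]}

def check(value, context):
    """(segment index, pattern) for each tainted segment whose producible alphabet
    can spell a black-listed pattern: tainted language meets policy language."""
    return [(i, p) for i, (_, producible, tainted) in enumerate(value)
            if tainted for p in POLICY[context] if set(p) <= producible]

def analyze_example():
    """Straight-line program in SSA form: every variable assigned once."""
    name = untrusted()                                    # $name = $_GET['name'];
    safe = htmlspecialchars(name)                         # $safe = htmlspecialchars($name);
    out_1 = concat(const("<p>Hello, "), name, const("</p>"))       # raw echo
    out_2 = concat(const("<p>Hello, "), safe, const("</p>"))       # escaped echo
    out_3 = concat(const('<a href="'), safe, const('">home</a>'))  # escaped, in a URL
    return {"raw_body": check(out_1, "html_body"),        # reported
            "escaped_body": check(out_2, "html_body"),    # clean: '<' not producible
            "escaped_url": check(out_3, "url_attr")}      # reported: javascript: survives
```

The third case shows why the policy is keyed by how the engine is invoked rather than by the string value alone: the same escaped segment is clean in the body context and still reported inside a URL attribute.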

12 Testing
Can it detect XSS vulnerabilities via a static analysis approach?
  Found direct and indirect XSS vulnerabilities in 7 test subjects.
  Direct: data is directly provided by an untrusted user.
  Indirect: data comes from a source such as a file or a database where untrusted data may have entered, but users cannot provide the value directly.
How well does it check manually written input validation code?
  Found input validation errors in 5 out of 9 test subjects. However, it failed to report the errors in two of the test subjects.
Can it scale?
  It depends: on some large projects (Claroline, 170 KLOC) it was able to finish, but on other projects (Phorum, 31 KLOC) it was unable to, due to consecutive use of string functions.

13 Conclusion
Positives
  Able to detect some XSS vulnerabilities via static analysis.
  Use of formal techniques for the detection process.
  Checked manually written input validation code.
Negatives
  Checked untrusted values only at the point where the JavaScript engine is invoked.
  Did not scale as well as expected.
  The sources used to create the policy included documentation of closed-source web browsers.
  Does not detect DOM-based XSS vulnerabilities.
