FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications PowerPoint PPT Presentation



FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications . Prateek Saxena *. Steve Hanna *. Pongsin Poosankam ‡*. Dawn Song *. * UC Berkeley. ‡ Carnegie Mellon University. Client-side Validation(CSV) Vulnerabilities.


Presentation Transcript



FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications

Prateek Saxena*

Steve Hanna*

Pongsin Poosankam‡*

Dawn Song*

* UC Berkeley

‡ Carnegie Mellon University



Client-side Validation (CSV) Vulnerabilities

  • A new class of input validation vulnerabilities

  • Analogous to server-side bugs

    • Unsafe data usage in the client-side JS code

    • Involves data flows

      • Purely client-side, data never sent to server

      • Returned from server, then used in client-side code



Rich Web Applications

  • Lots of JS code

  • Rich cross-domain interaction

[Figure: four applications (APP 1 to APP 4) interacting with each other across domains.]



Outline

  • CSV Vulnerability Examples

  • FLAX: Tool and Techniques

    • Challenges & Key Idea

    • Tool Architecture

    • Design

  • Real Attacks and Evaluation Results

  • Related Work & Conclusion



Vulnerability Example (I): Origin Misattribution

  • Cross-domain Communication

    • Example: HTML 5 postMessage

[Figure: cross-domain postMessage between a sender on facebook.com and a receiver on cnn.com. The legitimate message carries Origin: www.facebook.com and Data: “Chatuser: Joe, Msg: Hi”; the attacker's message carries Origin: www.evil.com and Data: “Chatuser: Joe, Msg: onlinepharmacy.com”. A receiver that does not check the origin treats both alike.]



Vulnerability Example (II): Code Injection


  • Code/data mixing

  • Dynamic code evaluation

    • eval

    • DOM methods

  • Eval also deserializes objects

    • JSON

[Figure: a receiver on facebook.com runs eval(.. + event.data) on an incoming message whose Data is “alert(‘0wned’);”, so the message data is executed as code.]
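The receiver side of examples (I) and (II), as an added example that is not code from the FLAX authors or from any application the talk evaluated: the vulnerable handler beside a hardened one, written against a plain {origin, data} object so it runs outside a browser. The trusted origin and the chatuser/msg field names are assumptions.

```javascript
// Added example (not from the FLAX paper or any app it evaluated): the
// receiver side of vulnerability examples (I) and (II), written against a
// plain {origin, data} object so it runs outside a browser. In a page it
// would be registered with window.addEventListener("message", handler).
// The trusted origin below is a constructed placeholder.

// Vulnerable: no origin check (misattribution) and the payload is fed to
// eval (code injection). Any frame able to postMessage to this window
// decides what code runs here.
function receiverVulnerable(event) {
  return eval("(" + event.data + ")");
}

// Hardened: exact-match the full origin against an allowlist, parse the
// payload as data only, then validate its shape before using it.
const TRUSTED_ORIGINS = new Set(["https://www.facebook.com"]);  // assumption

function receiverHardened(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;   // drop spoofed senders
  let msg;
  try {
    msg = JSON.parse(event.data);                        // data, never code
  } catch (e) {
    return null;                                         // e.g. "alert('0wned');"
  }
  if (msg === null || typeof msg !== "object") return null;
  if (typeof msg.chatuser !== "string" || typeof msg.msg !== "string") return null;
  return { chatuser: msg.chatuser, msg: msg.msg };       // copy only known fields
}

// Constructed sample events mirroring the slide
const legit = { origin: "https://www.facebook.com",
                data: '{"chatuser":"Joe","msg":"Hi"}' };
const spoofed = { origin: "https://www.evil.com",
                  data: '{"chatuser":"Joe","msg":"onlinepharmacy.com"}' };
const codeAsData = { origin: "https://www.facebook.com", data: "alert('0wned');" };
```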



Vulnerability Example (III): Application Command Injection

  • Application-specific commands

  • Example: Chat application

[Figure: chat application flow. The user clicks “Join this room” on http://chat.com/roomname=nba; the application JavaScript builds http://chat.com?cmd=joinroom&room=nba and calls XMLHttpReq.open(url) to send it to the application server. With the injected command “..=nba&cmd=addbuddy&user=evil” in the room name, the URL sent becomes http://chat.com?cmd=joinroom&room=nba&cmd=addbuddy&user=evil.]



Vulnerability Example (IV): Cookie Sink Vulnerabilities

  • Cookies

    • Store session ids, user’s history and preferences

    • Have their own control format, using attributes

  • Can be read/written in JavaScript

  • Attacks

    • Session fixation

    • History and preference data manipulation

    • Manipulation of cookie attributes
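The two structured sinks from examples (III) and (IV), the XHR URL and the cookie string, as one added example that is not AjaxIM's code or FLAX's: each sink has its own grammar, so the vulnerable splice is shown beside a version that validates and encodes for that grammar. chat.com is the placeholder host from the slides; the cookie helpers return the string that would be assigned to document.cookie, and the room-name pattern and the pref cookie name are assumptions.

```javascript
// Added example, not AjaxIM's or FLAX's code: untrusted data reaching the two
// structured sinks from examples (III) and (IV), the XHR URL and the cookie
// string. chat.com is the slide's placeholder host; cookie helpers return the
// string that would be assigned to document.cookie so this runs under Node.

// (III) Vulnerable: the room name is spliced into the query verbatim, so a
// room such as "nba&cmd=addbuddy&user=evil" smuggles a second command.
function joinRoomUrlVulnerable(room) {
  return "http://chat.com/?cmd=joinroom&room=" + room;
}

// Hardened: validate the room name against the grammar the application
// expects (assumed pattern), then let URLSearchParams encode it so '&' and
// '=' stay literal characters of the value.
function joinRoomUrl(room) {
  if (!/^[A-Za-z0-9_-]{1,32}$/.test(room)) return null;   // reject, don't repair
  const u = new URL("http://chat.com/");
  u.searchParams.set("cmd", "joinroom");
  u.searchParams.set("room", room);
  return u.toString();
}

// What a server-side parser sees: every "cmd" value carried by the URL.
function commandsIn(url) {
  return new URL(url).searchParams.getAll("cmd");
}

// (IV) Vulnerable: a ';' inside the value ends it and starts attacker-chosen
// cookie attributes (path, domain, expires, ...).
function prefCookieVulnerable(value) {
  return "pref=" + value + "; path=/";
}

// Hardened: percent-encode the value so ';', '=' and whitespace cannot reach
// the attribute grammar; the attributes stay fixed by the application.
function prefCookie(value) {
  return "pref=" + encodeURIComponent(value) + "; path=/";
}

// Split a cookie string into its value and its attribute list.
function cookieValue(cookie) {
  return cookie.split(";")[0].split("=").slice(1).join("=");
}
function cookieAttrs(cookie) {
  return cookie.split(";").slice(1).map((a) => a.trim());
}
```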



Summary of Goals

  • Systematic discovery techniques

    • FLAX: An automatic tool for discovery

    • A new hybrid technique for JavaScript analysis

  • Evaluate prevalence in real code

    • An empirical evaluation of real-world applications

    • Find several unknown CSV vulnerabilities



Outline

  • CSV Vulnerabilities

  • FLAX: Tool and Techniques

    • Challenges & Key Idea

    • Tool Architecture

    • Design

  • Real Attacks and Evaluation Results

  • Related Work & Conclusion



Problem Definition

  • Definition

    • Unsafe usage of untrusted data in a critical sink

  • Systematic discovery of CSV vulnerabilities

  • Two sub-problems

    • Exploring program space

    • Finding bugs in some explored functionality

  • Attacker Model

    • Web attacker (evil.com)

    • User-as-an-attacker



Challenges

End-to-end Web Application Analysis

  • JavaScript complexity

    • Highly dynamic language

    • String-heavy

  • Parsing operations are indistinguishable from validation checks

    • Custom sanity routines are common

  • Hidden server-side logic

    • Assumes no knowledge of the server

    • Handles reflected flows: data flows to server and back



Key Insight

  • Taint-enhanced black-box fuzzing (TEBF)

    • A simple idea

    • Combine benefits of taint-tracking & fuzzing

    • Requires no source code annotations

    • No false positives

  • FLAX: An End-to-end System

    • Simplifies JS first

    • Implements TEBF

    • Handles reflected flow using approximate tainting

[Figure: comparison chart of purely dynamic techniques. Axes: efficiency of finding bugs versus false positives. Plotted: taint-tracking, black-box fuzzing, syntax-driven fuzzing, and TEBF.]



FLAX Tool Design

    function acceptor(input) {
      // Shape the input must have after the three rewrites below; it is
      // derived from the initial input (an object with two string members)
      var must_match = '{]:],]:]}';
      // re1: collapse JSON escape sequences to "@"
      var re1 = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g;
      // re2: collapse string, boolean, null and number tokens to "]"
      var re2 = /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g;
      // re3: drop array openers that follow the start, ':' or ','
      var re3 = /(?:^|:|,)(?:\s*\[)+/g;
      var rep1 = input.replace(re1, "@");
      var rep2 = rep1.replace(re2, "]");
      var rep3 = rep2.replace(re3, "");
      if (rep3 == must_match) { return true; }
      return false;
    }

[Figure: FLAX tool design. An initial input drives the JavaScript program; taint-tracking over the execution trace produces an acceptor slice consisting of the source, the transformation operations, the path constraints and the sink. The sink-aware fuzzer takes the acceptor slice and the initial input and asks whether an exploit exists.]



FLAX Implementation

[Figure: FLAX implementation. A JavaScript interpreter with a taint engine emits a JASIL execution trace, which the acceptor slice generator consumes. Example JASIL trace:]

    X = INPUT[4]
    Y = SubStr(X, 0, 4)
    Z = (Y == “http”)
    PC = IF (Z) THEN (T) ELSE (NEXT)



Simplifying JavaScript

  • JASIL : Our intermediate language

    • A simple type system

    • Small set of operations

  • Enables string-centric, fine-grained taint tracking on JS



Simplifying JavaScript (II)

  • Benefits of JASIL simplification to taint-tracking

  • Example: Taint semantics for replace are difficult!

rep1 = INPUT.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@");

[Figure: the replace above is emitted as JASIL instructions. Each unmatched span of INPUT becomes a subString, each match R is converted to the literal “@”, and the pieces are joined by concat into OUTPUT.]
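Character-level taint tracking through the replace call above, as an added example that is not JASIL or FLAX code: it models the decomposition the slide describes (subString for unmatched spans, convert for each match, concat to join) and applies re1 from the acceptor on the FLAX Tool Design slide to a constructed JSON fragment. The function and field names are assumptions; only global regexes with a string replacement are modelled.

```javascript
// Added example (not JASIL or FLAX code): character-level taint tracking
// through String.prototype.replace, following the decomposition the slide
// describes: unmatched spans are copied with their taint bits (subString),
// each match becomes the untainted replacement literal (convert), and the
// pieces are joined (concat). A tainted string is {text, taint[]}.

function fromUntrustedSource(text) {          // source: every char tainted
  return { text, taint: new Array(text.length).fill(true) };
}

function fromProgramText(text) {              // literal: nothing tainted
  return { text, taint: new Array(text.length).fill(false) };
}

// Only global regexes with a string replacement are modelled here.
function taintedReplace(ts, re, literal) {
  if (!re.global) throw new Error("example assumes a /g regex");
  const rep = fromProgramText(literal);
  const parts = [];
  let last = 0, m;
  re.lastIndex = 0;
  while ((m = re.exec(ts.text)) !== null) {
    parts.push(subString(ts, last, m.index));  // unmatched prefix keeps taint
    parts.push(rep);                           // convert: match -> literal
    last = m.index + m[0].length;
    if (m[0].length === 0) re.lastIndex++;     // do not loop on an empty match
  }
  parts.push(subString(ts, last, ts.text.length));
  return concat(parts);
}

function subString(ts, from, to) {
  return { text: ts.text.slice(from, to), taint: ts.taint.slice(from, to) };
}

function concat(parts) {
  return { text: parts.map((p) => p.text).join(""),
           taint: parts.flatMap((p) => p.taint) };
}

// Characters that would still be attacker-controlled when they reach a sink.
function taintedChars(ts) {
  return [...ts.text].filter((_, i) => ts.taint[i]).join("");
}

// re1 from the acceptor on the page, applied to a constructed JSON fragment.
const re1 = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g;
const rep1 = taintedReplace(fromUntrustedSource('"a\\nb\\u0041"'), re1, "@");
```

After the call, rep1.text is '"a@b@"' and only the two "@" characters are untainted, which is exactly the per-character information a whole-string taint bit cannot express.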



Outline

  • CSV Vulnerabilities

  • FLAX: Tool and Techniques

    • Challenges & Key Idea

    • Tool Architecture

    • Design

  • Attacks and Evaluation Results

  • Related Work & Conclusion



Evaluation

  • 40 Subjects

    • iGoogle gadgets

    • AJAX applications and web sites

  • Setup

    • Untrusted sources

      • All cross-domain channels

      • Text boxes

    • Critical sinks

      • Code evaluation constructs

      • XHR url data

      • Cookies



Results (I)

  • Summary

    • Taint observed in 18 / 40 subjects

    • FLAX found 11 previously unknown vulnerabilities

  • Examples

    • Origin Misattribution leading to XSS in Facebook Connect

    • Gadget Overwriting Attacks on Google/IG

    • Application Command Injection on AjaxIM

    • Code injection and cookie attribute manipulation via cookie sinks



Example Attacks: Gadget Overwriting

[Figure: screenshot of an iGoogle page reached through an attack link. The URL bar is legitimate, but the gadget has been compromised and its contents overwritten.]



Effectiveness

  • Character-level precise taint-tracking helps fuzzing

  • Reduction in input sizes



Effectiveness (II)

  • Reduction in false positives, TEBF vs. pure taint-tracking



Conclusion

  • A new class of vulnerabilities: CSV

  • Example attacks

  • A systematic discovery tool: FLAX

    • No annotations, no false positives

    • Employs a simple TEBF technique

    • Robust analysis using JASIL

  • CSV vulnerabilities are actually prevalent today

    • Found 11 previously unknown vulnerabilities

    • Demonstrate proof-of-concept exploits



Contact

  • Contact:

    • PrateekSaxena ([email protected])

  • Please visit our project web site

    • http://webblaze.cs.berkeley.edu

Thanks for listening
