FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications

Prateek Saxena*

Steve Hanna*

Pongsin Poosankam‡*

Dawn Song*

* UC Berkeley

‡ Carnegie Mellon University

Client-side Validation (CSV) Vulnerabilities
  • A new class of input validation vulnerabilities
  • Analogous to server-side bugs
    • Unsafe data usage in the client-side JS code
    • Involves data flows
      • Purely client-side, data never sent to server
      • Returned from server, then used in client-side code
Rich Web Applications
  • Lots of JS code
  • Rich cross-domain interaction

[Diagram: four applications, APP 1 to APP 4, with cross-domain interaction between them]
Outline
  • CSV Vulnerability Examples
  • FLAX: Tool and Techniques
    • Challenges & Key Idea
    • Tool Architecture
    • Design
  • Real Attacks and Evaluation Results
  • Related Work & Conclusion
Vulnerability Example (I): Origin Misattribution
  • Cross-domain Communication
    • Example: HTML 5 postMessage

[Diagram: Sender and Receiver frames (facebook.com, cnn.com) communicating via postMessage]
    Legitimate message: Origin: www.facebook.com, Data: “Chatuser: Joe, Msg: Hi”
    Spoofed message: Origin: www.evil.com, Data: “Chatuser: Joe, Msg: onlinepharmacy.com”
Vulnerability Example (II): Code Injection

  • Code/data mixing
  • Dynamic code evaluation
    • eval
    • DOM methods
  • Eval also deserializes objects
    • JSON

[Diagram: Receiver code on facebook.com passes the message to the sink eval (.. + event.data); with attacker-supplied Data: “alert(‘0wned’);”]
Vulnerability Example (III): Application Command Injection
  • Application-specific commands
  • Example: Chat application

[Diagram: chat application page http://chat.com/roomname=nba; the room name read from the URL is “..=nba&cmd=addbuddy&user=evil”, carrying an injected command]
    Application JavaScript, on “Join this room”, builds the request URL http://chat.com?cmd=joinroom&room=nba
    With the injected value the URL becomes http://chat.com?cmd=joinroom&room=nba&cmd=addbuddy&user=evil, sent via XMLHttpReq.open (url) to the application server
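How the request URL above is assembled from the untrusted room name, in the vulnerable form and a hardened one, with a small model of how the server sees the resulting query. Added example, not the slides' or the chat application's code; chat.com and the cmd, room and user parameters come from the slide, everything else is assumed.

```javascript
// Added example (not from the slides): building the chat application's XHR URL
// from a room name. Parameter names follow the slide; the rest is assumed.
const CHAT_BASE = "http://chat.com";

// Vulnerable: the room name is spliced in raw, so "&cmd=..." inside it
// becomes a second, attacker-chosen command for the server.
function joinRoomUrlUnsafe(room) {
  return CHAT_BASE + "?cmd=joinroom&room=" + room;
}

// Hardened: percent-encode the untrusted value so "&" and "=" stay data.
function joinRoomUrlSafe(room) {
  return CHAT_BASE + "?cmd=joinroom&room=" + encodeURIComponent(room);
}

// Model of the server's view of the query string: each key maps to the
// list of values received, so a repeated "cmd" key is visible.
function parseQuery(url) {
  const params = {};
  const query = url.split("?")[1] || "";
  for (const pair of query.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const val = eq < 0 ? "" : decodeURIComponent(pair.slice(eq + 1));
    (params[key] = params[key] || []).push(val);
  }
  return params;
}

// Constructed room name carrying the slide's injected command.
const INJECTED_ROOM = "nba&cmd=addbuddy&user=evil";
```

With the unsafe builder the server receives two cmd values and an unexpected user parameter; with encoding the whole injected string stays inside the single room value.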

Vulnerability Example (IV): Cookie Sink Vulnerabilities
  • Cookies
    • Store session ids, user’s history and preferences
    • Have their own control format, using attributes
  • Can be read/written in JavaScript
  • Attacks
    • Session fixation
    • History and preference data manipulation
    • Cookie attribute manipulation, changes
Summary of Goals
  • Systematic discovery techniques
    • FLAX: An Automatic tool for discovery
    • A new hybrid technique for JavaScript analysis
  • Evaluate prevalence in real code
    • An empirical evaluation of real-world applications
    • Find several unknown CSV vulnerabilities
Outline
  • CSV Vulnerabilities
  • FLAX: Tool and Techniques
    • Challenges & Key Idea
    • Tool Architecture
    • Design
  • Real Attacks and Evaluation Results
  • Related Work & Conclusion
Problem Definition
  • Definition
    • Unsafe usage of untrusted data in a critical sink
  • Systematic discovery of CSV vulnerabilities
  • Two sub-problems
    • Exploring program space
    • Finding bugs in some explored functionality
  • Attacker Model
    • Web attacker (evil.com)
    • User-as-an-attacker
Challenges

End-to-end Web Application Analysis

  • JavaScript complexity
    • Highly dynamic language
    • String-heavy
  • Parsing ops. indistinguishable from validation checks
    • Custom sanity routines are common
  • Hidden server-side logic
    • Assumes no knowledge of the server
    • Handles reflected flows: data flows to server and back
Key Insight
  • Taint-enhanced black-box fuzzing (TEBF)
    • A simple idea
    • Combine benefits of taint-tracking & fuzzing
    • Requires no source code annotations
    • No false positives
  • FLAX: An End-to-end System
    • Simplifies JS first
    • Implements TEBF
    • Handles reflected flow

[Chart: efficiency of finding bugs vs. false positives, plotting black-box fuzzing, syntax-driven fuzzing, purely dynamic taint-tracking, and TEBF; annotation: “using approximate tainting”]
FLAX Tool Design

function acceptor(input)
{
  // Shape the input must reduce to once every literal has been
  // collapsed to "]": an object with exactly two key:value pairs
  var must_match = '{]:],]:]}';
  // JSON escape sequences collapse to "@"
  var re1 = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g;
  // Strings, true/false/null and numbers collapse to "]"
  var re2 = /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g;
  // Array openers following the start, ":" or "," are dropped
  var re3 = /(?:^|:|,)(?:\s*\[)+/g;
  var rep1 = input.replace(re1, "@");
  var rep2 = rep1.replace(re2, "]");
  var rep3 = rep2.replace(re3, "");
  if (rep3 == must_match) { return true; }
  return false;
}

[Diagram: FLAX workflow. Initial Input → JavaScript Program → Execution Trace → Taint-tracking → Acceptor Slice (Source, Transformation Operations, Sink, Path Constraints) → Sink-aware Fuzzer → Exploit?]
FLAX Implementation

[Diagram: JavaScript Interpreter → Taint Engine → Acceptor Slice Generator, all operating on the JASIL execution trace]
    Sample JASIL execution trace:
      X = INPUT[4]
      Y = SubStr(X,0,4)
      Z = (Y==“http”)
      PC = IF (Z) THEN (T) ELSE (NEXT)
Simplifying JavaScript
  • JASIL : Our intermediate language
    • A simple type system
    • Small set of operations
  • Enables string-centric, fine-grained taint tracking on JS
Simplifying JavaScript (II)
  • Benefits of JASIL simplification to taint-tracking
  • Example: Taint semantics for replace are difficult!

    rep1 = INPUT.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@");

[Diagram: emitted JASIL instructions for this replace. INPUT is cut into its unmatched pieces with subString, each match R is converted to the constant "@", and the pieces and "@" constants are concatenated into OUTPUT]
Outline
  • CSV Vulnerabilities
  • FLAX: Tool and Techniques
    • Challenges & Key Idea
    • Tool Architecture
    • Design
  • Attacks and Evaluation Results
  • Related Work & Conclusion
Evaluation
  • 40 Subjects
    • iGoogle gadgets
    • AJAX applications and web sites
  • Setup
    • Untrusted sources
      • All cross-domain channels
      • Text boxes
    • Critical sinks
      • Code evaluation constructs
      • XHR url data
      • Cookies
Results (I)
  • Summary
    • Taint observed in 18 / 40 subjects
    • FLAX found 11 previously unknown vulnerabilities
  • Examples
    • Origin Misattribution leading to XSS in Facebook Connect
    • Gadget Overwriting Attacks on Google/IG
    • Application Command Injection on AjaxIM
    • Code injection and cookie attribute manipulation via cookie sinks
Example Attacks: Gadget Overwriting

[Screenshot: iGoogle page with a legitimate URL bar but a compromised gadget whose contents have been overwritten, reached via an attack link to the iGoogle page]
Effectiveness
  • Character-level precise taint-tracking helps fuzzing
  • Reduction in input sizes
Effectiveness (II)
  • Reduction in false positives, TEBF vs. pure taint-tracking
Conclusion
  • A new class of vulnerabilities: CSV
  • Example attacks
  • A systematic discovery tool: FLAX
    • No annotations, no false positives
    • Employs a simple TEBF technique
    • Robust analysis using JASIL
  • CSV vulnerabilities are actually prevalent today
    • Found 11 previously unknown vulns
    • Demonstrate proof-of-concept exploits
Contact
  • Contact:
    • Prateek Saxena (prateeks@cs.berkeley.edu)
  • Please visit our project web site
    • http://webblaze.cs.berkeley.edu

THANKS FOR LISTENING