1 / 13

Static Detection of Cross-Site Scripting Vulnerabilities

Static Detection of Cross-Site Scripting Vulnerabilities. Gary Wassermann and Zhendong Su. Presented by: Ryan Lehan. What is Cross-Site Scripting (XSS)?.

cyma
Download Presentation

Static Detection of Cross-Site Scripting Vulnerabilities

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Static Detection of Cross-Site Scripting Vulnerabilities Gary Wassermann and Zhendong Su Presented by: Ryan Lehan CSC 682 – Advanced Computer Security

  2. What is Cross-Site Scripting (XSS)? A class of web application vulnerability in which an attacker causes a victim’s web browser to execute Javascript from the attacker with the privileges of a trusted host. CSC 682 – Advanced Computer Security

  3. 3 Main Types of XSS • Stored • Reflected • DOM Based CSC 682 – Advanced Computer Security

  4. 3 Main Types of XSS Stored Occurs when the server stores un-trusted data and later displays it. • Forums • Blogs • Wiki CSC 682 – Advanced Computer Security

  5. 3 Main Types of XSS Reflected Occurs when a server echoes back un-trusted input. • Error Messages • Informative Messages that use input CSC 682 – Advanced Computer Security

  6. 3 Main Types of XSS DOM Based Occurs when reading malicious data from the DOM and dynamically execute the script. CSC 682 – Advanced Computer Security

  7. Causes of XSS Vulnerabilities • Web applications that display un-trusted input. • Web application programming languages provide unsafe default for passing un-trusted input to the client. PHP: If “export globals” is set, then each key in the associative GET, POST, and COOKIE arrays becomes the name of a variable, and its initial value is the value it maps to in the array. CSC 682 – Advanced Computer Security

  8. Detecting XSS Vulnerabilities Static String – Taint Analysis • Static Analysis – Process which analyzes the source code, without the need for program execution. • String Analysis – Process which generates a formal language representation of the possible string values that a program may generate at a certain point. • String - Taint Analysis – Process just like String Analysis but also adds in labels that indicate which substrings come from un-trusted sources CSC 682 – Advanced Computer Security

  9. The Approach Two phase approach to analyze the source code. • Use of String – Taint Analysis to track un-trusted substring values • Use of Context Free Grammars (CFG) to represent sets of string values. • Use of Finite State Transducers (FST) to model the semantics of string operations. • Use of formal language techniques to check for un-trusted scripts. • Creations of black-list policies CSC 682 – Advanced Computer Security

  10. The Approach Phase 1: String – Taint Analysis • Translate output statements into assignments to an added output variable. • Translate the program into static single assignment (SSA) form. • SSA Form - Intermediate representation (IR) in which every variable is assigned exactly once. Existing variables in the original IR are split into versions, new variables typically indicated by the original name with a subscript, so that every definition gets its own version. • This is done so that data dependencies can be encoded. • Creates an extended CFG. • Use of FSTs • Model the string operation semantics. • Produce output on the transitions from state to state. CSC 682 – Advanced Computer Security

  11. The Approach Phase 2: Checking for Un-trusted Scripts • Created a Policy based upon how the Javascript engine is invoked. • Not the string value of the un-trusted Javascript code. • Policy is a black-list. • If it is on the list, then it is evil. • Translated the Policy into a formal language. CSC 682 – Advanced Computer Security

  12. Testing • Can it detect XSS vulnerabilities via static analysis approach? • Found Direct and Indirect XSS vulnerabilities in 7 test subjects. • Direct: Data is directly provided by an un-trusted user. • Indirect: Data comes from a source such as a file or a database where un-trusted data may have entered, but users cannot provide the value directly. • How well does it check manually written input validation code? • Found input validation errors in 5 out of 9 test subjects. • However, it failed to report the errors in two of the test subjects. • Can it scale? • Depends, some larges projects (Claroline – 170Kloc), it was able to finish. But other projects (Phorum – 31Kloc) it was unable due to consecutive use of string functions. CSC 682 – Advanced Computer Security

  13. Conclusion • Positives • Able to detect some XSS vulnerabilities via static analysis. • Use of formal techniques for the detection process. • Checked manually written input validation code. • Negatives • Checked un-trusted values on invoking the Javascript engine only. • Did not scale as well as expected. • Source of creating the policy included documentation of closed source web browsers. • Does not detect DOM based XSS vulnerabilities. CSC 682 – Advanced Computer Security

More Related