
FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications



Presentation Transcript


  1. FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications
  Prateek Saxena*, Steve Hanna*, Pongsin Poosankam‡*, Dawn Song*
  * UC Berkeley, ‡ Carnegie Mellon University

  2. Client-side Validation (CSV) Vulnerabilities
  • A new class of input validation vulnerabilities
  • Analogous to server-side bugs
  • Unsafe data usage in the client-side JS code
  • Involves data flows
    • Purely client-side: data never sent to the server
    • Returned from the server, then used in client-side code

  3. Rich Web Applications
  • Lots of JS code
  • Rich cross-domain interaction
  [Figure: four applications (APP 1, APP 2, APP 3, APP 4) interacting across domains]

  4. Outline
  • CSV Vulnerability Examples
  • FLAX: Tool and Techniques
    • Challenges & Key Idea
    • Tool Architecture
    • Design
  • Real Attacks and Evaluation Results
  • Related Work & Conclusion

  5. Vulnerability Example (I): Origin Misattribution
  • Cross-domain communication
  • Example: HTML 5 postMessage
  [Figure: sender facebook.com sends a postMessage to receiver cnn.com]
    Origin: www.facebook.com, Data: "Chatuser: Joe, Msg: Hi"
    Origin: www.evil.com, Data: "Chatuser: Joe, Msg: onlinepharmacy.com"

  6. Vulnerability Example (II): Code Injection
  • Code/data mixing
  • Dynamic code evaluation
    • eval
    • DOM methods
  • Eval also deserializes objects
    • JSON
  [Figure: receiver (facebook.com) runs eval(.. + event.data); Data: "alert('0wned');"]

  7. Vulnerability Example (III): Application Command Injection
  • Application-specific commands
  • Example: Chat application
  [Figure: the "Join this room" link http://chat.com/roomname=nba is turned by the application JavaScript into http://chat.com?cmd=joinroom&room=nba and sent to the application server via XMLHttpReq.open(url); with the injected command "..=nba&cmd=addbuddy&user=evil" the request becomes http://chat.com?cmd=joinroom&room=nba&cmd=addbuddy&user=evil]
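The three patterns on slides 5 to 7 (trusting the data's claimed sender, passing event.data to eval, and building the XHR URL by string concatenation) each have a direct defensive counterpart. The following is an added example, not code from the FLAX paper or from the chat application the slides sketch; the allowed origin, the chat.com URL and the cmd/room parameter names are assumptions taken from the slides' hypothetical scenario.

```javascript
// Added example (not from the FLAX paper): a postMessage receiver hardened
// against the three CSV patterns on slides 5-7. ALLOWED_ORIGINS, the chat.com
// URL and the cmd/room parameters are assumptions from the slides' scenario.
const ALLOWED_ORIGINS = new Set(['https://www.facebook.com']);

// Slide 5: compare event.origin against an allow-list instead of trusting
// whatever sender the message body claims.
// Slide 6: deserialise with JSON.parse, never eval(event.data).
function parseChatMessage(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: 'untrusted origin: ' + event.origin };
  }
  let msg;
  try {
    msg = JSON.parse(event.data);          // data, not code
  } catch (e) {
    return { ok: false, reason: 'malformed JSON' };
  }
  // Schema check: only the fields the application expects, as strings.
  if (typeof msg !== 'object' || msg === null ||
      typeof msg.chatuser !== 'string' || typeof msg.room !== 'string') {
    return { ok: false, reason: 'unexpected shape' };
  }
  return { ok: true, msg };
}

// Slide 7: the room name is one query parameter and must not be able to
// smuggle in a second cmd pair. URLSearchParams percent-encodes '&' and '='
// so the server sees exactly one cmd and one room.
function buildJoinRoomUrl(room) {
  const url = new URL('http://chat.com/');
  url.searchParams.set('cmd', 'joinroom');
  url.searchParams.set('room', room);
  return url.toString();
}
```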

  8. Vulnerability Example (IV): Cookie Sink Vulnerabilities
  • Cookies
    • Store session ids, user's history and preferences
    • Have their own control format, using attributes
    • Can be read/written in JavaScript
  • Attacks
    • Session fixation
    • History and preference data manipulation
    • Cookie attribute manipulation, changes

  9. Summary of Goals
  • Systematic discovery techniques
    • FLAX: an automatic tool for discovery
    • A new hybrid technique for JavaScript analysis
  • Evaluate prevalence in real code
    • An empirical evaluation of real-world applications
    • Find several unknown CSV vulnerabilities

  10. Outline
  • CSV Vulnerabilities
  • FLAX: Tool and Techniques
    • Challenges & Key Idea
    • Tool Architecture
    • Design
  • Real Attacks and Evaluation Results
  • Related Work & Conclusion

  11. Problem Definition
  • Definition
    • Unsafe usage of untrusted data in a critical sink
  • Systematic discovery of CSV vulnerabilities
    • Two sub-problems
      • Exploring the program space
      • Finding bugs in some explored functionality
  • Attacker Model
    • Web attacker (evil.com)
    • User-as-an-attacker

  12. Challenges: End-to-end Web Application Analysis
  • JavaScript complexity
    • Highly dynamic language
    • String-heavy
    • Parsing ops. indistinguishable from validation checks
    • Custom sanity routines are common
  • Hidden server-side logic
    • Assumes no knowledge of the server
    • Handles reflected flows: data flows to the server and back

  13. Key Insight
  • Taint-enhanced black-box fuzzing (TEBF)
    • A simple idea
    • Combine benefits of taint-tracking & fuzzing
    • Requires no source code annotations
    • No false positives
  • FLAX: An End-to-end System
    • Simplifies JS first
    • Implements TEBF
    • Handles reflected flow using approximate tainting
  [Figure: TEBF plotted against purely dynamic taint-tracking, syntax-driven fuzzing and black-box fuzzing on two axes, efficiency of finding bugs vs. false positives]

  14. FLAX Tool Design
  Example acceptor (the validation slice FLAX extracts; the input is accepted only if the three rewrites reduce it exactly to must_match):

    function acceptor(input) {
      must_match = '{]:],]:]}';
      re1 = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g;                 // JSON escape sequences -> "@"
      re2 = /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g;  // string/number/literal tokens -> "]"
      re3 = /(?:^|:|,)(?:\s*\[)+/g;                                 // array openers are dropped
      rep1 = input.replace(re1, "@");
      rep2 = rep1.replace(re2, "]");
      rep3 = rep2.replace(re3, "");
      if (rep3 == must_match) { return true; }
      return false;
    }

  [Figure: Initial Input -> JavaScript Program -> Execution Trace -> Taint-tracking -> Acceptor Slice (Source, Transformation Operations, Path Constraints, Sink) -> Sink-aware Fuzzer -> Exploit?]

  15. FLAX Implementation
  [Figure: JavaScript Interpreter -> JASIL Execution Trace -> Taint Engine -> Acceptor Slice Generator]
  Example JASIL trace:
    X = INPUT[4]
    Y = SubStr(X, 0, 4)
    Z = (Y == "http")
    PC = IF (Z) THEN (T) ELSE (NEXT)

  16. Simplifying JavaScript
  • JASIL: our intermediate language
    • A simple type system
    • Small set of operations
  • Enables string-centric, fine-grained taint tracking on JS

  17. Simplifying JavaScript (II)
  • Benefits of JASIL simplification to taint-tracking
  • Example: taint semantics for replace are difficult!
    rep1 = INPUT.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@");
  [Figure: emitted JASIL instructions: INPUT -> subString -> R; "@" -> convert -> @; concat(R, @, R, @, ...) -> OUTPUT]
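To make slide 17's decomposition concrete, here is an added example (not FLAX's JASIL implementation) that tracks taint per character through replace by splitting it into subString, convert and concat as the slide describes, then runs slide 14's acceptor on a tainted input to show which characters of the final string are still attacker-controlled at the comparison. The cell representation and the names RE1..RE3, MUST_MATCH and acceptorTrace are my own.

```javascript
// Added example (not FLAX's code): character-level taint through replace,
// modelled on slide 17's JASIL decomposition, applied to slide 14's acceptor.
// A taint-tracked string is an array of {ch, tainted} cells.
function taintString(s, tainted) {
  return Array.from(s, ch => ({ ch, tainted }));
}
function render(ts) { return ts.map(c => c.ch).join(''); }
// 'T' marks an attacker-controlled character, '.' a program-supplied one.
function taintMask(ts) { return ts.map(c => (c.tainted ? 'T' : '.')).join(''); }

// replace = for each match: subString of the input (taint preserved), then
// the replacement literal (convert: untainted), all concatenated in order.
function taintReplace(ts, re, replacement) {
  const text = render(ts);
  const out = [];
  let pos = 0;
  for (const m of text.matchAll(re)) {            // re must carry the /g flag
    out.push(...ts.slice(pos, m.index));           // subString: taint kept
    out.push(...taintString(replacement, false));  // convert: literal, untainted
    pos = m.index + m[0].length;
  }
  out.push(...ts.slice(pos));                      // concat the untouched tail
  return out;
}

// Slide 14's acceptor, run on a fully tainted input. Returns the verdict, the
// string compared against must_match, and its per-character taint mask.
const RE1 = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g;
const RE2 = /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g;
const RE3 = /(?:^|:|,)(?:\s*\[)+/g;
const MUST_MATCH = '{]:],]:]}';

function acceptorTrace(input) {
  const rep1 = taintReplace(taintString(input, true), RE1, '@');
  const rep2 = taintReplace(rep1, RE2, ']');
  const rep3 = taintReplace(rep2, RE3, '');
  return {
    accepted: render(rep3) === MUST_MATCH,
    result: render(rep3),
    mask: taintMask(rep3),
  };
}
```

For a two-field object such as {"u":"joe","m":"hi"} the acceptor passes and only the structural characters { : , } of the compared string remain tainted, which is exactly the information a sink-aware fuzzer needs to confine its mutations to the positions the acceptor still lets through.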

  18. Outline
  • CSV Vulnerabilities
  • FLAX: Tool and Techniques
    • Challenges & Key Idea
    • Tool Architecture
    • Design
  • Attacks and Evaluation Results
  • Related Work & Conclusion

  19. Evaluation
  • 40 subjects
    • iGoogle gadgets
    • AJAX applications and web sites
  • Setup
    • Untrusted sources
      • All cross-domain channels
      • Text boxes
    • Critical sinks
      • Code evaluation constructs
      • XHR URL data
      • Cookies

  20. Results (I)
  • Summary
    • Taint observed in 18 / 40 subjects
    • FLAX found 11 previously unknown vulnerabilities
  • Examples
    • Origin misattribution leading to XSS in Facebook Connect
    • Gadget overwriting attacks on Google/IG
    • Application command injection on AjaxIM
    • Code injection and cookie attribute manipulation via cookie sinks

  21. Example Attacks: Gadget Overwriting
  [Figure: screenshot of a legitimate URL bar above a compromised gadget with overwritten contents; <Attack Link to IGoogle page>]

  22. Effectiveness
  • Character-level precise taint-tracking helps fuzzing
  • Reduction in input sizes

  23. Effectiveness (II)
  • Reduction in false positives, TEBF vs. pure taint-tracking

  24. Conclusion
  • A new class of vulnerabilities: CSV
    • Example attacks
  • A systematic discovery tool: FLAX
    • No annotations, no false positives
    • Employs a simple TEBF technique
    • Robust analysis using JASIL
  • CSV vulnerabilities are actually prevalent today
    • Found 11 previously unknown vulns
    • Demonstrated proof-of-concept exploits

  25. Contact
  • Prateek Saxena (prateeks@cs.berkeley.edu)
  • Please visit our project web site: http://webblaze.cs.berkeley.edu
  THANKS FOR LISTENING
