FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications
Prateek Saxena*, Steve Hanna*, Pongsin Poosankam‡*, Dawn Song*
* UC Berkeley; ‡ Carnegie Mellon University
Client-side Validation (CSV) Vulnerabilities
• A new class of input validation vulnerabilities
  • Analogous to server-side bugs
• Unsafe data usage in the client-side JS code
• Involves data flows
  • Purely client-side: data never sent to server
  • Returned from server, then used in client-side code
Rich Web Applications
• Lots of JS code
• Rich cross-domain interaction
[Figure: four interacting applications, APP 1 to APP 4]
Outline
• CSV Vulnerability Examples
• FLAX: Tool and Techniques
  • Challenges & Key Idea
  • Tool Architecture
  • Design
• Real Attacks and Evaluation Results
• Related Work & Conclusion
Vulnerability Example (I): Origin Misattribution
• Cross-domain communication
• Example: HTML5 postMessage
[Figure: sender (facebook.com) posts a message to receiver (cnn.com) via postMessage]
  Origin: www.facebook.com, Data: "Chatuser: Joe, Msg: Hi"
  Origin: www.evil.com, Data: "Chatuser: Joe, Msg: onlinepharmacy.com"
Vulnerability Example (II): Code Injection
• Code/data mixing
• Dynamic code evaluation
  • eval
  • DOM methods
• eval also deserializes objects
  • JSON
[Figure: receiver on facebook.com runs eval(.. + event.data); with Data: "alert('0wned');"]
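The receiver from Examples I and II, as an added example (not code from the FLAX paper): a handler that skips the origin check and eval()s the data, beside a hardened one. The trusted origin, the function names and both messages are constructed for the example.

```javascript
// Added example (not from the FLAX paper): a postMessage receiver that skips
// the origin check and eval()s the data (Examples I and II), beside a
// hardened receiver. The trusted origin and both messages are constructed.
const TRUSTED_ORIGIN = "https://www.facebook.com"; // assumed sender

// Vulnerable: the origin is never checked, and eval() turns whatever data
// arrives into code running in the receiver's page.
function receiveVulnerable(event) {
  return eval("(" + event.data + ")");
}

// Hardened: exact origin comparison (not indexOf or a loose regex), then a
// parser that accepts data only and throws on anything that is not JSON.
function receiveHardened(event) {
  if (event.origin !== TRUSTED_ORIGIN) return null; // fixes misattribution
  try {
    return JSON.parse(event.data);
  } catch (e) {
    return null; // code injection attempts never reach eval
  }
}

// Constructed messages: a benign chat message and an injected payload that
// records whether it was executed.
const benign = { origin: TRUSTED_ORIGIN, data: '{"chatuser":"Joe","msg":"Hi"}' };
const hostile = {
  origin: "https://www.evil.com",
  data: "({chatuser:'Joe', msg: (globalThis.injected = 'code ran')})",
};

if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => receiveHardened(e));
}
```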
Vulnerability Example (III): Application Command Injection
• Application-specific commands
• Example: Chat application
[Figure: the user clicks "Join this room" for http://chat.com/roomname=nba; the application JavaScript calls XMLHttpReq.open(url) with http://chat.com?cmd=joinroom&room=nba, which goes to the application server]
  Injected command "..=nba&cmd=addbuddy&user=evil" yields http://chat.com?cmd=joinroom&room=nba&cmd=addbuddy&user=evil
Vulnerability Example (IV): Cookie Sink Vulnerabilities
• Cookies
  • Store session ids, user's history and preferences
  • Have their own control format, using attributes
  • Can be read/written in JavaScript
• Attacks
  • Session fixation
  • History and preference data manipulation
  • Cookie attribute manipulation, changes
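The XHR-URL sink of Example III and the cookie sink of Example IV, as an added example (not code from the FLAX paper): each vulnerable construction beside its hardened form. The host, parameter names, function names and inputs are constructed.

```javascript
// Added example (not from the FLAX paper): untrusted text reaching an XHR
// URL (Example III) and a cookie sink (Example IV), vulnerable beside
// hardened. Host, parameter names and the inputs are constructed.
const CHAT_BASE = "http://chat.com/"; // assumed endpoint

// Vulnerable: the room name is spliced into the URL as-is, so input that
// contains "&cmd=..." adds a second application command for the server.
function buildJoinUrlVulnerable(room) {
  return CHAT_BASE + "?cmd=joinroom&room=" + room;
}

// Hardened: percent-encode the untrusted value so "&" and "=" stay data.
function buildJoinUrlHardened(room) {
  return CHAT_BASE + "?cmd=joinroom&room=" + encodeURIComponent(room);
}

// Every cmd= value the server would see; more than one is the symptom of
// application command injection.
function commandsIn(url) {
  return new URL(url).searchParams.getAll("cmd");
}

// Vulnerable cookie write: a ";" in the preference text lets the input set
// cookie attributes (Domain, Path, Expires) rather than just the value.
function prefCookieVulnerable(pref) {
  return "pref=" + pref;
}

// Hardened: encode the value and let the application state the attributes.
function prefCookieHardened(pref) {
  return "pref=" + encodeURIComponent(pref) + "; Path=/; Secure; SameSite=Lax";
}

// Splits a cookie string into its value and the attribute list it carries.
function cookieParts(cookie) {
  const [nameValue, ...attrs] = cookie.split(";").map((s) => s.trim());
  return { value: nameValue.split("=").slice(1).join("="), attrs };
}
```

In a page these strings would feed XMLHttpRequest.open() and document.cookie; here they are inspected as strings so the injected command and attribute are visible.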
Summary of Goals
• Systematic discovery techniques
  • FLAX: An automatic tool for discovery
  • A new hybrid technique for JavaScript analysis
• Evaluate prevalence in real code
  • An empirical evaluation of real-world applications
  • Find several unknown CSV vulnerabilities
Outline
• CSV Vulnerabilities
• FLAX: Tool and Techniques
  • Challenges & Key Idea
  • Tool Architecture
  • Design
• Real Attacks and Evaluation Results
• Related Work & Conclusion
Problem Definition
• Definition
  • Unsafe usage of untrusted data in a critical sink
• Systematic discovery of CSV vulnerabilities
  • Two sub-problems
    • Exploring program space
    • Finding bugs in some explored functionality
• Attacker Model
  • Web attacker (evil.com)
  • User-as-an-attacker
Challenges: End-to-end Web Application Analysis
• JavaScript complexity
  • Highly dynamic language
  • String-heavy
  • Parsing ops. indistinguishable from validation checks
  • Custom sanity routines are common
• Hidden server-side logic
  • Assumes no knowledge of the server
  • Handles reflected flows: data flows to server and back
Key Insight
• Taint-enhanced black-box fuzzing (TEBF)
  • A simple idea
  • Combine benefits of taint-tracking & fuzzing
  • Requires no source code annotations
  • No false positives
• FLAX: An End-to-end System
  • Simplifies JS first
  • Implements TEBF
  • Handles reflected flow using approximate tainting
[Figure: plot of efficiency of finding bugs vs. false positives, placing purely dynamic taint-tracking, TEBF, syntax-driven fuzzing and black-box fuzzing]
FLAX Tool Design
  // Acceptor slice shown on the slide: three regex rewrites (escape
  // sequences, JSON tokens, array openings) reduce the input to its
  // structure, which is then compared with the expected shape.
  function acceptor(input) {
    var must_match = '{]:],]:]}';
    var re1 = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g;
    var re2 = /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g;
    var re3 = /(?:^|:|,)(?:\s*\[)+/g;
    var rep1 = input.replace(re1, "@");
    var rep2 = rep1.replace(re2, "]");
    var rep3 = rep2.replace(re3, "");
    if (rep3 == must_match) { return true; }
    return false;
  }
[Figure: FLAX architecture: Initial Input → Taint-tracking over the JavaScript program's execution trace → Acceptor Slice (Source, Transformation Operations, Path Constraints, Sink) → Sink-aware Fuzzer → Exploit?]
FLAX Implementation
[Figure: pipeline of JavaScript Interpreter → Taint Engine → Acceptor Slice Generator, producing a JASIL execution trace]
  JASIL execution trace excerpt:
  X = INPUT[4]
  Y = SubStr(X, 0, 4)
  Z = (Y == "http")
  PC = IF (Z) THEN (T) ELSE (NEXT)
Simplifying JavaScript
• JASIL: Our intermediate language
  • A simple type system
  • Small set of operations
• Enables string-centric, fine-grained taint tracking on JS
Simplifying JavaScript (II)
• Benefits of JASIL simplification to taint-tracking
• Example: Taint semantics for replace are difficult!
  rep1 = INPUT.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@");
[Figure: emitted JASIL instructions: subString of INPUT into R, convert matched pieces to the constant "@", concat the pieces into OUTPUT]
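Character-level taint through replace, as an added example (not FLAX's JASIL implementation): unmatched substrings keep their per-character taint and each replacement is an untainted constant, which is the subString/convert/concat decomposition the slide sketches, applied to the acceptor's three regexes from the tool-design slide. The helper names and the sample inputs are constructed.

```javascript
// Added example (not FLAX's JASIL implementation): character-level taint
// propagation through String.prototype.replace, the case the slide above
// calls difficult. Unmatched spans keep their per-character taint and the
// replacement text is an untainted constant. All inputs are constructed.
function taintedReplace(value, taint, re, replacement) {
  const out = []; // [character, tainted?] pairs
  let last = 0;
  re.lastIndex = 0;
  let m;
  while ((m = re.exec(value)) !== null) {
    for (let i = last; i < m.index; i++) out.push([value[i], taint[i]]); // keep
    for (const c of replacement) out.push([c, false]); // constant, untainted
    last = m.index + m[0].length;
    if (m[0].length === 0) re.lastIndex++; // never loop on an empty match
  }
  for (let i = last; i < value.length; i++) out.push([value[i], taint[i]]);
  return { value: out.map((p) => p[0]).join(""), taint: out.map((p) => p[1]) };
}

// The acceptor's three rewrites, with the same regexes as the tool-design slide.
const RE1 = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g;
const RE2 = /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g;
const RE3 = /(?:^|:|,)(?:\s*\[)+/g;

// Traces the acceptor over app-controlled prefix/suffix around untrusted text.
function traceAcceptor(prefix, untrusted, suffix) {
  const value = prefix + untrusted + suffix;
  const taint = [...prefix].map(() => false)
    .concat([...untrusted].map(() => true), [...suffix].map(() => false));
  const s1 = taintedReplace(value, taint, RE1, "@");
  const s2 = taintedReplace(s1.value, s1.taint, RE2, "]");
  const s3 = taintedReplace(s2.value, s2.taint, RE3, "");
  return { s1, s2, s3 };
}

// The characters of a stage that still come from the untrusted input.
function taintedChars(stage) {
  return [...stage.value].filter((_, i) => stage.taint[i]).join("");
}
```

For a quoted string the untrusted characters vanish after the second rewrite, while untrusted ":" and "," survive into the value the acceptor compares, which is exactly what a fuzzer needs to know.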
Outline
• CSV Vulnerabilities
• FLAX: Tool and Techniques
  • Challenges & Key Idea
  • Tool Architecture
  • Design
• Attacks and Evaluation Results
• Related Work & Conclusion
Evaluation
• 40 Subjects
  • iGoogle gadgets
  • AJAX applications and web sites
• Setup
  • Untrusted sources
    • All cross-domain channels
    • Text boxes
  • Critical sinks
    • Code evaluation constructs
    • XHR url data
    • Cookies
Results (I)
• Summary
  • Taint observed in 18 / 40 subjects
  • FLAX found 11 previously unknown vulnerabilities
• Examples
  • Origin Misattribution leading to XSS in Facebook Connect
  • Gadget Overwriting Attacks on Google/IG
  • Application Command Injection on AjaxIM
  • Code injection and cookie attribute manipulation via cookie sinks
Example Attacks: Gadget Overwriting
[Figure: screenshot with a legitimate URL bar and a compromised gadget with overwritten contents; <Attack Link to IGoogle page>]
Effectiveness
• Character-level precise taint-tracking helps fuzzing
• Reduction in input sizes
Effectiveness (II)
• Reduction in false positives, TEBF vs. pure taint-tracking
Conclusion
• A new class of vulnerabilities: CSV
  • Example attacks
• A systematic discovery tool: FLAX
  • No annotations, no false positives
  • Employs a simple TEBF technique
  • Robust analysis using JASIL
• CSV vulnerabilities are actually prevalent today
  • Found 11 previously unknown vulns
  • Demonstrate proof-of-concept exploits
Contact
• Prateek Saxena (prateeks@cs.berkeley.edu)
• Please visit our project web site: http://webblaze.cs.berkeley.edu
THANKS FOR LISTENING