Static Detection of Cross-Site Scripting Vulnerabilities Gary Wassermann and Zhendong Su Presented by: Ryan Lehan CSC 682 – Advanced Computer Security
What is Cross-Site Scripting (XSS)? A class of web application vulnerability in which an attacker causes a victim’s web browser to execute JavaScript supplied by the attacker with the privileges of a trusted host.
3 Main Types of XSS • Stored • Reflected • DOM Based
3 Main Types of XSS Stored Occurs when the server stores untrusted data and later displays it. • Forums • Blogs • Wikis
3 Main Types of XSS Reflected Occurs when a server echoes untrusted input back to the client. • Error messages • Informative messages that include the input
3 Main Types of XSS DOM Based Occurs when client-side script reads malicious data from the DOM and dynamically executes it.
Causes of XSS Vulnerabilities • Web applications that display untrusted input. • Web application programming languages provide unsafe defaults for passing untrusted input to the client. PHP: If “export globals” is set, then each key in the associative GET, POST, and COOKIE arrays becomes the name of a variable, and its initial value is the value it maps to in the array.
Detecting XSS Vulnerabilities Static String-Taint Analysis • Static Analysis – Process which analyzes the source code without executing the program. • String Analysis – Process which generates a formal language representation of the possible string values a program may generate at a given point. • String-Taint Analysis – Like String Analysis, but additionally attaches labels that indicate which substrings come from untrusted sources.
The Approach Two-phase approach to analyzing the source code. • Use of String-Taint Analysis to track untrusted substring values. • Use of Context-Free Grammars (CFGs) to represent sets of string values. • Use of Finite State Transducers (FSTs) to model the semantics of string operations. • Use of formal language techniques to check for untrusted scripts. • Creation of black-list policies.
The Approach Phase 1: String-Taint Analysis • Translate output statements into assignments to an added output variable. • Translate the program into static single assignment (SSA) form. • SSA Form – Intermediate representation (IR) in which every variable is assigned exactly once. Existing variables in the original IR are split into versions, typically indicated by the original name with a subscript, so that every definition gets its own version. • This is done so that data dependencies can be encoded. • Creates an extended CFG. • Use of FSTs • Model the string operation semantics. • Produce output on the transitions from state to state.
The Approach Phase 2: Checking for Untrusted Scripts • Created a policy based upon how the JavaScript engine is invoked. • Not the string value of the untrusted JavaScript code. • Policy is a black-list. • If it is on the list, then it is evil. • Translated the policy into a formal language.
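A concrete, simplified instance of the two phases, added here as an example and not code from the paper or these slides: taint labels ride on substrings, htmlspecialchars() is modelled as a one-state transducer, and a black-list policy is checked against the untrusted substrings of the added output variable. It tracks one concrete value per variable instead of the context-free grammars the paper builds, and the policy patterns in POLICY are an assumption, not the paper's policy.

```python
import re
from typing import Dict, List, Tuple

# A string value is a list of (text, tainted) segments; the label marks
# substrings that came from an untrusted source (GET/POST/COOKIE data).
Segs = List[Tuple[str, bool]]

def untrusted(s: str) -> Segs:      # e.g. $_GET['name']
    return [(s, True)]

def literal(s: str) -> Segs:        # a string constant in the program
    return [(s, False)]

def concat(*parts: Segs) -> Segs:   # PHP '.' operator: labels are preserved
    return [seg for p in parts for seg in p]

# htmlspecialchars() modelled as a one-state transducer: each transition
# reads one input symbol and emits its replacement. Taint labels survive.
HTML_ESCAPE: Dict[str, str] = {"&": "&amp;", "<": "&lt;", ">": "&gt;",
                               '"': "&quot;", "'": "&#039;"}

def transduce(segs: Segs, table: Dict[str, str]) -> Segs:
    return [("".join(table.get(c, c) for c in text), tainted)
            for text, tainted in segs]

# Black-list policy (assumed pattern set): an untrusted substring must not
# contain a token that makes the browser invoke its JavaScript engine.
# Being a black-list, any invocation vector not listed here is missed.
POLICY = re.compile(r"<script|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

def violations(output: Segs) -> List[str]:
    return [text for text, tainted in output if tainted and POLICY.search(text)]

def analyze(name: str, sanitize: bool) -> List[str]:
    """Model of  echo "<p>Hello, " . $name . "</p>";  in SSA form, with
    the echo rewritten as assignments to an added output variable."""
    name_1 = untrusted(name)
    name_2 = transduce(name_1, HTML_ESCAPE) if sanitize else name_1
    out_1 = literal("<p>Hello, ")
    out_2 = concat(out_1, name_2, literal("</p>"))
    return violations(out_2)

if __name__ == "__main__":
    payload = "<script>alert(1)</script>"   # constructed test input
    print("unsanitized:", analyze(payload, sanitize=False))
    print("sanitized:  ", analyze(payload, sanitize=True))
```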
Testing • Can it detect XSS vulnerabilities via a static analysis approach? • Found direct and indirect XSS vulnerabilities in 7 test subjects. • Direct: Data is directly provided by an untrusted user. • Indirect: Data comes from a source such as a file or a database where untrusted data may have entered, but users cannot provide the value directly. • How well does it check manually written input validation code? • Found input validation errors in 5 out of 9 test subjects. • However, it failed to report the errors in two of the test subjects. • Can it scale? • It depends: on some large projects (Claroline – 170 Kloc) it was able to finish, but on other projects (Phorum – 31 Kloc) it was unable to, due to consecutive use of string functions.
Conclusion • Positives • Able to detect some XSS vulnerabilities via static analysis. • Use of formal techniques for the detection process. • Checked manually written input validation code. • Negatives • Checked untrusted values only at the point where the JavaScript engine is invoked. • Did not scale as well as expected. • The sources used to create the policy included documentation of closed-source web browsers. • Does not detect DOM based XSS vulnerabilities.