240 likes | 375 Views
A Systematic Analysis of XSS Sanitization in Web Application Frameworks. Joel Weinberger, Prateek Saxena , Devdatta Akhawe , Matthew Finifter , Richard Shin, and Dawn Song University of California, Berkeley. Cross Site Scripting. <div class=“comment”>
E N D
A Systematic Analysis of XSS Sanitization in Web Application Frameworks Joel Weinberger, PrateekSaxena, DevdattaAkhawe, Matthew Finifter, Richard Shin, and Dawn Song University of California, Berkeley
Cross Site Scripting <div class=“comment”> <iframesrc=“http://www.voteobama.com”></iframe> </div>
Web Frameworks • Systems to aid the development of web applications • Dynamically generated pages on the server • Templates for code reuse • Untrusted data dynamically inserted into programs • User responses, SQL data, third party code, etc.
Code in Web Frameworks <html> <p>hello, world</p> </html>
Code in Web Frameworks <html> <?php echo "<p>hello, world</p>"; ?> </html>
Code in Web Frameworks <html> <?php echo $USERDATA ?> </html> What happens if $USERDATA = <script>doEvil()</script>
Code in Web Frameworks <html> <script>doEvil()</script> </html>
Sanitization The encoding or elimination of dangerous constructs in untrusted data.
Contributions • Build a detailed model of the browser to explain subtleties in data sanitization • Evaluate the effectiveness of auto sanitization in popular web frameworks • Evaluate the ability of frameworks to sanitize different contexts • Evaluate the tools of frameworks in relation to what web applications actually use and need
Sanitization Example "<p>" + "<script>doEvil()</script>" + "</p>" Untrusted
Sanitization Example "<p>" + sanitizeHTML( "<script> doEvil() </script>" ) + "</p>" <p> doEvil() </p>
Are we done? HTML context sanitizer "<a href='" + sanitizeHTML( "javascript: …" ) + "' />" <a href=' javascript: … '/> URI Context, not HTML
Now are we done? <div onclick='displayComment(" SANITIZED_ATTRIBUTE ")' > </div> What if SANITIZED_ATTRIBUTE = ");stealInfo(""
Now are we done? <div onclick='displayComment( ""); stealInfo( "") '> </div> <div onclick='displayComment( ""); stealInfo("") '> </div>
Browser Model OMG!!!
Framework and Application Evaluation • What support for auto sanitization do frameworks provide? • What support for context sensitivity do frameworks provide? • Does the support of frameworks match the requirements of web applications?
Using Auto Sanitization {% if header.sortable %} <a href="{{header.url}}"> {% endif %} Django doesn’t know how to auto sanitize this context!
Overriding Auto Sanitization {% if header.sortable %} <a href="{{header.url | escape}}"> {% endif %} Whoops! Wrong sanitizer.
Auto Sanitization Support • Examined 14 different frameworks • 7 have no auto sanitization support at all • 4 provide auto sanitization for HTML contexts only • 3 automatically determine correct context and which sanitizer to apply • …although may only support a limited number of contexts
Sanitization Context Support • Examined 14 different frameworks • Only 1 handled all of these contexts • Numbers indicate sanitizer support for a context regardless of auto sanitization support
Contexts Used By Web Applications • Web applications (all in PHP): • RoundCube, Drupal, Joomla, WordPress, MediaWiki, PHPBB3, OpenEMR, Moodle • Ranged from ~19k LOC to ~530k LOC
Further Complexity in Sanitization Policies wordpress/post_comment.php User Admin "<imgsrc='…'></img>" "<imgsrc='…'></img>" "" "<imgsrc='…'></img>"
Evaluation Summary • Auto sanitization alone is insufficient • Frameworks lack sufficient expressivity • Web applications already use more features than frameworks provide
Take Aways • Defining correct sanitization policies is hard • And it’s in the browser spec! • Frameworks can do more • More sanitizer contexts, better automation, etc. • Is sanitization the best form of policy going forward?