BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers Mike Ter Louw...
BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers
Mike Ter Louw, V.N. Venkatakrishnan
University of Illinois at Chicago
Outline
• Intro to Cross-site Scripting
• Objective
• Approach
• Technical details
• Evaluation
• Related work
Cross-site scripting (XSS)
• A widespread web application vulnerability
– In the last few weeks…
– Time magazine “Top 100 influential people” poll defaced by XSS (Apr 2009)
– Twitter XSS worm (Apr 2009)
– McAfee web site attacked (May 2009)
• The #1 threat on the Internet (OWASP)
Problem: Malicious user created content!
Benign comment: “Pete is…”
Malicious comment: “<script>doEvil()</script>”
Our Objective
To develop a robust defense for cross-site scripting attacks
Typical Web Application Goals
• Allow user created content to be expressive, containing rich HTML content
– Format text (<b>bold</b>, <i>italics</i>)
– Hyperlinks (<a href="http://g.com">…</a>)
– Embedded images
• Prevent scripts in user created content
• Today’s web browsers and standards do not make it easy to meet both goals at once
Content Isolation
• User-created content should always be treated as “data”, never as “code”
• Need to isolate user created content as “data only”
Content Isolation for Browsers
• Content Isolation can be achieved for future browsers
– Requires changes to standards and browser parser implementations
– Standards / browsers’ revision cycles may take several years
• Today’s browsers continue to remain vulnerable to XSS in the near term
Our Goal
Construct a robust defense for cross-site scripting attacks that
– permits rich HTML content
– works on today’s browsers
• configured to default settings
• without requiring changes of any form, including patches, plug-ins, add-ons, etc.
Most popular defense: Content filtering
• Involves sanitization of untrusted HTML by removing script content
– Mainly done using regular expressions / parsing HTML
• Absence of strong isolation facilities for HTML has made content filtering the current main line of defense
Problem with Content Filtering
• The web application’s interpretation of sanitized content may differ from the browser’s interpretation
• Example: +ADw-SCRIPT+AD4-attack();
• Web application’s understanding: raw text
• Browser’s understanding: “<SCRIPT>attack();”
The parsing “gap”
[Figure: two parse trees of the same untrusted content. Server-intended parse tree: nested div nodes with only text leaves. Browser-generated parse tree: the same div structure, but one leaf the server intended as text is parsed by the browser as a script node.]
XSS Cheat Sheet provides approx. 100 examples of such browser “quirks”
Our Approach: Reproduce the server-intended parse tree of untrusted content on the browser
[Figure: the server-intended parse tree (nested div nodes with text leaves) and its identical reproduction on the browser]
Challenge: Parsers on existing browsers are unreliable
The Blueprint Approach
• Take control of the content interpretation process on the browser
– Avoid parsing of untrusted content by the browser
No parsing of untrusted content by browser
No scripts identified in untrusted content!
Robust XSS Prevention
High level overview
• Generate a parse tree of untrusted content on the server
– Remove script content by applying whitelist of known-static content types
• Automatically generate a (trusted) JavaScript program to reconstruct this parse tree on the browser
Approach Overview
HTML parse tree via document.createElement() et al.
Problem: Transporting data without invoking browser’s parser
• Parse tree is constructed using both JavaScript code and data
– Code constructs various tree nodes (e.g. <div>)
– Data that annotates tree nodes (e.g. text content)
• Exposing raw data to browser parser may lead to unpredictable behavior
• Our Solution: Encode data using safe alphabet
– E.g. “a-z”
– Transport encoded data to the JavaScript interpreter
Transporting data
[Figure: plain text is carried as an encoded string variable into the JavaScript interpreter, which creates a text node in the HTML parse tree via document.createElement() et al.]
DOM API used
• document.createElement(), document.createTextNode(), document.getElementById()
• element.appendChild(), element.insertBefore(), element.parentNode, element.removeChild(), element.setAttribute(), element.style[ ], element.style.setExpression()
Instrumenting web application with Blueprint
Original:
<?php foreach ($comments as $comment): ?>
  <li><?php echo($comment); ?></li>
<?php endforeach; ?>

With Blueprint:
<?php foreach ($comments as $comment): ?>
  <li><?php $model = Blueprint::cxPCData($comment); echo($model); ?></li>
<?php endforeach; ?>
Transformed web application output
XSS Vector II: Cascading Style Sheets
CSS without XSS
• Use style object to apply style rules: element.style['width'] = decode( untrusted );
• Dynamic properties not allowed by whitelist:
– element.style['behavior'] = …
– element.style['-moz-binding'] = …
CSS expression vector
• Any “static” property can be promoted to dynamic via expression() syntax: element.style["width"] = "expression( attack())";
• Threat exists only on Internet Explorer
• IE has no DOM interface to directly force a static value
Protection against CSS expressions
• Use setExpression( … ) to apply style rules
– Forces all CSS rules to be dynamic
– Trusted script invoked to retrieve property value
– Script looks up untrusted value in array, then returns it
– Returned value observed to be static
• Evaluated unobfuscated expression() for all allowed CSS properties
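The property whitelist of the two CSS slides above, written out as an added example that is not Blueprint's own code. The slides' defence against IE's expression() promotion is setExpression() with an array lookup; this example instead refuses any value that is not a plain length, percentage, keyword or hex colour, which is a swap-in not on the page. The whitelist, the value grammar and the element stand-in are assumptions.

```javascript
// Added example, not Blueprint's own code: applying untrusted CSS through the
// style object rather than through a style attribute or <style> text.
// Assumed: the property whitelist and the value grammar are illustrative.

// Properties known to be static. 'behavior' and '-moz-binding' are absent on
// purpose: both bind script to an element and so are dynamic by nature.
const STATIC_CSS_PROPS = new Set([
  'width', 'height', 'color', 'background-color', 'font-weight',
  'font-style', 'text-align', 'margin', 'padding',
]);

// Value grammar: lengths, percentages, keywords, hex colours and space- or
// comma-separated lists of those. Parentheses are excluded, so neither
// expression( ... ) nor url( ... ) can reach the CSS parser at all (a swap-in
// for the setExpression() array lookup the slides use on IE).
const STATIC_VALUE = /^[a-z0-9#.%,\s-]+$/i;

// Apply each declaration through element.style[...] and return the names of
// the declarations that were refused so the caller can log them.
function applyUntrustedStyle(element, declarations) {
  const rejected = [];
  for (const [prop, value] of Object.entries(declarations)) {
    const name = prop.trim().toLowerCase();
    if (!STATIC_CSS_PROPS.has(name) || !STATIC_VALUE.test(value)) {
      rejected.push(name);
      continue;
    }
    element.style[name] = value;
  }
  return rejected;
}

// Constructed input: declarations from a user comment mixing legitimate
// values with the dynamic forms named on the slides.
function demo() {
  const element = { style: {} }; // stand-in for a DOM element outside a browser
  const rejected = applyUntrustedStyle(element, {
    width: '50%',
    color: '#c0ffee',
    'background-color': 'expression(attack())', // IE promotion to dynamic
    behavior: 'url(x)',                          // not in whitelist
    '-moz-binding': 'url(x)',                    // not in whitelist
  });
  return { applied: element.style, rejected };
}
```

In a browser, pass a real element instead of the stand-in; the bracket form `element.style['background-color']` matches the slide and works for dashed property names on a CSSStyleDeclaration.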
XSS vector III: Uniform Resource Identifiers (URI)
URI
• http://www.example.com/a.html?param#a
• URI scheme indicates static / dynamic nature
– Static: http:, https:, ftp:, mailto:
– Dynamic: javascript:
• No direct interface to URI parser to enforce a particular (whitelisted) scheme
• We use a 3-tiered defense
Evaluation
• Effectiveness at preventing XSS attacks on existing browsers
• Compatibility with common use cases
• Performance overhead on server and browser
Browser evaluation
• 8 browsers tested: Chrome 1, Firefox 3, Firefox 2, Internet Explorer 7, Internet Explorer 6, Opera 9.6, Safari 3.2, Safari 3.1
• Total over 96% market share of browsers in active use
Defense effectiveness
• XSS Cheat Sheet [Ha09]
– 94 XSS attack examples
– Designed to target server-side defenses
– Embedded in several syntactic contexts
• Developed automated test platform
– Identified which attacks successful on which browser
– Evaluated defense effectiveness
• All 94 attacks successfully defended on all 8 evaluated browsers
Compatibility
• Modified source code for two popular web applications: WordPress, MediaWiki
• Modified output of two popular websites: NY Times blog, Slashdot.org
WordPress (compatibility)
• Added protection for 3 low integrity outputs (per user comment to blog article)
– Name (plain text)
– Website link (anchor element)
– Comment body (mixed HTML)
• Allows testing of pages with hundreds of (relatively simple) models
• Tested real-world blogs, 23–516 comments
• No negative compatibility impact observed
MediaWiki (compatibility)
• Added protection for 2 low integrity outputs
– Article (i.e., web page) title
– Article content
• Allows testing of large, complex models
• Tested “Featured” article from Wikipedia
• Content rendered very faithfully to original
• Problems:
– <imagemap> not in whitelist
– Relocate trusted script
Performance overhead measurements
• Server page generation latency
• Browser memory overhead
• Browser page rendering latency
• Combined effect of server and browser latencies
WordPress page generation latency
• Measured significant overhead
• Partly due to redundant content filter (KSES)
MediaWiki page generation latency
• Better performance than WordPress
• Redundant intermediate HTML stage
Client memory overhead
• Minor overhead
WordPress page rendering latency
MediaWiki page rendering latency
User experience impact of combined latencies
• Tested with Firefox 2 (mid-road performance), WordPress with 100 blog comments
• Low perception of delays for common case
Related Work
• Server-side (XSS-Guard, NeatHTML)
– Prevent injected scripts in final output
– Vulnerable to attacks exploiting parsing differences
• Client-side (NoMoXSS, Noxes)
– Identification and prevention of data leaks
– Cannot detect XSS within same origin
• Black box / proxy (XSS-DS, Taint inference)
– Server: Detect and prevent reflected scripts
– Client: Detect and prevent data leaks
Related work (cont.)
• Server and browser collaboration (BEEP, DSI, Noncespaces)
– Server: Identify policy regions and declare policies
– Client: Enforce policies over policy regions
– Require browser changes
• Systems supporting benign scripts in user-created content
– Caja, Web Sandbox, Facebook
– Complementary to our approach
Conclusion
• Cross-site scripting attacks can be prevented entirely if browsers and web applications can come to a common understanding of the structure of untrusted content
• Blueprint facilitates this goal and provides a novel defense for XSS
• Project page: http://www.sisl.rites.uic.edu/blueprint
References
• [Ha09] Hansen, Robert. XSS Cheat Sheet
• [Di07] Di Paola, Stefano. Preventing XSS with Data Binding
XSS Detail
• Challenge for attacker: Embed content the browser will interpret as script
• Many vectors
– Script tags: <script> attack(); </script>
– Script attributes: onmousemove="attack();"
– CSS style rules: "width: expression( attack() );"
– URI: src="javascript:void attack()"
Encoding
• Search engine optimization (SEO)
• Screen readers
• View source
• Solutions:
– Less destructive encoding
– Modify reader
– Add feature to browser
Dynamic attacks
• User-created content (UCC) added to a page dynamically must also be protected
• Current implementation requires remote procedure call (via XHR / AJAX) to request model
• Blueprint can ensure a base document free of user-embedded scripts
• Trusted code must then take precautions to maintain security
Whitelist
• Whitelist can be site-specific
• Whitelist can be grown, gradually adding content known to be static
• Used off-the-shelf whitelist from HTMLPurifier
URI Defense
3-tiered defense:
1. Character-level whitelist
– Only allow syntactically-inert untrusted chars
2. Parse behavior sensing
– a.protocol DOM property [Di07]
– Assumes URI parsing same for all contexts: a.href, img.src, url()
3. Impact mitigation
– Rewrite URI pointing to redirection service
– Attacks execute in different origin, void of sensitive data
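The three tiers above, carried through as an added example that is not Blueprint's own code. The inert-character set, the static scheme list and the redirection-service address are illustrative placeholders, and tier 2 reads the scheme back from the WHATWG URL parser rather than the a.protocol DOM property cited from [Di07], so that the example runs outside a browser as well.

```javascript
// Added example, not Blueprint's own code: the three tiers of the URI defence.
// Assumed: the inert-character set, the static scheme list and the redirection
// service address are illustrative placeholders; tier 2 uses the WHATWG URL
// parser in place of the a.protocol DOM property [Di07].

const STATIC_SCHEMES = new Set(['http:', 'https:', 'ftp:', 'mailto:']);
const REDIRECT_SERVICE = 'https://redirect.example.invalid/?to='; // placeholder
// Tier 1 alphabet: no whitespace, quotes, angle brackets, backslash, parentheses
// or control characters, so the value cannot alter the syntax it is placed in.
const INERT_CHARS = /^[A-Za-z0-9._~:\/?#@!$&*+,;=%-]+$/;

function sanitizeUri(untrusted, pageBase = 'https://www.example.com/') {
  // Tier 1: character-level whitelist.
  if (!INERT_CHARS.test(untrusted)) return { ok: false, tier: 1 };
  // Tier 2: parse-behaviour sensing. Instead of guessing how the browser will
  // read the scheme, ask its own parser and compare against the static list.
  let parsed;
  try { parsed = new URL(untrusted, pageBase); } catch (e) { return { ok: false, tier: 2 }; }
  if (!STATIC_SCHEMES.has(parsed.protocol)) return { ok: false, tier: 2 };
  // Tier 3: impact mitigation. Route the link through a redirection service so
  // that whatever it leads to runs in an origin that holds no user data.
  return { ok: true, href: REDIRECT_SERVICE + encodeURIComponent(parsed.href) };
}

// Constructed inputs: the slide's example URI, a relative link, and two
// javascript: forms that are stopped at different tiers.
function demo() {
  return [
    'http://www.example.com/a.html?param#a',
    'a.html',
    'javascript:void attack()',
    'javascript:attack',
  ].map(u => [u, sanitizeUri(u)]);
}
```

The rewritten href is what goes into the model for the anchor's href attribute; the original value never reaches the page's own origin.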
Eliminate dependency on browser parser
• Transform user-created content into static content models on web server
– Model reflects approved content parse tree
• Propagate static content models into JavaScript interpreter of web browser
• Reconstruct server-approved parse tree using client-side model interpreter
Create static content model
• Parse untrusted HTML
• Prune resulting parse tree in accordance with whitelist of known-static node types
• Serialize parse tree into stream of benign data characters
• Wrap in <code> … </code> tags
• Attach trusted script for invoking model interpreter
Model interpreter
• Interprets model as stream of declarative statements
• Uses reliable DOM API to generate content
– document.createElement( … )
– element.appendChild( … )
• Enforces server-intended parse tree in browser
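The server-side model creation (prune against the whitelist, serialize over a safe alphabet) and the client-side model interpreter (rebuild through createElement / createTextNode / appendChild / setAttribute) of the last three slides and the "Transporting data" slides, as one added example that is not Blueprint's own code. It assumes the server has already parsed the untrusted HTML into plain objects of the form {tag, attrs, children} and {text} (that parser is not shown), uses a small illustrative whitelist, and supplies an in-memory stand-in for `document` so it runs offline; in a browser the real `document` is passed instead. Wrapping the model in <code> tags and attaching the trusted script are left out.

```javascript
// Added example, not Blueprint's own code. Assumed: the server has already
// parsed the untrusted HTML into plain objects {tag, attrs, children} / {text}
// (that parser is not shown) and the whitelist below is a small illustrative one.

// ---- Server side: whitelist, safe-alphabet transport, model builder --------
// Node types and attributes known to be static; on* handlers, style and
// URI-bearing attributes are absent since URIs and styles get separate defences.
const STATIC_TAGS = new Set(['div', 'p', 'b', 'i', 'ul', 'li', 'span']);
const STATIC_ATTRS = new Set(['class', 'title']);

// Each UTF-8 byte becomes two letters in a..p (one per hex nibble), so the
// encoded data can never contain markup characters.
function encode(str) {
  return Array.from(new TextEncoder().encode(str),
    b => String.fromCharCode(97 + (b >> 4), 97 + (b & 15))).join('');
}
function decode(enc) {
  const bytes = new Uint8Array(enc.length / 2);
  for (let i = 0; i < enc.length; i += 2) {
    bytes[i / 2] = ((enc.charCodeAt(i) - 97) << 4) | (enc.charCodeAt(i + 1) - 97);
  }
  return new TextDecoder().decode(bytes);
}

// Prune against the whitelist and serialize as declarative statements over
// a..u: r<tag>q open element, s<name>q<value>q attribute, t<text>q text node,
// u close element. A non-whitelisted node (e.g. <script>) is dropped with its subtree.
function serialize(node, out) {
  if (node.text !== undefined) {
    out.push('t', encode(node.text), 'q');
  } else if (STATIC_TAGS.has(node.tag)) {
    out.push('r', encode(node.tag), 'q');
    for (const [name, value] of Object.entries(node.attrs || {})) {
      if (STATIC_ATTRS.has(name)) out.push('s', encode(name), 'q', encode(value), 'q');
    }
    for (const child of node.children || []) serialize(child, out);
    out.push('u');
  }
}
// The returned string is what the page would carry inside <code>…</code>.
function buildModel(tree) { const out = []; serialize(tree, out); return out.join(''); }

// ---- Client side: the trusted model interpreter ---------------------------
// Rebuilds the tree through the DOM construction API only. `doc` is `document`
// in a browser; the stand-in below lets the example run offline.
function interpretModel(model, doc, parent) {
  let pos = 0;
  const next = () => {                      // read one q-terminated token
    const end = model.indexOf('q', pos);
    if (end < 0) throw new Error('malformed model');
    const tok = decode(model.slice(pos, end));
    pos = end + 1;
    return tok;
  };
  const stack = [parent];
  while (pos < model.length) {
    const op = model[pos++], top = stack[stack.length - 1];
    if (op === 'r') { const el = doc.createElement(next()); top.appendChild(el); stack.push(el); }
    else if (op === 's') { const name = next(); top.setAttribute(name, next()); }
    else if (op === 't') top.appendChild(doc.createTextNode(next()));
    else if (op === 'u') stack.pop();
    else throw new Error('malformed model');
  }
  return parent;
}

// Minimal in-memory DOM stand-in (assumed) for running outside a browser.
function fakeDocument() {
  const esc = s => s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
  const element = tag => ({
    tag, attrs: {}, children: [],
    appendChild(c) { this.children.push(c); },
    setAttribute(n, v) { this.attrs[n] = v; },
    get outerHTML() {
      const a = Object.entries(this.attrs).map(([n, v]) => ` ${n}="${esc(v)}"`).join('');
      return `<${this.tag}${a}>${this.children.map(c => c.outerHTML).join('')}</${this.tag}>`;
    },
  });
  return { createElement: element, createTextNode: t => ({ get outerHTML() { return esc(t); } }) };
}

// Constructed input: the server's parse tree of one user comment carrying an
// event-handler attribute and a <script> child.
const SERVER_TREE = {
  tag: 'div', attrs: { class: 'comment', onmouseover: 'attack()' }, children: [
    { tag: 'b', children: [{ text: 'Pete is' }] },
    { text: ' <great> & nice' },
    { tag: 'script', children: [{ text: 'doEvil()' }] },
  ],
};

function demo() {
  const model = buildModel(SERVER_TREE);
  const doc = fakeDocument();
  const li = interpretModel(model, doc, doc.createElement('li'));
  return { model, html: li.outerHTML };
}
```

The point to check is that the model string never leaves the letters a..u: the browser's HTML parser sees only that text, so there is nothing in it for the parser to turn into a script node, and the tree that appears on the page is exactly the one the server pruned.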