deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation
Transcript of deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation
Page 1
deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation
Adam Doupé, Weidong Cui†, Mariusz H. Jakubowski†, Marcus Peinado†, Christopher Kruegel, and Giovanni Vigna
University of California, Santa Barbara; †Microsoft Research
CCS 2013 – 11/7/13
Page 2
Doupé - 11/7/13
XSS Vulnerabilities Still Exist Today
Pages 3-4
Courtesy of Ashar Javed
Page 5
Test.aspx
<html><body><p>Hello <%= this.Name %></p></body></html>
Pages 6-10
http://example.com/Test.aspx?name=adam
Ask Test.dll for output
Test.aspx template:
<html> <body> <p>Hello <%= this.Name %></p> </body></html>
Rendered response:
<html> <body> <p>Hello adam</p> </body></html>
Pages 11-13
Test.aspx
http://example.com/Test.aspx?name=<script>alert("xss");</script>
Test.aspx template:
<html><body>
<p>Hello <%= this.Name %></p>
</body></html>
Rendered response:
<html><body>
<p>Hello <script>alert("xss");</script></p>
</body></html>
Page 14
XSS – Impact
• Steal cookies
• Perform actions as user
• Exploit user’s browser
• Fake login form
Pages 15-16
Fixing XSS – Sanitization
<html>
<body><p>Hello <%= HtmlEncode(this.Name) %></p></body>
</html>
Input: <script>alert("xss");</script>
Output of HtmlEncode: &lt;script&gt;alert(&quot;xss&quot;);&lt;/script&gt;
Pages 17-22
XSS as Input Validation

| Problem | Research |
| --- | --- |
| Find All Paths | WWW 2004, USENIX 2005, Oakland 2006 |
| Many Different Contexts | CCS 2011, CCS 2011 |
| Is Sanitization Correct? | Oakland 2008, USENIX 2011 |
| Parsing Quirks | Oakland 2009, CCS 2013 |

We want to fundamentally solve XSS vulnerabilities
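The sanitization slides show HtmlEncode fixing the Test.aspx paragraph, and the "Many Different Contexts" row of the table is the reason that single fix does not generalize. The following Python is an added example, not code from the talk or the deDacota project: it renders the slide's paragraph with and without HtmlEncode, renders the `var username = "<%= Username %>"` script from the later slides with an encoder for the JavaScript string context, and counts the script tag boundaries an HTML tokenizer would see. The encoders, the `script_tags_in` check and the sample input are this example's own.

```python
import html
import json
import re

# Constructed sample input: the payload used on the slides.
XSS_INPUT = '<script>alert("xss");</script>'


def html_encode(value: str) -> str:
    """HtmlEncode for an HTML text context: '<', '>', '&' and quotes become
    character references, so the HTML parser never sees a tag boundary
    inside the data."""
    return html.escape(value, quote=True)


def js_string_encode(value: str) -> str:
    """Encoder for a JavaScript string-literal context. JSON escaping covers
    backslashes, quotes and control characters; '<' and '>' are \\u-escaped
    as well so the HTML parser cannot find '</script>' inside the literal.
    html_encode would be the wrong tool here: the JS engine does not decode
    HTML character references inside a <script> block."""
    encoded = json.dumps(value)[1:-1]           # drop the surrounding quotes
    return encoded.replace('<', '\\u003c').replace('>', '\\u003e')


def render_unsanitized_paragraph(name: str) -> str:
    """<p>Hello <%= this.Name %></p>: the vulnerable original, for comparison."""
    return '<p>Hello ' + name + '</p>'


def render_paragraph(name: str) -> str:
    """<p>Hello <%= HtmlEncode(this.Name) %></p> from the slide."""
    return '<p>Hello ' + html_encode(name) + '</p>'


def render_script(username: str) -> str:
    """<script> var username = "<%= Username %>"; </script> from the later
    slides, with the value encoded for the JS string context it sits in."""
    return '<script> var username = "' + js_string_encode(username) + '"; </script>'


SCRIPT_TAG = re.compile(r'<\s*/?\s*script\b', re.IGNORECASE)


def script_tags_in(markup: str) -> int:
    """Count the script tag boundaries an HTML tokenizer would see; a correct
    encoder leaves exactly the ones the developer wrote."""
    return len(SCRIPT_TAG.findall(markup))
```

The check is deliberately context-specific: `render_paragraph` must yield zero script boundaries, while `render_script` must yield exactly the two the developer wrote, whatever the value. Picking the encoder by output context is what the "Many Different Contexts" research addresses, and getting it wrong in even one of the hundreds of output points of a real application is why the talk moves on to code and data separation.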
Pages 23-24
Another Example
<html>
<body><script>
alert("welcome to example.com!");
</script><p>Hello <%= this.Name %></p>
</body></html>
Developer intended for this code to be executed on the browser
Pages 25-28
Another Example / The Fundamental Problem
http://example.com/Test.aspx?name=<script>alert("xss");</script>
Test.aspx template:
<html><body>
<script>alert("welcome to example.com!");</script><p>Hello <%= this.Name %></p></body>
</html>
Rendered response:
<html><body>
<script>alert("welcome to example.com!");</script><p>Hello <script>alert("xss");</script></p></body>
</html>
Developer intended for the first script (the welcome alert) to be executed on the browser
Developer did not intend for the second script (the one arriving in the name parameter) to be executed on the browser
The browser can’t tell the difference!
Pages 29-30
The Fundamental Solution
Data:
<html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <%= this.Name %> </p> </body></html>
Code:
alert("welcome to example.com!");
To fundamentally solve XSS vulnerabilities, we must apply the basic security principle of Code and Data separation!
Page 31
Content Security Policy (CSP)
• Mechanism for the website to communicate a policy to the browser about what JavaScript to execute
• The browser then enforces this policy
• Supported by many modern browsers (68% of users use one of these browsers)
– Firefox
– Chrome
– IE (10)
– Safari
– Opera
– iOS
– Android
Pages 32-33
Content Security Policy
Data, before:
<html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <%= this.Name %> </p> </body></html>
Data, after:
<html> <body> <script src="0cc111eb135.js"> </script> <p>Hello <%= this.Name %> </p> </body></html>
Code (0cc111eb135.js):
alert("welcome to example.com!");
Content-Security-Policy: script-src http://example.com/0cc111eb135.js
Page 34
Code and Data Separation
• Code and Data separation from the start
– No legacy applications
• Manually rewrite application
– Difficult and error-prone (HotSec 2011)
deDacota: Automatically separate code and data of a web application
Page 35
Threat Model
• Benign web application
– The developer has not obfuscated the web application
• Server-side XSS
– Our approach will only address traditional XSS, in other words, XSS where the resulting bug is in the server-side code
• Inline JavaScript
– For the deDacota prototype, we focused only on inline JavaScript
– We ignore JavaScript in HTML attributes and CSS
Page 36
DESIGN
Pages 37-38
deDacota Process
Approximate HTML Output
Extract Inline JavaScript
Rewrite Web Application
The goal is to rewrite the web application so that it is semantically equivalent yet separates the code and data.
Page 39
Approximate HTML Output
<%@ Page Language="C#" CodeBehind="CodeBehind.cs" Inherits="Test" %>
<html><body>
<p>Hello <%= this.Name %></p><%= Scripts() %>
</body></html>
Pages 40-58
Approximate HTML Output
class test_aspx : System.Web.UI.Page {
    public string Name;
    public string Year;
    public test_aspx() {
        this.Name = Request.QueryString["name"];
        this.Year = "2013";
    }
    protected override void Render(HtmlTextWriter writer) {
        writer.Write("<html><body><p>");
        writer.Write(this.Name);
        writer.Write(Scripts());
        writer.Write("</p></body></html>");
    }
    protected string Scripts() {
        return "<script>alert('" + this.Year + "');</script>";
    }
}
The goal here is to create a graph that approximates the HTML content of the web page. We use static analysis techniques to construct the graph.
Here we need to analyze the control flow of the application, which means following the control flow into the Scripts() method.
Here we encounter string concatenation, which our analysis is able to handle.
Graph nodes, in output order:
"<html><body><p>"
this.Name
"<script>alert('"
this.Year
"');</script>"
"</p></body></html>"
Now that we have constructed the approximation graph, we must determine what is being output by each node in the graph. Here we use data-flow analysis and points-to analysis.
In this case, Request.QueryString["name"] is statically undecidable because it comes from user input. In the approximation graph we represent this as a * which means the output at this node could be anything.
Resolved approximation graph:
<html><body><p>
*
<script>alert('
2013
');</script>
</p></body></html>
This approximation graph contains a static approximation of the HTML content of the web page. Any path through this graph is one possible output of the page.
Page 59
In this example approximation graph from a real-world application, the branch in the graph comes from a conditional branch in the control flow of the application.
Page 60
Statically undecidable content, represented here as a *, can come from two different sources:
1. Content that is statically undecidable according to the static analysis.
2. Loops: to make our analysis conservative, we treat all loops as outputting a *, because we cannot statically determine how many times a loop will execute.
Pages 61-62
Extract Inline JavaScript
In the second step, we simply extract the inline JavaScript (that is, the developer-intended code) from the approximation graph.
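The two steps above, building the approximation graph for the slides' `test_aspx` class and then extracting the inline JavaScript from it, can be followed end to end on a toy model. The Python below is an added example and is not deDacota's implementation (which analyzes compiled .NET code): it represents the constructor assignments, the `Scripts()` method and the sequence of `writer.Write()` calls as a small expression language, resolves each write into graph nodes by following field assignments and calls and flattening concatenation, marks user input as `*`, and then cuts each `<script>...</script>` body out of the straight-line graph. The expression classes, `resolve`, `extract_inline_scripts` and the constructed model of the page are all assumptions of this example; branches and loops (alternative paths, `*` for loop bodies) are not modelled.

```python
import re
from dataclasses import dataclass
from typing import List, Union

STAR = '*'   # statically undecidable node; a real tool would use a distinct node type


# A tiny expression language standing in for the C# on the slides.
@dataclass(frozen=True)
class Const:        # string literal, e.g. "<html><body><p>"
    text: str


@dataclass(frozen=True)
class Field:        # this.Name, this.Year
    name: str


@dataclass(frozen=True)
class Call:         # Scripts()
    method: str


@dataclass(frozen=True)
class Concat:       # a + b
    left: 'Expr'
    right: 'Expr'


@dataclass(frozen=True)
class UserInput:    # Request.QueryString["name"]
    key: str


Expr = Union[Const, Field, Call, Concat, UserInput]

# Constructed model of test_aspx: constructor assignments, method bodies and
# the sequence of writer.Write() calls in Render().
FIELDS = {'Name': UserInput('name'), 'Year': Const('2013')}
METHODS = {'Scripts': Concat(Concat(Const("<script>alert('"), Field('Year')),
                             Const("');</script>"))}
RENDER_WRITES: List[Expr] = [
    Const('<html><body><p>'),
    Field('Name'),
    Call('Scripts'),
    Const('</p></body></html>'),
]


def resolve(expr: Expr) -> List[str]:
    """Flatten one Write() argument into graph nodes: constant strings, or
    STAR where the value cannot be decided statically (the data-flow step)."""
    if isinstance(expr, Const):
        return [expr.text]
    if isinstance(expr, UserInput):
        return [STAR]                       # comes from the request
    if isinstance(expr, Field):
        return resolve(FIELDS[expr.name])   # follow the assignment in the ctor
    if isinstance(expr, Call):
        return resolve(METHODS[expr.method])  # follow control flow into the callee
    if isinstance(expr, Concat):
        return resolve(expr.left) + resolve(expr.right)   # string concatenation
    raise TypeError(expr)


def approximation_graph(writes: List[Expr]) -> List[str]:
    """Straight-line approximation graph: one node per emitted piece, in output order."""
    nodes: List[str] = []
    for w in writes:
        nodes.extend(resolve(w))
    return nodes


OPEN_TAG = re.compile(r'<script\b[^>]*>', re.IGNORECASE)
CLOSE_TAG = re.compile(r'</script\s*>', re.IGNORECASE)


def extract_inline_scripts(nodes: List[str]) -> List[List[str]]:
    """Step two: cut each <script>...</script> body out of the graph as a list of
    nodes. STAR nodes inside a script are kept so the caller can tell static
    scripts from dynamic ones. Assumes a tag is not split across two nodes."""
    scripts: List[List[str]] = []
    current: List[str] = []
    inside = False
    for node in nodes:
        if node == STAR:
            if inside:
                current.append(STAR)
            continue                        # a * outside a script is data, not code
        pos = 0
        while pos < len(node):
            if not inside:
                m = OPEN_TAG.search(node, pos)
                if m is None:
                    break
                inside, current, pos = True, [], m.end()
            else:
                m = CLOSE_TAG.search(node, pos)
                if m is None:
                    current.append(node[pos:])
                    break
                if m.start() > pos:
                    current.append(node[pos:m.start()])
                scripts.append(current)
                inside, current, pos = False, [], m.end()
    return scripts


def is_static(script: List[str]) -> bool:
    """A script with no * node is fixed at compile time and can be moved as-is."""
    return STAR not in script
```

Note where the `*` for `this.Name` ends up: outside any script region, so it is ignored by extraction. That is the point of the design: whatever an attacker places there is Data, and after the rewrite the browser will have no reason to execute it.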
Pages 63-66
Rewrite Web Application
Before:
<html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <%= this.Name %> </p> </body></html>
After (Data):
<html> <body> <script src="0cc111eb135.js"> </script> <p>Hello <%= this.Name %> </p> </body></html>
Code (0cc111eb135.js):
alert("welcome to example.com!");
Content-Security-Policy: script-src http://example.com/0cc111eb135.js
At this point, if the inline JavaScript code is static, we have protected the application. No attacker-controlled data in the Data segment will ever be interpreted as Code.
Unfortunately, developers sometimes dynamically generate the Code of an application. If this happens with untrusted Data, there can still be an XSS vulnerability.
![Page 67: deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation](https://reader033.fdocuments.us/reader033/viewer/2022061214/547da976b4af9f33438b45f9/html5/thumbnails/67.jpg)
Dynamic Inline JavaScript
<html> <script> var username = "<%= Username %>"; </script></html>
![Page 68: deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation](https://reader033.fdocuments.us/reader033/viewer/2022061214/547da976b4af9f33438b45f9/html5/thumbnails/68.jpg)
Dynamic Inline JavaScript
Inline script extracted from the page: var username = "<%= Username %>";
Code: the surrounding JavaScript statement. Data: the <%= Username %> expression inside the string.
Here, the developer has chosen to dynamically generate the Code from untrusted data.
![Page 69: deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation](https://reader033.fdocuments.us/reader033/viewer/2022061214/547da976b4af9f33438b45f9/html5/thumbnails/69.jpg)
Dynamic Inline JavaScript
var username = "*";
(The * stands for the statically unknown value that <%= Username %> produces at runtime.)
![Page 70: deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation](https://reader033.fdocuments.us/reader033/viewer/2022061214/547da976b4af9f33438b45f9/html5/thumbnails/70.jpg)
We developed a technique to safely transform cases of dynamic inline JavaScript. If the statically undecidable content is used in a known JavaScript context (a JavaScript string or comment), we can safely rewrite the application. We call these cases "safe dynamic inline JavaScript."
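The classification the slide describes (is the server-side expression inside a JavaScript string or comment, or somewhere else in the code?) and a rewrite of the safe cases, as an added Python example. This is not deDacota's code and the rewriting scheme is an assumption made here: a string-context value is emitted into the page as an HTML attribute on a hidden element (Data) and the now-static script reads it back through the DOM, using the ASP.NET HttpUtility.HtmlAttributeEncode encoder on the server side; a comment-context expression is dropped, since comment text never executes; anything else is reported as unsafe dynamic. Element ids dd0, dd1, ... are assumed, and template and regex literals are not modelled (they count as unsafe).

```python
import re
from typing import List, NamedTuple, Tuple

# Server-side expressions in the ASP.NET templates shown on the slides.
EXPR_RE = re.compile(r"<%=\s*(.*?)\s*%>", re.DOTALL)


class Occurrence(NamedTuple):
    start: int     # index of '<%='
    end: int       # index just past '%>'
    expr: str      # server expression text, e.g. Username
    context: str   # 'string', 'comment' or 'code'
    quote: str     # enclosing quote character when context == 'string', else ''


def scan(script: str) -> List[Occurrence]:
    """Walk an inline script, tracking JavaScript string and comment state,
    and record the context of every <%= %> expression. Template literals and
    regex literals are not modelled, so expressions in them count as code."""
    found: List[Occurrence] = []
    state = "code"          # code | dq | sq | line | block
    i, n = 0, len(script)
    while i < n:
        if script.startswith("<%=", i):
            m = EXPR_RE.match(script, i)
            if m:
                ctx = {"code": "code", "dq": "string", "sq": "string",
                       "line": "comment", "block": "comment"}[state]
                quote = {"dq": '"', "sq": "'"}.get(state, "")
                found.append(Occurrence(m.start(), m.end(), m.group(1), ctx, quote))
                i = m.end()
                continue
        c = script[i]
        if state == "code":
            if c == '"':
                state = "dq"
            elif c == "'":
                state = "sq"
            elif script.startswith("//", i):
                state, i = "line", i + 1
            elif script.startswith("/*", i):
                state, i = "block", i + 1
        elif state in ("dq", "sq"):
            if c == "\\":
                i += 1                      # skip the escaped character
            elif c == ('"' if state == "dq" else "'"):
                state = "code"
        elif state == "line" and c == "\n":
            state = "code"
        elif state == "block" and script.startswith("*/", i):
            state, i = "code", i + 1
        i += 1
    return found


def classify(script: str) -> List[Tuple[str, str]]:
    """(expression, context) pairs; the 'code' context is unsafe dynamic."""
    return [(o.expr, o.context) for o in scan(script)]


def rewrite_script(script: str, prefix: str = "dd") -> Tuple[str, List[str], List[str]]:
    """Rewrite the safe dynamic occurrences so the script becomes static.
    Returns (static script, data elements to emit in the page, unsafe expressions).
    Assumed scheme: string context -> hidden element + DOM lookup;
    comment context -> expression removed; code context -> untouched, reported."""
    out = script
    data_elems: List[str] = []
    unsafe: List[str] = []
    # Splice right-to-left so earlier offsets stay valid.
    for k, o in reversed(list(enumerate(scan(script)))):
        if o.context == "string":
            elem_id = f"{prefix}{k}"
            data_elems.insert(0, f'<span id="{elem_id}" hidden data-value="'
                                 f'<%= HttpUtility.HtmlAttributeEncode({o.expr}) %>"></span>')
            lookup = f'document.getElementById("{elem_id}").getAttribute("data-value")'
            whole = (o.start > 0 and o.end < len(out)
                     and out[o.start - 1] == o.quote and out[o.end] == o.quote)
            if whole:   # "<%= X %>" -> lookup, no empty-string concatenation
                out = out[:o.start - 1] + lookup + out[o.end + 1:]
            else:       # "a <%= X %> b" -> "a " + lookup + " b"
                out = out[:o.start] + o.quote + " + " + lookup + " + " + o.quote + out[o.end:]
        elif o.context == "comment":
            out = out[:o.start] + out[o.end:]
        else:
            unsafe.insert(0, o.expr)
    return out, data_elems, unsafe


if __name__ == "__main__":
    for s in ['var username = "<%= Username %>";', "var n = <%= Count %>;"]:
        print(classify(s), rewrite_script(s))
```

For the slide's own case the script becomes `var username = document.getElementById("dd0").getAttribute("data-value");`, which no longer contains any server-side expression and can be moved to an external file like any other static script; the untrusted value travels only as an attribute-encoded HTML attribute, which the browser hands back as a plain string.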
![Page 71: deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation](https://reader033.fdocuments.us/reader033/viewer/2022061214/547da976b4af9f33438b45f9/html5/thumbnails/71.jpg)
EVALUATION
![Page 72: deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation](https://reader033.fdocuments.us/reader033/viewer/2022061214/547da976b4af9f33438b45f9/html5/thumbnails/72.jpg)
Applications

| Application | Lines of Code | Known Vulnerability |
| --- | --- | --- |
| BugTracker.NET | 35,674 | CVE-2010-3266 |
| BlogEngine.NET | 29,512 | CVE-2008-6476 |
| BlogSA.NET | 6,994 | CVE-2009-0814 |
| ScrewTurn Wiki | 12,155 | CVE-2008-3483 |
| WebGoat.NET | 11,993 | 2 Intentional |
| ChronoZoom | 21,261 | N/A |
![Page 73: deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation](https://reader033.fdocuments.us/reader033/viewer/2022061214/547da976b4af9f33438b45f9/html5/thumbnails/73.jpg)
Evaluation
• Security
  – Crafted exploits for applications with known vulnerabilities
  – Transformed applications, along with CSP, blocked the exploits
• Functional correctness
  – ChronoZoom had 160 JavaScript tests and all passed after the transformation
  – Manually browsed the application and source code looking for missing inline JavaScript
![Page 74: deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation](https://reader033.fdocuments.us/reader033/viewer/2022061214/547da976b4af9f33438b45f9/html5/thumbnails/74.jpg)
[Chart: percentage of inline JavaScript in each application (BugTracker.NET, BlogEngine.NET, BlogSA.NET, ScrewTurn Wiki, WebGoat.NET, ChronoZoom) that is Static, Safe Dynamic or Unsafe Dynamic; y-axis 0% to 100%.]
![Page 75: deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation](https://reader033.fdocuments.us/reader033/viewer/2022061214/547da976b4af9f33438b45f9/html5/thumbnails/75.jpg)
[Same chart as page 74: Static / Safe Dynamic / Unsafe Dynamic share of inline JavaScript per application.]
Here we are going to look at what percentage of the inline JavaScript in each application is static, safe dynamic, or unsafe dynamic.
![Page 76: deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation](https://reader033.fdocuments.us/reader033/viewer/2022061214/547da976b4af9f33438b45f9/html5/thumbnails/76.jpg)
[Same chart; this build reveals the bar labels 41, 4, 10, 27, 6, 5 (extracted without their bar positions).]
![Page 77: deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation](https://reader033.fdocuments.us/reader033/viewer/2022061214/547da976b4af9f33438b45f9/html5/thumbnails/77.jpg)
[Same chart; this build additionally reveals the bar labels 3, 10, 14 (extracted without their bar positions).]
![Page 78: deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation](https://reader033.fdocuments.us/reader033/viewer/2022061214/547da976b4af9f33438b45f9/html5/thumbnails/78.jpg)
[Same chart as page 77.]
In these safe dynamic situations, we are able to safely transform the dynamic inline JavaScript code.
![Page 79: deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation](https://reader033.fdocuments.us/reader033/viewer/2022061214/547da976b4af9f33438b45f9/html5/thumbnails/79.jpg)
[Same chart; this build additionally reveals the bar labels 2, 41, 4 (extracted without their bar positions).]
![Page 80: deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation](https://reader033.fdocuments.us/reader033/viewer/2022061214/547da976b4af9f33438b45f9/html5/thumbnails/80.jpg)
[Same chart as page 79.]
In cases of unsafe dynamic inline JavaScript, we alert the developer that the transformation could potentially contain an XSS vulnerability. After the developer confirms the absence of an XSS vulnerability in the unsafe dynamic inline JavaScript, the application is guaranteed free of XSS vulnerabilities.
![Page 81: deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation](https://reader033.fdocuments.us/reader033/viewer/2022061214/547da976b4af9f33438b45f9/html5/thumbnails/81.jpg)
Limitations
• Might miss inline JavaScript
  – Loops
  – Dynamic code execution
• Does not handle HTML attributes and CSS
![Page 82: deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation](https://reader033.fdocuments.us/reader033/viewer/2022061214/547da976b4af9f33438b45f9/html5/thumbnails/82.jpg)
Summary
• Code and Data separation is necessary to prevent XSS
• deDacota can automatically separate the Code and Data of a web application
• deDacota works in practice
![Page 83: deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation](https://reader033.fdocuments.us/reader033/viewer/2022061214/547da976b4af9f33438b45f9/html5/thumbnails/83.jpg)
DEDACOTA: TOWARD PREVENTING SERVER-SIDE XSS VIA AUTOMATIC CODE AND DATA SEPARATION
Adam Doupé
Email: [email protected]
@adamdoupe