Date post: | 28-Dec-2015 |
Category: |
Documents |
Upload: | sherman-foster |
View: | 222 times |
Download: | 1 times |
BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for
Existing Browsers
Mike Ter Louw, V.N. Venkatakrishnan
University of Illinois at Chicago
IEEE Symposium on Security and Privacy, 2009
---
Presented by Joseph Del Rocco
University of Central Florida
2
Outline
• Cross-site Scripting Overview
• BLUEPRINT– Overview– Specifics– Experiment / Results– Contributions– Weakness / Improvement
• References
3
Trusted vs. Untrusted HTML
4
Trusted vs. Untrusted HTML
5
Cross-site Scripting (XSS)
• Code injection into untrusted HTML which exploits client-side browser parsing
• Hacker injects code into untrusted section,innocent user visits the web page,client browser displays all content,user encounters unintended content / hack
• JavaScript (HTML, CSS, Java, Flash, etc.)• Non-persistent (reflected), Persistent (stored)
6
XSS Example
http://www.cisco.com/en/US/docs/solutions/Verticals/PCI_Healthcare/PCI_AppD.html#wp1026905
7
XSS Example
http://www.zdnet.com/blog/security/facebook-vulnerable-to-critical-xss-could-lead-to-malware-attacks/1175
8
XSS Example
http://news.netcraft.com/archives/2008/04/24/clinton_and_obama_xss_battle_develops.html
9
XSS Example
Many web applications also store user preferences in JavaScript variables directly…
10
www.xssed.com
XSS vulnerability found at these domains.
Not yet fixed…
11
BLUEPRINT Goals
• W3C + dev cycle slow. Need solution now!
• Solution should be transparent to user, support current browsers, no plug-ins, etc.
• Retain expressiveness of untrusted HTML
• Do not rely on browser to parse this data!
• Enable web apps. to create a “blueprint” of untrusted web content free of XSS attacks,bridging divide between app. & browser
12
HTML Interpretation Process
13
Document Object Model (DOM)
http://www.wdvl.com/Authoring/DHTML/DOM/NS.htmlhttp://www.codeguru.com/csharp/csharp/cs_misc/userinterface/article.php/c12267
14
BLUEPRINT Approach
• Reduce browser influence of parsing: HTML, CSS, URI, JavaScript
• Server encodes chunks as models,
• Server API uses whitelist to vet models,data encoded w/ syntactically inert chars
• Transmit encoded data via <code> nodes,so browser ignores them, + script calls tomodel interpreter ( _bp_ )
15
BLUEPRINT API
16
BLUEPRINT Model
Encoded to…
old new
HTMLpresented to client
17
HTML Interpretation Process
Normal path:A, B, C, D, E
Untrusted data:A, B’, Q, P, E, R
_bp_ script +encoded models
A, B, C, D, E
18
Reduce HTML Parser Influence
• Models encoded in syntactically inert lang: {a,…,z,A,…,Z,0,…,9,/,+,=}*
• Decode model w/ model interpreter _bp_,link embedded in <head> element
• Use of DOM API to create elements
• Original rendering order preserved, models embedded near original location, decoded synchronously as page renders
19
Reduce CSS Parser Influence
• element.style obj. vetted by whitelist, only known static properties allowed
• expression() allows any dynamic property to contain exec code, so use setExpression() to function using whitelist to return valid static property
• Whitelist behavior and –moz-binding• @import (CSS files) not supported
20
Reduce URI Parser Influence
• javascript: scheme very dangerous,no API exists for controlling the browser,scheme selection by browser URI parser.
• Use whitelist of schemes:http: https: ftp: mailto:
• Additional steps include testing browser scheme interpretation, and rewriting URIs,paper defers to previous work…
21
Reduce JS Parser Influence
• Common for web apps to store user prefs. in JavaScript variables for customization,so allow this but convert to _bp_ call
22
BLUEPRINT Model Generator
23
Results
24
Contributions
• W3C / browser development cycle is slow,offers effective XSS defense solution now
• No required plug-ins, browser, ext., etc.,empowers web developers, user benefits
• Innovative thinking:Web developers bypass browser parsing
25
Weaknesses
• All websites now have to update their libraries of code to use BLUEPRINT…
• HTML interpretation process may change,especially on embedded browsers
• Large script (15.6kB) downloaded / cached,How safe is this script? One for each site?
• Client browser may disable JavaScript
• Page size overhead due to text encoding
26
Improvement / Future Work
• Securely transfer script & keep up-to-date
• Perhaps different encoding scheme or compress w/ fast codec
• Maybe a scheme that empowers user?
27
References
1 M. Ter Louw, V.N. Venkatakrishnan. BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers, IEEE Symposium on Security & Privacy, 2009
2 DP, KF, et al. www.xssed.com, Cross-site Scripting Attacks Information, 2007-present
3 UIC, http://sisl.rites.uic.edu/blueprint, BLUEPRINT information site (Wiki), 2009
4 Wikipedia, http://en.wikipedia.org/wiki/Cross-site_scripting
5 W3C, http://www.w3.org/2002/07/26-dom-article, 2002