Slide 1: FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications

Prateek Saxena*, Pongsin Poosankam‡*, Steve Hanna*, Dawn Song*
* UC Berkeley, ‡ Carnegie Mellon University

Slide 2: Client-side Validation (CSV) Vulnerabilities
• A new class of input validation vulnerabilities
• Analogous to server-side bugs
 – Unsafe data usage in the client-side JS code
• Involves data flows
 – Purely client-side: data never sent to server
 – Returned from server, then used in client-side code

Slide 3: Rich Web Applications
• Lots of JS code
• Rich cross-domain interaction
[Figure: four interacting applications, APP 1 to APP 4]

Slide 4: Outline
• CSV Vulnerability Examples
• FLAX: Tool and Techniques
 – Challenges & Key Idea
 – Tool Architecture
 – Design
• Real Attacks and Evaluation Results
• Related Work & Conclusion

Slide 5: Vulnerability Example (I): Origin Misattribution
• Cross-domain Communication
 – Example: HTML5 postMessage
[Figure: a sender (facebook.com) posts a message to a receiver (cnn.com). Legitimate message: Origin www.facebook.com, Data "Chatuser: Joe, Msg: Hi". Attacker's message: Origin www.evil.com, Data "Chatuser: Joe, Msg: onlinepharmacy.com". The receiver that does not check the origin attributes the second message to Facebook.]

Slide 6: Vulnerability Example (II): Code Injection
• Code/data mixing
• Dynamic code evaluation
 – eval
 – DOM methods ...
• Eval also deserializes objects ...
 – JSON: eval(.. + event.data);
[Figure: receiver facebook.com evaluates incoming Data "alert('0wned');"]

Slide 7: Vulnerability Example (III): Application Command Injection
• Application-specific commands
• Example: Chat application
[Figure: the page http://chat.com/roomname=nba carries the injected command "..=nba&cmd=addbuddy&user=evil". When the user clicks "Join this room", the application JavaScript calls XMLHttpReq.open(url). The intended request is http://chat.com?cmd=joinroom&room=nba; the request actually sent to the application server is http://chat.com?cmd=joinroom&room=nba&cmd=addbuddy&user=evil.]

Slide 8: Vulnerability Example (IV): Cookie Sink Vulnerabilities
• Cookies
 – Store session ids, user's history and preferences
 – Have their own control format, using attributes
• Can be read/written in JavaScript
• Attacks
 – Session fixation
 – History and preference data manipulation
 – Cookie attribute manipulation/changes

Slide 9: Summary of Goals
• Systematic discovery techniques
 – FLAX: An automatic tool for discovery
 – A new hybrid technique for JavaScript analysis
• Evaluate prevalence in real code
 – An empirical evaluation of real-world applications
 – Find several unknown CSV vulnerabilities

Slide 10: Outline (repeated)
• CSV Vulnerabilities
• FLAX: Tool and Techniques
 – Challenges & Key Idea
 – Tool Architecture
 – Design
• Real Attacks and Evaluation Results
• Related Work & Conclusion

Slide 11: Problem Definition
• Definition
 – Unsafe usage of untrusted data in a critical sink
• Systematic discovery of CSV vulnerabilities
• Two sub-problems
 – Exploring program space
 – Finding bugs in some explored functionality
• Attacker Model
 – Web attacker (evil.com)
 – User-as-an-attacker

Slide 12: Challenges: End-to-end Web Application Analysis
• JavaScript complexity
 – Highly dynamic language
 – String-heavy
• Parsing ops. indistinguishable from validation checks
 – Custom sanity routines are common
• Hidden server-side logic
 – Assumes no knowledge of the server
 – Handles reflected flows: data flows to server and back

Slide 13: Key Insight
• Taint-enhanced black-box fuzzing (TEBF)
 – A simple idea
 – Combine benefits of taint-tracking & fuzzing
 – Requires no source code annotations
 – No false positives
• FLAX: An End-to-end System
 – Simplifies JS first
 – Implements TEBF
 – Handles reflected flow using approximate tainting
[Figure: chart of "Efficiency of finding bugs" against "False positives", placing purely dynamic taint-tracking, TEBF, syntax-driven fuzzing and black-box fuzzing]

Slide 14: FLAX Tool Design
[Figure: pipeline from Initial Input and Source, through the JavaScript program's Transformation Operations, to an Execution Trace; Taint-tracking yields Path Constraints and an Acceptor Slice; the SINK-AWARE FUZZER drives the Sink and asks EXPLOIT?]

Acceptor example (the slide's own code, with declarations and comments added):

    function acceptor(input) {
      // Shape the sanitized input must have: an object with two key/value pairs
      var must_match = '{]:],]:]}';
      // Escape sequences, JSON literals (strings, numbers, true/false/null),
      // and leading '[' runs, respectively
      var re1 = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g;
      var re2 = /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g;
      var re3 = /(?:^|:|,)(?:\s*\[)+/g;
      // Transformation operations: replace escapes with '@', literals with ']'
      var rep1 = input.replace(re1, "@");
      var rep2 = rep1.replace(re2, "]");
      var rep3 = rep2.replace(re3, "");
      // Validation check: only the remaining structural characters are compared
      if (rep3 == must_match) {
        return true;
      }
      return false;
    }

Slide 15: FLAX Implementation
[Figure: JAVASCRIPT INTERPRETER emits a JASIL EXECUTION TRACE, consumed by the TAINT ENGINE and the ACCEPTOR SLICE GENERATOR]

Trace excerpt:

    X = INPUT[4]
    Y = SubStr(X, 0, 4)
    Z = (Y == "http")
    PC = IF (Z) THEN (T) ELSE (NEXT)

Slide 16: Simplifying JavaScript
• JASIL: Our intermediate language
 – A simple type system
 – Small set of operations
• Enables string-centric, fine-grained taint tracking on JS

Slide 17: Simplifying JavaScript (II)
• Benefits of JASIL simplification to taint-tracking
• Example: Taint semantics for replace are difficult!

    rep1 = INPUT.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@");

[Figure: emitted JASIL instructions. INPUT is cut into pieces with subString (R), the literal "@" is introduced with convert, and the pieces and "@" literals are joined with concat to form OUTPUT.]

Slide 18: Outline (repeated)
• CSV Vulnerabilities
• FLAX: Tool and Techniques
 – Challenges & Key Idea
 – Tool Architecture
 – Design
• Attacks and Evaluation Results
• Related Work & Conclusion

Slide 19: Evaluation
• 40 Subjects
 – iGoogle gadgets
 – AJAX applications and web sites
• Setup
 – Untrusted sources
  » All cross-domain channels
  » Text boxes
 – Critical sinks
  » Code evaluation constructs
  » XHR url data
  » Cookies

Slide 20: Results (I)
• Summary
 – Taint observed in 18 / 40 subjects
 – FLAX found 11 previously unknown vulnerabilities

    Vulnerability Type              Number of vulnerabilities
    Code Injection                  8
    Origin Misattribution           1
    Application Command Injection   1
    Cookie Sink                     1
    TOTAL FOUND BY FLAX             11

• Examples
 – Origin Misattribution leading to XSS in Facebook Connect
 – Gadget Overwriting Attacks on Google/IG
 – Application Command Injection on AjaxIM
 – Code injection and cookie attribute manipulation via cookie sinks

Slide 21: Example Attacks: Gadget Overwriting
[Figure: the browser shows the legitimate URL bar and an attack link to the iGoogle page; the compromised gadget is displayed with overwritten contents]

Slide 22: Effectiveness
• Character-level precise taint-tracking helps fuzzing
• Reduction in input sizes
[Figure: reduction in input sizes]

Slide 23: Effectiveness (II)
• Reduction in false positives, TEBF vs. pure taint-tracking
[Figure: false positives, TEBF vs. pure taint-tracking]

Slide 24: Conclusion
• A new class of vulnerabilities: CSV
• Example attacks
• A systematic discovery tool: FLAX
 – No annotations, no false positives
 – Employs a simple TEBF technique
 – Robust analysis using JASIL
• CSV vulnerabilities are actually prevalent today
 – Found 11 previously unknown vulns
 – Demonstrate proof-of-concept exploits

Slide 25: Contact
• Contact:
 – Prateek Saxena (prateeks@cs.berkeley.edu)
• Please visit our project web site
 – http://webblaze.cs.berkeley.edu
THANKS FOR LISTENING
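The four vulnerability examples (slides 5 to 8) each end in a different client-side sink: the postMessage origin, eval, the XHR URL and the cookie string. The following receiver is an added example, not code from the FLAX slides or from any application the authors tested; it shows the checks that close each of the four sinks. The trusted-origin list, the message shape (a JSON object with chatuser and msg fields), the hostnames and the cookie name are all assumed for illustration.

```javascript
// Added example, not from the FLAX slides: one postMessage receiver that
// closes the four sink classes the examples describe. The trusted-origin
// list, the message shape and the hostnames are assumed.
const TRUSTED_ORIGINS = new Set(["https://www.facebook.com"]); // assumed allowlist

// (I) Origin misattribution: check event.origin before trusting event.data,
// so a message from www.evil.com is not attributed to Facebook.
function isTrustedOrigin(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// (II) Code injection: deserialize with JSON.parse instead of eval(.. + data)
// and validate the shape, so data such as "alert('0wned');" is never executed.
function parseChatMessage(data) {
  let obj;
  try {
    obj = JSON.parse(data);
  } catch (e) {
    return null; // not JSON: eval would have run this as code
  }
  if (obj === null || typeof obj !== "object") return null;
  if (typeof obj.chatuser !== "string" || typeof obj.msg !== "string") return null;
  return { chatuser: obj.chatuser, msg: obj.msg };
}

// (III) Application command injection: encode each parameter value, so a room
// name "nba&cmd=addbuddy&user=evil" stays one value instead of a second command.
function buildJoinRoomUrl(base, room) {
  return base + "?cmd=joinroom&room=" + encodeURIComponent(room);
}

// (IV) Cookie sink: the cookie string has its own attribute syntax (';', '=').
// Encoding the value keeps untrusted data from rewriting Path, Domain or Expires.
function buildPreferenceCookie(name, value) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error("invalid cookie name");
  return name + "=" + encodeURIComponent(value) + "; Path=/; Secure; SameSite=Strict";
}

// Handler that applies checks (I) and (II) to a received message event;
// returns the validated message or null when the message is rejected.
function handleMessage(event) {
  if (!isTrustedOrigin(event.origin)) return null;
  return parseChatMessage(event.data);
}

// Constructed sample events, in the shape window.addEventListener("message", ...) delivers.
const LEGIT_EVENT = { origin: "https://www.facebook.com", data: '{"chatuser":"Joe","msg":"Hi"}' };
const SPOOFED_EVENT = { origin: "https://www.evil.com", data: '{"chatuser":"Joe","msg":"Hi"}' };
console.log(handleMessage(LEGIT_EVENT), handleMessage(SPOOFED_EVENT));
```

In a real page the handler would be registered with `window.addEventListener("message", handleMessage)` and the returned values written to the DOM, the XHR URL and `document.cookie`; the point of each function is that the untrusted bytes are either rejected or encoded before they reach the sink, which is exactly the data flow FLAX's taint engine follows.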
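Slides 13 to 17 and 22 argue that character-level taint tracking, with replace lowered to subString, convert and concat, tells the sink-aware fuzzer which input positions actually reach a sink. The model below is an added example written for this page, not FLAX's taint engine or JASIL: every character of the untrusted input carries the set of input offsets it came from, the three string operations propagate those sets, and the slide-14 acceptor is run over tainted input to report which offsets survive to the equality check. The sample inputs are constructed.

```javascript
// Added example, not FLAX's code: a toy model of character-level taint tracking.
// Each character records the input offsets it derives from; subString, concat
// and replace propagate them as the JASIL lowering on slide 17 does (matched
// regions are cut out, the replacement literal is untainted, pieces are joined).
class TaintedString {
  constructor(chars) {
    this.chars = chars; // array of { c: one UTF-16 code unit, taint: Set of offsets }
  }
  static fromInput(s) {
    return new TaintedString(s.split("").map((c, i) => ({ c, taint: new Set([i]) })));
  }
  static literal(s) {
    return new TaintedString(s.split("").map((c) => ({ c, taint: new Set() })));
  }
  toString() { return this.chars.map((x) => x.c).join(""); }
  subString(start, end) { return new TaintedString(this.chars.slice(start, end)); }
  concat(other) { return new TaintedString(this.chars.concat(other.chars)); }
  // replace(re, literal): match on the plain string, then rebuild the result
  // from the untouched (still tainted) slices and untainted literals.
  replace(re, literal) {
    if (!re.global) throw new Error("model expects a /g regex, as the acceptor uses");
    const s = this.toString();
    let out = new TaintedString([]);
    let pos = 0;
    let m;
    re.lastIndex = 0;
    while ((m = re.exec(s)) !== null) {
      out = out.concat(this.subString(pos, m.index)).concat(TaintedString.literal(literal));
      pos = m.index + m[0].length;
      if (m[0].length === 0) re.lastIndex++; // never loop on an empty match
    }
    return out.concat(this.subString(pos, s.length));
  }
  // Sorted union of the offsets still present: the input bytes that reach this value.
  taintedOffsets() {
    const t = new Set();
    for (const x of this.chars) for (const i of x.taint) t.add(i);
    return [...t].sort((a, b) => a - b);
  }
}

// The JSON acceptor from slide 14, run on tainted data. Its equality test is
// the sink; the offsets returned are the only positions a sink-aware fuzzer
// needs to mutate to change the outcome of that check.
const MUST_MATCH = "{]:],]:]}";
const RE1 = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g;
const RE2 = /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g;
const RE3 = /(?:^|:|,)(?:\s*\[)+/g;

function traceAcceptor(input) {
  const rep1 = TaintedString.fromInput(input).replace(RE1, "@");
  const rep2 = rep1.replace(RE2, "]");
  const rep3 = rep2.replace(RE3, "");
  const offsets = rep3.taintedOffsets();
  return {
    accepted: rep3.toString() === MUST_MATCH,
    sinkOffsets: offsets,
    // share of the input that still matters at the sink (slide 22's input-size reduction)
    fuzzRatio: offsets.length / input.length,
  };
}

// Constructed samples: a well-formed two-field object and a malformed one.
const SAMPLE_OK = '{"user":"Joe","msg":"Hi"}';
const SAMPLE_BAD = '{"user":["Joe"]}';
console.log(traceAcceptor(SAMPLE_OK));
console.log(traceAcceptor(SAMPLE_BAD));
```

On the well-formed sample only the five structural characters (offsets 0, 7, 13, 19, 24) reach the comparison; the string contents have been replaced by untainted "]" literals, so a fuzzer that mutates by taint touches one fifth of the input rather than all of it, which is the effect slide 22 reports. Pure taint tracking alone would flag the sink as reached; TEBF additionally has to produce a concrete input that flips the check before it reports anything, which is where the slides' "no false positives" claim comes from.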