BLUEPRINT : Robust Prevention of Cross-site Scripting Attacks for Existing Browsers

advertisement
BLUEPRINT: Robust Prevention
of Cross-site Scripting Attacks for
Existing Browsers
Mike Ter Louw, V.N. Venkatakrishnan
University of Illinois at Chicago
IEEE Symposium on Security and Privacy, 2009
--Presented by Joseph Del Rocco
University of Central Florida
Outline
• Cross-site Scripting Overview
• BLUEPRINT
– Overview
– Specifics
– Experiment / Results
– Contributions
– Weakness / Improvement
• References
2
Trusted vs. Untrusted HTML
3
Trusted vs. Untrusted HTML
4
Cross-site Scripting (XSS)
• Code injection into untrusted HTML
which exploits client-side browser parsing
• Hacker injects code into untrusted section,
innocent user visits the web page,
client browser displays all content,
user encounters unintended content / hack
• JavaScript (HTML, CSS, Java, Flash, etc.)
• Non-persistent (reflected), Persistent (stored)
5
XSS Example
http://www.cisco.com/en/US/docs/solutions/Verticals/PCI_Healthcare/PCI_AppD.html#wp1026905
6
XSS Example
http://www.zdnet.com/blog/security/facebook-vulnerable-to-critical-xss-could-lead-to-malware-attacks/1175
7
XSS Example
http://news.netcraft.com/archives/2008/04/24/clinton_and_obama_xss_battle_develops.html
8
XSS Example
Many web applications also store user
preferences in JavaScript variables directly…
9
www.xssed.com
XSS vulnerability found
at these domains.
Not yet fixed…
10
BLUEPRINT Goals
• W3C + dev cycle slow. Need solution now!
• Solution should be transparent to user,
support current browsers, no plug-ins, etc.
• Retain expressiveness of untrusted HTML
• Do not rely on browser to parse this data!
• Enable web apps. to create a “blueprint” of
untrusted web content free of XSS attacks,
bridging divide between app. & browser
11
HTML Interpretation Process
12
Document Object Model (DOM)
http://www.wdvl.com/Authoring/DHTML/DOM/NS.html
http://www.codeguru.com/csharp/csharp/cs_misc/userinterface/article.php/c12267
13
BLUEPRINT Approach
• Reduce browser influence of parsing:
HTML, CSS, URI, JavaScript
• Server encodes chunks as models,
• Server API uses whitelist to vet models,
data encoded w/ syntactically inert chars
• Transmit encoded data via <code> nodes,
so browser ignores them, + script calls to
model interpreter ( _bp_ )
14
BLUEPRINT API
15
BLUEPRINT Model
HTML
presented to client
Encoded to…
old
new
16
HTML Interpretation Process
Normal path:
A, B, C, D, E
_bp_ script +
encoded models
A, B, C, D, E
Untrusted data:
A, B’, Q, P, E, R
17
Reduce HTML Parser Influence
• Models encoded in syntactically inert lang:
{a,…,z,A,…,Z,0,…,9,/,+,=}*
• Decode model w/ model interpreter _bp_,
link embedded in <head> element
• Use of DOM API to create elements
• Original rendering order preserved,
models embedded near original location,
decoded synchronously as page renders
18
Reduce CSS Parser Influence
• element.style obj. vetted by whitelist,
only known static properties allowed
• expression() allows any dynamic
property to contain exec code, so use
setExpression() to function using
whitelist to return valid static property
• Whitelist behavior and –moz-binding
• @import (CSS files) not supported
19
Reduce URI Parser Influence
• javascript: scheme very dangerous,
no API exists for controlling the browser,
scheme selection by browser URI parser.
• Use whitelist of schemes:
http: https: ftp: mailto:
• Additional steps include testing browser
scheme interpretation, and rewriting URIs,
paper defers to previous work…
20
Reduce JS Parser Influence
• Common for web apps to store user prefs.
in JavaScript variables for customization,
so allow this but convert to _bp_ call
21
BLUEPRINT Model Generator
22
Results
23
Contributions
• W3C / browser development cycle is slow,
offers effective XSS defense solution now
• No required plug-ins, browser, ext., etc.,
empowers web developers, user benefits
• Innovative thinking:
Web developers bypass browser parsing
24
Weaknesses
• All websites now have to update their
libraries of code to use BLUEPRINT…
• HTML interpretation process may change,
especially on embedded browsers
• Large script (15.6kB) downloaded / cached,
How safe is this script? One for each site?
• Client browser may disable JavaScript
• Page size overhead due to text encoding
25
Improvement / Future Work
• Securely transfer script & keep up-to-date
• Perhaps different encoding scheme or
compress w/ fast codec
• Maybe a scheme that empowers user?
26
References
1
M. Ter Louw, V.N. Venkatakrishnan. BLUEPRINT: Robust
Prevention of Cross-site Scripting Attacks for Existing Browsers,
IEEE Symposium on Security & Privacy, 2009
2
DP, KF, et al. www.xssed.com, Cross-site Scripting Attacks
Information, 2007-present
3
UIC, http://sisl.rites.uic.edu/blueprint, BLUEPRINT information site
(Wiki), 2009
4
Wikipedia, http://en.wikipedia.org/wiki/Cross-site_scripting
5
W3C, http://www.w3.org/2002/07/26-dom-article, 2002
27
Download