Uploaded by Vasanthi Tarigopula

ZigZag: Automatically Hardening Web Applications Against Client-Side Validation Vulnerabilities
Presented by Vasanthi Tarigopula
Introduction
• The popularity of web-based services has attracted a large number of malicious actors.
• Vulnerabilities persist even though static and dynamic program analyses are applied.
• Browser JavaScript engines have advanced and HTML5 APIs have been widely adopted.
• With the increasing use of HTML5 APIs such as postMessage, client-side validation vulnerabilities are becoming increasingly important to address.
• Most detection and prevention techniques focus on the server side and less on the client side.
• Hence there is a need for a client-side system that can protect against these vulnerabilities.
Background
Same Origin Policy (each URL compared with http://store.company.com/dir/page.html)

URL                                              Result   Reason
http://store.company.com/dir2/other.html         Success  Only the path differs
http://store.company.com/dir/inner/another.html  Success  Only the path differs
https://store.company.com/secure.html            Failure  Different protocol
http://store.company.com:81/dir/etc.html         Failure  Different port
http://news.company.com/dir/other.html           Failure  Different host
Background (Continued): Same Origin Policy
Background (Continued): HTML5 API: postMessage
Background (Continued)
• While postMessage provides much greater flexibility to application developers, it
also opens the door for vulnerabilities to be introduced into web applications due
to insufficient origin checks or other programming mistakes.
Background (Continued): postMessage Client-Side Validation Vulnerabilities
function listener(event) {
  // Substring check: any origin that merely contains "domain.test" passes
  if (event.origin.indexOf("domain.test") != -1) {
    eval(event.data);  // message payload is executed as code
  }
}
Developer must verify the origin correctly: "domain.test.attacker.com" also passes this check.
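To make the slide's point concrete, here is an added example (not code from the ZigZag paper or these slides) that places the substring origin check next to an exact-match check and a listener that dispatches parsed messages instead of calling eval(). The trusted origin value, the handler table and the sample origins are constructed for the demonstration.

```javascript
// Added example, not from the ZigZag paper or these slides: the slide's
// substring origin check beside a hardened one, exercised on constructed
// origins. TRUSTED_ORIGIN and the handler table are assumed values.
const TRUSTED_ORIGIN = "https://domain.test";

// Weak check from the slide: indexOf() accepts any origin that merely
// contains "domain.test" somewhere, e.g. "https://domain.test.attacker.com".
function weakOriginCheck(origin) {
  return origin.indexOf("domain.test") != -1;
}

// Hardened check: the full origin (scheme + host + port) must match exactly.
function strictOriginCheck(origin) {
  return origin === TRUSTED_ORIGIN;
}

// Hardened listener: strict origin check, then event.data is parsed as a
// JSON command and dispatched to a fixed handler table instead of eval()'d.
function hardenedListener(event, handlers) {
  if (!strictOriginCheck(event.origin)) {
    return { accepted: false, reason: "untrusted origin" };
  }
  let msg = null;
  try { msg = JSON.parse(event.data); } catch (e) { /* fall through */ }
  if (!msg || typeof msg !== "object" || typeof msg.type !== "string") {
    return { accepted: false, reason: "malformed message" };
  }
  // hasOwnProperty guards against prototype names such as "constructor".
  if (!Object.prototype.hasOwnProperty.call(handlers, msg.type)) {
    return { accepted: false, reason: "unknown message type" };
  }
  return { accepted: true, result: handlers[msg.type](msg) };
}

// Constructed origins: intended sender, the slide's lookalike host,
// wrong scheme, unrelated site.
const SAMPLE_ORIGINS = [
  "https://domain.test",
  "https://domain.test.attacker.com",
  "http://domain.test",
  "https://attacker.com",
];

// Per origin, what each check decides.
function compareChecks(origins) {
  return origins.map((o) => ({
    origin: o, weak: weakOriginCheck(o), strict: strictOriginCheck(o),
  }));
}
```

compareChecks(SAMPLE_ORIGINS) shows the weak check accepting three of the four origins while the strict check accepts only the intended sender.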
Motivation: Email Example
Figure: cookie leak involving www.website.com, domain.test and domain.test.attacker.com.
Goal: Secure JavaScript Apps
• Hardening the buggy applications
• Fully automatic: no developer interaction
• Detection / defense in the browser alone: no browser modifications or extensions
• Handle unknown vulnerabilities
ZigZag Overview
• Anomaly detection system preventing CSV attacks
• Instrumentation of client-side JavaScript
• Generates a model of benign behavior
• Two phases: a learning phase and an enforcement phase
Learning Phase
Instrumentation Details
Enforcement Phase
Invariant Detection: Invariants supported by ZigZag
Invariants are assertions over variables at program points, and they are detected dynamically.
• Univariate invariants
  - The length of a string
  - The percentage of printable characters in a string
  - The parity of a number
• Multivariate invariants
  - x == y
  - x + 5 == y
  - x < y
Enforcement Details
Limitations
• The system was not designed to be stealthy or to protect its own integrity if an attacker manages to gain JavaScript code execution in the same origin. If attackers were able to execute arbitrary JavaScript, any kind of in-program defense would be futile without support from the browser.
• Anomaly detection relies on a benign training set of sufficient size to represent the range of runtime behaviors that could occur. If the training set contains attacks, the resulting invariants might be prone to false negatives.
Evaluation
• Four real-world vulnerable sites (e.g., adition.com, playforex.ru)
• Synthetic webmail application
• Attacks caught
• Functionality retained
Performance
• Median overhead: 2.01 s
• Median overhead: 112%
• 0.66 ms overhead
Conclusion
• In-browser anomaly detection system for hardening against previously unknown CSV vulnerabilities.
• The evaluation shows that ZigZag can successfully instrument complex applications and prevent attacks while not impairing the functionality of the tested web applications.
• It does not incur much overhead and is suitable for real-world usage.