FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications
Software Security
Jorina van Malsen

Client-Side Validation (CSV) Vulnerabilities
"A CSV vulnerability results from unsafe usage of untrusted data in the client-side code of the web application"
- CSV vulnerabilities are more common than ever because JavaScript applications have become far more complex

FLAX
A tool that analyzes a web application end-to-end, aimed at discovering vulnerabilities in its client-side code. The framework simplifies JavaScript analysis and explicitly models reflected flows and path constraints.
Challenges:
- Complexity of JavaScript
- Parsing operations are syntactically indistinguishable from validation checks
- Reflected flows (untrusted data that is sent to the server and reflected back into the client) are hard to reason about

Existing Approaches
- Fuzzing / black-box testing
- Dynamic taint tracking
- Symbolic execution techniques
FLAX is a hybrid of these, which the authors call a "taint-enhanced blackbox fuzzing" approach.

Attacks resulting from CSV Vulnerabilities
Origin misattribution
- Arises when the application checks the domain field of the origin parameter insufficiently (for example with a substring match), even though the protocol sub-field is validated correctly
Code injection
- Possible because JavaScript can dynamically evaluate both HTML and script code through various DOM methods as well as native JavaScript constructs (often referred to as DOM-based XSS)
Command injection
- Allows the attacker to perform unintended actions on behalf of the user
Cookie-sink vulnerabilities
- An attacker could, among other things, fix the value of the session identifier, which may result in session fixation

FLAX: Technical Challenges and Design Points
Modeling path constraints
- Improves on Saner by capturing the validation checks as branch conditions
Simplifying JavaScript
- Done by translating the code to JASIL, a simplified intermediate language for JavaScript
Dealing with reflected flows
- The client-side code is tested independently of the server-side code by generating candidate inputs that make simple assumptions about the transformations that occur in reflected flows. The tool then verifies each assumption by running the candidate attack concretely, and reports a vulnerability only if the concrete test succeeds.

The System's Architecture
At a high level the taint-enhanced blackbox fuzzing algorithm consists of five steps:
1. Dynamic trace generation and conversion to JASIL
2. Dynamic taint analysis
3. Generation of an acceptor slice
4. Sink-aware random testing
5. Verification of candidate inputs

Evaluation of FLAX
- FLAX discovered several real-world bugs (e.g. in iGoogle gadgets, websites and AJAX applications)
- 11 of the vulnerabilities found were previously unknown, which shows that the tool is a valuable resource for security analysts and developers of rich web applications
- The technique is lightweight compared to symbolic execution, produces no false positives (every reported vulnerability is confirmed by a concrete test) and scales to real-world applications
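The origin-misattribution and cookie-sink cases from the "Attacks resulting from CSV Vulnerabilities" slide, as an added JavaScript example written for these notes (it is not code from the FLAX paper, from an iGoogle gadget, or from the presentation). The origin gadgets.example.com, the message format and the Map used in place of document.cookie are assumptions made for the example; it runs under Node without a browser.

```javascript
"use strict";

// Constructed illustration (not FLAX code): a postMessage handler whose origin
// check validates the protocol sub-field exactly but only matches the domain
// as a substring, and which then writes attacker data into a cookie sink.

// Weak check of the kind the slide describes.
function weakOriginCheck(origin) {
  return origin.indexOf("https://") === 0 &&
         origin.indexOf("gadgets.example.com") !== -1;
}

// Hardened check: event.origin is "scheme://host[:port]", so compare the whole
// string against an allow-list instead of searching for a substring.
const ALLOWED_ORIGINS = new Set(["https://gadgets.example.com"]); // assumed origin
function strictOriginCheck(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Once the origin check passes, the handler copies the session id from the
// message into a cookie sink. `jar` stands in for document.cookie (a Map,
// constructed here) so the example runs outside a browser.
function onMessage(event, originCheck, jar) {
  if (!originCheck(event.origin)) return false;
  const m = /^sid=([A-Za-z0-9]+)$/.exec(event.data);   // parsing, not a security check
  if (!m) return false;
  jar.set("SID", m[1]);   // cookie sink: the sender chooses the session id
  return true;
}

// Origins an attacker can actually obtain (constructed): the legitimate host
// is a substring of each, so the weak check accepts them.
const ATTACKER_ORIGINS = [
  "https://gadgets.example.com.attacker.net",
  "https://evil-gadgets.example.com.attacker.net",
];

// Deliver one attacker message through a given origin check and report the
// session id left in the jar: "victim-session" means the attack was blocked.
function sessionFixationOutcome(originCheck, attackerOrigin) {
  const jar = new Map([["SID", "victim-session"]]);
  const event = { origin: attackerOrigin, data: "sid=attackerChosenId0" };
  onMessage(event, originCheck, jar);
  return jar.get("SID");
}

for (const o of ATTACKER_ORIGINS) {
  console.log(o,
    "weak check ->", sessionFixationOutcome(weakOriginCheck, o),
    "| strict check ->", sessionFixationOutcome(strictOriginCheck, o));
}
```

With the weak check every attacker origin fixes the session id; with the exact comparison only the allow-listed origin can do so. Note that the same substring match would also pass if the check were an unanchored regular expression, which is why the hardened version compares the full origin string.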
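The five-step algorithm from "The System's Architecture" slide, as an added toy model in JavaScript written for these notes; it is not FLAX's implementation. Steps 1 and 2 (trace generation and taint analysis) are assumed to have already established that the message text flows into an eval sink, so the acceptor slice (step 3) is modelled directly as the parse-and-validate path of a hypothetical handler. The handler, the key whitelist, the attack dictionary and the seeded generator are all assumptions made for the example.

```javascript
"use strict";

// Toy model of steps 3-5 of taint-enhanced blackbox fuzzing (constructed for
// these notes, not FLAX code). The handler below is hypothetical.

// --- Hypothetical handler under test ----------------------------------------

// Parses "key=value" out of the message text. This looks like a check but is
// only parsing: nothing constrains `value`.
function parseMessage(data) {
  const eq = data.indexOf("=");
  if (eq < 0) return null;
  return { key: data.slice(0, eq), value: data.slice(eq + 1) };
}

const KNOWN_KEYS = ["theme", "lang"];   // assumed whitelist

// The validation check: only known keys with a non-empty value are accepted.
function validate(msg) {
  return msg !== null && KNOWN_KEYS.includes(msg.key) && msg.value.length > 0;
}

// The sink: a statement assembled from untrusted data and evaluated.
function applySetting(config, data) {
  const msg = parseMessage(data);
  if (!validate(msg)) return false;
  Function("config", "config." + msg.key + " = " + msg.value)(config);
  return true;
}

// --- Step 3: acceptor slice -------------------------------------------------
// The input-to-sink path with the sink removed, reduced to a yes/no answer:
// does the handler's validation let this input reach the sink?
function acceptorSlice(data) {
  return validate(parseMessage(data));
}

// --- Step 4: sink-aware random testing --------------------------------------
// Attack fragments are chosen by sink type. For an eval sink a fragment is
// JavaScript with an observable side effect (here: a marker set on config).
const ATTACK_DICTIONARY = {
  eval: [
    "1, config.__marker = 1",
    "(config.__marker = 1)",
    "'config.__marker = 1'",   // passes the slice but is inert (a string literal)
  ],
  innerHTML: ['<img src=x onerror="config.__marker=1">'],  // unused here; a different sink gets a different dictionary
};

// Small deterministic PRNG (LCG) so a run is reproducible.
function lcg(seed) {
  let s = seed >>> 0;
  return () => (s = (Math.imul(s, 1664525) + 1013904223) >>> 0) / 4294967296;
}

function sinkAwareRandomTesting(acceptor, sinkType, rounds, seed) {
  const rand = lcg(seed);
  const pick = (arr) => arr[Math.floor(rand() * arr.length)];
  const keys = ["theme", "lang", "color", "x"];   // some keys are not whitelisted
  const wrappers = ["", "(", '"'];                 // some wrappers break the statement
  const candidates = new Set();
  for (let i = 0; i < rounds; i++) {
    const input = pick(keys) + "=" + pick(wrappers) + pick(ATTACK_DICTIONARY[sinkType]);
    if (acceptor(input)) candidates.add(input);    // survived the validation path
  }
  return [...candidates];
}

// --- Step 5: verification ---------------------------------------------------
// Run each candidate concretely through the real handler and keep it only if
// the attack effect is observed. This is what rules out false positives.
function verifyCandidate(input) {
  const config = {};
  try { applySetting(config, input); } catch (e) { /* payload did not parse or run */ }
  return config.__marker === 1;
}

function findCsvBugs(sinkType, rounds, seed) {
  const accepted = sinkAwareRandomTesting(acceptorSlice, sinkType, rounds, seed);
  const confirmed = accepted.filter(verifyCandidate);
  return { accepted, confirmed };
}

const result = findCsvBugs("eval", 300, 2010);
console.log("accepted by slice:", result.accepted.length, "confirmed:", result.confirmed);
```

The point of the split between steps 4 and 5 is visible in the output: the acceptor slice accepts inputs such as `theme='config.__marker = 1'` or `lang=(1, config.__marker = 1`, because the validation only looks at the key, but concrete execution shows they have no effect, so only inputs that really reach and exploit the eval sink are reported.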