P. Vogt, F. Nentwich, N. Jovanovic, C. Kruegel, E. Kirda, and G. Vigna. NDSS Network and Distributed - PowerPoint PPT Presentation
1
Cross-Site Scripting with Dynamic Data Tainting
and Static Analysis
  • P. Vogt, F. Nentwich, N. Jovanovic, C. Kruegel,
    E. Kirda, and G. Vigna. NDSS (Network and
    Distributed System Security Symposium), 2007.
  • Ee Foong, Lee

2
Outline
  • Introduction
  • Related Work
  • Proposed Solution
  • Dynamic Data Tainting
  • Static Data Tainting
  • Data Transmission
  • Implementation and Evaluation
  • Conclusion

3
Introduction
  • What is cross-site scripting (XSS)?
  • An attack against web applications where
    malicious scripting code is injected into the
    output of an application that is then
    delivered to a user's web browser
  • This scripting code transfers sensitive
    information to a server under the attacker's
    control
  • This information allows the attacker to
    impersonate the victim or hijack the victim's
    session
  • Types of XSS attacks
  • Stored
  • Reflected

4
Introduction
  • Stored XSS

5
Introduction
  • Reflected XSS

6
Introduction
  • Causes of XSS
  • Extensive use of client-side scripts
  • Programming mistakes
  • Vulnerable web applications are not fixed in a
    timely fashion

7
Related Work
  • Server-side protection
  • Perl's taint mode tracks the flow of tainted
    values within the Perl interpreter by marking
    input from untrusted sources as malicious and
    aborting the application with an error whenever
    there is an attempt to use the tainted data
  • Anomaly-based intrusion detection: analyzes web
    server logs, compares the profiles of typical
    parameters of the protected web application
    against incoming user requests, and marks
    requests whose parameter profiles mismatch as
    malicious
  • Static analysis and data flow analysis

8
Related Work
  • Client-side protection
  • Proxy-based: analyzes the HTTP traffic exchanged
    between the user's web browser and the target web
    server, scanning for special HTML characters
    and encoding them before the page is executed in
    the user's web browser
  • Application-level firewall: analyzes browsed HTML
    pages for hyperlinks that might lead to leakage
    of sensitive information and stops bad requests
    using a set of connection rules
  • Auditing system: monitors execution of JavaScript
    code and compares the operations against
    high-level policies to detect malicious behavior

9
Proposed Solution
  • Client-side approach
  • Taint sensitive information (e.g. cookies) and
    keep track of the flow of this tainted
    information inside the web browser
  • Allow transfers of tainted information only
    within the same domain
  • Require user responses when warnings are raised
  • Combine dynamic and static data tainting

10
Dynamic Data Tainting
  • Goal: prevent the transfer of sensitive data to a
    third party without the user's consent
  • Basic idea
  • Mark sensitive data as tainted (e.g. with a boolean flag)
  • Track the use of this data dynamically when it is
    accessed by scripts running in the web browser
  • Alert the user before tainted data is transferred to
    a third party
  • Can track data dependencies and direct control
    dependencies

11
Dynamic Data Tainting
  • Line 1: data dependency; the variable cookie is
    tainted
  • Lines 6-10: direct control dependency; the variable
    dut is tainted

12
Dynamic Data Tainting
  • Two main tasks in a typical script execution
  • Sensitive data sources
  • Taint propagation

13
Dynamic Data Tainting
  • What kind of information is considered sensitive?
  • JavaScript engine ensures that the result of a
    JavaScript program accessing a sensitive data
    element is tainted

14
Dynamic Data Tainting
  • How is tainted data propagated when a script is
    run?

15
Dynamic Data Tainting
  • Extend the JavaScript engine to make sure taint
    information is correctly propagated
  • JavaScript bytecode instructions are divided into
    4 classes of operations
  • Assignments
  • Arithmetic and logic operations (e.g. +, -, etc.)
  • Control structures and loops (e.g. if-else, while,
    switch, for)
  • Function calls
  • Each class of operation is handled using different rules

16
Dynamic Data Tainting
  • Assignments
  • If the source on the RHS is tainted, the target
    on the LHS is also tainted (e.g. for single
    variables)
  • If an element of an array object (a property of
    an object) is tainted, the entire array object
    (entire object) is also tainted (e.g. for array
    elements and object properties)
  • Arithmetic and logic operations
  • If one of the operands is tainted, the result of
    the operation is also tainted

17
Dynamic Data Tainting
  • Control structures and loops
  • If the condition of a control structure tests a
    tainted value, a tainted scope is generated that
    covers the entire control structure
  • The results of all operations and assignments
    within the scope are also tainted
  • Only variables whose values have been modified
    inside the scope are dynamically tainted
  • Function calls
  • If a function is defined in a tainted scope, the
    function itself (operations, parameters, return
    value) is also tainted

18
Static Data Tainting
  • Handle indirect control dependencies
  • Dynamic tainting occurs only along the branch
    that is actually executed
  • Line 12 exposed to attacks with cookies abc!

19
Static Data Tainting
  • The untainted variable can be used to leak
    sensitive information, since only one variable is
    tainted dynamically
  • Basic idea
  • Every branch in the control flow that depends on
    a tainted value needs to be examined statically
  • Dynamic analysis covers only those parts that are
    actually executed
  • Ensure that all variables that are assigned values
    (tainted or not) inside the tainted scope are
    also tainted
  • Enlarge the tainted scope for every subsequently
    executed instruction (e.g. for function calls)
    (conservative mode)
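The propagation rules from the dynamic tainting slides and the static step above, as an added example that is not code from the paper or its Firefox implementation. The script with the `isAbc`/`notAbc` flags is a constructed leak, not the listing on the slide, and `staticVars` stands in for the names the static pass would find assigned in any branch.

```javascript
// Added example, not code from the paper or its Firefox implementation: a
// small JavaScript model of the taint rules above. A value is {v, t} (value,
// taint flag); a stack of flags models "tainted scopes" opened by control
// structures whose condition tests a tainted value.
const scopes = [];                                   // tainted-scope flags
const inTaintedScope = () => scopes.some(Boolean);

// Sensitive source: reading document.cookie yields a tainted value.
const readCookie = (v) => ({ v, t: true });

// Assignment rule: the target inherits the source's taint, and anything
// assigned inside a tainted scope becomes tainted regardless of the source.
const assign = (src) => ({ v: src.v, t: src.t || inTaintedScope() });

// Arithmetic/logic rule: tainted if any operand (or the scope) is tainted.
function binop(op, a, b) {
  const ops = { '+': (x, y) => x + y, '==': (x, y) => x == y };
  if (!ops[op]) throw new Error(`unsupported operator ${op}`);
  return { v: ops[op](a.v, b.v), t: a.t || b.t || inTaintedScope() };
}

// Control rule. Dynamically only the executed branch runs inside the tainted
// scope. `staticVars` is what the static pass contributes (assumed here, not
// computed): the names assigned in ANY branch; after the structure all of
// them are tainted, covering the branch that did not execute.
function branch(env, cond, thenFn, elseFn, staticVars = []) {
  scopes.push(cond.t);
  try { if (cond.v) thenFn(); else if (elseFn) elseFn(); }
  finally { scopes.pop(); }
  if (cond.t) for (const name of staticVars) env[name] = { ...env[name], t: true };
  return env;
}

// Constructed leak (hypothetical script, not the paper's listing): whichever
// flag the executed branch did NOT modify stays untainted dynamically, yet
// its value reveals whether the cookie equals "abc".
function run(cookieValue, useStatic) {
  const env = { isAbc: { v: false, t: false }, notAbc: { v: false, t: false } };
  const cond = binop('==', readCookie(cookieValue), { v: 'abc', t: false });
  return branch(env, cond,
    () => { env.isAbc = assign({ v: true, t: false }); },
    () => { env.notAbc = assign({ v: true, t: false }); },
    useStatic ? ['isAbc', 'notAbc'] : []);
}
```

With `useStatic` false, `run('xyz', false).isAbc` stays untainted even though its value depends on the cookie; with the static names supplied, both flags end up tainted.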

20
Data Transmission
  • How can tainted data be transferred to a malicious
    third party?
  • Changing the location of the current web page
  • Changing the source of an image in the web page
  • Submitting a form in the web page
  • Using special objects
  • Prevent the transfer by seeking the user's permission

21
Implementation
  • Extend Mozilla Firefox 1.0
  • Modify data structures in the JavaScript engine
    of the browser
  • Check if a transfer of sensitive data between
    different domains happened in a JavaScript
    program

22
Evaluation
  • Two approaches were used
  • Manual testing: the authors used the modified web
    browser to surf the internet on a daily basis
  • Automatic testing: a web crawling engine that can
    interpret JavaScript code and simulate user
    behavior was integrated into Firefox
  • Visited 1,033,000 unique web pages
  • 88,589 (8.58%) web pages raised an XSS warning
  • Connections to only a few domains (e.g. companies
    that collect statistics about traffic on the
    internet)
  • Reduced to 13,964 (1.35%) if these domains were
    ignored

23
Evaluation
24
Evaluation
  • Another possible reduction in the number of XSS
    alerts
  • Be less restrictive about the kind of data
    considered sensitive (e.g. only cookies)
  • Reduced to 5,289 (0.51%) if only transfers of
    cookies were considered
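The transfer check at the four sinks from the data transmission slide, together with the two alert reductions just described (ignoring a few statistics hosts, and treating only cookies as sensitive), as an added example that is not the paper's code. It assumes an exact hostname comparison for "same domain", uses `special-object` as the label for the fourth sink, and the page URL, hosts and attempted transfers are constructed.

```javascript
// Added example, not the paper's Firefox code: a model of the check performed
// when tainted data reaches a transfer sink. Values are {v, t, source}; a
// policy names the data sources treated as sensitive and hosts to ignore.
const SINKS = new Set(['location', 'image-src', 'form-submit', 'special-object']);

// Resolve relative URLs (e.g. an image src of "/pixel.gif") against the page.
const hostOf = (url, base) => new URL(url, base).hostname;

// Decide one attempted transfer: prompt the user only for a sensitive tainted
// value leaving the page's own host (assumption: exact hostname match).
function checkTransfer(pageUrl, sink, targetUrl, value, policy) {
  if (!SINKS.has(sink)) throw new Error(`unknown sink: ${sink}`);
  const to = hostOf(targetUrl, pageUrl);
  const sameDomain = to === hostOf(pageUrl);
  const sensitive = value.t && policy.sensitiveSources.has(value.source);
  if (!sensitive || sameDomain || policy.ignoredHosts.has(to)) {
    return { action: 'allow', sink, to };
  }
  return { action: 'prompt', sink, to };          // ask the user before sending
}

function countPrompts(pageUrl, attempts, policy) {
  return attempts.filter(
    (a) => checkTransfer(pageUrl, a.sink, a.url, a.value, policy).action === 'prompt').length;
}

// Constructed transfers attempted by scripts on a page at www.example.net.
const PAGE = 'http://www.example.net/index.html';
const cookie = { v: 'sid=1234', t: true, source: 'cookie' };
const referrer = { v: 'http://other.example/', t: true, source: 'referrer' };
const ATTEMPTS = [
  { sink: 'location', url: 'http://attacker.example/?c=sid%3D1234', value: cookie },
  { sink: 'image-src', url: '/pixel.gif?c=sid%3D1234', value: cookie },       // same host
  { sink: 'image-src', url: 'http://stats.example/hit.gif?c=sid%3D1234', value: cookie },
  { sink: 'form-submit', url: 'http://www.example.com/login', value: cookie }, // .net -> .com
  { sink: 'special-object', url: 'http://attacker.example/r', value: referrer },
];

// The three policies mirror the evaluation's successive reductions.
const STRICT = { sensitiveSources: new Set(['cookie', 'referrer']), ignoredHosts: new Set() };
const IGNORE_STATS = { ...STRICT, ignoredHosts: new Set(['stats.example']) };
const COOKIES_ONLY = { ...IGNORE_STATS, sensitiveSources: new Set(['cookie']) };
```

The `.net -> .com` form submission still prompts under every policy; that is the within-company false positive the next slide lists.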

25
Evaluation
  • Contributions to the small number of false positives
  • Transfer of cookies to different domains, but
    within company borders (e.g. cnn.net -> cnn.com)
  • Transfer of cookies between different domains,
    but the same company (e.g. discover.com ->
    unitedstreaming.com)
  • Our conservative tainting approach (e.g. checking
    whether the browser allows cookies using JavaScript)

26
Conclusion
  • Prevents XSS attacks by monitoring the flow of
    sensitive information in the web browser, using
    dynamic taint analysis and invoking a
    complementary static analysis when necessary
  • Integrated the solution into the Firefox web browser
    by modifying its JavaScript engine
  • Generates few false positives and is feasible in
    practice