BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for
Existing Browsers
Mike Ter Louw, V.N. Venkatakrishnan
University of Illinois at Chicago
IEEE Symposium on Security and Privacy, 2009
---
Presented by Joseph Del Rocco
University of Central Florida
2
Outline
• Cross-site Scripting Overview
• BLUEPRINT
  – Overview
  – Specifics
  – Experiment / Results
  – Contributions
  – Weakness / Improvement
• References
3
Trusted vs. Untrusted HTML
4
Trusted vs. Untrusted HTML
5
Cross-site Scripting (XSS)
• Code injection into untrusted HTML that exploits client-side browser parsing
• Attacker injects code into the untrusted section; an innocent user visits the web page; the client browser displays all content, trusted and untrusted alike; the user encounters the unintended content (the attack)
• Injected code is usually JavaScript (also HTML, CSS, Java, Flash, etc.)
• Non-persistent (reflected) vs. persistent (stored)
6
XSS Example
http://www.cisco.com/en/US/docs/solutions/Verticals/PCI_Healthcare/PCI_AppD.html#wp1026905
7
XSS Example
http://www.zdnet.com/blog/security/facebook-vulnerable-to-critical-xss-could-lead-to-malware-attacks/1175
8
XSS Example
http://news.netcraft.com/archives/2008/04/24/clinton_and_obama_xss_battle_develops.html
9
XSS Example
Many web applications also store user preferences in JavaScript variables directly…
10
www.xssed.com
XSS vulnerability found at these domains.
Not yet fixed…
11
BLUEPRINT Goals
• W3C + dev cycle slow. Need solution now!
• Solution should be transparent to user, support current browsers, no plug-ins, etc.
• Retain expressiveness of untrusted HTML
• Do not rely on browser to parse this data!
• Enable web apps. to create a “blueprint” of untrusted web content free of XSS attacks, bridging the divide between app. & browser
12
HTML Interpretation Process
13
Document Object Model (DOM)
http://www.wdvl.com/Authoring/DHTML/DOM/NS.html
http://www.codeguru.com/csharp/csharp/cs_misc/userinterface/article.php/c12267
14
BLUEPRINT Approach
• Reduce the browser's influence over parsing: HTML, CSS, URI, JavaScript
• Server encodes untrusted chunks as models
• Server API vets models against a whitelist; data is encoded w/ syntactically inert chars
• Transmit encoded data via <code> nodes, so the browser ignores them, plus script calls to the model interpreter ( _bp_ )
15
BLUEPRINT API
16
BLUEPRINT Model
[Figure: untrusted HTML “Encoded to…” a model; old vs. new HTML presented to client]
17
HTML Interpretation Process
Normal path: A, B, C, D, E
Untrusted data: A, B’, Q, P, E, R
_bp_ script + encoded models: A, B, C, D, E
18
Reduce HTML Parser Influence
• Models encoded in syntactically inert lang: {a,…,z,A,…,Z,0,…,9,/,+,=}*
• Decode model w/ model interpreter _bp_, linked from the <head> element
• Use of DOM API to create elements
• Original rendering order preserved, models embedded near original location, decoded synchronously as page renders
19
Reduce CSS Parser Influence
• element.style obj. vetted by whitelist, only known static properties allowed
• expression() lets any dynamic property carry executable code, so setExpression() is used instead to bind the property to a function that applies the whitelist and returns a valid static property value
• Whitelist behavior and -moz-binding
• @import (CSS files) not supported
20
Reduce URI Parser Influence
• The javascript: scheme is very dangerous; no API exists for controlling the browser's scheme selection, which is done by the browser's URI parser
• Use a whitelist of schemes: http:, https:, ftp:, mailto:
• Additional steps include testing browser scheme interpretation and rewriting URIs; the paper defers to previous work…
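As an added example (not BLUEPRINT's own code, which is a PHP library plus a JavaScript interpreter), here is the server side of the approach from slides 14, 18 and 20 in Python: untrusted HTML is parsed on the server into a whitelisted model, href schemes are checked against the whitelist above, and the model is base64-encoded into a hidden <code> node followed by a script call to the interpreter. The whitelists, the JSON model layout, encode_model and the _bp_.render call name are assumptions for this example; the client-side interpreter that decodes the payload and builds nodes through the DOM API is not shown.

```python
import base64, json, re
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "a", "ul", "li", "br"}     # assumed whitelists for this example;
ALLOWED_ATTRS = {"a": {"href", "title"}}                  # the BLUEPRINT library defines its own
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}      # scheme whitelist from slide 20
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")

def safe_uri(uri):
    """uri if it is relative or its scheme is whitelisted, else None. Chars <= 0x20 are
    dropped before matching because browser URI parsers ignore them ('java<TAB>script:')."""
    m = SCHEME_RE.match("".join(ch for ch in uri if ord(ch) > 32))
    return uri if m is None or m.group(1).lower() in ALLOWED_SCHEMES else None  # no scheme: relative

class ModelBuilder(HTMLParser):
    """Server-side parse of untrusted HTML into a whitelisted tree (the model)."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.root = {"t": "#root", "c": []}
        self.stack = [self.root]
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                          # off-list element dropped; its text survives only as text
        node = {"t": tag, "a": {}, "c": []}
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and value is not None:
                value = safe_uri(value) if name == "href" else value
                if value is not None:
                    node["a"][name] = value
        self.stack[-1]["c"].append(node)
        if tag != "br":                     # void element: nothing nests inside it
            self.stack.append(node)
    def handle_endtag(self, tag):
        opened = [i for i, n in enumerate(self.stack) if n["t"] == tag]
        if opened:                          # close back to the innermost matching open tag
            del self.stack[opened[-1]:]
    def handle_data(self, data):
        self.stack[-1]["c"].append({"t": "#text", "d": data})

def encode_model(untrusted_html, model_id):
    """Return (model, markup); markup replaces the untrusted HTML in the page. Its base64
    payload uses only {a-z,A-Z,0-9,/,+,=}, so the HTML parser sees no markup (_bp_.render assumed)."""
    builder = ModelBuilder()
    builder.feed(untrusted_html); builder.close()
    payload = base64.b64encode(json.dumps(builder.root, separators=(",", ":")).encode()).decode()
    return builder.root, (f'<code id="{model_id}" style="display:none">{payload}</code>'
                          f'<script>_bp_.render("{model_id}");</script>')

# Constructed sample: event handler, script block and an obfuscated javascript: URI
SAMPLE = '<p onclick="x()">Hi <b>there</b><script>alert(1)</script> <a href="jAva\tscript:y()">x</a></p>'
```

Running encode_model(SAMPLE, "m1") keeps the paragraph, bold text and link text but drops the onclick handler, the script element (its body becomes an inert text node) and the obfuscated href, so nothing the browser's own parsers could act on reaches the page.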
21
Reduce JS Parser Influence
• Common for web apps to store user prefs. in JavaScript variables for customization, so allow this but convert it to a _bp_ call
22
BLUEPRINT Model Generator
23
Results
24
Contributions
• W3C / browser development cycle is slow; BLUEPRINT offers an effective XSS defense now
• No plug-ins, special browser, extensions, etc. required; empowers web developers, users benefit
• Innovative thinking: web developers bypass browser parsing
25
Weaknesses
• All websites now have to update their libraries of code to use BLUEPRINT…
• HTML interpretation process may change, especially on embedded browsers
• Large script (15.6kB) downloaded / cached. How safe is this script? One for each site?
• Client browser may disable JavaScript
• Page size overhead due to text encoding
26
Improvement / Future Work
• Securely transfer script & keep up-to-date
• Perhaps different encoding scheme or compress w/ fast codec
• Maybe a scheme that empowers user?
27
References
1. M. Ter Louw, V.N. Venkatakrishnan. BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers. IEEE Symposium on Security & Privacy, 2009.
2. DP, KF, et al. www.xssed.com, Cross-site Scripting Attacks Information, 2007-present.
3. UIC. BLUEPRINT information site (Wiki), http://sisl.rites.uic.edu/blueprint, 2009.
4. Wikipedia. Cross-site scripting, http://en.wikipedia.org/wiki/Cross-site_scripting.
5. W3C. http://www.w3.org/2002/07/26-dom-article, 2002.