DOCSLIB.ORG

Untangling the Web of Client-Side Cross-Site Scripting

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Untangling the Web of Client-Side Cross-Site Scripting Untangling the Web of Client-Side Cross-Site Scripting Untersuchungen zu Client-seitigem Cross-Site Scripting Der Technischen Fakultät der Friedrich-Alexander-Universität Erlangen-Nürnberg zur Erlangung des Grades DOKTOR-INGENIEUR vorgelegt von Benjamin Stock aus Mainz Als Dissertation genehmigt von der Technischen Fakultät der Friedrich-Alexander-Universität Erlangen-Nürnberg Tag der mündlichen Prüfung: 31.08.2015 Vorsitzende des Promotionsorgans: Prof. Dr.-Ing. habil. Marion Merklein Gutachter: Prof. Dr.-Ing. Felix Freiling Prof. Dr. Michael Backes Abstract The Web’s functionality has shifted from purely server-side code to rich client-side applications, which allow the user to interact with a site without the need for a full page load. While server-side attacks, such as SQL or command injection, still pose a threat, this change in the Web’s model also increases the impact of vulnerabilities aiming at exploiting the client. The most prominent representative of such client- side attacks is Cross-Site Scripting, where the attacker’s goal is to inject code of his choosing into the application, which is subsequently executed by the victimized browsers in the context of the vulnerable site. This thesis provides insights into different aspects of Cross-Site Scripting. First, we show that the concept of password managers, which aim to allow users to choose more secure passwords and, thus, increase the overall security of user accounts, is susceptible to attacks which abuse Cross-Site Scripting flaws. In our analysis, we found that almost all built-in password managers can be leveraged by a Cross-Site Scripting attacker to steal stored credentials. Based on our observations, we present a secure concept for password managers, which does not insert password data into the document such that it is accessible from the injected JavaScript code. We evaluate our approach from a functional and security standpoint and find that our proposal provides additional security benefits while not causing any incompatibilities. Our work then focusses on a sub-class of Cross-Site Scripting, namely Client-Side Cross-Site Scripting. We design, implement and execute a study into the prevalence of this class of flaws at scale. To do so, we implement a taint-aware browsing en- gine and an exploit generator capable of precisely producing exploits based on our gathered data on suspicious, tainted flows. Our subsequent study of the Alexa top 5,000 domains shows that almost one out of ten of these domains carry at least one Client-Side Cross-Site Scripting vulnerability. We follow up on these flaws by analyzing the gathered flow data in depth in search of the root causes of this class of vulnerability. To do so, we first discuss the complexities inherent to JavaScript and define a set of metrics to measure said complexity. We then classify the vulnerable snippets of code we discovered according to these metrics and present the key insights gained from our analysis. In doing so, we find that the reasons for such flaws are manifold, ranging from simple unawareness of developers to incompatibilities between, otherwise safe, first- and third-party code. In addition, we investigate the capability of the state of the art of Cross-Site Script- ing filters in the client, the XSS Auditor, finding that several conceptual issuesexist which an attacker to subvert of its protection capabilities. In total, we show that the Auditor can be bypassed on over 80% of the vulnerable domains in our data set, high- lighting that it is ill-equipped to stop Client-Side Cross-Site Scripting. Motivated by our findings, we present a concept for a filter targeting Client-Side Cross-Site Script- ing, combining taint tracking in the browser in conjunction with taint-aware HTML and JavaScript parsers, allowing us to robustly protect users from such attacks. Zusammenfassung Das Web hat sich gewandelt: von rein server-seitig implementierter Funktionalität zu mächtigen client-seitigen Applikation, die einem Benutzer die Interaktion mit einer Seite ohne Neuladen ermöglichen. Obwohl server-seitige Angriffe, wie etwa SQL- oder Command-Injections, weiterhin ein Risiko darstellen, erhöht sich durch die Änderung am Konzept des Webs auch die Auswirkung von client-seitigen An- griffen. Der bekannteste Vertreter solcher Verwundbarkeiten ist Cross-Site Script- ing (XSS), eine Code-Injection-Attacke, die darauf abzielt, dass der vom Angreifer eingeschleuste Code im Browser seines Opfers mit der verwundbaren Applikation interagieren kann. Diese Arbeit beschäftigt sich mit verschiedenen Aspekten von Cross-Site Script- ing. Zuerst legt sie die Funktionsweise von Passwort-Managern dar, die Benutzer bei der Wahl sichererer Passwörter unterstützen sollen. Eine Analyse des Konzepts an sich und aktueller Browser zeigt jedoch auf, dass Passwort-Manager anfällig für Cross-Site Scripting-Angriffe sind, die das Stehlen von gespeicherten Zugangs- daten ermöglichen. Basierend auf den Erkenntnissen stellt diese Arbeit daraufhin das Konzept eines Passwort-Managers vor, der Zugangsdaten für eingeschleusten Code unerreichbar macht. Die Evaluation in Hinblick auf Funktionalität und Sicherheit zeigt, dass sich durch den vorgestellten Ansatz Vorzüge für die Sicherheit bieten und der präsentierte Ansatz keinen negativen Einfluss auf bestehende Applikationen hat. Anschließend liegt der Fokus dieser Arbeit auf einer Unterklasse von XSS, dem Client-Seitigen Cross-Site Scripting. Sie präsentiert das Design, die Implementierung und die Durchführung einer Studie, deren Ziel es ist, die Verbreitung von Client- Seitigem XSS im Web zu erforschen. Dazu kombiniert die Arbeit einen Browser, der Taint Tracking unterstützt, und einen Exploit-Generator, der basierend auf den gesammelten Datenflüssen Exploits erzeugen kann. Die daraufhin durchgeführte Studie zeigt auf, dass fast jede zehnte Webseite in den Alexa Top 5000 Domains anfällig für Client-Seitiges Cross-Site Scripting ist. Anschließend analysiert diese Arbeit die gefundenen Schwachstellen ausführlich, um die zugrunde liegenden Ur- sachen von Client-Seitigem XSS zu erkunden. Dazu erläutert sie die Komplexität von JavaScript, leitet daraus Metriken zur Messung der Komplexität von verwundbarem Code ab, klassifiziert die erkannten Verwundbarkeiten und präsentiert die Schlüssel- erkenntnisse. Dabei zeigt sich, dass Client-Seitiges Cross-Site Scripting sowohl durch Unwissen von Entwicklern, aber auch durch die Kombination von inkompatiblem eigenen und fremden Code verursacht wird. Im Anschluss analysiert diese Arbeit aktuelle XSS-Filter und zeigt auf, dass mod- erne Filter, wie der XSS Auditor, konzeptionelle Probleme aufweisen, die es einem Angreifer erlauben, den Filter auf 80% der verwundbaren Domains zu umgehen. Diese Arbeit präsentiert daraufhin ein neues Konzept, welches auf Taint Tracking basierend von einem Angreifer eingeschleusten Code im HTML- und JavaScript- Parser erkennt und stoppt. Dies ermöglicht es, Client-Seitiges XSS zu unterbinden, wobei ein akzeptabler Performanz-Verlust und geringe False Positives entstehen. Acknowledgments This thesis was made possible by the invaluable support given to me by others. First and foremost, I want to thank my PhD advisor Felix Freiling for providing me with the opportunity to conduct my research and, more importantly, for initiating my interest in the field of computer security during my days as a student. In addition, I would like to thank Michael Backes for agreeing to be the secondary reviewer for my dissertation. Also, the research conducted throughout this thesis would not have been possible without Martin Johns and Sebastian Lekies, whom I want to thank for the fruitful collaboration during the pursuit of my PhD. I also want to thank my colleagues (in alphabetical order) for supporting this the- sis by proofreading it: Johannes Götzfried, Michael Gruhn, Tilo Müller, Lena Rein- felder, and Johannes Stüttgen. Next to these, I want to thank all my colleagues from the Security Research Group of the University Erlangen-Nuremberg for a friendly and entertaining work environment. Last but not least, I want to thank my parents Karin and Gerd as well as my wife Corina for their love and support over the years and especially during my time in Erlangen. Contents 1 Introduction ................................................... 3 1.1 Contributions . 4 1.2 Publications . 6 1.3 Related work . 7 1.3.1 Password Manager Security . 7 1.3.2 Finding DOM-based Cross-Site Scripting Vulnerabilities . 8 1.3.3 Analysis of Vulnerable JavaSript Code . 9 1.3.4 Filtering and Mitigating Cross-Site Scripting . 10 1.3.5 Utilizing Taint Tracking to Combat Injection Attacks . 12 1.4 Outline . 12 2 Technical Background ......................................... 15 2.1 Web Technologies . 15 2.1.1 HTML and Browsers . 15 2.1.2 JavaScript . 16 2.1.3 Document Object Model . 16 2.2 The Same-Origin Policy . 17 2.3 Cross-Site Scripting. 18 2.3.1 Server-Side Cross-Site Scripting . 19 2.3.2 Client-Side Cross-Site Scripting . 20 2.4 Taint Tracking . 23 2.5 Summary. 24 3 XSS in Action: Abusing Password Managers................. 25 3.1 Attacking Browser-based Password Managers . 25 3.1.1 Functionality of a Password Manager . 25 3.1.2 Stealing Passwords with XSS . 26 3.1.3 Leveraging Password Managers to Automate Attacks . 26 i Contents 3.1.4 Specific Attack Patterns . 27 3.2 Exploring the Password (Manager) Landscape . 29 3.2.1 Password Managers . 29 3.2.2 Password Fields . 33 3.2.3 Assessment . 37 3.3 Client-Side Protection . 37 3.3.1 Concept . 38 3.3.2 Implementation . 38 3.3.3 Evaluation . 40 3.4 Summary. 42 4 Detecting Client-Side Cross-Site Scripting on the Web ...... 43 4.1 Vulnerability Detection . 43 4.1.1 Labeling Sources and Encoding Functions . 44 4.1.2 Patching the V8 JavaScript Engine . 44 4.1.3 Patching the WebKit DOM Implementation . 45 4.1.4 Detection of Sink Access . 45 4.2 Automated Exploit Generation . 46 4.3 Empirical Study . 49 4.3.1 Architecture Overview . 49 4.3.2 Observed Data Flows . 51 4.3.3 Selective Exploit Generation. 52 4.3.4 Discovered Vulnerabilities . 53 4.3.5 Insights of our Study .
Load more

Recommended publications
  • Lecture Notes on Language-Based Security
    Lecture Notes on Language-Based Security Erik Poll Radboud University Nijmegen Updated September 2019 These lecture notes discuss language-based security, which is the term loosely used for the collection of features and mechanisms that a programming language can provide to help in building secure applications. These features include: memory safety and typing, as offered by so-called safe pro- gramming languages; language mechanisms to enforce various forms of access con- trol (such as sandboxing), similar to access control traditionally offered by operating systems; mechanisms that go beyond what typical operating systems do, such as information flow control. Contents 1 Introduction 4 2 Operating system based security 7 2.1 Operating system abstractions and access control . .7 2.2 Imperfections in abstractions . 10 2.3 What goes wrong . 10 3 Safe programming languages 12 3.1 Safety & (un)definedness . 13 3.1.1 Safety and security . 14 3.2 Memory safety . 15 3.2.1 Ensuring memory safety . 15 3.2.2 Memory safety and undefinedness . 16 3.2.3 Stronger notions of memory safety . 16 3.3 Type safety . 17 3.3.1 Expressivity . 18 3.3.2 Breaking type safety . 18 3.3.3 Ensuring type safety . 19 3.4 Other notions of safety . 19 3.4.1 Safety concerns in low-level languages . 20 3.4.2 Safe arithmetic . 20 3.4.3 Thread safety . 21 3.5 Other language-level guarantees . 22 3.5.1 Visibility . 22 3.5.2 Constant values and immutable data structures . 23 4 Language-based access control 26 4.1 Language platforms .
    [Show full text]
  • Detecting PHP-Based Cross-Site Scripting Vulnerabilities Using Static Program Analysis
    Detecting PHP-based Cross-Site Scripting Vulnerabilities Using Static Program Analysis A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Cyber Security by Steven M. Kelbley B.S. Biological Sciences, Wright State University, 2012 2016 Wright State University i WRIGHT STATE UNIVERSITY GRADUATE SCHOOL December 1, 2016 I HEREBY RECOMMEND THAT THE THESIS PREPARED UNDER MY SUPERVISION BY Steven M. Kelbley ENTITLED Detecting PHP-based Cross-Site Scripting Vulnerabilities Using Static Program Analysis BE ACCEPTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF Master of Science in Cyber Security. _________________________________ Junjie Zhang, Ph.D. Thesis Director _________________________________ Mateen Rizki, Ph.D. Chair, Department of Computer Science and Engineering Committee on Final Examination _________________________________ Junjie Zhang, Ph.D. _________________________________ Krishnaprasad Thirunarayan, Ph.D. _________________________________ Adam Bryant, Ph.D. _________________________________ Robert E. W. Fyffe, Ph.D. Vice President for Research and Dean of the Graduate School ABSTRACT Kelbley, Steven. M.S. Cyber Security, Department of Computer Science, Wright State University, 2016. Detecting PHP-based Cross-Site Scripting Vulnerabilities Using Static Program Analysis. With the widespread adoption of dynamic web applications in recent years, a number of threats to the security of these applications have emerged as significant challenges for application developers. The security of developed applications has become a higher pri- ority for both developers and their employers as cyber attacks become increasingly more prevalent and damaging. Some of the most used web application frameworks are written in PHP and have be- come major targets due to the large number of servers running these applications world- wide.
    [Show full text]
  • Experiences with Building Security Checking and Understanding Tool
    RC24243 (W0704-095) April 18, 2007 Computer Science IBM Research Report Experiences with Building Security Checking and Understanding Tool Ted Habeck, Larry Koved, Orlando Marquez, Vugranam C. Sreedhar, Michael Steiner, Wietse Venema, Samuel Weber IBM Research Division Thomas J. Watson Research Center P.O. Box 704 Yorktown Heights, NY 10598 Gabriela Cretu Columbia University New York, NY 10027 Krishnaprasad Vikram Cornell University Ithaca, NY 14850 Research Division Almaden - Austin - Beijing - Haifa - India - T. J. Watson - Tokyo - Zurich LIMITED DISTRIBUTION NOTICE: This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g. , payment of royalties). Copies may be requested from IBM T. J. Watson Research Center , P. O. Box 218, Yorktown Heights, NY 10598 USA (email: [email protected]). Some reports are available on the internet at http://domino.watson.ibm.com/library/CyberDig.nsf/home . Experiences With Building Security Checking and Understanding Tool Ted Habeck Vugranam C. Sreedhar Gabriela Cretu ∗ Larry Koved Michael Steiner Columbia University Orlando Marquez Wietse Venema New York, NY 10027 IBM TJ Watson Research Center Samuel Weber [email protected] Hawthrone, NY 10532 IBM TJ Watson Research Center {habeck,koved,omarquez}@us.ibm.com Hawthrone, NY 10532 {vugranam,msteiner,wietse}@us.ibm.com, [email protected] Krishnaprasad Vikram∗ Cornell University Ithaca, NY 14850 [email protected] Abstract tive assistance to this large and growing community.
    [Show full text]
  • Secure Programming for Linux and Unix HOWTO
    Secure Programming for Linux and Unix HOWTO David A. Wheeler v3.010 Edition Copyright © 1999, 2000, 2001, 2002, 2003 David A. Wheeler v3.010, 3 March 2003 This book provides a set of design and implementation guidelines for writing secure programs for Linux and Unix systems. Such programs include application programs used as viewers of remote data, web applications (including CGI scripts), network servers, and setuid/setgid programs. Specific guidelines for C, C++, Java, Perl, PHP, Python, Tcl, and Ada95 are included. For a current version of the book, see http://www.dwheeler.com/secure−programs This book is Copyright (C) 1999−2003 David A. Wheeler. Permission is granted to copy, distribute and/or modify this book under the terms of the GNU Free Documentation License (GFDL), Version 1.1 or any later version published by the Free Software Foundation; with the invariant sections being ``About the Author'', with no Front−Cover Texts, and no Back−Cover texts. A copy of the license is included in the section entitled "GNU Free Documentation License". This book is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Secure Programming for Linux and Unix HOWTO Table of Contents Chapter 1. Introduction......................................................................................................................................1 Chapter 2. Background......................................................................................................................................4
    [Show full text]
  • Detecting PHP-Based Cross-Site Scripting Vulnerabilities Using Static Program Analysis
    Wright State University CORE Scholar Browse all Theses and Dissertations Theses and Dissertations 2016 Detecting PHP-based Cross-Site Scripting Vulnerabilities Using Static Program Analysis Steven M. Kelbley Wright State University Follow this and additional works at: https://corescholar.libraries.wright.edu/etd_all Part of the Computer Engineering Commons, and the Computer Sciences Commons Repository Citation Kelbley, Steven M., "Detecting PHP-based Cross-Site Scripting Vulnerabilities Using Static Program Analysis" (2016). Browse all Theses and Dissertations. 1655. https://corescholar.libraries.wright.edu/etd_all/1655 This Thesis is brought to you for free and open access by the Theses and Dissertations at CORE Scholar. It has been accepted for inclusion in Browse all Theses and Dissertations by an authorized administrator of CORE Scholar. For more information, please contact [email protected]. Detecting PHP-based Cross-Site Scripting Vulnerabilities Using Static Program Analysis A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Cyber Security by Steven M. Kelbley B.S. Biological Sciences, Wright State University, 2012 2016 Wright State University i WRIGHT STATE UNIVERSITY GRADUATE SCHOOL December 1, 2016 I HEREBY RECOMMEND THAT THE THESIS PREPARED UNDER MY SUPERVISION BY Steven M. Kelbley ENTITLED Detecting PHP-based Cross-Site Scripting Vulnerabilities Using Static Program Analysis BE ACCEPTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF Master of Science in Cyber Security. _________________________________ Junjie Zhang, Ph.D. Thesis Director _________________________________ Mateen Rizki, Ph.D. Chair, Department of Computer Science and Engineering Committee on Final Examination _________________________________ Junjie Zhang, Ph.D. _________________________________ Krishnaprasad Thirunarayan, Ph.D.
    [Show full text]
  • Designing Security Architecture Solutions
    TEAMFLY Team-Fly® Designing Security Architecture Solutions Jay Ramachandran Wiley Computer Publishing John Wiley & Sons, Inc. Designing Security Architecture Solutions Designing Security Architecture Solutions Jay Ramachandran Wiley Computer Publishing John Wiley & Sons, Inc. Publisher: Robert Ipsen Editor: Carol Long Managing Editor: Micheline Frederick Developmental Editor: Adaobi Obi Text Design & Composition: D&G Limited, LLC Designations used by companies to distinguish their products are often claimed as trademarks. In all instances where John Wiley & Sons, Inc., is aware of a claim, the product names appear in initial capital or ALL CAPITAL LETTERS. Readers, however, should contact the appropriate companies for more complete information regarding trademarks and registration. This book is printed on acid-free paper. Copyright © 2002 by Jay Ramachandran. All rights reserved. Published by John Wiley & Sons, Inc. Published simultaneously in Canada. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authoriza- tion through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4744. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 605 Third Avenue, New York, NY 10158-0012, (212) 850-6011, fax (212) 850-6008, E-Mail: PERMREQ @ WILEY.COM. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered.
    [Show full text]
  • Comparing Selected Criteria of Programming Languages Java, PHP, C++, Perl, Haskell, Aspectj, Ruby, COBOL, Bash Scripts and Scheme Revision 1.0 Sultan S
    Comparing Selected Criteria of Programming Languages Java, PHP, C++, Perl, Haskell, AspectJ, Ruby, COBOL, Bash Scripts and Scheme Revision 1.0 Sultan S. Al-Qahtani Luis F. Guzman Concordia University Concordia University Montreal, Quebec, Canada Montreal, Quebec, Canada [email protected] [email protected] Rafik Arif Adrien Tevoedjre Concordia University Concordia University Montreal, Quebec, Canada Montreal, Quebec, Canada [email protected] [email protected] Pawel Pietrzynski Concordia University Montreal, Quebec, Canada [email protected] Abstract Comparison of programming languages is a common topic of discussion among software engineers. Few languages ever become sufficiently popular that they are used by more than a few people or find their niche in research or education; but professional programmers can easily use dozens of different languages during their career. Multiple programming languages are designed, specified, and implemented every year in order to keep up with the changing programming paradigms, hardware evolution, etc. In this paper we present a comparative study between ten programming languages: Haskell, Java, Perl, C++, AspectJ, COBOL, Ruby, PHP, Bash Scripts, and Scheme; with respect of the following criteria: Secure programming practices, web applications development, web services design and composition, object oriented-based abstraction, reflection, aspect-orientation, functional programming, declarative programming, batch scripting, and user interface prototype design. 1. Introduction The first high-level programming languages were designed during the 1950s. Ever since then, programming languages have been a fascinating and productive area of study [43]. Thousands of different programming languages have been created, mainly in the computer field, with many more being created every year; they are designed, specified, and implemented for the purpose of being up to date with the evolving programming paradigms (e.g.
    [Show full text]
  • Juturna: Lightweight, Pluggable and Selective Taint Tracking for Java
    Institut für Programmstrukturen und Datenorganisation (IPD) Lehrstuhl Prof. Dr.-Ing. Snelting Juturna: Lightweight, Pluggable and Selective Taint Tracking for Java Masterarbeit von Florian Dominik Loch an der Fakultät für Informatik / in Kooperation mit der SAP SE Erstgutachter: Prof. Dr.-Ing. Gregor Snelting Zweitgutachter: Prof. Dr. Bernhard Beckert Betreuer KIT: Dipl.-Inform. Martin Mohr Betreuer SAP SE: Dr. Martin Johns Bearbeitungszeit: 12. Juli 2017 – 19. Februar 2018 KIT – Die Forschungsuniversität in der Helmholtz-Gemeinschaft www.kit.edu Erklärung Hiermit erkläre ich, Florian Dominik Loch, dass ich die vorliegende Masterarbeit selbstständig verfasst habe und keine anderen als die angegebenen Quellen und Hilfs- mittel benutzt habe, die wörtlich oder inhaltlich übernommenen Stellen als solche kenntlich gemacht und die Satzung des KIT zur Sicherung guter wissenschaftlicher Praxis beachtet habe. Ort, Datum Unterschrift III Abstract Injection-Angriffe, wie bspw. SQL-Injection oder Cross-site Scripting, sind vielfäl- tig und stellen eine große Bedrohung für (Web-)Applikationen und ihre Nutzer dar – für Privatpersonen gleichermaßen wie für Unternehmen. Bisherige Arbeiten haben klar gezeigt, dass die Idee des Taint-Trackings – Werte zu markieren und ihren Fluss durch die Applikation zur Laufzeit zu überwachen – effektiv sind bzgl. der Erkennung einer Vielzahl solcher Verwundbarkeiten sowie der Verhinderung einer Ausnutzung. Allerdings sind aktuelle Taint-Tracking-Systeme für Java SE/Java EE noch nicht wirklich für den produktiven Einsatz geeignet. Die vorliegende Arbeit setzt sich mit den Anforderungen eines solchen Umfeldes auseinander und stellt, in Form von Juturna, einen neuen Ansatz vor. Dieser versucht, jenen Anforderungen unter Verwendung etablierter Techniken und neuer Ideen gerecht zu werden. Eines der großen, aktuellen Probleme von Taint-Tracking ist dabei der immanen- te Overhead bzgl.
    [Show full text]
  • Techniques and Tools for Engineering Secure Web Applications
    Gary Michael Wassermann September 2008 Computer Science Techniques and Tools for Engineering Secure Web Applications Abstract With the rise of the Internet, web applications, such as online banking and web-based email, have become integral to many people’s daily lives. Web applications have brought with them new classes of computer security vulnerabilities, such as SQL injection and cross-site scripting (XSS), that in recent years have exceeded previously prominent vulner- ability classes, such as buffer overflows, in both reports of new vulnerabilities and reports of exploits. SQL injection and XSS are both instances of the broader class of input validation- based vulnerabilities. At their core, both involve one system receiving, transforming, and constructing string values, some of which come from untrusted sources, and presenting those values to another system that interprets them as programs or program fragments. These input validation-based vulnerabilities therefore require fundamentally new techniques to characterize and mitigate them. This dissertation addresses input validation-based vulnerabilities that arise in the con- text of web applications, or more generally, in the context of metaprogramming. This dissertation provides the first principled characteriztion, based on concepts from program- ming languages and compilers, for such vulnerabilities, with formal definitions for SQL injection and XSS in particular. Building on this characterization, the dissertation also contributes practical algorithms for runtime protection, static analysis, and testing-based analysis of web applications to identify vulnerabilities in application code and prevent at- tackers from exploiting them. This dissertation additionally reports on implementations of these algorithms, showing them to be effective for their respective settings. They have low runtime overhead, validate the definitions, scale to large code bases, have low false-positive rates, handle real-world application code, and find previously unreported vulnerabilities.
    [Show full text]
  • Dynamic Taint Tracking for Java-Based Web Applications
    DEGREE PROJECT IN THE FIELD OF TECHNOLOGY INFORMATION AND COMMUNICATION TECHNOLOGY AND THE MAIN FIELD OF STUDY COMPUTER SCIENCE AND ENGINEERING, SECOND CYCLE, 30 CREDITS STOCKHOLM, SWEDEN 2018 WebTaint: Dynamic Taint Tracking for Java-based Web Applications FREDRIK ADOLFSSON KTH ROYAL INSTITUTE OF TECHNOLOGY SCHOOL OF ARCHITECTURE AND THE BUILT ENVIRONMENT WebTaint: Dynamic Taint Tracking for Java-based Web Applications FREDRIK ADOLFSSON Master in Computer Science Date: June 21, 2018 Supervisor: Musard Balliu Examiner: Mads Dam Swedish title: WebTaint: Dynamic Taint Tracking för Java-baserade webbapplikationer School of Computer Science and Communication iii Abstract The internet is a source of information and it connects the world through a single platform. Many businesses have taken advantage of this to share information, to communicate with customers, and to cre- ate new business opportunities. However, this does not come without drawbacks as there exists an elevated risk to become targeted in attacks. The thesis implemented a dynamic taint tracker, named WebTaint, to detect and prevent confidentiality and integrity vulnerabilities in Java- based web applications. We evaluated to what extent WebTaint can combat integrity vulnerabilities. The possible advantages and disad- vantages of using the application is introduced as well as an explication whether the application was capable of being integrated into produc- tion services. The results show that WebTaint helps to combat SQL Injection and Cross-Site Scripting attacks. However, there are drawbacks in the form of additional time and memory overhead. The implemented solution is therefore not suitable for time or memory sensitive domains. WebTaint could be recommended for use in test environments where security ex- perts utilize the taint tracker to find TaintExceptions through manual and automatic attacks.
    [Show full text]