1 / 27

BLUEPRINT : Robust Prevention of Cross-site Scripting Attacks for Existing Browsers

BLUEPRINT : Robust Prevention of Cross-site Scripting Attacks for Existing Browsers. Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago IEEE Symposium on Security and Privacy, 2009 --- Presented by Joseph Del Rocco University of Central Florida. Outline.

lyneth
Download Presentation

BLUEPRINT : Robust Prevention of Cross-site Scripting Attacks for Existing Browsers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago IEEE Symposium on Security and Privacy, 2009 --- Presented by Joseph Del Rocco University of Central Florida

  2. Outline • Cross-site Scripting Overview • BLUEPRINT • Overview • Specifics • Experiment / Results • Contributions • Weakness / Improvement • References

  3. Trusted vs. Untrusted HTML

  4. Trusted vs. Untrusted HTML

  5. Cross-site Scripting (XSS) • Code injection into untrusted HTML which exploits client-side browser parsing • Hacker injects code into untrusted section,innocent user visits the web page,client browser displays all content,user encounters unintended content / hack • JavaScript (HTML, CSS, Java, Flash, etc.) • Non-persistent (reflected), Persistent (stored)

  6. XSS Example http://www.cisco.com/en/US/docs/solutions/Verticals/PCI_Healthcare/PCI_AppD.html#wp1026905

  7. XSS Example http://www.zdnet.com/blog/security/facebook-vulnerable-to-critical-xss-could-lead-to-malware-attacks/1175

  8. XSS Example http://news.netcraft.com/archives/2008/04/24/clinton_and_obama_xss_battle_develops.html

  9. XSS Example Many web applications also store user preferences in JavaScript variables directly…

  10. www.xssed.com XSS vulnerability found at these domains. Not yet fixed…

  11. BLUEPRINT Goals • W3C + dev cycle slow. Need solution now! • Solution should be transparent to user, support current browsers, no plug-ins, etc. • Retain expressiveness of untrusted HTML • Do not rely on browser to parse this data! • Enable web apps. to create a “blueprint” of untrusted web content free of XSS attacks,bridging divide between app. & browser

  12. HTML Interpretation Process

  13. Document Object Model (DOM) http://www.wdvl.com/Authoring/DHTML/DOM/NS.html http://www.codeguru.com/csharp/csharp/cs_misc/userinterface/article.php/c12267

  14. BLUEPRINT Approach • Reduce browser influence of parsing:HTML, CSS, URI, JavaScript • Server encodes chunks as models, • Server API uses whitelist to vet models,data encoded w/ syntactically inert chars • Transmit encoded data via <code> nodes,so browser ignores them, + script calls to model interpreter ( _bp_ )

  15. BLUEPRINT API

  16. BLUEPRINT Model HTMLpresented to client Encoded to… old new

  17. HTML Interpretation Process _bp_ script +encoded modelsA, B, C, D, E Normal path:A, B, C, D, E Untrusted data:A, B’, Q, P, E, R

  18. Reduce HTML Parser Influence • Models encoded in syntactically inert lang:{a,…,z,A,…,Z,0,…,9,/,+,=}* • Decode model w/ model interpreter _bp_,link embedded in <head> element • Use of DOM API to create elements • Original rendering order preserved, models embedded near original location, decoded synchronously as page renders

  19. Reduce CSS Parser Influence • element.style obj. vetted by whitelist, only known static properties allowed • expression() allows any dynamic property to contain exec code, so use setExpression() to function using whitelist to return valid static property • Whitelist behavior and –moz-binding • @import (CSS files) not supported

  20. Reduce URI Parser Influence • javascript: scheme very dangerous,no API exists for controlling the browser,scheme selection by browser URI parser. • Use whitelist of schemes:http: https: ftp: mailto: • Additional steps include testing browser scheme interpretation, and rewriting URIs,paper defers to previous work…

  21. Reduce JS Parser Influence • Common for web apps to store user prefs. in JavaScript variables for customization,so allow this but convert to _bp_ call

  22. BLUEPRINT Model Generator

  23. Results

  24. Contributions • W3C / browser development cycle is slow,offers effective XSS defense solution now • No required plug-ins, browser, ext., etc.,empowers web developers, user benefits • Innovative thinking:Web developers bypass browser parsing

  25. Weaknesses • All websites now have to update their libraries of code to use BLUEPRINT… • HTML interpretation process may change,especially on embedded browsers • Large script (15.6kB) downloaded / cached,How safe is this script? One for each site? • Client browser may disable JavaScript • Page size overhead due to text encoding

  26. Improvement / Future Work • Securely transfer script & keep up-to-date • Perhaps different encoding scheme or compress w/ fast codec • Maybe a scheme that empowers user?

  27. References • M. Ter Louw, V.N. Venkatakrishnan. BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers, IEEE Symposium on Security & Privacy, 2009 • DP, KF, et al. www.xssed.com, Cross-site Scripting Attacks Information, 2007-present • UIC, http://sisl.rites.uic.edu/blueprint, BLUEPRINT information site (Wiki), 2009 • Wikipedia,http://en.wikipedia.org/wiki/Cross-site_scripting • W3C, http://www.w3.org/2002/07/26-dom-article, 2002

More Related