DOI: 10.1145/1255329.1255346

Using web application construction frameworks to protect against code injection attacks

Published: 14 June 2007

ABSTRACT

In recent years, the security landscape has changed, with Web application vulnerabilities becoming more prominent than vulnerabilities stemming from the lack of type safety, such as buffer overruns. Many reports point to code injection attacks such as cross-site scripting and RSS injection as being the most common attacks against Web applications to date. With Web 2.0, existing security problems are further exacerbated by the advent of Ajax technology, which allows one to create and compose HTML content from different sources within the browser at runtime, as exemplified by customizable mashup pages like My Yahoo! or Live.com.

This paper proposes a simple-to-support yet powerful scheme for eliminating a wide range of script injection vulnerabilities in applications built on top of popular Ajax development frameworks such as the Dojo Toolkit, prototype.js, and AJAX.NET. Unlike other client-side runtime enforcement proposals, the approach we are advocating requires only minor browser modifications. This is because our proposal can be viewed as a natural finer-grained extension of the same-origin policy for JavaScript already supported by the majority of mainstream browsers, in which we treat individual user interface widgets as belonging to separate domains.

Fortunately, in many cases no changes to the development process need to take place: for applications that are built on top of the frameworks described above, a slight framework modification will result in appropriate changes in the generated HTML, completely obviating the need for manual code annotation. In this paper we demonstrate how these changes can prevent cross-site scripting and RSS injection attacks using the Dojo Toolkit, a popular Ajax library, as an example.


Published in

PLAS '07: Proceedings of the 2007 workshop on Programming languages and analysis for security
June 2007, 122 pages
ISBN: 9781595937117
DOI: 10.1145/1255329
General Chair: Michael Hicks

Copyright © 2007 ACM


Publisher: Association for Computing Machinery, New York, NY, United States

