nach oben

Empirical Software Engineering

Erschienen in:

01.09.2023

XSnare: application-specific client-side cross-site scripting protection

verfasst von: José Carlos Pazos, Jean-Sébastien Légaré, Ivan Beschastnikh

Erschienen in: Empirical Software Engineering | Ausgabe 5/2023

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

We present XSnare, a client-side Cross-Site Scripting (XSS) solution implemented as a Firefox extension. The client-side design of XSnare can protect users before application developers release patches and before server operators apply them. XSnare blocks XSS attacks by using previous knowledge of a web application’s HTML template content and the rich DOM context. XSnare uses a database of exploit descriptions, which are written with the help of previously recorded CVEs. It singles out injection points for exploits in the HTML and dynamically sanitizes content to prevent malicious payloads from appearing in the DOM. XSnare displays a secured version of the site, even if is exploited. We evaluated XSnare on 81 recent CVEs related to XSS attacks, and found that it defends against 93.8% of these exploits. We compared XSnare’s funcitonality and protection with two well known content filtering extensions: NoScript and uBlockOrigin. To the best of our knowledge, XSnare is the first protection mechanism for XSS that is application-specific, and based on publicly available CVE information. We show that XSnare’s specificity protects users against exploits which evade other, more generic, XSS defenses. Our performance evaluation shows that our extension’s overhead on web page loading time is less than 10% for 72.6% of the sites in the Moz Top 500 list. We also show that XSnare has as a slowdown of less than 10% on 60% of the vulnerable sites that we considered. XSnare has a false positive rate of 1/4876 (0.0205%) on the Alexa top 5000 sites.

Vorheriger Artikel What have we learned? A conceptual framework on New Zealand software professionals and companies’ response to COVID-19

Nächster Artikel A comparison of reinforcement learning frameworks for software testing tasks

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nur mit Berechtigung zugänglich

As early as 2012, JavaScript was used by almost 100% of the Alexa top 500 sites (Stock et al. 2017)

https://www.cvedetails.com/cve/CVE-2018-5213/

https://github.com/cure53/DOMPurify/tree/main/demos#what-is-this

In these cases, the signature developer can weigh the trade-offs and decide whether the added cost is worth it.

https://gist.github.com/chilts/7229605

https://www.cvedetails.com/cve/CVE-2018-5213/

This image was taken from the w3 spec: https://www.w3.org/TR/navigation-timing-2/

The Spearman’s correlation coefficient measures the strength and direction of association between two ranked variables: https://statistics.laerd.com/statistical-guides/spearmans-rank-order-correlation-statistical-guide.php

There are 15,303 CVEs related to XSS in CVE Details (xss 2020).

https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest/filterResponseData

https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API

https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest/ResourceType

Abgrall E, Traon YL, Gombault S, et al (2014) Empirical investigation of the web browser attack surface under cross-site scripting: An urgent need for systematic security regression testing. In: 2014 IEEE Seventh International Conference on Software Testing, Verification and Validation Workshops. pp 34–41. https://doi.org/10.1109/ICSTW.2014.63

Acu (2021) Acunetix web vulnerability testing report 2021. https://www.acunetix.com/white-papers/acunetix-web-application-vulnerability-report-2021/

adb (2018) How does adblock work? https://help.getadblock.com/support/solutions/articles/6000087914-how-does-adblock-work-

Artzi S, Kiezun A, Dolby J et al (2010) Finding bugs in web applications using dynamic test generation and explicit-state model checking. IEEE Trans Softw Eng 36(4):474–494. https://doi.org/10.1109/TSE.2010.31CrossRef

Bezemer CP, Mesbah A, van Deursen A (2009) Automated security testing of web widget interactions. In: Proceedings of the 7th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on The Foundations of Software Engineering. Association for Computing Machinery, New York, NY, USA, ESEC/FSE ’09. pp 81-90. https://doi.org/10.1145/1595696.1595711

Bisht P, Venkatakrishnan VN (2008) XSS-GUARD: Precise dynamic prevention of cross-site scripting attacks. In: Proceedings of the 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer-Verlag, Berlin, Heidelberg, DIMVA ’08. pp 23–43. https://doi.org/10.1007/978-3-540-70542-0_2

CSP (2019) Same-origin policy. https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy

cve (2019a) Wordpress cves. https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress

cve (2019b) Wordpress: Vulnerability statistics. https://www.cvedetails.com/product/4096/Wordpress-Wordpress.html?vendor_id=2337

dep (2019) Intent to deprecate and remove: XSSAuditor. https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/TuYw-EZhO9g/blGViehIAwAJ

exa (2018) Wordpress plugin responsive cookie consent 1.7 / 1.6 / 1.5 - (authenticated) persistent cross-site scripting. https://www.exploit-db.com/exploits/44563

exp (2019) Exploit database. https://www.exploit-db.com/

Hallaraker O, Vigna G (2005) Detecting malicious javascript code in mozilla. In: Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems. IEEE Computer Society, Washington, DC, USA, ICECCS ’05, pp 85–94. https://doi.org/10.1109/ICECCS.2005.35

Heiderich M, Späth C, Schwenk J (2017) Dompurify: Client-side protection against XSS and markup injection. In: Foley SN, Gollmann D, Snekkenes E (eds) Computer Security - ESORICS 2017. Springer International Publishing, Cham, pp 116–134CrossRef

Jim T, Swamy N, Hicks M (2007) Defeating script injection attacks with browser-enforced embedded policies. In: Proceedings of the 16th International Conference on World Wide Web. ACM, New York, NY, USA, WWW ’07, pp 601–610. https://doi.org/10.1145/1242572.1242654

Kieyzun A, Guo PJ, Jayaraman K, et al (2009) Automatic creation of sql injection and cross-site scripting attacks. In: 2009 IEEE 31st International Conference on Software Engineering. pp 199–209. https://doi.org/10.1109/ICSE.2009.5070521

Kirda E, Jovanovic N, Kruegel C et al (2009) Client-side cross-site scripting protection. Comput Secur 28(7):592–604. https://doi.org/10.1016/j.cose.2009.04.008CrossRef

Kocher P, Genkin D, Gruss D, et al (2018) Spectre attacks: Exploiting speculative execution. CoRR arXiv:1801.01203

Moz (2022) Moz top 500 websites. https://moz.com/top500

Nadji Y, Saxena P, Song D (2009) Document structure integrity: A robust basis for cross-site scripting defense. In: NDSS

nav (2019) Navigation timing level 2. https://www.w3.org/TR/navigation-timing-2/

Nguyen-Tuong A, Guarnieri S, Greene D et al (2005) Automatically hardening web applications using precise tainting. Security and Privacy in the Age of Ubiquitous Computing, IFIP TC11 20th International Conference on Information Security (SEC 2005), May 30 - June 1, 2005. Chiba, Japan, pp 295–308

nMa (2019) nmap network mapper. https://nmap.org/

Noscript (2022) Noscript homepage. https://noscript.net/

Pan J, Mao X (2017) Detecting dom-sourced cross-site scripting in browser extensions. In: 2017 IEEE International Conference on Software Maintenance and Evolution (ICSME). pp 24–34. https://doi.org/10.1109/ICSME.2017.11

Pazos JC, Légaré JS, Beschastnikh I (2021) Xsnare: Application-specific client-side cross-site scripting protection. In: 2021 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). pp 154–165. https://doi.org/10.1109/SANER50967.2021.00023

Pietraszek T, Berghe CV (2006) Defending against injection attacks through context-sensitive string evaluation. In: Proceedings of the 8th International Conference on Recent Advances in Intrusion Detection. Springer-Verlag, Berlin, Heidelberg, RAID’05. pp 124–145. https://doi.org/10.1007/11663812_7

Rap (2018) Security report for in-production web applications. https://www.rapid7.com/resources/security-report-for-in-production-web-applications/

Rap (2021) The 2021 vulnerability intelligence report. https://www.rapid7.com/products/insightvm/vulnerability-report-hub-page/

rcc (2019) Responsive cookie consent 1.8 patches. https://plugins.trac.wordpress.org/browser/responsive-cookie-consent/tags/1.8/includes/admin-page.php

saf (2019) Safely inserting external content into a page. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Safely_inserting_external_content_into_a_page

Snyder P, Taylor C, Kanich C (2017) Most websites don’t need to vibrate: A cost-benefit approach to improving browser security. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM, New York, NY, USA, CCS ’17. pp 179–194. https://doi.org/10.1145/3133956.3133966

Steffens M, Rossow C, Johns M, et al (2019) Don’t trust the locals: Investigating the prevalence of persistent client-side cross-site scripting in the wild. In: 26th Annual Network and Distributed System Security Symposium, NDSS 2019, San Diego, California, USA, February 24-27, 2019

Stock B, Johns M, Steffens M, et al (2017) How the web tangled itself: Uncovering the history of client-side web (in)security. In: Proceedings of the 26th USENIX Conference on Security Symposium. USENIX Association, Berkeley, CA, USA, SEC’17, pp 971–987. http://dl.acm.org/citation.cfm?id=3241189.3241265

Stock B, Lekies S, Mueller T, et al (2014) Precise client-side protection against dom-based cross-site scripting. In: Proceedings of the 23rd USENIX Conference on Security Symposium. USENIX Association, Berkeley, CA, USA, SEC’14. pp 655–670. http://dl.acm.org/citation.cfm?id=2671225.2671267

stu (2019) Wordpress plugin responsive cookie consent 1.7 / 1.6 / 1.5 - (authenticated) persistent cross-site scripting. https://www.exploit-db.com/exploits/44563

Suc (2021) 2021 website threat research report. https://sucuri.net/wp-content/uploads/2022/04/sucuri-2021-hacked-report.pdf

Sundareswaran S, Squicciarini AC (2012) XSS-Dec: A hybrid solution to mitigate cross-site scripting attacks. In: Proceedings of the 26th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy. Springer-Verlag, Berlin, Heidelberg, DBSec’12. pp 223–238. https://doi.org/10.1007/978-3-642-31540-4_17

Sun F, Xu L, Su Z (2009) Client-side detection of XSS worms by monitoring payload propagation. In: Backes M, Ning P (eds) Computer Security - ESORICS 2009. Springer Berlin Heidelberg, Berlin, Heidelberg, pp 539–554

uBlockOrigin (2022) ublock origin. https://github.com/gorhill/uBlock#ublock-origin

w3s (2019) Usage of content management systems for websites. https://w3techs.com/technologies/overview/content_management/all

Wassermann G, Su Z (2008) Static detection of cross-site scripting vulnerabilities. In: Proceedings of the 30th International Conference on Software Engineering. Association for Computing Machinery, New York, NY, USA, ICSE ’08. p 171-180. https://doi.org/10.1145/1368088.1368112

Wassermann G, Yu D, Chander A, et al (2008) Dynamic test input generation for web applications. In: Proceedings of the 2008 International Symposium on Software Testing and Analysis. Association for Computing Machinery, New York, NY, USA, ISSTA ’08. p 249-260. https://doi.org/10.1145/1390630.1390661

wpp (2019) Wordpress: Plugins. https://wordpress.org/plugins/

wps (2019) Wpscan. https://wpscan.org/

wpw (2019) Statistics show why wordpress is a popular hacker target. https://www.wpwhitesecurity.com/statistics-70-percent-wordpress-installations-vulnerable/

Wurzinger P, Platzer C, Ludl C, et al (2009) Swap: Mitigating XSS attacks using a reverse proxy. In: Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems. IEEE Computer Society, Washington, DC, USA, IWSESS ’09. pp 33–39. https://doi.org/10.1109/IWSESS.2009.5068456

Xiao X, Paradkar A, Thummalapenta S, et al (2012) Automated extraction of security policies from natural-language software documents. In: Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering. Association for Computing Machinery, New York, NY, USA, FSE ’12. https://doi.org/10.1145/2393596.2393608

xss (2019) XSS auditor. https://www.chromium.org/developers/design-documents/xss-auditor

xss (2020) Cve details vulnerabilities by type. https://www.cvedetails.com/vulnerabilities-by-types.php

Xu W, Bhatkar S, Sekar R (2006) Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks. In: Proceedings of the 15th Conference on USENIX Security Symposium - Volume 15. USENIX Association, Berkeley, CA, USA, USENIX-SS’06. http://dl.acm.org/citation.cfm?id=1267336.1267345

Titel: XSnare: application-specific client-side cross-site scripting protection
verfasst von: José Carlos Pazos
Jean-Sébastien Légaré
Ivan Beschastnikh
Publikationsdatum: 01.09.2023
Verlag: Springer US
Erschienen in: Empirical Software Engineering / Ausgabe 5/2023
Print ISSN: 1382-3256
Elektronische ISSN: 1573-7616
DOI: https://doi.org/10.1007/s10664-023-10323-w

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Weitere Artikel der Ausgabe 5/2023

Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study

Using the uniqueness of global identifiers to determine the provenance of Python software source code

What have we learned? A conceptual framework on New Zealand software professionals and companies’ response to COVID-19

Studying differentiated code to support smart contract update

On practitioners’ concerns when adopting service mesh frameworks

More than React: Investigating the Role of Emoji Reaction in GitHub Pull Requests

Premium Partner