A Systematic Analysis of XSS Sanitization in Web Application Frameworks
Transcript of a slide presentation by Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, and Dawn Song (University of California, Berkeley).
Slide 1
A Systematic Analysis of XSS Sanitization in Web Application Frameworks
Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, and Dawn Song
University of California, Berkeley
Slide 2
Content Injection
<div class="comment"><iframe src="http://www.voteobama.com"></iframe>
</div>
Slide 3
Web Frameworks
• Systems to aid the development of web applications
• Dynamically generated pages on the server
• Templates for code reuse
• Untrusted data dynamically inserted into programs
  • User responses, SQL data, third party code, etc.
Slide 4
Code in Web Frameworks
<html><p>hello, world</p>
</html>
Slide 5
Code in Web Frameworks
<html><?php echo "<p>hello, world</p>"; ?>
</html>
Slide 6
Code in Web Frameworks
<html> <?php echo $USERDATA ?>
</html>
What happens if $USERDATA =
<script>doEvil()</script>
Slide 7
Code in Web Frameworks
<html><script>doEvil()</script>
</html>
Slide 8
Sanitization
The encoding or elimination of dangerous constructs in untrusted data.
Slide 9
Contributions
• Build a detailed model of the browser to explain subtleties in data sanitization
• Evaluate the effectiveness of auto sanitization in popular web frameworks
• Evaluate the ability of frameworks to sanitize different contexts
• Evaluate the tools of frameworks in relation to what web applications actually use and need
Slide 10
Sanitization Example
• "<p>" + "<script> doEvil()</script> " + "</p>"
  (the middle string is untrusted)
Slide 11
Sanitization Example
"<p>" + sanitizeHTML("<script> doEvil() </script>") + "</p>"
<p> doEvil()</p>
Slide 12
Are we done?
"<a href='" + sanitizeHTML("javascript: …") + "' />"
<a href=' javascript: … '/>
sanitizeHTML is an HTML context sanitizer, but href is a URI context, not HTML
Slide 13
Now are we done?
<div onclick='displayComment("SANITIZED_ATTRIBUTE")'></div>
What if SANITIZED_ATTRIBUTE = ");stealInfo(""
Slide 14
Now are we done?
<div onclick='displayComment("");stealInfo("")'></div>
<div onclick='displayComment("SANITIZED_ATTRIBUTE")'></div>
Slide 15
Browser Model
OMG!!!
Slide 16
Framework and Application Evaluation
• What support for auto sanitization do frameworks provide?
• What support for context sensitivity do frameworks provide?
• Does the support of frameworks match the requirements of web applications?
Slide 17
Using Auto Sanitization
{% if header.sortable %}<a href="{{header.url}}">{% endif %}
Django doesn't know how to auto sanitize this context!
Slide 18
Overriding Auto Sanitization
{% if header.sortable %}<a href="{{header.url | escape}}">{% endif %}
Whoops! Wrong sanitizer.
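As an added example (not code from the paper, from Django, or from any framework the talk evaluates), the Python below models the three contexts the preceding slides walk through: HTML body text, a URI attribute, and a JavaScript string literal nested inside an event-handler attribute. Django's `escape` filter, like its autoescaping, is an HTML-context encoder, so the block also shows exactly what that encoder does and does not change in a `javascript:` URL, and why the nested onclick case needs the JavaScript-string encoding applied before the HTML-attribute encoding. The function names, the scheme allowlist, and the filled-in payloads (`doEvil()` in place of the slides' "…") are assumptions made for this example.

```python
import html
from urllib.parse import urlsplit

# Added example, not code from the paper, from Django, or from any framework it
# evaluates. It models the three contexts from the slides and shows why the
# HTML-context sanitizer (what Django's autoescape and `| escape` apply) is the
# wrong tool in a URI or JavaScript-string context.

ALLOWED_URI_SCHEMES = {"http", "https", "mailto"}  # assumed policy for this example


def sanitize_html(untrusted: str) -> str:
    """HTML text / attribute-value context: entity-encode <, >, &, " and ' so
    the data can neither open a tag nor break out of a quoted attribute."""
    return html.escape(untrusted, quote=True)


def uri_scheme(value: str) -> str:
    """Scheme as the browser will see it: leading whitespace and embedded
    tab/CR/LF are ignored by HTML URL parsing, so drop them before looking."""
    cleaned = "".join(c for c in value.strip() if c not in "\t\r\n")
    return urlsplit(cleaned).scheme.lower()


def sanitize_uri_attr(untrusted: str) -> str:
    """URI attribute context, scheme included: enforce the scheme allowlist
    first, then apply the attribute-value encoding on top."""
    scheme = uri_scheme(untrusted)
    if scheme and scheme not in ALLOWED_URI_SCHEMES:
        return "#"  # neutralised link; a real framework would reject or log it
    return html.escape(untrusted, quote=True)


def js_string_escape(untrusted: str) -> str:
    """JavaScript string-literal context: backslash the quote characters and
    \\uXXXX-encode anything that could close the literal or the enclosing tag,
    or be re-interpreted by the HTML parser (control chars, <, >, &, /, U+2028/9)."""
    out = []
    for ch in untrusted:
        if ch in "\\\"'":
            out.append("\\" + ch)
        elif ch in "<>&/\u2028\u2029" or ord(ch) < 0x20:
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def sanitize_js_string_in_attr(untrusted: str) -> str:
    """Nested context from the onclick slides: the browser HTML-decodes the
    attribute value first, then the JS engine parses the string literal.
    Encode in the reverse order: JS-string escape, then HTML-attribute escape."""
    return html.escape(js_string_escape(untrusted), quote=True)


# Templates from the slides, with the untrusted value plugged in.

def html_body(untrusted: str) -> str:
    return "<p>" + sanitize_html(untrusted) + "</p>"


def link_wrong_sanitizer(untrusted: str) -> str:
    # The mistake on the "Are we done?" and "| escape" slides: HTML sanitizer in a URI context.
    return "<a href='" + sanitize_html(untrusted) + "'/>"


def link_uri_sanitizer(untrusted: str) -> str:
    return "<a href='" + sanitize_uri_attr(untrusted) + "'/>"


def comment_div(untrusted: str) -> str:
    return "<div onclick='displayComment(\"" + sanitize_js_string_in_attr(untrusted) + "\")'></div>"


def js_seen_by_engine(markup: str) -> str:
    """What the script engine receives for comment_div(): the HTML parser has
    already entity-decoded the onclick attribute value."""
    start = markup.index("onclick='") + len("onclick='")
    return html.unescape(markup[start:markup.index("'", start)])


if __name__ == "__main__":
    # Constructed inputs: the slides' payloads with the "…" filled in.
    print(html_body("<script> doEvil()</script>"))
    print(link_wrong_sanitizer("javascript: doEvil()"))   # scheme survives untouched
    print(link_uri_sanitizer("javascript: doEvil()"))     # link neutralised
    print(comment_div('");stealInfo("'))
    print(js_seen_by_engine(comment_div('");stealInfo("')))
```

The point the slides make falls out of the output: `javascript: doEvil()` contains none of the five characters an HTML encoder touches, so `sanitizeHTML` (or `| escape`) returns it unchanged and the link still carries a script scheme; only a sanitizer that knows it is in a URI context and checks the scheme neutralises it. For the onclick case, `js_seen_by_engine` shows that after the browser decodes the attribute, the JS engine sees `displayComment("\");stealInfo(\"")`, a single string literal rather than two calls.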
Slide 19
Auto Sanitization Support
No Auto Sanitization: 7
HTML Context Only Auto Sanitization: 4
Context Aware: 3
• Examined 14 different frameworks
• 7 have no auto sanitization support at all
• 4 provide auto sanitization for HTML contexts only
• 3 automatically determine the correct context and which sanitizer to apply
  • …although they may only support a limited number of contexts
Slide 20
Sanitization Context Support
HTML Tag Context: 14
URI Attribute (excluding scheme): 14
URI Attribute (including scheme): 4
JS String: 4
JS Number or Boolean: 1
Style Attribute or Tag: 2
• Examined 14 different frameworks
• Only 1 handled all of these contexts
• Numbers indicate sanitizer support for a context regardless of auto sanitization support
Slide 21
Contexts Used By Web Applications
HTML Tag Context: 8/8
URI Attribute (excluding scheme): 7/8
URI Attribute (including scheme): 7/8
JS String, Number, or Boolean: 6/8
Style Attribute or Tag: 8/8
• Web applications (all in PHP):
  • RoundCube, Drupal, Joomla, WordPress, MediaWiki, PHPBB3, OpenEMR, Moodle
  • Ranged from ~19k LOC to ~530k LOC
Slide 22
Further Complexity in Sanitization Policies
Author   Input                    Output
User     "<img src='…'></img>"    ""
Admin    "<img src='…'></img>"    "<img src='…'></img>"
(wordpress/post_comment.php)
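The slide's point is that a sanitization policy can depend on who authored the data, not only on the output context. As an added illustration (not WordPress code, and not the logic of post_comment.php), the following Python makes the allowlist itself a per-role policy: an ordinary user's comment loses its `<img>` entirely, an admin's keeps it, and in both cases script bodies, unknown tags, event-handler attributes and non-allowlisted URI schemes are stripped. The two policies, the scheme allowlist and the example comment are assumptions for this example; because the sanitizer parses and re-serialises, the admin output is normalised (double-quoted attributes, no `</img>`) rather than echoed byte-for-byte as on the slide.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example, not WordPress code. It models the slide's observation that the
# same comment text gets different treatment depending on who wrote it, by
# making the allowlist (which tags and attributes survive) a per-role policy.
# The policies and the allowed URI schemes are assumed for this example.

USER_POLICY = {"p": set(), "b": set(), "i": set(), "a": {"href"}}
ADMIN_POLICY = {**USER_POLICY, "img": {"src", "alt"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
URI_ATTRS = {"href", "src"}
VOID_TAGS = {"img", "br"}


def safe_uri(value: str) -> bool:
    """Relative URLs and allowlisted schemes only (tab/CR/LF are stripped the
    way HTML URL parsing does before the scheme is read)."""
    cleaned = "".join(c for c in value.strip() if c not in "\t\r\n")
    scheme = urlsplit(cleaned).scheme.lower()
    return not scheme or scheme in ALLOWED_SCHEMES


class PolicySanitizer(HTMLParser):
    """Parses untrusted HTML and re-serialises only what the policy allows:
    unknown tags are dropped (their text is kept, entity-encoded), script and
    style bodies are dropped entirely, comments and declarations vanish."""

    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy = policy
        self.out = []
        self.stack = []       # open allowlisted elements, so they can be closed
        self.skip_depth = 0   # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        allowed = self.policy.get(tag)
        if allowed is None:
            return
        parts = [tag]
        for name, value in attrs:
            if name not in allowed or value is None:
                continue
            if name in URI_ATTRS and not safe_uri(value):
                continue
            parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.stack:
            while self.stack:          # also closes anything left open inside it
                opened = self.stack.pop()
                self.out.append("</%s>" % opened)
                if opened == tag:
                    break

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.stack:              # close whatever the input left open
            self.out.append("</%s>" % self.stack.pop())
        return "".join(self.out)


def sanitize_comment(untrusted_html: str, role: str) -> str:
    """Apply the policy for `role` ('admin', or anything else for an ordinary user)."""
    sanitizer = PolicySanitizer(ADMIN_POLICY if role == "admin" else USER_POLICY)
    sanitizer.feed(untrusted_html)
    return sanitizer.result()


if __name__ == "__main__":
    comment = "<img src='http://example.com/pic.png'></img>"   # constructed, as on the slide
    print(repr(sanitize_comment(comment, "user")))    # ''
    print(repr(sanitize_comment(comment, "admin")))   # '<img src="http://example.com/pic.png">'
```

Expressing the policy as data (which elements, which attributes, which schemes, per role) is what lets one sanitizer serve both authors; a framework whose only knob is "HTML-escape or not" cannot express this distinction, which is the expressivity gap the evaluation summary refers to.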
Slide 23
Evaluation Summary
• Auto sanitization alone is insufficient
• Frameworks lack sufficient expressivity
• Web applications already use more features than frameworks provide
Slide 24
Takeaways
• Defining correct sanitization policies is hard
  • And it's in the browser spec!
• Frameworks can do more
  • More sanitizer contexts, better automation, etc.
• Is sanitization the best form of policy going forward?