flax: systematic discovery of client-side validation vulnerabilities in rich web applications
DESCRIPTION
FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications. Prateek Saxena*, Steve Hanna*, Pongsin Poosankam‡*, Dawn Song*. * UC Berkeley. ‡ Carnegie Mellon University. Client-side Validation (CSV) Vulnerabilities.
TRANSCRIPT
1
FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities
in Rich Web Applications
Prateek Saxena*, Steve Hanna*, Pongsin Poosankam‡*, Dawn Song*
* UC Berkeley   ‡ Carnegie Mellon University
2
Client-side Validation (CSV) Vulnerabilities
• A new class of input validation vulnerabilities
• Analogous to server-side bugs
  – Unsafe data usage in the client-side JS code
  – Involves data flows
    » Purely client-side, data never sent to server
    » Returned from server, then used in client-side code
3
Rich Web Applications
• Lots of JS code
• Rich cross-domain interaction
[Figure: four applications, APP 1 to APP 4, interacting across domains]
4
Outline
• CSV Vulnerability Examples
• FLAX: Tool and Techniques
  – Challenges & Key Idea
  – Tool Architecture
  – Design
• Real Attacks and Evaluation Results
• Related Work & Conclusion
5
Vulnerability Example (I): Origin Misattribution
• Cross-domain Communication
  – Example: HTML 5 postMessage
[Figure: sender facebook.com delivers a message to receiver cnn.com via postMessage. Legitimate message: Origin: www.facebook.com, Data: "Chatuser: Joe, Msg: Hi". Attacker message: Origin: www.evil.com, Data: "Chatuser: Joe, Msg: onlinepharmacy.com"]
6
Vulnerability Example (II): Code Injection
• Code/data mixing
• Dynamic code evaluation
  – eval
  – DOM methods
• Eval also deserializes objects
  – JSON
[Figure: the receiver on facebook.com runs eval(.. + event.data) on the received message; attacker-supplied Data: "alert('0wned');"]
7
Vulnerability Example (III): Application Command Injection
• Application-specific commands
• Example: Chat application
[Figure: from the "Join this room" link http://chat.com/roomname=nba the application JavaScript builds http://chat.com?cmd=joinroom&room=nba and sends it to the application server with XMLHttpReq.open(url). A room name of "..=nba&cmd=addbuddy&user=evil" instead yields http://chat.com?cmd=joinroom&room=nba&cmd=addbuddy&user=evil, carrying an injected command]
8
Vulnerability Example (IV): Cookie Sink Vulnerabilities
• Cookies
  – Store session ids, user's history and preferences
  – Have their own control format, using attributes
• Can be read/written in JavaScript
• Attacks
  – Session fixation
  – History and preference data manipulation
  – Cookie attribute manipulation, changes
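The receiver side of the chat exchange from the four examples above, as an added illustration that is not code from the FLAX slides or the applications they discuss: first the vulnerable pattern the talk describes (no origin check, eval on the payload, raw room name spliced into a command URL and a cookie), then a hardened version. The sender origin, the chat.com URL layout and the TRUSTED_ORIGINS allowlist are assumptions for the example.

```javascript
// Added example (not from the FLAX slides): vulnerable vs. hardened
// postMessage receiver for the chat application of slides 5-8.
const TRUSTED_ORIGINS = new Set(["http://www.facebook.com"]); // assumed sender

// Vulnerable receiver: no origin check (origin misattribution), eval() on the
// payload (code injection), raw room name spliced into the command URL
// (application command injection) and into a cookie (attribute manipulation).
function vulnerableReceiver(event) {
  const msg = eval("(" + event.data + ")");
  const url = "http://chat.com?cmd=joinroom&room=" + msg.room;
  const cookie = "lastroom=" + msg.room;
  return { url, cookie };
}

// Hardened receiver: each sink gets the check the corresponding attack lacks.
function hardenedReceiver(event) {
  // (I) Origin misattribution: accept only the senders we expect.
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  // (II) Code injection: deserialize with JSON.parse, never eval.
  let msg;
  try { msg = JSON.parse(event.data); } catch (e) { return null; }
  // Allowlist the room name so "&cmd=..." or ";" can never be part of it.
  if (typeof msg.room !== "string" || !/^[A-Za-z0-9_-]{1,32}$/.test(msg.room)) return null;
  // (III) Command injection: encode before splicing into the request URL.
  const url = "http://chat.com?cmd=joinroom&room=" + encodeURIComponent(msg.room);
  // (IV) Cookie sink: encode the value so it cannot introduce cookie attributes.
  const cookie = "lastroom=" + encodeURIComponent(msg.room) + "; SameSite=Lax";
  return { url, cookie };
}

// Constructed messages mirroring the slides' legitimate and injected inputs.
const legit = { origin: "http://www.facebook.com", data: '{"room":"nba"}' };
const injected = { origin: "http://www.evil.com",
                   data: '{"room":"nba&cmd=addbuddy&user=evil"}' };

function demo() {
  return {
    vulnerable: vulnerableReceiver(injected),      // injected command reaches the URL
    hardenedEvil: hardenedReceiver(injected),      // null: rejected at the origin check
    hardenedLegit: hardenedReceiver(legit),
    hardenedBadRoom: hardenedReceiver({ origin: legit.origin, data: injected.data }),
  };
}
```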
9
Summary of Goals
• Systematic discovery techniques
  – FLAX: An automatic tool for discovery
  – A new hybrid technique for JavaScript analysis
• Evaluate prevalence in real code
  – An empirical evaluation of real-world applications
  – Find several unknown CSV vulnerabilities
10
Outline
• CSV Vulnerabilities
• FLAX: Tool and Techniques
  – Challenges & Key Idea
  – Tool Architecture
  – Design
• Real Attacks and Evaluation Results
• Related Work & Conclusion
11
Problem Definition
• Definition
  – Unsafe usage of untrusted data in a critical sink
• Systematic discovery of CSV vulnerabilities
• Two sub-problems
  – Exploring program space
  – Finding bugs in some explored functionality
• Attacker Model
  – Web attacker (evil.com)
  – User-as-an-attacker
12
Challenges
• JavaScript complexity
  – Highly dynamic language
  – String-heavy
• Parsing ops. indistinguishable from validation checks
  – Custom sanity routines are common
• Hidden server-side logic
  – Assumes no knowledge of the server
  – Handles reflected flows: data flows to server and back
End-to-end Web Application Analysis
13
Key Insight
• Taint-enhanced black-box fuzzing (TEBF)
  – A simple idea
  – Combine benefits of taint-tracking & fuzzing
  – Requires no source code annotations
  – No false positives
• FLAX: An End-to-end System
  – Simplifies JS first
  – Implements TEBF
  – Handles reflected flow using approximate tainting
[Figure: plot of False Positives against Efficiency of finding Bugs, placing black-box fuzzing, syntax-driven fuzzing, purely dynamic taint-tracking and TEBF]
14
FLAX Tool Design
[Figure: the JavaScript program and an initial input are run under taint-tracking to produce an execution trace; the trace from source to sink is reduced to an acceptor slice (transformation operations and path constraints), which drives a sink-aware fuzzer that answers "EXPLOIT ?"]
Example acceptor slice:
  function acceptor(input) {
    // Expected shape after the three rewrites: an object with two string members
    must_match = '{]:],]:]}';
    // Escape sequences inside string literals become "@"
    re1 = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g;
    // String, boolean, null and number literals become "]"
    re2 = /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g;
    // Opening brackets following the start, ":" or "," are dropped
    re3 = /(?:^|:|,)(?:\s*\[)+/g;
    rep1 = input.replace(re1, "@");
    rep2 = rep1.replace(re2, "]");
    rep3 = rep2.replace(re3, "");
    if (rep3 == must_match) { return true; }
    return false;
  }
15
FLAX Implementation
[Figure: the JavaScript interpreter, instrumented by the taint engine, emits a JASIL execution trace that the acceptor slice generator consumes. Example trace:
  X = INPUT[4]
  Y = SubStr(X, 0, 4)
  Z = (Y == "http")
  PC = IF (Z) THEN (T) ELSE (NEXT)]
16
Simplifying JavaScript
• JASIL: Our intermediate language
  – A simple type system
  – Small set of operations
• Enables string-centric, fine-grained taint tracking on JS
17
Simplifying JavaScript (II)
• Benefits of JASIL simplification to taint-tracking
• Example: Taint semantics for replace are difficult!
  rep1 = INPUT.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@");
[Figure: emitted JASIL instructions for the replace call; INPUT is cut with subString, each matched region R is turned into the literal "@" with convert, and the pieces are joined with concat to form OUTPUT]
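A toy character-level taint model, added here as an illustration and not the FLAX or JASIL implementation, serving both the acceptor slice of slide 14 and the replace decomposition of slide 17: taint is one bit per character, and replace has no rule of its own but is built from substring, convert and concat, the operations the emitted-JASIL diagram names. The TaintedStr class, its method names and the sample input are assumptions for the example.

```javascript
// Added example (not the FLAX/JASIL code): per-character taint through the
// three replace() rewrites of the slide-14 acceptor.
class TaintedStr {
  constructor(s, t) { this.s = s; this.t = t || Array(s.length).fill(false); }
  static tainted(s) { return new TaintedStr(s, Array(s.length).fill(true)); }
  static convert(lit) { return new TaintedStr(lit); }   // program literal: untainted
  substring(i, j) { return new TaintedStr(this.s.slice(i, j), this.t.slice(i, j)); }
  concat(o) { return new TaintedStr(this.s + o.s, this.t.concat(o.t)); }
  // replace(re, lit): unmatched pieces keep their per-character taint via
  // substring/concat; every match is swapped for the untainted literal.
  replace(re, lit) {
    const g = new RegExp(re.source, re.flags.includes("g") ? re.flags : re.flags + "g");
    let out = TaintedStr.convert(""), pos = 0, m;
    while ((m = g.exec(this.s)) !== null) {
      out = out.concat(this.substring(pos, m.index)).concat(TaintedStr.convert(lit));
      pos = m.index + m[0].length;
      if (m[0].length === 0) g.lastIndex++;   // avoid looping on empty matches
    }
    return out.concat(this.substring(pos, this.s.length));
  }
  // Characters of the value that still derive from the untrusted source.
  taintedChars() { return [...this.s].filter((_, i) => this.t[i]).join(""); }
}

// The three rewrites used by the acceptor on slide 14.
const re1 = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g;
const re2 = /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g;
const re3 = /(?:^|:|,)(?:\s*\[)+/g;

// Runs the acceptor's transformations on the taint model and reports, for
// each intermediate value, which characters remain attacker-controlled.
function acceptorTrace(input) {
  const rep1 = input.replace(re1, "@");
  const rep2 = rep1.replace(re2, "]");
  const rep3 = rep2.replace(re3, "");
  return { rep1, rep2, rep3, accepted: rep3.s === "{]:],]:]}" };
}

// Constructed untrusted input (think event.data) containing one escape sequence.
function demo() {
  return acceptorTrace(TaintedStr.tainted('{"a":"x\\n","c":1}'));
}
```

After the second rewrite only the structural characters `{:,:}` are still tainted, which is exactly what lets the fuzzer concentrate on the few positions the acceptor actually constrains.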
18
Outline
• CSV Vulnerabilities
• FLAX: Tool and Techniques
  – Challenges & Key Idea
  – Tool Architecture
  – Design
• Attacks and Evaluation Results
• Related Work & Conclusion
19
Evaluation
• 40 Subjects
  – iGoogle gadgets
  – AJAX applications and web sites
• Setup
  – Untrusted sources
    » All cross-domain channels
    » Text boxes
  – Critical sinks
    » Code evaluation constructs
    » XHR url data
    » Cookies
20
Results (I)
• Summary
  – Taint observed in 18 / 40 subjects
  – FLAX found 11 previously unknown vulnerabilities
• Examples
  – Origin Misattribution leading to XSS in Facebook Connect
  – Gadget Overwriting Attacks on Google/IG
  – Application Command Injection on AjaxIM
  – Code injection and cookie attribute manipulation via cookie sinks

Vulnerability Type               Number of vulnerabilities
Code Injection                   8
Origin Misattribution            1
Application Command Injection    1
Cookie Sink                      1
TOTAL FOUND BY FLAX              11
21
Example Attacks: Gadget Overwriting
[Figure: screenshot of a compromised gadget with overwritten contents; the legitimate URL bar is shown, the page having been reached through an attack link to the iGoogle page]
22
Effectiveness
• Character-level precise taint-tracking helps fuzzing
• Reduction in input sizes
23
Effectiveness (II)
• Reduction in false positives, TEBF vs. pure taint-tracking
24
Conclusion
• A new class of vulnerabilities: CSV
• Example attacks
• A systematic discovery tool: FLAX
  – No annotations, no false positives
  – Employs a simple TEBF technique
  – Robust analysis using JASIL
• CSV vulnerabilities are actually prevalent today
  – Found 11 previously unknown vulns
  – Demonstrate proof-of-concept exploits
25
Contact
• Contact:
  – Prateek Saxena ([email protected])
• Please visit our project web site
  – http://webblaze.cs.berkeley.edu
THANKS FOR LISTENING