Riding out DOMsday - NDSS Symposium (slide transcript)

Slide 1

Riding out DOMsday: Toward Detecting and Preventing DOM Cross-Site Scripting
William Melicher, Anupam Das, Mahmood Sharif, Lujo Bauer, Limin Jia
Slide 2

XSS vulnerabilities account for 25% of web vulnerabilities

DOM XSS: the vulnerability is inside JavaScript run on the client

[Diagram: Attacker crafts exploit; User visits page; Website with vulnerability returns exploited page; Browser executes attacker code]

Exploit URL: url.com/page#"></a><script>ATTACK</script>

Vulnerable code:
```js
document.write('<a href="' + document.location + '">Link</a>');
```

Markup written into the page contains: <script>ATTACK</script>
Slide 3

Current client-side defenses are still inadequate
● Example: CSP is often not configured properly
● Example: Web application firewall filters are easily bypassable

More promising solution: detect bugs ahead of time
● State of the art: taint tracking and recognizing vulnerable flows [1]

[1] Lekies et al. 25 million flows later: large-scale detection of DOM XSS. CCS '13.
Slide 4

Our contributions
1. Improved methodology for detecting DOM XSS
2. Studied prevalence of DOM XSS in real world
3. Examined whether static analysis tools help
Slide 5

What are vulnerable flows?

```js
var the_url = document.location.href;
var markup = '<a href="' + the_url + '">Link</a>';
document.write(markup);
```

Sources: document.location, cross-origin messages, referrer, ...
Sinks: document.write, innerHTML, eval, ...
Slides 6-7

What are vulnerable flows?

```js
var the_url = document.location.href;
var markup = '<a href="' + encodeURI(the_url) + '">Link</a>';
document.write(markup);
```

Encoding function used
Slide 8

Detecting vulnerable flows using taint tracking

Sources: document.location, cross-origin messages, referrer, ...

```js
var markup = '<a href="' + document.location + '">Link</a>';
```

Value at the sink, with the taint bitmap the slide draws under it (T = character that came from a tainted source, 0 = character from the script's own literal):

```
'<a href="url.com/page#"></a><script>CODE</script>">Link</a>'
 000000000TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT0000000000
```
Slide 9

Taint tracking inside Chromium

```js
document.write(markup);
```

At run time the sink receives the tainted string (bitmap: T = tainted, 0 = not):

```
document.write('<a href="url.com/page#"></a><script>CODE</script>">Link</a>');
                000000000TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT0000000000
```

Log tainted call:
● Code location
● Value of tainted argument
● Taint information
● ...
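A toy model of the per-character taint tracking sketched on slides 8 and 9, added here as an example; it is not the paper's Chromium instrumentation. The `TaintedString` class, `sinkWrite`, the `page.js:1` code location and the `MARKER` input are all constructed for the example.

```javascript
// Added example, not the paper's Chromium code: per-character taint tracking.
// Each value carries a bitmap with one entry per character, set where the
// character came from an untrusted source.

class TaintedString {
  constructor(value, taint) {
    this.value = value;   // plain string
    this.taint = taint;   // boolean[] with one entry per character
  }
  // Untrusted source such as document.location: every character is tainted.
  static fromSource(value) {
    return new TaintedString(value, Array(value.length).fill(true));
  }
  // Literal from the script itself: no character is tainted.
  static literal(value) {
    return new TaintedString(value, Array(value.length).fill(false));
  }
  // String concatenation propagates taint character by character.
  concat(other) {
    return new TaintedString(this.value + other.value, this.taint.concat(other.taint));
  }
  // The bitmap as the slides draw it: T = tainted, 0 = not tainted.
  taintMap() {
    return this.taint.map(t => (t ? 'T' : '0')).join('');
  }
}

// Sink wrapper standing in for document.write: when any character of the
// argument is tainted, record what the instrumented browser logs (slide 9).
function sinkWrite(arg, codeLocation) {
  if (!arg.taint.some(Boolean)) return null;   // fully trusted: nothing to log
  return {
    location: codeLocation,
    value: arg.value,
    taintMap: arg.taintMap(),
    taintedChars: arg.taint.filter(Boolean).length,
  };
}

// The slide's flow, '<a href="' + document.location + '">Link</a>' into
// document.write, with the source value supplied by the caller.
function traceSlideFlow(sourceValue) {
  const markup = TaintedString.literal('<a href="')
    .concat(TaintedString.fromSource(sourceValue))
    .concat(TaintedString.literal('">Link</a>'));
  return sinkWrite(markup, 'page.js:1');   // hypothetical code location
}

// Constructed input: the slide's URL shape with a neutral marker in the fragment.
const SLIDE_LOG = traceSlideFlow('url.com/page#MARKER');
```

The returned `taintMap` for the slide's flow is nine zeros, one T per character of the source value, then ten zeros, matching the rows drawn on slides 8 and 9.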
Slide 10

Vulnerability confirmation: at-end injection

```js
document.write('<a href="' + document.location + '">Link</a>');
```

Original URL: url.com/path?param=test&a=b
Sink call: document.write('<a href="url.com/path?param=test&a=b">Link</a>');

Our confirmation URL: url.com/path?param=test&a=b#INJECT
Sink call: document.write('<a href="url.com/path?param=test&a=b#INJECT">Link</a>');
Slide 11

Vulnerability confirmation: in-parameter injection

```js
var data = getQueryParameter('link');
document.write('<a href="../' + data + '">Link</a>');
```

Original URL: url.com/path?link=test&a=b
Sink call: document.write('<a href="../test">Link</a>')

Our confirmation URL: url.com/path?a=b#&link=INJECT&a=b
Sink call: document.write('<a href="../INJECT">Link</a>')
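The two confirmation methods of slides 10 and 11 as an added, runnable example (not the paper's crawler code). The body of `getQueryParameter` is not on the slides; `naiveGetQueryParameter` is an assumed reader that scans the full URL, fragment included, which is the pattern the in-parameter method is designed to reach, and `strictGetQueryParameter` is the hardened form that only consults the query string.

```javascript
// Added example, not the paper's code: building the confirmation URLs from the
// slides and checking whether the neutral marker survives into the sink.
const MARKER = 'INJECT';  // neutral marker, as on the slides

// At-end method: append the marker as a fragment. A flow that copies the whole
// document.location into the sink carries it verbatim.
function atEndUrl(original) {
  return original + '#' + MARKER;
}

// In-parameter method: drop the target parameter from the query and re-add it
// behind '#', repeating the rest of the query after it. The server receives
// the same request (nothing after '#' is sent), while a client-side reader
// that scans the full URL sees the marker. Yields url.com/path?a=b#&link=INJECT&a=b
function inParameterUrl(original, param) {
  const [base, query = ''] = original.split('?');
  const rest = query.split('&').filter(p => p && p.split('=')[0] !== param).join('&');
  return base + (rest ? '?' + rest : '') + '#&' + param + '=' + MARKER + (rest ? '&' + rest : '');
}

// Assumed body for the slide's getQueryParameter: a regex over the full href,
// fragment included.
function naiveGetQueryParameter(href, name) {
  const m = new RegExp('[?&#]' + name + '=([^&#]*)').exec(href);
  return m ? m[1] : null;
}

// Hardened reader: consults only the query string, never the fragment.
function strictGetQueryParameter(href, name) {
  const query = href.split('#')[0].split('?')[1] || '';
  return new URLSearchParams(query).get(name);
}

// The slide's sink argument, as a pure function of what the reader returns.
function renderLink(href, reader) {
  return '<a href="../' + reader(href, 'link') + '">Link</a>';
}

// Confirmation: the flow is confirmed if the marker survives into the sink.
function flowConfirmed(sinkArgument) {
  return sinkArgument.includes(MARKER);
}
```

With the naive reader the in-parameter URL is confirmed; with the strict reader the same URL yields no value for `link`, so the flow is not confirmed.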
Slide 12

Results
Slide 13

Our contributions
1. Improved methodology for detecting DOM XSS
2. Studied prevalence of DOM XSS in real world
3. Examined whether static analysis tools help
Slide 14

DOM XSS vulnerabilities on the Internet

● 10k seed domains
● 45k web pages (crawled subpages 1 link deep)
● 285k flows from URL sources to JS/HTML sinks (focus on a common category of exploitable flows)
● 55k flows after removing those blocked by encoding (encodeURI, encodeURIComponent, ...)
● 5,217 unique potentially vulnerable flows (uniqueness: domain, script URL, and script location)
Slide 15

How we confirm potentially vulnerable flows

Starting from 5,217 unique potentially vulnerable flows:

| Confirmed by | Unique confirmed vulnerable flows |
| --- | --- |
| At-end method only | 715 |
| Both methods | 1,039 |
| In-parameter method only | 1,465 |
| Total | 3,219 |

83% more confirmed vulnerabilities using the new in-parameter method (3,219 confirmed with both methods versus 1,754 with the at-end method alone)
Slide 16

How are vulnerabilities distributed across domains?

[Chart: number of bugs per domain, domains sorted by number of bugs]

● Some very buggy domains
● Long tail of many domains with one bug
Slide 17

How are vulnerabilities distributed by category?

[Bar chart: number of vulnerabilities (0 to 2000) by category of website]

Top 3 categories:
1. Web ads/analytics
2. News/media
3. Entertainment
Slide 18

What is causing the vulnerabilities?

● Simple concatenation without effort to sanitize data
```js
document.write('<a href="' + document.location + '">Link</a>');
```

● Custom HTML templating code
```js
'<a href="%s">Link</a>'
```

● Ad-hoc sanitization
```js
if (markup.indexOf("<script>") != -1) ...
```
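An added example, not code from the paper, that puts the three causes from slide 18 next to the encoding that made slides 6-7 treat a flow as blocked, and adds a check for whether a rendered link still lets the source close the href attribute. `encodeForHtmlAttribute`, the `link*` helpers, `breaksOutOfAttribute` and the `SAMPLE_HREF` input are all constructed for the example.

```javascript
// Added example, not the paper's code: causes from slide 18 beside the
// context-specific encoding that keeps the source inside the href value.

// Encoder for an HTML attribute value: neutralises the characters that can
// close a double- or single-quoted attribute or start a tag.
function encodeForHtmlAttribute(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Cause 1: simple concatenation; the source reaches the sink untouched.
function linkConcat(locationHref) {
  return '<a href="' + locationHref + '">Link</a>';
}

// Cause 2: custom templating; the same flow, hidden behind a '%s' placeholder.
function linkTemplate(locationHref) {
  return '<a href="%s">Link</a>'.replace('%s', () => locationHref);
}

// Cause 3: ad-hoc sanitization; rejects one literal token and nothing else.
function linkAdHoc(locationHref) {
  const markup = '<a href="' + locationHref + '">Link</a>';
  return markup.indexOf('<script>') !== -1 ? '' : markup;
}

// Slides 6-7: encodeURI percent-encodes '"', '<' and '>' (but not "'"), so it
// keeps the value inside a double-quoted href; the study discarded such flows.
function linkEncodeURI(locationHref) {
  return '<a href="' + encodeURI(locationHref) + '">Link</a>';
}

// The general fix: encode for the exact output context.
function linkEncoded(locationHref) {
  return '<a href="' + encodeForHtmlAttribute(locationHref) + '">Link</a>';
}

// Detection check: the template contributes exactly two double quotes; any
// extra one came from the input and closes the attribute early.
function breaksOutOfAttribute(render, locationHref) {
  const quotes = (render(locationHref).match(/"/g) || []).length;
  return quotes > 2;
}

// Constructed input in the shape of slide 2's URL, with a harmless marker tag.
const SAMPLE_HREF = 'url.com/page#"><i>MARKER</i>';
```

For `SAMPLE_HREF`, the first three renderers let the source close the attribute while the encodeURI and attribute-encoded renderers do not; the caveat is that encodeURI only covers the double-quoted context shown on the slides.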
Slide 19

Have things changed over time?

● Using the same methodology as the past experiment (prior work 5 years ago [1])
● More flows per page: 92.6 vs. 48.5
● Larger ratio of vulnerabilities per page: 0.039 vs. 0.012
● Larger fraction of flows vulnerable: 0.04% vs. 0.03%

Trend towards more DOM XSS vulnerabilities

[1] Lekies et al. 25 million flows later: large-scale detection of DOM XSS. CCS '13.
Slide 20

Our contributions
1. Improved methodology for detecting DOM XSS
2. Studied prevalence of DOM XSS in real world
3. Examined whether static analysis tools help
Slide 21

Can static analysis tools help?

What we did:
● Sampled confirmed vulnerabilities
● Checked if they are found by some off-the-shelf tools

Findings:
● No tool found more than 10% of the vulnerabilities we tested
● Burp Suite found 10% and had 0% false positives, and found other bugs
● Other tools had a high false-positive rate (95%)
Slide 22

● Improved measurement methodology for DOM XSS vulnerabilities
● Gained insight into causes and distribution of vulnerabilities
● Found that DOM XSS vulnerabilities may be increasing
● Showed that static analysis tools likely do not find many vulnerabilities

github.com/wrmelicher/ChromiumTaintTracking

Riding out DOMsday: Toward Detecting and Preventing DOM Cross-Site Scripting
William Melicher, Anupam Das, Mahmood Sharif, Lujo Bauer, Limin Jia
{billy, anupamd, msharif, lbauer, liminjia}@cmu.edu