
Page 1

FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications

Pongsin Poosankam‡*, Prateek Saxena*, Steve Hanna*, Dawn Song*

‡ Carnegie Mellon University
* UC Berkeley

Page 2

Client-side Validation (CSV) Vulnerabilities

• A new class of input validation vulnerabilities
• Analogous to server-side bugs
  – Unsafe data usage in the client-side JS code
  – Involves data flows
    – Purely client-side, data never sent to server
    – Returned from server, then used in client-side code

Page 3

Rich Web Applications

• Lots of JS code
• Rich cross-domain interaction

[Figure: APP 1, APP 2, APP 3 and APP 4 interacting across domains]

Page 4

Outline

• CSV Vulnerability Examples
• FLAX: Tool and Techniques
  – Challenges & Key Idea
  – Tool Architecture
  – Design
• Real Attacks and Evaluation Results
• Related Work & Conclusion

Page 5

Vulnerability Example (I): Origin Misattribution

• Cross-domain Communication
  – Example: HTML 5 postMessage

[Figure: a postMessage exchange between a sender and a receiver (facebook.com and cnn.com). Two messages arrive at the receiver:
  Origin: www.facebook.com, Data: "Chatuser: Joe, Msg: Hi"
  Origin: www.evil.com, Data: "Chatuser: Joe, Msg: onlinepharmacy.com"]

Page 6

Vulnerability Example (II): Code Injection

• Code/data mixing
• Dynamic code evaluation
  – eval
  – DOM methods
• Eval also deserializes objects
  – JSON

[Figure: the receiver on facebook.com runs eval(.. + event.data) on incoming message data; one message carries Data: "alert('0wned');"]
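As an added example (not code from the FLAX slides or the paper), a hardened postMessage receiver for the chat scenario of the two previous slides: an exact origin allowlist addresses misattribution, and JSON.parse in place of eval keeps message data from being evaluated as code. The trusted sender origin and the {user, msg} message format are assumptions.

```javascript
// Added example (not from the FLAX slides): a hardened postMessage receiver
// for the chat scenario. Assumptions: the only trusted sender is
// https://www.facebook.com and a chat message is a JSON object {user, msg}.
const ALLOWED_ORIGINS = new Set(["https://www.facebook.com"]);

// Returns the parsed chat message, or null when the message must be dropped.
// The slide's vulnerable pattern is eval(.. + event.data) with no origin check.
function safeReceive(event) {
  // 1. Origin misattribution: compare the full origin against an exact allowlist
  //    (a prefix or indexOf check would let www.facebook.com.evil.com through).
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;
  // 2. Code injection: deserialize with JSON.parse, never eval.
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return null; // not JSON, e.g. "alert('0wned');" stops here
  }
  // 3. Shape check: only the fields the application expects, as strings.
  if (msg === null || typeof msg !== "object" ||
      typeof msg.user !== "string" || typeof msg.msg !== "string") {
    return null;
  }
  return { user: msg.user, msg: msg.msg };
}

// Constructed stand-ins for MessageEvent objects (origin + data only).
const fromFacebook = { origin: "https://www.facebook.com",
                       data: JSON.stringify({ user: "Joe", msg: "Hi" }) };
const fromEvil = { origin: "https://www.evil.com",
                   data: JSON.stringify({ user: "Joe", msg: "onlinepharmacy.com" }) };
const codeAsData = { origin: "https://www.facebook.com",
                     data: "alert('0wned');" };
```

In a browser the same function is attached with window.addEventListener("message", e => { const m = safeReceive(e); if (m) render(m); }).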

Page 7

Vulnerability Example (III): Application Command Injection

• Application-specific commands
• Example: Chat application

[Figure: the application JavaScript builds an XHR request to the application server from a user-supplied room name.
  "Join this room" request: http://chat.com?cmd=joinroom&room=nba, issued via XMLHttpReq.open(url)
  Room name link: http://chat.com/roomname=nba
  Injected room name: "..=nba&cmd=addbuddy&user=evil"
  Resulting request with injected command: http://chat.com?cmd=joinroom&room=nba&cmd=addbuddy&user=evil]
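An added example (not the AjaxIM code or anything from the FLAX paper) of the XHR-URL sink on this slide: the room name is concatenated raw in the vulnerable form and percent-encoded in the hardened form, and a small helper shows what the server side sees in each case. The base URL and the constructed room name are assumptions.

```javascript
// Added example: building the "join room" XHR URL from the slide. The room
// name is untrusted (it may arrive over a cross-domain channel or a text box)
// and the server splits the query string on '&' and '='.
const CHAT_BASE = "http://chat.com/"; // constructed stand-in for the app's endpoint

// Vulnerable pattern from the slide: raw concatenation, so "&cmd=..." inside
// the room name becomes a second command.
function joinRoomUrlUnsafe(room) {
  return CHAT_BASE + "?cmd=joinroom&room=" + room;
}

// Hardened: URLSearchParams percent-encodes '&', '=' and '#', so the whole
// room name stays the value of a single parameter.
function joinRoomUrlSafe(room) {
  const params = new URLSearchParams();
  params.set("cmd", "joinroom");
  params.set("room", room);
  return CHAT_BASE + "?" + params.toString();
}

// What the server (or a log review) sees: every cmd= parameter, in order.
// More than one cmd in a single request is the detection signal here.
function commandsIn(url) {
  return new URL(url).searchParams.getAll("cmd");
}

// Constructed room name mirroring the slide's injected value.
const INJECTED_ROOM = "nba&cmd=addbuddy&user=evil";
```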

Page 8

Vulnerability Example (IV): Cookie Sink Vulnerabilities

• Cookies
  – Store session ids, user's history and preferences
  – Have their own control format, using attributes
• Can be read/written in JavaScript
• Attacks
  – Session fixation
  – History and preference data manipulation
  – Cookie attribute manipulation, changes
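An added example (not from the slides) of the cookie-attribute manipulation this slide lists: a preference value written into document.cookie by concatenation lets a ';' in the data append attributes, while encoding the value keeps it inside the cookie's value field. The cookie name, the attribute set and the smuggled value are constructed for the example; the functions return the string that would be assigned to document.cookie so it can be inspected outside a browser.

```javascript
// Added example: a cookie sink in the style of the slide. In the browser the
// returned string would be assigned to document.cookie; here it is returned
// so the effect of untrusted data on the cookie's attributes can be checked.

// Vulnerable pattern: raw concatenation. A ';' in `value` ends the value and
// everything after it is parsed as cookie attributes.
function prefCookieUnsafe(value) {
  return "pref=" + value + "; path=/";
}

// Hardened: percent-encode the value (';', '=' and ',' become %3B, %3D, %2C)
// and state the attributes the application intends explicitly.
function prefCookieSafe(value) {
  return "pref=" + encodeURIComponent(value) + "; path=/; secure; samesite=lax";
}

// Parse a cookie string the way a browser does: the first '=' splits name and
// value, ';' separates attributes, attribute names are case-insensitive.
function parseCookieString(s) {
  const parts = s.split(";").map(p => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const k = (i < 0 ? p : p.slice(0, i)).toLowerCase();
    attrs[k] = i < 0 ? true : p.slice(i + 1);
  }
  return { name: parts[0].slice(0, eq), value: parts[0].slice(eq + 1), attrs };
}

// Constructed untrusted preference value that tries to smuggle a domain attribute.
const SMUGGLED = "dark; domain=example.com";
```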

Page 9

Summary of Goals

• Systematic discovery techniques
  – FLAX: An automatic tool for discovery
  – A new hybrid technique for JavaScript analysis
• Evaluate prevalence in real code
  – An empirical evaluation of real-world applications
  – Find several unknown CSV vulnerabilities

Page 10

Outline

• CSV Vulnerabilities
• FLAX: Tool and Techniques
  – Challenges & Key Idea
  – Tool Architecture
  – Design
• Real Attacks and Evaluation Results
• Related Work & Conclusion

Page 11

Problem Definition

• Definition
  – Unsafe usage of untrusted data in a critical sink
• Systematic discovery of CSV vulnerabilities
• Two sub-problems
  – Exploring program space
  – Finding bugs in some explored functionality
• Attacker Model
  – Web attacker (evil.com)
  – User-as-an-attacker

Page 12

Challenges

• JavaScript complexity
  – Highly dynamic language
  – String-heavy
• Parsing ops. indistinguishable from validation checks
  – Custom sanity routines are common
• Hidden server-side logic
  – Assumes no knowledge of the server
  – Handles reflected flows: data flows to server and back

End-to-end Web Application Analysis

Page 13

Key Insight

• Taint-enhanced black-box fuzzing (TEBF)
  – A simple idea
  – Combine benefits of taint-tracking & fuzzing
  – Requires no source code annotations
  – No false positives
• FLAX: An End-to-end System
  – Simplifies JS first
  – Implements TEBF
  – Handles reflected flow using approximate tainting

[Figure: techniques plotted by False Positives against Efficiency of finding Bugs: Black-box fuzzing, Purely dynamic Taint-tracking, Syntax-driven fuzzing and TEBF]

Page 14

FLAX Tool Design

[Figure: the JavaScript Program and an Initial Input produce a Taint-tracking Execution Trace from Source to Sink; from the trace an Acceptor Slice is extracted and handed to the SINK-AWARE FUZZER, which answers EXPLOIT?]

Acceptor slice example (the transformation operations on the input and the path constraint that must hold to reach the sink):

    function acceptor(input) {
      // Concrete value the transformed input took on the observed path
      // (an object with two key/value pairs)
      var must_match = '{]:],]:]}';
      // Removes JSON escape sequences
      var re1 = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g;
      // Collapses strings, true/false/null and numbers to one token
      var re2 = /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g;
      // Drops opening brackets that follow the start, ':' or ','
      var re3 = /(?:^|:|,)(?:\s*\[)+/g;

      // Transformation operations
      var rep1 = input.replace(re1, "@");
      var rep2 = rep1.replace(re2, "]");
      var rep3 = rep2.replace(re3, "");

      // Path constraint
      if (rep3 == must_match) { return true; }
      return false;
    }

Page 15

FLAX Implementation

[Figure: the JAVASCRIPT INTERPRETER drives the TAINT ENGINE, which emits a JASIL EXECUTION TRACE consumed by the ACCEPTOR SLICE GENERATOR. Example trace:
    X = INPUT[4]
    Y = SubStr(X, 0, 4)
    Z = (Y == "http")
    PC = IF (Z) THEN (T) ELSE (NEXT)]

Page 16

Simplifying JavaScript

• JASIL: Our intermediate language
  – A simple type system
  – Small set of operations
• Enables string-centric, fine-grained taint tracking on JS

Page 17

Simplifying JavaScript (II)

• Benefits of JASIL simplification to taint-tracking
• Example: Taint semantics for replace are difficult!

    rep1 = INPUT.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@");

[Figure: emitted JASIL instructions for this replace: the regex R is matched against INPUT, matched pieces pass through subString and convert (yielding "@ @ @"), and concat assembles OUTPUT]
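An added illustration (not FLAX's implementation) of the idea on the last two slides: a character-level tainted string in which replace is decomposed into regex match, substring and concat, so the taint of each output character follows from the input characters it was built from. Treating the literal replacement text as an untainted constant is an assumption of this example; the slide's re1 is applied to a constructed input.

```javascript
// Added example: character-level taint tracking with replace decomposed into
// match -> substring -> concat, in the spirit of JASIL (illustrative, not FLAX).
class TaintedString {
  constructor(cells) { this.cells = cells; }           // [{ch, tainted}]
  static untrusted(s) { return new TaintedString([...s].map(ch => ({ ch, tainted: true }))); }
  static literal(s)   { return new TaintedString([...s].map(ch => ({ ch, tainted: false }))); }
  toString()          { return this.cells.map(c => c.ch).join(""); }
  taintMask()         { return this.cells.map(c => (c.tainted ? "T" : ".")).join(""); }
  substring(a, b)     { return new TaintedString(this.cells.slice(a, b)); }
  concat(other)       { return new TaintedString(this.cells.concat(other.cells)); }
  // replace(re, lit): locate each match on the plain text, then rebuild the
  // result from substrings of `this` (taint preserved per character) and the
  // literal replacement, which is assumed untainted (a constant in the program).
  replace(re, lit) {
    const text = this.toString();
    const rep = TaintedString.literal(lit);
    let out = new TaintedString([]);
    let last = 0;
    for (const m of text.matchAll(re)) {
      out = out.concat(this.substring(last, m.index)).concat(rep);
      last = m.index + m[0].length;
    }
    return out.concat(this.substring(last));
  }
}

// The slide's re1 (first transformation of the acceptor on the design slide).
const re1 = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g;

// Apply re1 to an untrusted input and report text plus per-character taint.
function traceRe1(input) {
  const out = TaintedString.untrusted(input).replace(re1, "@");
  return { text: out.toString(), mask: out.taintMask() };
}

// Characters that still carry input taint after the transformation: the only
// positions a sink-aware fuzzer needs to vary (cf. "reduction in input sizes").
function taintedCount(ts) { return ts.cells.filter(c => c.tainted).length; }
```

On the constructed input '{"a\\n":1}' (a JSON object whose key holds one escape sequence) the escape is replaced by an untainted "@" while every other character keeps its taint.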

Page 18

Outline

• CSV Vulnerabilities
• FLAX: Tool and Techniques
  – Challenges & Key Idea
  – Tool Architecture
  – Design
• Attacks and Evaluation Results
• Related Work & Conclusion

Page 19

Evaluation

• 40 Subjects
  – iGoogle gadgets
  – AJAX applications and web sites
• Setup
  – Untrusted sources
    » All cross-domain channels
    » Text boxes
  – Critical sinks
    » Code evaluation constructs
    » XHR url data
    » Cookies

Page 20

Results (I)

• Summary
  – Taint observed in 18 / 40 subjects
  – FLAX found 11 previously unknown vulnerabilities
• Examples
  – Origin Misattribution leading to XSS in Facebook Connect
  – Gadget Overwriting Attacks on Google/IG
  – Application Command Injection on AjaxIM
  – Code injection and cookie attribute manipulation via cookie sinks

Vulnerability Type               Number of vulnerabilities
Code Injection                   8
Origin Misattribution            1
Application Command Injection    1
Cookie Sink                      1
TOTAL FOUND BY FLAX              11

Page 21

Example Attacks: Gadget Overwriting

[Figure: screenshot of a compromised gadget with overwritten contents, displayed under the legitimate URL bar; the link used is shown only as <Attack Link to IGoogle page>]

Page 22

Effectiveness

• Character-level precise taint-tracking helps fuzzing
• Reduction in input sizes

Page 23

Effectiveness (II)

• Reduction in false positives, TEBF vs. pure taint-tracking

Page 24

Conclusion

• A new class of vulnerabilities: CSV
• Example attacks
• A systematic discovery tool: FLAX
  – No annotations, no false positives
  – Employs a simple TEBF technique
  – Robust analysis using JASIL
• CSV vulnerabilities are actually prevalent today
  – Found 11 previously unknown vulns
  – Demonstrated proof-of-concept exploits

Page 25

Contact

• Contact:
  – Prateek Saxena ([email protected])
• Please visit our project web site
  – http://webblaze.cs.berkeley.edu

THANKS FOR LISTENING