FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications
Prateek Saxena*, Steve Hanna*, Pongsin Poosankam‡*, Dawn Song*
‡ Carnegie Mellon University
* UC Berkeley
Client-side Validation (CSV) Vulnerabilities
• A new class of input validation vulnerabilities
• Analogous to server-side bugs
  – Unsafe data usage in the client-side JS code
  – Involves data flows that are either
    – Purely client-side: the data is never sent to the server
    – Reflected: returned from the server, then used in client-side code
Rich Web Applications
• Lots of JS code
• Rich cross-domain interaction
[Figure: several applications (APP 1 to APP 4) interacting across domains]
Outline
• CSV Vulnerability Examples
• FLAX: Tool and Techniques
  – Challenges & Key Idea
  – Tool Architecture
  – Design
• Real Attacks and Evaluation Results
• Related Work & Conclusion
Vulnerability Example (I): Origin Misattribution
• Cross-domain communication
  – Example: HTML5 postMessage
[Figure: sender facebook.com delivers a postMessage to receiver cnn.com]
  Legitimate message – Origin: www.facebook.com, Data: "Chatuser: Joe, Msg: Hi"
  Attacker's message – Origin: www.evil.com, Data: "Chatuser: Joe, Msg: onlinepharmacy.com"
  A receiver that never checks the origin of the event treats both messages as if they came from facebook.com.
Vulnerability Example (II): Code Injection
• Code/data mixing
• Dynamic code evaluation
  – eval
  – DOM methods
• eval is also used to deserialize objects
  – JSON
[Figure: the receiver at facebook.com runs eval(.. + event.data); the attacker's message carries Data: "alert('0wned');", which is executed in the receiver's origin]
Vulnerability Example (III): Application Command Injection
• Application-specific commands
• Example: chat application
[Figure: the application JavaScript builds a request URL for the application server and sends it with XMLHttpReq.open(url)]
  Intended request when the user clicks "Join this room":
    http://chat.com?cmd=joinroom&room=nba
  The room name is taken from a link of the form http://chat.com/roomname=nba
  With the attacker-supplied room name "..=nba&cmd=addbuddy&user=evil" the client sends:
    http://chat.com?cmd=joinroom&room=nba&cmd=addbuddy&user=evil
  The second cmd is the injected command.
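An added example of the command URL construction above, not code from the slides or from the chat application the authors tested. Host and parameter names follow the slide; the server's view of the request is simulated with the WHATWG URL API so that the block runs offline.

```javascript
// Added example (not FLAX code): the chat client's command URL built from an
// attacker-influenced room name. Hosts and parameter names are those on the slide.

// Vulnerable client: the room name is concatenated into the command string, so a
// room name containing "&cmd=" appends a second command to the same request.
function buildJoinUrlVulnerable(room) {
  return "http://chat.com?cmd=joinroom&room=" + room;
}

// Hardened client: the room name is set as a single parameter value. URLSearchParams
// percent-encodes "&" and "=" so the value cannot introduce new parameters.
function buildJoinUrlSafe(room) {
  const u = new URL("http://chat.com");
  u.searchParams.set("cmd", "joinroom");
  u.searchParams.set("room", room);
  return u.toString();
}

// The application server's view of the request: every cmd= value it would process,
// and the room value it would see.
function commandsSeenByServer(url) {
  return new URL(url).searchParams.getAll("cmd");
}
function roomSeenByServer(url) {
  return new URL(url).searchParams.get("room");
}

// Constructed attacker input: the room name planted in the link the victim clicks.
const injectedRoom = "nba&cmd=addbuddy&user=evil";
```

Encoding alone neutralizes the injection; an allow-list on the room name (for example `/^[A-Za-z0-9_-]{1,32}$/`) would additionally reject the input outright, which is the better choice when the format is known.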
Vulnerability Example (IV): Cookie Sink Vulnerabilities
• Cookies
  – Store session ids, user's history and preferences
  – Have their own control format, using attributes
• Can be read/written in JavaScript
• Attacks
  – Session fixation
  – History and preference data manipulation
  – Cookie attribute manipulation, changes
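An added example for the cookie sink, not code from the slides. Node has no document.cookie, so a small parser for the "name=value; attr=v; attr" format stands in for the browser's cookie setter; the cookie names, the "pref" use case and the attacker strings are constructed here.

```javascript
// Added example (not from the FLAX slides): untrusted data reaching the cookie sink.
// A parser for the cookie-string format stands in for the browser's setter.

// Split a cookie string the way the setter reads it: the first pair is name=value,
// the rest are attributes. A repeated attribute keeps its last occurrence, as in RFC 6265.
function parseCookieString(s) {
  const [pair, ...attrs] = s.split(";").map((p) => p.trim());
  const eq = pair.indexOf("=");
  const attributes = {};
  for (const a of attrs) {
    if (a === "") continue;
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i < 0 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Vulnerable sink: document.cookie = "pref=" + untrusted. A ";" in the value ends the
// value, and everything after it is read as cookie attributes (attribute manipulation).
function prefCookieVulnerable(untrusted) {
  return "pref=" + untrusted;
}

// Hardened: reject control characters, then percent-encode so ";", "=", "," and
// whitespace cannot reach the attribute section. Readers decode with decodeURIComponent.
function prefCookieSafe(untrusted) {
  if (/[\x00-\x1f\x7f]/.test(untrusted)) throw new Error("control character in cookie value");
  return "pref=" + encodeURIComponent(untrusted);
}

// Session fixation through the same sink: the client copies a session id from an
// attacker-controlled source (here the URL fragment) into the cookie jar.
function sessionCookieFromFragment(fragment) {
  return "sid=" + fragment;   // vulnerable pattern: the attacker chooses the session id
}

// Constructed attacker inputs. The browser only honours a domain attribute within the
// setting site's own domain, so the attacker widens scope to all of chat.com here.
const attrInjection = "dark; path=/; domain=chat.com; expires=Fri, 31 Dec 2099 23:59:59 GMT";
const fixedSessionId = "attacker-chosen-session-id";
```

Encoding the value closes the attribute-injection channel; session fixation is not fixed by encoding at all, since the problem is where the session id comes from, and the fix is to have the server issue it.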
Summary of Goals
• Systematic discovery techniques
  – FLAX: an automatic tool for discovery
  – A new hybrid technique for JavaScript analysis
• Evaluate prevalence in real code
  – An empirical evaluation of real-world applications
  – Find several unknown CSV vulnerabilities
Problem Definition
• Definition
  – Unsafe usage of untrusted data in a critical sink
• Systematic discovery of CSV vulnerabilities
• Two sub-problems
  – Exploring the program space
  – Finding bugs in some explored functionality
• Attacker model
  – Web attacker (evil.com)
  – User-as-an-attacker
Challenges
• JavaScript complexity
  – Highly dynamic language
  – String-heavy
• Parsing ops. indistinguishable from validation checks
  – Custom sanity routines are common
• Hidden server-side logic
  – Assumes no knowledge of the server
  – Handles reflected flows: data flows to the server and back
End-to-end Web Application Analysis
Key Insight
• Taint-enhanced black-box fuzzing (TEBF)
  – A simple idea
  – Combines the benefits of taint-tracking and fuzzing
  – Requires no source code annotations
  – No false positives
• FLAX: an end-to-end system
  – Simplifies JS first
  – Implements TEBF
  – Handles reflected flows using approximate tainting
[Figure: techniques placed on two axes, false positives vs. efficiency of finding bugs: black-box fuzzing, syntax-driven fuzzing, purely dynamic taint-tracking, and TEBF]
FLAX Tool Design
[Figure: the JavaScript program and an initial input are run under taint-tracking; the execution trace identifies the source, the acceptor slice and the sink; the sink-aware fuzzer then answers "exploit?"]
Example acceptor slice (the validation code between source and sink):
  function acceptor(input) {
    // expected shape after the three rewrites: an object with two string members
    var must_match = '{]:],]:]}';
    var re1 = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g;   // JSON escape sequences
    var re2 = /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g;   // string, literal and number tokens
    var re3 = /(?:^|:|,)(?:\s*\[)+/g;   // array openers following ':' ',' or the start
    var rep1 = input.replace(re1, "@");
    var rep2 = rep1.replace(re2, "]");
    var rep3 = rep2.replace(re3, "");
    if (rep3 == must_match) { return true; }
    return false;
  }
The three replace calls are the transformation operations; the comparison with must_match is the path constraint an input has to satisfy to reach the sink.
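The fuzz loop below is an added example of the TEBF idea from the two slides above, not the FLAX implementation. FLAX extracts the acceptor slice from a taint trace; here each slice is given directly as a JavaScript function, and a "program" is the triple of acceptor, how the tainted input is embedded into the sink argument, and sink kind. The attack strings, host names and benign inputs are constructed for the example; the prefix acceptor is the check from the implementation slide (Y = SubStr(X,0,4); Z = (Y == "http")) and the JSON acceptor is the slice shown above.

```javascript
// Added example (not the FLAX implementation): a toy taint-enhanced black-box fuzzer.
// Only the tainted input is mutated, the real acceptor decides which candidates pass,
// and a sink-specific oracle decides whether what reached the sink is an exploit.

// Sink-specific attack strings, one list per sink kind (constructed).
const ATTACKS = {
  url:  ["http://evil.example/", "http://chat.example.evil.example/", "javascript:alert(1)"],
  eval: ["alert(1)", "1;alert(1)", "\"]};alert(1);//"],
};

// Acceptor (a): the prefix check from the FLAX implementation slide.
function acceptorUrlPrefix(input) {
  return input.substr(0, 4) === "http";
}

// Acceptor (b): the JSON acceptor slice from the FLAX design slide (two string members).
function acceptorJson(input) {
  const mustMatch = "{]:],]:]}";
  const re1 = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g;
  const re2 = /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g;
  const re3 = /(?:^|:|,)(?:\s*\[)+/g;
  return input.replace(re1, "@").replace(re2, "]").replace(re3, "") === mustMatch;
}

// Programs under test: what a taint trace of one benign run would reveal.
const programs = [
  { name: "redirect", sinkKind: "url", acceptor: acceptorUrlPrefix,
    embed: (i) => i, benign: "http://chat.example/room?nba" },
  { name: "jsonReply", sinkKind: "eval", acceptor: acceptorJson,
    embed: (i) => "(" + i + ")", benign: '{"user":"Joe","msg":"Hi"}' },
];

// Exploit oracle: did attacker-controlled content reach the sink in a harmful form?
function exploitOracle(sinkKind, sinkArg, attack) {
  if (sinkKind === "url") {
    const u = new URL(sinkArg);
    return u.protocol === "javascript:" || u.host.endsWith("evil.example");
  }
  // eval sink: the injected statement is present verbatim in the evaluated text.
  return sinkArg.includes(attack);
}

// The fuzz loop. Every reported input is concrete, passed the real validation code,
// and reached the sink, which is why the technique produces no false positives.
function tebfFuzz(prog) {
  const exploits = [];
  for (const attack of ATTACKS[prog.sinkKind]) {
    // Sink-aware mutation of the tainted input: replace it, append, or prepend.
    const candidates = [attack, prog.benign + attack, attack + prog.benign];
    for (const c of candidates) {
      if (!prog.acceptor(c)) continue;                 // acceptor rejected it
      if (exploitOracle(prog.sinkKind, prog.embed(c), attack)) exploits.push(c);
    }
  }
  return exploits;
}
```

Running this, the prefix check is broken by `http://evil.example/` and by a host with the trusted name as a prefix, while the JSON acceptor rejects every eval payload: its rewrites only produce the expected `{]:],]:]}` for well-formed input, which is what the fuzzer establishes without having to reason about the three regular expressions.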
FLAX Implementation
[Figure: the JavaScript interpreter with a taint engine emits a JASIL execution trace; the acceptor slice generator extracts the acceptor from that trace]
Example JASIL trace fragment:
  X = INPUT[4]
  Y = SubStr(X, 0, 4)
  Z = (Y == "http")
  PC = IF (Z) THEN (T) ELSE (NEXT)
Simplifying JavaScript
• JASIL: our intermediate language
  – A simple type system
  – Small set of operations
• Enables string-centric, fine-grained taint tracking on JS
Simplifying JavaScript (II)
• Benefits of JASIL simplification to taint-tracking
• Example: taint semantics for replace are difficult!
    rep1 = INPUT.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@");
[Figure: emitted JASIL instructions for the replace: subString on INPUT for each unmatched run, convert for each inserted "@", and concat to assemble OUTPUT]
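As an added example (not JASIL or the FLAX taint engine), the block below tracks taint at character granularity through replace by decomposing it into the three operations named on the slide: subString for the runs between matches, convert for the replacement text, and concat to reassemble the result. One assumption is made explicit: replacement characters are program constants and are emitted untainted, while every copied input character keeps its taint; the slide does not state which policy FLAX uses for them.

```javascript
// Added example (not FLAX/JASIL code): character-level taint through String.replace,
// decomposed into subString / convert / concat. A tainted string is a value plus one
// boolean per character.
function taint(str, tainted = true) {
  return { value: str, taint: Array.from(str, () => tainted) };
}
function subString(ts, start, end) {
  return { value: ts.value.slice(start, end), taint: ts.taint.slice(start, end) };
}
function concat(a, b) {
  return { value: a.value + b.value, taint: a.taint.concat(b.taint) };
}
// Assumption: replacement text is a program constant, so it is untainted.
function convert(replacement) {
  return taint(replacement, false);
}

// replace(ts, re, replacement) for a global regex: copy the gap before each match
// with subString, emit the converted replacement, continue after the match.
function replaceTainted(ts, re, replacement) {
  if (!re.global) throw new Error("expects a /g regular expression");
  let out = taint("", false);
  let pos = 0;
  let m;
  re.lastIndex = 0;
  while ((m = re.exec(ts.value)) !== null) {
    out = concat(out, subString(ts, pos, m.index));
    out = concat(out, convert(replacement));
    pos = m.index + m[0].length;
    if (m[0].length === 0) re.lastIndex++;   // guard against an empty match looping
  }
  return concat(out, subString(ts, pos, ts.value.length));
}

// The characters of a result that still derive from the input.
function taintedChars(ts) {
  return ts.value.split("").filter((_, i) => ts.taint[i]).join("");
}

// The three rewrites of the acceptor slice, applied to a fully tainted input.
// Constructed input: a JSON object with one member whose value holds the escape \n.
function acceptorRewrites(inputText) {
  const re1 = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g;
  const re2 = /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g;
  const re3 = /(?:^|:|,)(?:\s*\[)+/g;
  const rep1 = replaceTainted(taint(inputText), re1, "@");
  const rep2 = replaceTainted(rep1, re2, "]");
  const rep3 = replaceTainted(rep2, re3, "");
  return { rep1, rep2, rep3 };
}
```

After the first rewrite only the inserted "@" is untainted; after the second, only the structural characters `{`, `:` and `}` of the final `{]:]}` still carry taint, which is exactly the set of input positions the fuzzer needs to mutate to change the outcome of the comparison with must_match.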
Evaluation
• 40 subjects
  – iGoogle gadgets
  – AJAX applications and web sites
• Setup
  – Untrusted sources
    » All cross-domain channels
    » Text boxes
  – Critical sinks
    » Code evaluation constructs
    » XHR URL data
    » Cookies
Results (I)
• Summary
  – Taint observed in 18 / 40 subjects
  – FLAX found 11 previously unknown vulnerabilities
• Examples
  – Origin misattribution leading to XSS in Facebook Connect
  – Gadget overwriting attacks on Google/IG
  – Application command injection on AjaxIM
  – Code injection and cookie attribute manipulation via cookie sinks

  Vulnerability type             | Number of vulnerabilities
  Code injection                 | 8
  Origin misattribution          | 1
  Application command injection  | 1
  Cookie sink                    | 1
  Total found by FLAX            | 11
Example Attacks: Gadget Overwriting
[Screenshot: an iGoogle page reached through an attack link; the URL bar is legitimate, but a compromised gadget shows overwritten contents]
Effectiveness
• Character-level precise taint-tracking helps fuzzing
• Reduction in input sizes
Effectiveness (II)
• Reduction in false positives, TEBF vs. pure taint-tracking
Conclusion
• A new class of vulnerabilities: CSV
• Example attacks
• A systematic discovery tool: FLAX
  – No annotations, no false positives
  – Employs a simple TEBF technique
  – Robust analysis using JASIL
• CSV vulnerabilities are actually prevalent today
  – Found 11 previously unknown vulns
  – Demonstrated proof-of-concept exploits
Contact
• Prateek Saxena ([email protected])
• Please visit our project web site: http://webblaze.cs.berkeley.edu
Thanks for listening