PMForce: Systematically Analyzing postMessage Handlers at Scale

The Web has become a platform on which sites rely on intricate interactions that span origin boundaries. While the Same-Origin Policy prevents direct data exchange with documents from other origins, the postMessage API offers one relaxation that allows developers to exchange data across these boundaries. Prior manual analysis could show the presence of issues within postMessage handlers, but a steep increase in postMessage usage makes any manual approach intractable. To deal with this increased workload, we set out to automatically find issues in postMessage handlers that allow an attacker to execute code in the vulnerable sites, alter client-side state, or leak sensitive information. To achieve this goal, we present an automated analysis framework running inside the browser, which uses selective forced execution paired with lightweight dynamic taint tracking to find traces in the analyzed handlers that end in sinks allowing for code execution or state alteration. We extract path constraints from the program traces and augment them with Exploit Templates, i.e., additional constraints ensuring that any valid assignment satisfying all of them produces code-invoking or state-manipulating behavior. Based on these constraints, we use Z3 to generate postMessages aimed at triggering the insecure functionality to prove exploitability, and validate our findings at scale. We use this framework to conduct the most comprehensive study to date of security issues in postMessage handlers across the top 100,000 most influential sites, which allows us to find potentially exploitable data flows in 252 unique handlers, 111 of which were automatically exploitable.
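As an added illustration (not code from the paper or the PMForce framework), the following shows a postMessage handler of the kind the analysis targets, where data from the message reaches a sink without an origin check, beside a hardened variant; the `sink` parameter, the origin allowlist and the message fields are assumptions chosen so the code runs outside a browser.

```javascript
// Added example (not code from the paper or PMForce): a postMessage handler of
// the kind the analysis targets, beside a hardened variant. The `sink`
// parameter stands in for a browser sink such as element.innerHTML or eval,
// so the functions run outside a browser; origins and fields are constructed.

// Insecure: never inspects event.origin and forwards attacker-controlled
// data straight into an HTML-writing sink.
function insecureHandler(event, sink) {
  const msg = JSON.parse(event.data);
  if (msg.action === "render") {
    sink(msg.html); // taint from event.data reaches the sink unchecked
    return true;
  }
  return false;
}

// Exact-match allowlist: compare the full origin string. Substring or
// endsWith checks on event.origin are bypassable and should not be used.
const ALLOWED_ORIGINS = new Set(["https://partner.example"]); // constructed

// Hardened: reject unknown origins before touching data, parse defensively,
// validate the message shape, and hand the sink only a bounded plain string
// (in a browser this would be element.textContent, not innerHTML).
function hardenedHandler(event, sink) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return false;
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return false;
  }
  if (typeof msg !== "object" || msg === null) return false;
  if (msg.action !== "render" || typeof msg.text !== "string") return false;
  if (msg.text.length > 200) return false;
  sink(msg.text);
  return true;
}

// Test double for the sink: records what reaches it.
function recordingSink() {
  const calls = [];
  const sink = (value) => { calls.push(value); };
  sink.calls = calls;
  return sink;
}
```

When replying to a sender, pass `event.origin` as the target origin rather than `"*"`, so the response cannot be read by a frame other than the one that was validated.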
