Auto-patching DOM-based XSS at scale

DOM-based cross-site scripting (XSS) is a client-side code injection vulnerability that results from unsafe dynamic code generation in JavaScript applications, and has few known practical defenses. We study dynamic code evaluation practices on nearly a quarter million URLs crawled starting from the Alexa Top 1000 websites. Of 777,082 cases of dynamic HTML/JS code generation we observe, 13.3% use unsafe string interpolation for dynamic code generation, a well-known dangerous coding practice. To remedy this, we propose a technique to generate secure patches that replace unsafe string interpolation with safer code that utilizes programmatic DOM construction techniques. Our system transparently auto-patches the vulnerable site while incurring only 5.2–8.07% overhead. The patching mechanism requires no access to server-side code or modification to browsers, and thus is practical as a turnkey defense.
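The following is an added example, not code from the paper or its system, illustrating the two coding patterns the abstract contrasts: markup built by string interpolation (the unsafe pattern destined for `innerHTML`) beside the programmatic DOM construction a patch would substitute. It assumes a minimal constructed stand-in for `document` (`fakeDocument`) so that it runs under Node without a browser; in a page the real `document` would be passed instead. The `https?:` restriction on `href` is an assumption added here because DOM construction alone does not neutralize URL-context sinks.

```javascript
// Minimal constructed stand-in for the browser DOM (assumption: only the
// handful of APIs the safe builder needs are modelled).
class TextNode {
  constructor(text) { this.nodeType = 3; this.textContent = String(text); }
}

class Element {
  constructor(tagName) {
    this.nodeType = 1;
    this.tagName = tagName.toLowerCase();
    this.attributes = new Map();
    this.children = [];
  }
  setAttribute(name, value) { this.attributes.set(name, String(value)); }
  appendChild(node) { this.children.push(node); return node; }
}

const fakeDocument = {
  createElement: (tag) => new Element(tag),
  createTextNode: (text) => new TextNode(text),
};

// Escaping is needed only to serialize the tree for display: the safe
// builder never parses markup out of data, so data can never add elements.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

function serialize(node) {
  if (node.nodeType === 3) return escapeHtml(node.textContent);
  const attrs = [...node.attributes]
    .map(([k, v]) => ` ${k}="${escapeHtml(v)}"`).join('');
  return `<${node.tagName}${attrs}>${node.children.map(serialize).join('')}</${node.tagName}>`;
}

// BEFORE (the unsafe 13.3% pattern): data is interpolated into markup that
// would be handed to innerHTML, so a label containing '<' changes the tree.
function renderLinkUnsafe(url, label) {
  return '<a href="' + url + '">' + label + '</a>';
}

// AFTER (the patch target): data reaches the document only as a text node or
// an attribute value set through DOM APIs, so it cannot introduce elements.
function renderLinkSafe(doc, url, label) {
  const a = doc.createElement('a');
  // href is a URL sink; restricting the scheme is an added assumption here,
  // since createElement/setAttribute alone would still accept javascript: URLs.
  a.setAttribute('href', /^https?:\/\//i.test(url) ? url : 'about:blank');
  a.appendChild(doc.createTextNode(label));
  return a;
}

// Constructed sample input: a label the page reads from an untrusted source
// such as location.hash. The payload is a harmless marker, not a real exploit.
const hostileLabel = '<img src=x onerror="alert(1)">';

function demo() {
  const unsafe = renderLinkUnsafe('https://example.com/', hostileLabel);
  const safe = renderLinkSafe(fakeDocument, 'https://example.com/', hostileLabel);
  return {
    unsafe,                          // contains a live <img ...> tag
    safeHtml: serialize(safe),       // the same text, inert: &lt;img ...&gt;
    safeChildren: safe.children.length, // exactly one text node under <a>
  };
}

console.log(demo());
```

The point the comparison makes is structural rather than about escaping: in the patched form the number and kind of nodes is fixed by the code, and the attacker-controlled string can only ever become the content of one text node, which is why the abstract frames programmatic construction as a replacement for interpolation rather than as a sanitizer bolted onto it.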
