An Empirical Analysis of XSS Sanitization in Web Application Frameworks

Filtering or sanitization is the predominant mechanism in today’s applications to defend against cross-site scripting (XSS) attacks. XSS sanitization can be difficult to get right as it ties in closely with the parsing behavior of the browser. This paper explains some of the subtleties of ensuring correct sanitization, as well as common pitfalls. We study several emerging web application frameworks including those presently used for development of commercial web applications. We evaluate how effective these frameworks are in guarding against the common pitfalls of sanitization. We find that while some web frameworks safeguard against the empirically relevant use cases, most do not. In addition, some of the security features in present web frameworks provide a false sense of security.
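The abstract's central point, that sanitization "ties in closely with the parsing behavior of the browser", is easiest to see when the same untrusted value lands in several output contexts. The following is an added example written for this page, not code from the paper or from any framework it studies: it contrasts a one-escaper-fits-all renderer with a context-aware one. The scheme allowlist, the `about:invalid` fallback, the handling of tab and newline characters inside a scheme, and all input strings are assumptions constructed for the example.

```python
"""Context-sensitive output encoding versus a single global HTML escaper.

Example code added for illustration; not part of the original paper.
All sample values are constructed.
"""
import html
import json
from urllib.parse import urlsplit

# Assumption: the application only ever needs these link schemes.
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def escape_html_text(value: str) -> str:
    """Text between tags: &, <, >, " and ' become entities."""
    return html.escape(value, quote=True)


def escape_html_attr(value: str) -> str:
    """Double-quoted attribute value: same entity set is sufficient
    as long as the template always quotes the attribute."""
    return html.escape(value, quote=True)


def sanitize_url(value: str) -> str:
    """href/src context. Entity escaping never changes a URL scheme, so the
    scheme is checked against an allowlist before attribute escaping.
    Browsers strip tab/CR/LF inside a scheme, so those are removed first
    (assumption: mirrors the parsing behavior the check must match)."""
    cleaned = "".join(ch for ch in value.strip() if ch not in "\t\r\n")
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_URL_SCHEMES:
        return "about:invalid"  # assumed neutral fallback value
    return escape_html_attr(cleaned)


def escape_js_string(value: str) -> str:
    """Value inside a JavaScript string literal in <script>. HTML entities
    are not decoded there, so JSON-encode and additionally encode < and >
    so that a literal '</script>' cannot terminate the script block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_naive(untrusted: str) -> str:
    """The pitfall: one HTML escaper applied to every context."""
    e = html.escape(untrusted, quote=True)
    return (f'<a href="{e}" title="{e}">{e}</a>'
            f'<script>var v = "{e}";</script>')


def render_context_aware(untrusted: str) -> str:
    """Each output slot gets the encoder for its own context."""
    return (f'<a href="{sanitize_url(untrusted)}" '
            f'title="{escape_html_attr(untrusted)}">'
            f'{escape_html_text(untrusted)}</a>'
            f'<script>var v = {escape_js_string(untrusted)};</script>')


if __name__ == "__main__":
    # Constructed sample: a scheme that HTML escaping leaves untouched.
    sample = "javascript:untrusted()"
    print("naive:        ", render_naive(sample))
    print("context-aware:", render_context_aware(sample))
```

Running the module shows that the naive renderer emits the untrusted scheme unchanged inside `href` (HTML escaping only touches `&`, `<`, `>` and quotes), while the context-aware renderer replaces it with the fallback and JSON-encodes the `<script>` slot. The scheme check is the part a practitioner most often omits, because the escaper "looks" like it handled the value.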
