Database Traffic Interception for Graybox Detection of Stored and Context-sensitive XSS

Cross-site scripting (XSS) is a type of security vulnerability that permits injecting malicious code into the client side of a web application. In the simplest situations, XSS vulnerabilities arise when a web application includes user input in its web output without due sanitization. Such simple XSS vulnerabilities can be detected fairly reliably by blackbox scanners, which inject malicious payloads into sensitive parts of HTTP requests and look for the reflected values in the web output. Contemporary blackbox scanners are not effective against stored XSS vulnerabilities, where the malicious payload in an HTTP response originates from the database storage of the web application rather than from the associated HTTP request. Similarly, many blackbox scanners do not systematically handle context-sensitive XSS vulnerabilities, where the user input is included in the web output after a transformation that prevents the scanner from recognizing the original value but does not sanitize the value sufficiently. Of the four combinations of two basic data sources (stored vs. reflected) and two basic vulnerability patterns (context-sensitive vs. not), only one is therefore tested systematically by state-of-the-art blackbox scanners. Our work focuses on systematic coverage of the three remaining combinations. We present a graybox mechanism that extends a general-purpose database to cooperate with our XSS scanner, reporting and injecting the test inputs at the boundary between the database and the web application. Furthermore, we design a mechanism for identifying the injected inputs in the web output even after encoding by the web application, and we check whether the encoding sanitizes the injected inputs correctly in the respective browser context. We evaluate our approach on eight mature and technologically diverse web applications, discovering previously unknown and exploitable XSS flaws in each of those applications.
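As an added illustration of the output-side half of the approach described above (not code from the paper or its scanner), the following Python sketch shows how an injected probe can still be located after the application encodes it, how the applied encoding is named, and how its adequacy is judged against the browser context the probe landed in. The probe format (alphanumeric head and tail around a set of metacharacters), the context heuristics and the sample HTML fragments are all constructed assumptions of this example.

```python
import html
import re
import urllib.parse

# Constructed probe (an assumption of this example, not the paper's format): an
# alphanumeric head and tail that survive any encoding, bracketing the
# metacharacters whose fate in the output we want to observe.
HEAD, TAIL = "qz7x", "probe3k"
META = "<>\"'"
PROBE = HEAD + META + TAIL

def _js_unescape(s):
    # Reverse \xNN and \uNNNN escapes produced by JavaScript-string encoders.
    return re.sub(r"\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4}))",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

# Candidate transformations the application may have applied, tried in order.
DECODERS = {"none": lambda s: s, "html": html.unescape,
            "url": urllib.parse.unquote, "js": _js_unescape}

def context_at(doc, pos):
    """Return (browser context, characters that break out of it) for offset pos."""
    before = doc[:pos]
    if re.search(r"<script\b[^>]*>(?:(?!</script>).)*\Z", before, re.S | re.I):
        return "script", "<\"'"               # conservative: '<' only matters as '</'
    if before.rfind("<") > before.rfind(">"):  # offset lies inside an open tag
        attrs = re.findall(r"(\w+)\s*=\s*([\"']?)", before[before.rfind("<"):])
        if attrs:
            name, quote = attrs[-1]
            if name.lower().startswith("on"):
                return "event", "\"'"          # entity-decoded, then parsed as JS
            return "attr", quote or " >"       # unquoted attribute ends at space or '>'
    return "text", "<"                         # only a literal '<' opens a tag

def check_output(doc):
    """Locate the probe, name the encoding applied to it, and decide whether that
    encoding is sufficient for the context the probe landed in."""
    m = re.search(re.escape(HEAD) + r"(.{0,64}?)" + re.escape(TAIL), doc)
    if not m:
        return None                            # probe did not reach this output
    encoded = m.group(1)
    encoding = next((n for n, d in DECODERS.items() if d(encoded) == META),
                    "stripped" if not encoded else "unknown")
    ctx, breaking = context_at(doc, m.start())
    # Event-handler attributes are entity-decoded before the JS parser sees them;
    # everywhere else the HTML tokenizer acts on the raw text, so entities cannot
    # break out even though they decode to the same characters.
    effective = html.unescape(encoded) if ctx == "event" else encoded
    leaked = "".join(c for c in breaking if c in effective)
    return {"context": ctx, "encoding": encoding,
            "vulnerable": bool(leaked), "leaked": leaked}
```

The same HTML-entity encoding is reported as adequate in text and attribute context but as insufficient inside an `onclick` handler, which is the kind of context-sensitive flaw the abstract refers to.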
