Noncespaces: Using randomization to defeat cross-site scripting attacks

Cross-site scripting (XSS) vulnerabilities are among the most common and serious web application vulnerabilities. It is challenging to eliminate XSS vulnerabilities because it is difficult for web applications to sanitize all user input appropriately. We present Noncespaces, a technique that enables web clients to distinguish between trusted and untrusted content to prevent exploitation of XSS vulnerabilities. Using Noncespaces, a web application randomizes the the (X)HTML tags and attributes in each document before delivering it to the client. As long as the attacker is unable to guess the random mapping, the client can distinguish between trusted content created by the web application and untrusted content provided by an attacker. To implement Noncespaces with minimal changes to web applications, we leverage a popular web application architecture to automatically apply Noncespaces to static content processed through a popular PHP template engine. We design a policy language for Noncespaces, implement a training mode to assist policy development, and conduct extensive security testing of a generated policy for two large web applications to show the effectiveness of our technique.

[1]  Alexander Aiken,et al.  Static Detection of Security Vulnerabilities in Scripting Languages , 2006, USENIX Security Symposium.

[2]  Robert A. Martin,et al.  Vulnerability Type Distributions in CVE , 2007 .

[3]  Úlfar Erlingsson,et al.  End-to-End Web Application Security , 2007, HotOS.

[4]  Salim Hariri,et al.  Randomized Instruction Set Emulation To Disrupt Binary Code Injection Attacks , 2003 .

[5]  C. M. Sperberg-McQueen,et al.  Extensible markup language , 1997 .

[6]  Angelos D. Keromytis,et al.  SQLrand: Preventing SQL Injection Attacks , 2004, ACNS.

[7]  C. M. Sperberg-McQueen,et al.  Extensible Markup Language (XML) , 1997, World Wide Web J..

[8]  Sid Stamm,et al.  Reining in the web with content security policy , 2010, WWW '10.

[9]  Onur Aciiçmez,et al.  Alhambra: a system for creating, enforcing, and testing browser security policies , 2010, WWW '10.

[10]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[11]  S. Hadjiefthymiades,et al.  Hypertext Transfer Protocol (HTTP) , 1996 .

[12]  Zhendong Su,et al.  Static detection of cross-site scripting vulnerabilities , 2008, 2008 ACM/IEEE 30th International Conference on Software Engineering.

[13]  Giovanni Vigna,et al.  Static Enforcement of Web Application Integrity Through Strong Typing , 2009, USENIX Security Symposium.

[14]  Christopher Krügel,et al.  Noxes: a client-side solution for mitigating cross-site scripting attacks , 2006, SAC '06.

[15]  Benjamin Livshits,et al.  ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser , 2010, 2010 IEEE Symposium on Security and Privacy.

[16]  Michael Hicks,et al.  Defeating script injection attacks with browser-enforced embedded policies , 2007, WWW '07.

[17]  V. N. Venkatakrishnan,et al.  Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[18]  Roy T. Fielding,et al.  Hypertext Transfer Protocol - HTTP/1.1 , 1997, RFC.

[19]  Christopher Krügel,et al.  Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis , 2007, NDSS.

[20]  Dirk Fox,et al.  Cross Site Scripting (XSS) , 2012, Datenschutz und Datensicherheit - DuD.

[21]  Zhendong Su,et al.  The essence of command injection attacks in web applications , 2006, POPL '06.

[22]  Anh Nguyen-Tuong,et al.  Automatically Hardening Web Applications Using Precise Tainting , 2005, SEC.

[23]  Dawn Xiaodong Song,et al.  Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense , 2009, NDSS.

[24]  Christian Kirkegaard,et al.  Static Analysis for Java Servlets and JSP , 2006, SAS.

[25]  Benjamin Livshits,et al.  Finding Security Vulnerabilities in Java Applications with Static Analysis , 2005, USENIX Security Symposium.

[26]  Christopher Krügel,et al.  SWAP: Mitigating XSS attacks using a reverse proxy , 2009, 2009 ICSE Workshop on Software Engineering for Secure Systems.

[27]  Steven Pemberton,et al.  XHTML™ Modularization 1.1 , 2008 .

[28]  Zhendong Su,et al.  Sound and precise analysis of web applications for injection vulnerabilities , 2007, PLDI '07.

[29]  Angelos D. Keromytis,et al.  Countering code-injection attacks with instruction-set randomization , 2003, CCS '03.

[30]  Wei Xu,et al.  Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks , 2006, USENIX Security Symposium.

[31]  Hao Chen,et al.  Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks , 2009, NDSS.