SCRIPTGARD: automatic context-sensitive sanitization for large-scale legacy web applications

We empirically analyzed sanitizer use in a shipping web application with over 400,000 lines of code and over 23,244 methods, the largest empirical analysis of sanitizer use of which we are aware. Our analysis reveals two novel classes of errors: context-mismatched sanitization and inconsistent multiple sanitization. Both of these arise not because sanitizers are incorrectly implemented, but rather because they are not placed in code correctly. Much of the work on cross-site scripting detection to date has focused on finding missing sanitizers in programs of average size. In large legacy applications, other sanitization issues leading to cross-site scripting emerge. To address these errors, we propose ScriptGard, a system for ASP.NET applications which can detect and repair the incorrect placement of sanitizers. ScriptGard serves both as a testing aid to developers and as a runtime mitigation technique. While mitigations for cross-site scripting attacks have seen intense prior research, none of them achieve the same degree of precision as ScriptGard, which considers both server and browser context, and many other mitigation techniques require major changes to server-side code or to browsers. Our approach, in contrast, can be incrementally retrofitted to legacy systems with no changes to the source code and no browser changes. With our optimizations, when used for mitigation, ScriptGard incurs virtually no statistically significant overhead.
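As an added illustration of the two error classes named above (this is example code written for this page, not code from the paper or from ScriptGard, which targets ASP.NET), the following Python uses only the standard library's encoders. The first demo shows context-mismatched sanitization: an HTML-text encoder, which like a classic HtmlEncode leaves quote characters alone, is applied to a value that actually lands inside a JavaScript string literal, so the literal is terminated early, whereas the encoder matched to the JS string context keeps it intact. The second demo shows inconsistent multiple sanitization: two code paths that apply the same two sanitizers in opposite order reach the sink with different strings. The context names, the `SANITIZER_FOR_CONTEXT` table and the constructed inputs are assumptions made for the example.

```python
"""Added example (not from the ScriptGard paper): context-mismatched sanitization and
inconsistent multiple sanitization, demonstrated with Python's standard encoders."""
import html
import json
from urllib.parse import quote


# Each sanitizer is a pure str -> str function that is correct for exactly one output context.
def html_text_encode(value: str) -> str:
    # Escapes & < > only; quotes are left alone, like a classic HtmlEncode.
    return html.escape(value, quote=False)


def html_attr_encode(value: str) -> str:
    # Attribute values additionally need both quote characters escaped.
    return html.escape(value, quote=True)


def js_string_encode(value: str) -> str:
    # Produces the *contents* of a double-quoted JS string literal: backslash-escapes quotes,
    # backslashes and control characters, and \u-escapes < > so the value cannot close <script>.
    body = json.dumps(value)[1:-1]
    return body.replace("<", "\\u003c").replace(">", "\\u003e")


def url_encode(value: str) -> str:
    return quote(value, safe="")


# Hypothetical context table: which sanitizer is correct for which sink context.
SANITIZER_FOR_CONTEXT = {
    "html_text": html_text_encode,
    "html_attr": html_attr_encode,
    "js_string": js_string_encode,
    "url_param": url_encode,
}


def render_js_assignment(value: str, sanitizer) -> str:
    # Sink: an inline script that embeds the value inside a double-quoted JS string literal.
    return '<script>var name = "' + sanitizer(value) + '";</script>'


def js_literal_intact(rendered: str) -> bool:
    # Structural check for the sink above: between the first and last double quote there must
    # be no unescaped double quote, otherwise the literal was terminated early.
    start = rendered.index('"') + 1
    end = rendered.rindex('"')
    body = rendered[start:end]
    i = 0
    while i < len(body):
        if body[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if body[i] == '"':
            return False
        i += 1
    return True


def context_mismatch_demo() -> dict:
    # Constructed input: contains a quote that would terminate the JS literal early.
    untrusted = 'x"; y="'
    wrong = render_js_assignment(untrusted, html_text_encode)  # HTML encoder at a JS sink
    right = render_js_assignment(untrusted, SANITIZER_FOR_CONTEXT["js_string"])
    return {
        "wrong": wrong, "wrong_intact": js_literal_intact(wrong),
        "right": right, "right_intact": js_literal_intact(right),
    }


def chain(value: str, *sanitizers) -> str:
    # Apply sanitizers left to right, as two different code paths might before a shared sink.
    for sanitizer in sanitizers:
        value = sanitizer(value)
    return value


def order_demo() -> dict:
    # Constructed input with characters that both encoders touch.
    untrusted = "a&b=c d"
    html_then_url = chain(untrusted, html_text_encode, url_encode)
    url_then_html = chain(untrusted, url_encode, html_text_encode)
    return {
        "html_then_url": html_then_url,
        "url_then_html": url_then_html,
        "consistent": html_then_url == url_then_html,
    }


if __name__ == "__main__":
    for name, result in (("context mismatch", context_mismatch_demo()), ("order", order_demo())):
        print(name)
        for key, val in result.items():
            print(f"  {key}: {val}")
```

Running the module prints both demos. The mismatch demo is the point ScriptGard's context tracking addresses: the sanitizer is not buggy, it is simply the wrong one for where the string ends up in the browser's parse. The order demo shows why an application with several sanitizers needs a single agreed sequence per sink, since `HtmlEncode` followed by `UrlEncode` and the reverse are not interchangeable.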
