path cutter: severing the self-propagation path of xss javascript worms in social web networks
DESCRIPTION
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks. Yinzhi Cao, Vinod Yegneswaran , Phillip Porras , and Yan Chen Northwestern University, Evanston, IL SRI International, Menlo Park, CA NDSS Symposium 2012. 2012/05/14 曾毓傑. Outline. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/1.jpg)
1
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web NetworksYinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan ChenNorthwestern University, Evanston, ILSRI International, Menlo Park, CANDSS Symposium 2012
2012/05/14 曾毓傑
![Page 2: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/2.jpg)
2
Outline• Introduction• Design• Implementation• Evaluation• Performance• Discussion
![Page 3: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/3.jpg)
3
INTRODUCTION
![Page 4: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/4.jpg)
4
Self-Propagating XSS Attacks
Samy’s Page
User’s Page
(1) Access (2) Gain Page DOM Access
MySpace
(4) Post Malicious Data onto User’s Wall(5) Affect Other Users
<div style="background: url('java script:eval(...)')">...
(3) Send Forge RequestUser
![Page 5: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/5.jpg)
5
XSS Taxonomy• Server-side XSS Attacks
• Stored XSS (Persistent)• Reflected XSS (Non-Persistent)
• Client-side XSS Attacks• Plug-in XSS (e.g. Flash, Java)• Content Sniffing XSS• DOM-based XSS
![Page 6: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/6.jpg)
6
Path Cutter• Path Cutter can successfully block all kinds of XSS attack
for self-propagation• Easy implementation on both server-side and proxy
server
![Page 7: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/7.jpg)
7
Problem DefinitionExploitation of a web application vulnerability that enables an attacker to inject client-side scripts into web pages owned by other users.
Four steps of Self-Propagating XSS Attack:• Step 1 – Enticement and Exploitation• Step 2 – Privilege Escalation• Step 3 – Replication• Step 4 – Propagation
![Page 8: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/8.jpg)
8
Related Work• Spectator System – track propagation activity• Sun et al. – Firefox plug-in• Xu et al. – monitor social graph
![Page 9: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/9.jpg)
9
DESIGN
![Page 10: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/10.jpg)
10
Main Mechanisms• View Separation• Request Authentication
![Page 11: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/11.jpg)
11
Key Concepts• Views
• A form of a web page or a part of web page• Actions
• An operation belonging to a view• Access Control List (ACL)
• Actions which a view can perform • Capability
• A secret key to validate a request
![Page 12: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/12.jpg)
12
Dividing Web Applications into Views• Based on semantics
User A’s blog websiteUser B’s blog website
• Based on URLshttp://blog.com/optionshttp://blog.com/update
• Based on elementsBlogpostUser Comments
![Page 13: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/13.jpg)
13
View Separation• Isolate different pages/views from the server at the client
side• Taking advantage of Same-Origin-Policy to prevent DOM
access and request forgery
User B’s Blogpost
User A Login
http://isolate.blog.com/user/B
<div>
User B’s Blogpost
User A Login
http://isolate.blog.com/user/B
http://contents.blog.com/user/B/post/1
<iframe>
![Page 14: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/14.jpg)
14
Request AuthenticationAuthenticate actions using:• Secret Tokens/Capability
A secret token per view which is not be able to guess, and server-side verify this token to accept the request
• Referer-based View ValidationCheck if an action is permitted from certain view in the access control list(ACL)
Referer: http://isolate.blog.com/user/B
POST http://isolate.blog.com/user/postReferer: http://contents.blog.com/user/B/post/1
User B’s Blogpost
User A Login
<iframe>
![Page 15: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/15.jpg)
15
IMPLEMENTATION
![Page 16: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/16.jpg)
16
Server-side Implementation• WordPress
Open Source Blog SystemTotally 43 lines of code modificationURLs Separation
• ElggOpen Social Network EngineTotally 2 lines of code modification and 23 lines of plug-inIsolate comment add form into different view
echo "<iframe style = ’background:inherit;border:0;margin:0;padding:0’ sandbox=’allow-forms’ scrolling=’no’ height=’400pt’ width=’100%’ src=’http://other.com/echo.php?content=" .urlencode(elgg_view(’input/form’, array(’body’ => $form_body, action’ => "{$vars[’url’]}action/comments/add")))."’/>";
![Page 17: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/17.jpg)
17
Proxy Implementation• Facebook
Separate user comments into views, and use different URL to get comment contents
FacebookProxy
(1) Request content.x.com
(2) Redirect isolate.x.com
(3) Request isolate.x.com
(4) isolate.x.com contents<html><body> <iframe src="content.x.com/?token=***"> </iframe></body></html>
(5) Request content.x.com/?token=***
(6)
(7)
![Page 18: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/18.jpg)
18
Proxy Implementation (Cont.)• User comment separation using echo server
... <span data-jsid="text">user comment</span>...
http://content.x.com
Proxy content modification
... <span data-jsid="text"> <iframe scrolling="no" height="100%" sandbox src=“http://foo.com/echo.php?content=user%20coment"> </span>...
http://content.x.com
![Page 19: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/19.jpg)
19
EVALUATION
![Page 20: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/20.jpg)
20
Case 1: Boonana WormJava Applet worm released in October 2010
Propagation Steps:1. Visit a profile with malicious Java Applet2. Escalate privilege and inject JavaScript into page in
client-side using Java vulnerability3. Post itself on visitor's wall
Path Cutter let Java Applet only gain privilege on isolated page
![Page 21: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/21.jpg)
21
Case 2: Renren WormFlash-based worm spread on the Renren Social Network in 2009
Propagation Steps:1. Visit a profile with malicious Flash Object2. Escalate privilege and inject JavaScript into page in
client-side using Flash vulnerability3. Replicate itself on the visitor’s wall
Path Cutter block sharing request by isolated views
![Page 22: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/22.jpg)
22
Case 3: MySpace Samy WormFirst XSS worms in MySpace in 2005
Propagation Steps:1. Visit a profile with malicious code in a style attribute of
<div> tag2. Use XMLHttpRequest to get a secret token3. Post itself on visitor’s profile using the secret token
Path Cutter make XMLHttpRequest unaccessible by view isolation
![Page 23: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/23.jpg)
23
Case 4: SpaceFlash WormFlash-based worm on MySpace in 2006
Propagation Steps:1. Visit a “About Me” page with malicious Flash Object2. Access user’s profile to gain privilege3. Send AJAX request to post itself on visitor’s “About Me”
page
Path Cutter block post request since referer is not “About Me” page
![Page 24: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/24.jpg)
24
Case 5: Yamanner WormJavaScript worm spreading in Yahoo! Mail in 2006
Propagation Steps:1. Victim open a malicious email and JavaScript executed
due to a bug in Yahoo!’s script filter2. Worm open victim’s address book and send email to
those who are listed in the book
Path Cutter deny email sending request because there is no secret token in the request
![Page 25: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/25.jpg)
25
Experimental Worms• Proof-of-Concept worm• Implementation of worm template• Apply on WordPress and Elgg
check_infected();// check if the user is infected or notxmlhttp = new XMLHttpRequest;xmlhttp.open("POST", post_url,true);xmlhttp.onreadystatechange=function() { if (xmlhttp.readyState==4) { set_infected(); }}xmlhttp.setRequestHeader("Content-type" , "application/x-www-form-urlencoded");xmlhttp.setRequestHeader("Content-length" , payload.length);xmlhttp.send(payload);
function xhr() { ... }Object.prototype.post = function(uri,arg) { /*** usage: xhr().post(’foo.php’); ***/ this.open(’POST’, uri, true); this.setRequestHeader(’Content-type’ ,’application/x-www-form-urlencoded’); ... this.send(arg);};/*** source morphing component ***/Object.prototype.morph = function(s) { ... switch(morphtype) { case "unicode": ... case "charcodes": ... }}
![Page 26: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/26.jpg)
26
PERFORMANCE
![Page 27: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/27.jpg)
27
Memory Overhead• <iframe> tags introduce memory overhead• < 10 frames < 10% memory overhead• ~ 45 frames ~ 30% memory overhead
![Page 28: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/28.jpg)
28
Rendering Time Overhead• Observing onload event in Webpage• Elgg implementation: 1.14 secs 1.18 secs (3.5%)
![Page 29: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/29.jpg)
29
DISSCUSSION
![Page 30: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/30.jpg)
30
Limitation• Cookie and Content Stealing Attacks• Phishing and ClickJacking Attacks• Drive-by Download Worms
![Page 31: Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks](https://reader035.vdocuments.mx/reader035/viewer/2022062814/56816782550346895ddc9300/html5/thumbnails/31.jpg)
31
Conclusion• Implement view separation and http request
authentication to severing self-propagating XSS attack