FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications Prateek Saxena* Pongsin Poosankam‡* Steve Hanna* Dawn Song* * UC Berkeley ‡ Carnegie Mellon University 1
Client-side Validation(CSV) Vulnerabilities • A new class of input validation vulnerabilities • Analogous to server-side bugs – Unsafe data usage in the client-side JS code – Involves data flows – Purely client-side, data never sent to server – Returned from server, then used in client-side code 2
Rich Web Applications • Lots of JS code • Rich cross-domain interaction APP 1 APP 2 APP 3 APP 4 3
Outline • CSV Vulnerability Examples • FLAX: Tool and Techniques – Challenges & Key Idea – Tool Architecture – Design • Real Attacks and Evaluation Results • Related Work & Conclusion 4
Vulnerability Example (I): Origin Misattribution • Cross-domain Communication – Example: HTML 5 post. Message Sender Receiver facebook. com cnn. com post. Message Origin: www. facebook. com Data: “Chatuser: Joe, Msg: Hi” Origin: www. evil. com Data: “Chatuser: Joe, Msg: onlinepharmacy. com” 5
Vulnerability Example (II): Code Injection Receiver • Code/data mixing • Dynamic code evaluation facebook. com – eval – DOM methods …… • Eval also deserializes objects …… – JSON eval (. . + event. data); Data: “alert(‘ 0 wned’); ” 6
Vulnerability Example (III): Application Command Injection • Application-specific commands • Example: Chat application “. . =nba&cmd=addbuddy&user=evil” http: //chat. com/roomname=nba Injected Command Application Java. Script Join this room XMLHttp. Req. open (url) http: //chat. com? cmd=joinroom&room=nba &cmd=addbuddy&user=evil http: //chat. com? cmd=joinroom&room=nba Application Server 7
Vulnerability Example (IV): Cookie Sink Vulnerabilities • Cookies – Store session ids, user’s history and preferences – Have their own control format, using attributes • Can be read/written in Java. Script • Attacks – Session fixation – History and preference data manipulation – Cookie attribute manipulation, changes 8
Summary of Goals • Systematic discovery techniques – FLAX: An Automatic tool for discovery – A new hybrid technique for Java. Script analysis • Evaluate prevalence in real code – An empirical evaluation of real-world applications – Find several unknown CSV vulnerabilities 9
Outline • CSV Vulnerabilities • FLAX: Tool and Techniques – Challenges & Key Idea – Tool Architecture – Design • Real Attacks and Evaluation Results • Related Work & Conclusion 10
Problem Definition • Definition – Unsafe usage of untrusted data in a critical sink • Systematically discovery of CSV vulnerabilities • Two sub-problems – Exploring program space – Finding bugs in some explored functionality • Attacker Model – Web attacker (evil. com) – User-as-an-attacker 11
Challenges End-to-end Web Application Analysis • Java. Script complexity – Highly dynamic language – String-heavy • Parsing ops. indistinguishable from validation checks – Custom sanity routines are common • Hidden server-side logic – Assumes no knowledge of the server – Handles reflected flows: data flows to server and back 12
Key Insight • Taint-enhanced black-box fuzzing (TEBF) – – A simple idea Combine benefits of taint-tracking & fuzzing Requires no source code annotations No false positives • FLAX: An End-to-end System Efficiency – Simplifies JS first of finding – Implements TEBF Bugs – Handles reflected flow using approximate tainting Purely dynamic Taint-tracking TEBF Syntax-driven fuzzing Black-box fuzzing False Positives 13
![FLAX Tool Design function acceptor(input) Initial { Input must_match = ’{]: ], ]: ]}’;](https://present5.com/presentation/8399c2fee08f67fcb8e3898fb2ac5c6f/image-14.jpg "FLAX Tool Design function acceptor(input) Initial { Input must_match = ’{]: ], ]: ]}’;")
FLAX Tool Design function acceptor(input) Initial { Input must_match = ’{]: ], ]: ]}’; re 1 =/\(? : ["\/bfnrt]|u[0 -9 a-f. A-F]{4})/g; re 2 =/"[ˆ"\nr]*"|true|false|null| Source -? d+(? : . d*)? (? : [e. E][+-]? d+)? /g; re 3 = /(? : ˆ|: |, )(? : s*[)+/g; rep 1 = input. replace(re 1, "@"); rep 2 = rep 1. replace(re 2, "]"); rep 3 = rep 2. replace(re 3, ""); Transformation Operations if(rep 3 == must_match) { return true; } Java. Script return false; Program } Execution Trace Taint-tracking SINKAWARE FUZZER Sink EXPLOIT ? Path Constraints Acceptor Slice 14
![FLAX Implementation JAVASCRIPT INTERPRETER X = INPUT[4] Y = Sub. Str(X, 0, 4) Z](https://present5.com/presentation/8399c2fee08f67fcb8e3898fb2ac5c6f/image-15.jpg "FLAX Implementation JAVASCRIPT INTERPRETER X = INPUT[4] Y = Sub. Str(X, 0, 4) Z")
FLAX Implementation JAVASCRIPT INTERPRETER X = INPUT[4] Y = Sub. Str(X, 0, 4) Z = (Y==“http”) TAINT ENGINE ACCEPTOR SLICE GENERATO R PC = IF (Z) THEN (T) ELSE (NEXT) JASIL EXECUTION TRACE 15
Simplifying Java. Script • JASIL : Our intermediate language – A simple type system – Small set of operations • Enables string-centric, fine-grained taint tracking on JS 16
Simplifying Java. Script (II) • Benefits of JASIL simplification to taint-tracking • Example: Taint semantics for replace are difficult! rep 1 = INPUT. replace(/\(? : ["\/bfnrt]|u[0 -9 a-f. A-F]{4})/g, "@"); R Emitted JASIL Instructions INPUT sub. String convert R @ @ concat @ @ OUTPUT 17
Outline • CSV Vulnerabilities • FLAX: Tool and Techniques – Challenges & Key Idea – Tool Architecture – Design • Attacks and Evaluation Results • Related Work & Conclusion 18
Evaluation • 40 Subjects – i. Google gadgets – AJAX applications and web sites • Setup – Untrusted sources » All cross-domain channels » Text boxes – Critical sinks » Code evaluation constructs » XHR url data » Cookies 19
Results (I) • Summary – Taint observed in 18 / 40 subjects – FLAX found 11 previously unknown vulnerabilities Vulnerability Type Number of vulnerabilities Code Injection 8 Origin Misattribution 1 Application Command Injection 1 Cookie Sink 1 TOTAL FOUND BY FLAX 11 • Examples – – Origin Misattribution leading to XSS in Facebook Connect Gadget Overwriting Attacks on Google/IG Application Command Injection on Ajax. IM Code injection and cookie attribute manipulation via cookie sinks 20
Example Attacks: Gadget Overwriting Legitimate URL bar <Attack Link to IGoogle page> Compromised Gadget with Overwritten Contents 21
Effectiveness • Character-level precise taint-tracking helps fuzzing • Reduction in input sizes 22
Effectiveness (II) • Reduction in false positives, TEBF vs. pure taint-tracking 23
Conclusion • A new class of vulnerabilities: CSV • Example attacks • A systematic discovery tool: FLAX – No annotations, no false positives – Employs a simple TEBF techniques – Robust analysis using JASIL • CSV vulnerabilities are actually prevalent today – Found 11 previously unknown vulns – Demonstrate proof-of-concept exploits 24
Contact • Contact: – Prateek Saxena (prateeks@cs. berkeley. edu) • Please visit our project web site – http: //webblaze. cs. berkeley. edu THANKS FOR LISTENING 25
Скачать презентацию FLAX Systematic Discovery of Client-Side Validation Vulnerabilities in
8399c2fee08f67fcb8e3898fb2ac5c6f.ppt