hybrid security analysis of web JavaScript code via dynamic partial evaluation

Omer Tripp, Pietro Ferrara, Marco Pistoia
IBM Research, NY

Work published at the ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2014). Recipient of the ACM SIGSOFT Distinguished Paper Award.

web client-side code*

[chart: web client-side code, in percent: 5% nine years ago, 25% four years ago, 30% today]

* data due to IBM application security research team

client-side vulnerabilities*

DOM-based XSS

    var pos = document.location.href.indexOf("name=");
    document.write(document.URL.substring(pos, document.URL.length));

open redirect

    var pos = document.location.href.indexOf("target=");
    var val = document.location.href.substring(pos);
    document.location.href = "http://" + val;

>15% vulnerable to these attacks!

* data due to IBM application security research team

reflected XSS

[diagram: attacker, victim, web app] The attacker sends the victim a link embedded with an evil script; the web app reflects the script into the HTML response without proper encoding; the attacker's evil script is executed using the victim's credentials.

DOM-based XSS

[diagram: attacker, victim, ibm.com] The victim follows www.ibm.com/index.html?name=<script>…</script>; the evil script is NOT sent to the server and there is NO reflection into the HTML response: the client-side code itself writes it into the page.


open redirect

[diagram: attacker, victim, ibm.com, attacker.com] The victim follows www.ibm.com/index.html?target=attacker.com and the client-side code on ibm.com redirects the browser to attacker.com.
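The two client-side patterns on the "client-side vulnerabilities" slide, beside hardened forms, as an added example (this is not code from the slides or from the paper). The functions are pure so they run under Node without a DOM: `href` stands in for `document.location.href`, and the sample URLs, the allow-list and all function names are constructed for this example.

```javascript
// Added example (not code from the slides): the DOM-based XSS and open-redirect
// patterns above, each beside a hardened form. `href` stands in for
// document.location.href; sample URLs are constructed for this example.

// The DOM-based XSS pattern from the slide: everything from "name=" to the end
// of the URL is returned verbatim and then handed to document.write().
function vulnerableNameHtml(href) {
  const pos = href.indexOf("name=");
  return href.substring(pos, href.length);
}

// Hardened version: parse the URL, take only the parameter value, and encode it
// for an HTML text context. (Assigning it via textContent instead of
// document.write or innerHTML would avoid the need for encoding altogether.)
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function safeNameHtml(href) {
  const name = new URL(href).searchParams.get("name");
  return htmlEncode(name === null ? "" : name);
}

// The open-redirect pattern from the slide navigates to "http://" + whatever
// follows "target=". Hardened version: resolve the parameter against the page's
// own origin, then allow only http(s) targets whose host is on an allow-list.
function safeRedirectTarget(href, allowedHosts, fallback = "/") {
  const page = new URL(href);
  const target = page.searchParams.get("target");
  if (target === null) return fallback;
  let parsed;
  try {
    parsed = new URL(target, page.origin); // relative paths resolve to our own origin
  } catch (e) {
    return fallback;                        // unparsable target
  }
  const httpScheme = parsed.protocol === "https:" || parsed.protocol === "http:";
  if (!httpScheme || !allowedHosts.includes(parsed.hostname)) return fallback;
  return parsed.href;
}
```

Resolving the target against the page origin before checking the host is what defeats protocol-relative (`//host/...`) and scheme-switching (`javascript:`) values: both end up parsed, and both fail the scheme/host check rather than slipping through a substring test.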


JavaScript complexities

eval and its relatives

    eval("document.write('evil')");

reflective property access

    var a = "foo" + "bar";
    var b = obj[a];

arguments array

    function bar() { if (arguments.length > 3) foo(arguments[2]); }
    bar(1, "x", 3);

prototype-chain property lookup

    function F() { this.f = document.location; }
    function G() { }
    G.prototype = new F();
    var g = new G();
    write(g.bar);

function pointers

    var m = function() { … };
    var k = function(f) { f(); };
    k(m);

lexical scoping

    function foo() {
      var y = 42;
      var bar = function() { write(y); };
    }

…

motivating example

    var search_term = 'login.html';
    var str = document.url; // source
    var url_check = str.indexOf(search_term);
    if (url_check > -1) {
      var result = str.substring(0, url_check);
      result = result + 'login.jsp' +
               str.substring(url_check + search_term.length, str.length);
      document.url = result; // sink
    }

(real-world JavaScript code from the Alcatel-Lucent website)


taint analysis

Taint analysis follows the flow in the code above from the source (document.url) through indexOf, substring and string concatenation into the sink (document.url = result) and reports it. BOOM?!

dynamic partial evaluation

With the concrete URL http://x.com/login.html?p1=v1 observed at runtime substituted for document.location, the same code partially evaluates to:

    var search_term = 'login.html';
    var str = "http://x.com/login.html?p1=v1";   // was: document.location
    var url_check = str.indexOf(search_term);
    if (url_check > -1) {
      var result = "http://x.com/";              // was: str.substring(0, url_check)
      result = "http://x.com/login.jsp?p1=v1";   // was: result + 'login.jsp' + str.substring(url_check + search_term.length, str.length)
      document.url = result;
    }

(real-world JavaScript code from the Alcatel-Lucent website)

our hybrid approach

[diagram] The crawler issues GET http://x.com/login.html?p1=v1 and records the runtime value behind document.url; the static analysis then runs on the partially concretized code (var str = "http://x.com/login.html?p1=v1"; in place of var str = document.url; // source). Properties claimed for the combination: accuracy, coverage, lightweight.

Dynamic Oracle
  • Crawls Web site
  • Collects dynamic information
  • Links references to the DOM with partially concretized values

Traditional Static Taint Analysis
  • Looks for flows from sources to sinks

Static String Analysis
  • Determines which parts of a string are beyond user control
  • Leverages string information for better classification of findings

static analysis: JSA — intuition

    document.location = "http://x.com/login.html?p1=v1"

    http://x.com/login.html?    system-controlled prefix
    .*                          attacker-controlled suffix

static analysis: JSA — domain and transformers

    var str = document.location;   // concretized by the oracle: "HTTP://X.Com/login.html?p1=v1"
    var lstr = str.toLowerCase();
    var n = lstr.indexOf("login.html");
    if (n > -1) {
      var tmp = str.substring(0,n);
      document.location.href = tmp;
    }

Abstract state after each statement. Prx maps a string variable to (system-controlled prefix, T/F), where T marks that an attacker-controlled suffix may follow the prefix and F that the whole value is system-controlled; Idx maps an index variable to its value.

    after var str = "HTTP://X.Com/login.html?p1=v1";
        Prx = {str -> (HTTP://X.Com/login.html?, T)}
    after var lstr = str.toLowerCase();
        Prx = {str -> (HTTP://X.Com/login.html?, T), lstr -> (http://x.com/login.html?, T)}
    after var n = lstr.indexOf("login.html");
        Prx unchanged, Idx = {n -> 13}
    after var tmp = str.substring(0,n);
        Prx = {str -> (HTTP://X.Com/login.html?, T), lstr -> (http://x.com/login.html?, T), tmp -> (HTTP://X.Com/, F)}, Idx = {n -> 13}
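A toy version of the Prx/Idx domain and its transformers, run over the login-redirect snippet above, the motivating example from the earlier slides, and the Corning benchmark snippet from the evaluation, as an added example serving both the "our hybrid approach" slides (the oracle step) and the JSA slides. This is not the paper's or AppScan's JSA code. Two rules are this example's own assumptions: the oracle treats everything after the first '?' of the crawled URL as attacker-controlled, and a redirect sink is classified benign when the attacker-controlled data can only land after a '?' in the system-controlled prefix. All function names are this example's own.

```javascript
// Added example, not the paper's or AppScan's JSA code: a toy version of the
// Prx/Idx domain and transformers sketched on the slides.
//
// Abstract string (a Prx entry): a system-controlled prefix plus a flag saying
// whether an attacker-controlled suffix (the ".*" of the intuition slide) may
// follow it; the slides write this as (prefix, T/F). Abstract index (an Idx
// entry): a known integer, or null when it depends on the unknown suffix.

const constant = (s) => ({ prefix: s, tainted: false }); // string literal
const unknown = () => ({ prefix: "", tainted: true });    // source value with no prefix information

// Dynamic-oracle step (assumption): the crawled URL is handed in, and everything
// after its first '?' is treated as attacker-controlled.
function fromOracle(crawledUrl) {
  const q = crawledUrl.indexOf("?");
  return { prefix: q < 0 ? crawledUrl : crawledUrl.substring(0, q + 1), tainted: true };
}

function absToLowerCase(v) {
  return { prefix: v.prefix.toLowerCase(), tainted: v.tainted };
}

// indexOf(literal): the first occurrence is certain only when it lies inside the prefix.
function absIndexOf(v, needle) {
  const i = v.prefix.indexOf(needle);
  if (i >= 0) return i;
  return v.tainted ? null : -1;   // it may still occur in (or straddle into) the suffix
}

// substring(start, end); end = Infinity means "to the end" (as str.length does
// in JavaScript), end = null means the cut point itself is unknown.
function absSubstring(v, start, end) {
  if (start === null || end === null) return unknown();   // cut point unknown: nothing certain
  if (end <= v.prefix.length) {
    return { prefix: v.prefix.substring(start, end), tainted: false }; // lies wholly in the prefix
  }
  return { prefix: v.prefix.substring(start), tainted: v.tainted };
}

// a + b: once an unknown suffix appears, nothing after it is system-controlled.
function absConcat(a, b) {
  return a.tainted ? a : { prefix: a.prefix + b.prefix, tainted: b.tainted };
}

// Sink classification for a redirect sink (assumption, approximating the
// slides' "leverages string information for better classification"): data
// that can only land after a '?' cannot change the scheme, host or path.
function classifyRedirectSink(v) {
  if (!v.tainted) return "benign: fully system-controlled";
  if (v.prefix.includes("?")) return "benign: attacker-controlled data stays in the query string";
  return "report: attacker may control scheme, host or path";
}

// Plain taint analysis, for comparison: any flow from a source is a finding.
function taintOnlyVerdict(v) {
  return v.tainted ? "report" : "benign";
}

// The snippet from the JSA slides: str -> lstr -> n -> tmp -> sink.
function analyzeLoginRedirect(crawledUrl) {
  const str = fromOracle(crawledUrl);
  const lstr = absToLowerCase(str);
  const n = absIndexOf(lstr, "login.html");
  const state = { str, lstr, n };
  if (n === null || n > -1) {                   // only the taken branch reaches the sink
    state.tmp = absSubstring(str, 0, n);
    state.verdict = classifyRedirectSink(state.tmp);
  }
  return state;
}

// The motivating example: rewrite login.html to login.jsp, keeping the query string.
function analyzeLoginRewrite(crawledUrl) {
  const search_term = "login.html";
  const str = fromOracle(crawledUrl);
  const url_check = absIndexOf(str, search_term);
  if (url_check !== null && url_check <= -1) return null;   // branch not taken
  const head = absSubstring(str, 0, url_check);
  const tailStart = url_check === null ? null : url_check + search_term.length;
  const tail = absSubstring(str, tailStart, Infinity);      // str.substring(..., str.length)
  const result = absConcat(absConcat(head, constant("login.jsp")), tail);
  return { result, verdict: classifyRedirectSink(result), taintOnly: taintOnlyVerdict(result) };
}

// The Corning benchmark snippet: both sources land after the '?'.
function analyzePrintPopup(cId, pageUrl) {
  let url = absConcat(constant("/CMS/OverviewPrint.aspx?id="), cId);
  url = absConcat(absConcat(url, constant("&url=")), pageUrl);
  return { url, verdict: classifyRedirectSink(url), taintOnly: taintOnlyVerdict(url) };
}
```

Running `analyzeLoginRedirect("HTTP://X.Com/login.html?p1=v1")` reproduces the states on the slides (n = 13, tmp = (HTTP://X.Com/, F)) and classifies the sink as benign, where taint analysis alone would report it; when the crawled URL contains no login.html the index stays unknown and the toy analysis conservatively keeps the report.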

note on implementation

  JSA written atop the WALA framework
  IFDS problem / distributive analysis
  optimization: staged analysis
    1st stage: taint analysis
    2nd stage: JSA applied to source/sink pairs not eliminated by taint analysis
  featured in IBM Security AppScan Standard Edition (AppScan Std) V8.6

evaluation — benchmarks

  170,000 webpages / 675 websites:
    Fortune 500
    top 100 (www.web100.com)
    handpicked security and IT websites
  up to 500 pages per site via nonintrusive crawling
    no login
    only link crawling

evaluation — benchmarks

    var pageUrl = window.location;
    var cId = document.getElementById("ctl00_ContentPlaceHolder1_hdnContentId").value;
    var url = "/CMS/OverviewPrint.aspx?id=" + cId + "&url=" + pageUrl;
    openPopupWindow(url);

(from the Corning website) Both cId and pageUrl flow into the target URL's query string, after the '?'.

    var url = window.location.href;
    var i = url.indexOf("?");
    if (i>0) {url=url.substring(0, i); i = url.indexOf("/ntopic/");}
    if (i<0) { return; }
    url = url.substring(0, i+1);
    url = url+"livehelp/?pluginID="+a;
    window.location.href = url;

(from the IBM Team Concert website) Computes a prefix of the URL string that lies within the host path, and appends the constant string livehelp/?pluginID=.

1st experiment: comparison with taint analysis

  compared against commercial taint analysis (used in AppScan Std V8.5)
  entire set of webpages
  manual classification of results by professional ethical hacker (from IBM application security team): TP/FP

1st experiment: results

[bar chart: true positives and false positives, JSA vs. taint analysis]

    configuration     TPs     FPs
    JSA               2,639   301
    taint analysis    2,639   4,443

90% reduction!!

evaluation — FPs?

    function changeZipRedirect(zipCodeRedirect) {
      var currURL = document.location.href; ...;
      wcmContext = currURL.split('WCM GLOBAL CONTEXT');
      var redirectStr = wcmContext[1]; ...;
      if (redirectStr.match("pmapmc=") == null) {
        /* redirect to the zipcode page */
        document.location.href = zipCodeRedirect + "&redirectURL"
          + redirectStr; } }

(from the Alltel website)

unresolved constant

2nd experiment: comparison with black-box testing

  compared against commercial testing engine (that of AppScan Std V8.6)
  ~10% (60 / 675) of websites sampled at random
  website fragment retrieved by crawler deployed locally for intrusive testing

2nd experiment: results

    configuration    vulnerable websites    false positives
    JSA enabled      33                     4
    JSA disabled     8                      0

conclusion

  JavaScript security: a BIG deal
  taint analysis: poor user experience (>60% FPs!)
  the key: dynamic partial evaluation
    high coverage
    precision boost with low overhead
  JSA: novel form of string analysis
    scalable (staged solution atop taint analysis)
    90% reduction in FPs!

<script>alert('thank you!')</script>