Upload
clare-buckmaster
View
216
Download
0
Embed Size (px)
Citation preview
1
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks
Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen
Northwestern University, Evanston, IL
SRI International, Menlo Park, CA
NDSS Symposium 2012
2012/05/14 曾毓傑
4
Self-Propagating XSS Attacks
Samy’s Page
User’s Page
(1) Access (2) Gain Page DOM Access
MySpace
(4) Post Malicious Data onto User’s Wall(5) Affect Other Users
<div style="background: url('java script:eval(...)')">...
(3) Send Forge RequestUser
5
XSS Taxonomy• Server-side XSS Attacks
• Stored XSS (Persistent)• Reflected XSS (Non-Persistent)
• Client-side XSS Attacks• Plug-in XSS (e.g. Flash, Java)• Content Sniffing XSS• DOM-based XSS
6
Path Cutter• Path Cutter can successfully block all kinds of XSS attack
for self-propagation• Easy implementation on both server-side and proxy
server
7
Problem Definition
Exploitation of a web application vulnerability that enables an attacker to inject client-side scripts into web pages owned by other users.
Four steps of Self-Propagating XSS Attack:• Step 1 – Enticement and Exploitation• Step 2 – Privilege Escalation• Step 3 – Replication• Step 4 – Propagation
8
Related Work• Spectator System – track propagation activity• Sun et al. – Firefox plug-in• Xu et al. – monitor social graph
11
Key Concepts• Views
• A form of a web page or a part of web page
• Actions• An operation belonging to a view
• Access Control List (ACL)• Actions which a view can perform
• Capability• A secret key to validate a request
12
Dividing Web Applications into Views• Based on semantics
User A’s blog website
User B’s blog website
• Based on URLshttp://blog.com/optionshttp://blog.com/update
• Based on elementsBlogpost
User Comments
13
View Separation• Isolate different pages/views from the server at the client
side• Taking advantage of Same-Origin-Policy to prevent DOM
access and request forgery
User B’s Blogpost
User A Login
http://isolate.blog.com/user/B
<div>
User B’s Blogpost
User A Login
http://isolate.blog.com/user/B
http://contents.blog.com/user/B/post/1
<iframe>
14
Request Authentication
Authenticate actions using:• Secret Tokens/Capability
A secret token per view which is not be able to guess, and server-side verify this token to accept the request
• Referer-based View ValidationCheck if an action is permitted from certain view in the access control list(ACL)
Referer: http://isolate.blog.com/user/B
POST http://isolate.blog.com/user/postReferer: http://contents.blog.com/user/B/post/1
User B’s Blogpost
User A Login
<iframe>
16
Server-side Implementation• WordPress
Open Source Blog SystemTotally 43 lines of code modificationURLs Separation
• ElggOpen Social Network EngineTotally 2 lines of code modification and 23 lines of plug-inIsolate comment add form into different view
echo "<iframe style = ’background:inherit;border:0;margin:0;padding:0’ sandbox=’allow-forms’ scrolling=’no’ height=’400pt’ width=’100%’ src=’http://other.com/echo.php?content=" .urlencode(elgg_view(’input/form’, array(’body’ => $form_body, action’ => "{$vars[’url’]}action/comments/add")))."’/>";
17
Proxy Implementation• Facebook
Separate user comments into views, and use different URL to get comment contents
FacebookProxy
(1) Request content.x.com
(2) Redirect isolate.x.com
(3) Request isolate.x.com
(4) isolate.x.com contents
<html><body> <iframe src="content.x.com/?token=***"> </iframe></body></html>
(5) Request content.x.com/?token=***
(6)
(7)
18
Proxy Implementation (Cont.)• User comment separation using echo server
... <span data-jsid="text">user comment</span>...
http://content.x.com
Proxy content modification
... <span data-jsid="text"> <iframe scrolling="no" height="100%" sandbox src=“http://foo.com/echo.php?content=user%20coment"> </span>...
http://content.x.com
20
Case 1: Boonana Worm
Java Applet worm released in October 2010
Propagation Steps:
1. Visit a profile with malicious Java Applet
2. Escalate privilege and inject JavaScript into page in client-side using Java vulnerability
3. Post itself on visitor's wall
Path Cutter let Java Applet only gain privilege on isolated page
21
Case 2: Renren Worm
Flash-based worm spread on the Renren Social Network in 2009
Propagation Steps:
1. Visit a profile with malicious Flash Object
2. Escalate privilege and inject JavaScript into page in client-side using Flash vulnerability
3. Replicate itself on the visitor’s wall
Path Cutter block sharing request by isolated views
22
Case 3: MySpace Samy Worm
First XSS worms in MySpace in 2005
Propagation Steps:
1. Visit a profile with malicious code in a style attribute of <div> tag
2. Use XMLHttpRequest to get a secret token
3. Post itself on visitor’s profile using the secret token
Path Cutter make XMLHttpRequest unaccessible by view isolation
23
Case 4: SpaceFlash Worm
Flash-based worm on MySpace in 2006
Propagation Steps:
1. Visit a “About Me” page with malicious Flash Object
2. Access user’s profile to gain privilege
3. Send AJAX request to post itself on visitor’s “About Me” page
Path Cutter block post request since referer is not “About Me” page
24
Case 5: Yamanner Worm
JavaScript worm spreading in Yahoo! Mail in 2006
Propagation Steps:
1. Victim open a malicious email and JavaScript executed due to a bug in Yahoo!’s script filter
2. Worm open victim’s address book and send email to those who are listed in the book
Path Cutter deny email sending request because there is no secret token in the request
25
Experimental Worms• Proof-of-Concept worm• Implementation of worm template• Apply on WordPress and Elgg
check_infected();// check if the user is infected or notxmlhttp = new XMLHttpRequest;xmlhttp.open("POST", post_url,true);xmlhttp.onreadystatechange=function() { if (xmlhttp.readyState==4) { set_infected(); }}xmlhttp.setRequestHeader("Content-type" , "application/x-www-form-urlencoded");xmlhttp.setRequestHeader("Content-length" , payload.length);xmlhttp.send(payload);
function xhr() { ... }Object.prototype.post = function(uri,arg) { /*** usage: xhr().post(’foo.php’); ***/ this.open(’POST’, uri, true); this.setRequestHeader(’Content-type’ ,’application/x-www-form-urlencoded’); ... this.send(arg);};/*** source morphing component ***/Object.prototype.morph = function(s) { ... switch(morphtype) { case "unicode": ... case "charcodes": ... }}
27
Memory Overhead• <iframe> tags introduce memory overhead• < 10 frames < 10% memory overhead• ~ 45 frames ~ 30% memory overhead
28
Rendering Time Overhead• Observing onload event in Webpage• Elgg implementation: 1.14 secs 1.18 secs (3.5%)
30
Limitation• Cookie and Content Stealing Attacks• Phishing and ClickJacking Attacks• Drive-by Download Worms