A Systematic Analysis of XSS Sanitization in Web Application Frameworks

  • Joel Weinberger
  • Prateek Saxena
  • Devdatta Akhawe
  • Matthew Finifter
  • Richard Shin
  • Dawn Song
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6879)

Abstract

While most research on XSS defense has focused on techniques for securing existing applications and re-architecting browser mechanisms, sanitization remains the industry-standard defense mechanism. By streamlining and automating XSS sanitization, web application frameworks stand in a good position to stop XSS but have received little research attention. In order to drive research on web frameworks, we systematically study the security of the XSS sanitization abstractions frameworks provide. We develop a novel model of the web browser and characterize the challenges of XSS sanitization. Based on the model, we systematically evaluate the XSS abstractions in 14 major commercially-used web frameworks. We find that frameworks often do not address critical parts of the XSS conundrum. We perform an empirical analysis of 8 large web applications to extract the requirements of sanitization primitives from the perspective of real-world applications. Our study shows that there is a wide gap between the abstractions provided by frameworks and the requirements of applications.
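The abstract's central claim is that sanitization is context-dependent: an escaper that is adequate for one HTML context (element body, quoted attribute value, JavaScript string literal, URL query parameter) is not adequate for another, and framework abstractions often blur these contexts. The following added example (written for this page, not code from the paper or from any of the frameworks it surveys) makes that concrete in Python. It defines one escaper per context, one syntactic acceptance check per context, and a decoder per context, then builds a matrix showing which escaper/context pairings are both adequate (the output cannot terminate its context) and correct (the browser would render the original text). The context names, the check predicates and the constructed sample input are assumptions of this example, simplified from the real grammar of each context.

```python
"""Context-sensitive escaping for XSS defense: an added illustration, not the paper's code."""
import html
import json
import re
from urllib.parse import quote, unquote

# Constructed untrusted input: one character that matters in each context
# (quotes, angle brackets, a backslash, a percent sign and an ampersand).
SAMPLE = "O'Reilly <b>\"x\"</b> back\\slash 100%&more"


def escape_html_body(s: str) -> str:
    """Text between tags: only <, > and & need to be neutralised."""
    return html.escape(s, quote=False)


def escape_html_attr(s: str) -> str:
    """Double-quoted attribute value: quotes must be escaped as well."""
    return html.escape(s, quote=True)


def escape_js_string(s: str) -> str:
    """Contents of a double-quoted JavaScript string literal (without the quotes).

    json.dumps escapes quotes, backslashes and control characters; <, > and &
    are additionally written as \\uXXXX escapes so the literal can never contain
    a '</script>' sequence the HTML parser would act on before JavaScript runs.
    """
    lit = json.dumps(s)[1:-1]
    return lit.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def escape_url_param(s: str) -> str:
    """Query-string value: percent-encode everything except unreserved characters."""
    return quote(s, safe="")


ESCAPERS = {"html": escape_html_body, "attr": escape_html_attr,
            "js": escape_js_string, "url": escape_url_param}


# Acceptance checks (assumed simplifications): does the text stay inside its context?
def _ok_html(s: str) -> bool:
    # No raw tag delimiters; an '&' is only allowed as the start of an entity.
    return re.search(r"<|>|&(?![A-Za-z0-9#]+;)", s) is None


def _ok_attr(s: str) -> bool:
    return _ok_html(s) and '"' not in s


def _ok_js(s: str) -> bool:
    # Wrapped in quotes it must parse as one well-formed literal, with no raw '<'.
    try:
        json.loads('"' + s + '"')
    except ValueError:
        return False
    return "<" not in s


def _ok_url(s: str) -> bool:
    return re.fullmatch(r"(?:[A-Za-z0-9._~-]|%[0-9A-Fa-f]{2})*", s) is not None


CHECKS = {"html": _ok_html, "attr": _ok_attr, "js": _ok_js, "url": _ok_url}

# What the consumer of each context turns the text back into.
DECODERS = {"html": html.unescape, "attr": html.unescape,
            "js": lambda s: json.loads('"' + s + '"'), "url": unquote}


def sanitize(value: str, context: str) -> str:
    """Escape `value` for the named output context."""
    return ESCAPERS[context](value)


def adequacy_matrix(value: str = SAMPLE) -> dict:
    """{(escaper, context): True iff the escaper's output cannot break out of context}."""
    return {(e, c): CHECKS[c](ESCAPERS[e](value)) for e in ESCAPERS for c in CHECKS}


def correctness_matrix(value: str = SAMPLE) -> dict:
    """{(escaper, context): True iff the output is adequate AND decodes back to `value`}."""
    result = {}
    for e in ESCAPERS:
        for c in CHECKS:
            out = ESCAPERS[e](value)
            result[(e, c)] = CHECKS[c](out) and DECODERS[c](out) == value
    return result


if __name__ == "__main__":
    for (e, c), ok in sorted(correctness_matrix().items()):
        print(f"{e:>4} escaper in {c:<4} context: {'ok' if ok else 'MISMATCH'}")
```

Running the block prints a 4x4 table; with the sample input only the diagonal pairings and the attribute escaper used in body context come out correct. Two entries are worth reading closely: the attribute escaper is inadequate in a JavaScript string because it leaves the backslash alone, and the JavaScript escaper is inadequate in an attribute because its output still contains a quote character. The URL escaper passes every syntactic check but fails correctness outside its own context, since the percent sequences would render literally, which is why adequacy alone is not the right bar for a framework's auto-escaping.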



Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Joel Weinberger (1)
  • Prateek Saxena (1)
  • Devdatta Akhawe (1)
  • Matthew Finifter (1)
  • Richard Shin (1)
  • Dawn Song (1)

  1. University of California, Berkeley, USA
