1

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web NetworksYinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan ChenNorthwestern University, Evanston, ILSRI International, Menlo Park, CANDSS Symposium 2012

2012/05/14 曾毓傑

2

Outline• Introduction• Design• Implementation• Evaluation• Performance• Discussion

3

INTRODUCTION

4

Self-Propagating XSS Attacks

Samy’s Page

User’s Page

(1) Access (2) Gain Page DOM Access

MySpace

(4) Post Malicious Data onto User’s Wall(5) Affect Other Users

<div style="background: url('java script:eval(...)')">...

(3) Send Forge RequestUser

5

XSS Taxonomy• Server-side XSS Attacks

• Stored XSS (Persistent)• Reflected XSS (Non-Persistent)

• Client-side XSS Attacks• Plug-in XSS (e.g. Flash, Java)• Content Sniffing XSS• DOM-based XSS

6

Path Cutter• Path Cutter can successfully block all kinds of XSS attack

for self-propagation• Easy implementation on both server-side and proxy

server

7

Problem DefinitionExploitation of a web application vulnerability that enables an attacker to inject client-side scripts into web pages owned by other users.

Four steps of Self-Propagating XSS Attack:• Step 1 – Enticement and Exploitation• Step 2 – Privilege Escalation• Step 3 – Replication• Step 4 – Propagation

8

Related Work• Spectator System – track propagation activity• Sun et al. – Firefox plug-in• Xu et al. – monitor social graph

9

DESIGN

10

Main Mechanisms• View Separation• Request Authentication

11

Key Concepts• Views

• A form of a web page or a part of web page• Actions

• An operation belonging to a view• Access Control List (ACL)

• Actions which a view can perform • Capability

• A secret key to validate a request

12

Dividing Web Applications into Views• Based on semantics

User A’s blog websiteUser B’s blog website

• Based on URLshttp://blog.com/optionshttp://blog.com/update

• Based on elementsBlogpostUser Comments

13

View Separation• Isolate different pages/views from the server at the client

side• Taking advantage of Same-Origin-Policy to prevent DOM

access and request forgery

User B’s Blogpost

User A Login

http://isolate.blog.com/user/B

<div>

User B’s Blogpost

User A Login

http://isolate.blog.com/user/B

http://contents.blog.com/user/B/post/1

<iframe>

14

Request AuthenticationAuthenticate actions using:• Secret Tokens/Capability

A secret token per view which is not be able to guess, and server-side verify this token to accept the request

• Referer-based View ValidationCheck if an action is permitted from certain view in the access control list(ACL)

Referer: http://isolate.blog.com/user/B

POST http://isolate.blog.com/user/postReferer: http://contents.blog.com/user/B/post/1

User B’s Blogpost

User A Login

<iframe>

15

IMPLEMENTATION

16

Server-side Implementation• WordPress

Open Source Blog SystemTotally 43 lines of code modificationURLs Separation

• ElggOpen Social Network EngineTotally 2 lines of code modification and 23 lines of plug-inIsolate comment add form into different view

echo "<iframe style = ’background:inherit;border:0;margin:0;padding:0’ sandbox=’allow-forms’ scrolling=’no’ height=’400pt’ width=’100%’ src=’http://other.com/echo.php?content=" .urlencode(elgg_view(’input/form’, array(’body’ => $form_body, action’ => "{$vars[’url’]}action/comments/add")))."’/>";

17

Proxy Implementation• Facebook

Separate user comments into views, and use different URL to get comment contents

FacebookProxy

(1) Request content.x.com

(2) Redirect isolate.x.com

(3) Request isolate.x.com

(4) isolate.x.com contents<html><body> <iframe src="content.x.com/?token=***"> </iframe></body></html>

(5) Request content.x.com/?token=***

(6)

(7)

18

Proxy Implementation (Cont.)• User comment separation using echo server

... <span data-jsid="text">user comment</span>...

http://content.x.com

Proxy content modification

... <span data-jsid="text"> <iframe scrolling="no" height="100%" sandbox src=“http://foo.com/echo.php?content=user%20coment"> </span>...

http://content.x.com

19

EVALUATION

20

Case 1: Boonana WormJava Applet worm released in October 2010

Propagation Steps:1. Visit a profile with malicious Java Applet2. Escalate privilege and inject JavaScript into page in

client-side using Java vulnerability3. Post itself on visitor's wall

Path Cutter let Java Applet only gain privilege on isolated page

21

Case 2: Renren WormFlash-based worm spread on the Renren Social Network in 2009

Propagation Steps:1. Visit a profile with malicious Flash Object2. Escalate privilege and inject JavaScript into page in

client-side using Flash vulnerability3. Replicate itself on the visitor’s wall

Path Cutter block sharing request by isolated views

22

Case 3: MySpace Samy WormFirst XSS worms in MySpace in 2005

Propagation Steps:1. Visit a profile with malicious code in a style attribute of

<div> tag2. Use XMLHttpRequest to get a secret token3. Post itself on visitor’s profile using the secret token

Path Cutter make XMLHttpRequest unaccessible by view isolation

23

Case 4: SpaceFlash WormFlash-based worm on MySpace in 2006

Propagation Steps:1. Visit a “About Me” page with malicious Flash Object2. Access user’s profile to gain privilege3. Send AJAX request to post itself on visitor’s “About Me”

page

Path Cutter block post request since referer is not “About Me” page

24

Case 5: Yamanner WormJavaScript worm spreading in Yahoo! Mail in 2006

Propagation Steps:1. Victim open a malicious email and JavaScript executed

due to a bug in Yahoo!’s script filter2. Worm open victim’s address book and send email to

those who are listed in the book

Path Cutter deny email sending request because there is no secret token in the request

25

Experimental Worms• Proof-of-Concept worm• Implementation of worm template• Apply on WordPress and Elgg

check_infected();// check if the user is infected or notxmlhttp = new XMLHttpRequest;xmlhttp.open("POST", post_url,true);xmlhttp.onreadystatechange=function() { if (xmlhttp.readyState==4) { set_infected(); }}xmlhttp.setRequestHeader("Content-type" , "application/x-www-form-urlencoded");xmlhttp.setRequestHeader("Content-length" , payload.length);xmlhttp.send(payload);

function xhr() { ... }Object.prototype.post = function(uri,arg) { /*** usage: xhr().post(’foo.php’); ***/ this.open(’POST’, uri, true); this.setRequestHeader(’Content-type’ ,’application/x-www-form-urlencoded’); ... this.send(arg);};/*** source morphing component ***/Object.prototype.morph = function(s) { ... switch(morphtype) { case "unicode": ... case "charcodes": ... }}

26

PERFORMANCE

27

Memory Overhead• <iframe> tags introduce memory overhead• < 10 frames < 10% memory overhead• ~ 45 frames ~ 30% memory overhead

28

Rendering Time Overhead• Observing onload event in Webpage• Elgg implementation: 1.14 secs 1.18 secs (3.5%)

29

DISSCUSSION

30

Limitation• Cookie and Content Stealing Attacks• Phishing and ClickJacking Attacks• Drive-by Download Worms

31

Conclusion• Implement view separation and http request

authentication to severing self-propagating XSS attack