Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks
description
Transcript of Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks
1
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web NetworksYinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan ChenNorthwestern University, Evanston, ILSRI International, Menlo Park, CANDSS Symposium 2012
2012/05/14 曾毓傑
2
Outline• Introduction• Design• Implementation• Evaluation• Performance• Discussion
3
INTRODUCTION
4
Self-Propagating XSS Attacks
Samy’s Page
User’s Page
(1) Access (2) Gain Page DOM Access
MySpace
(4) Post Malicious Data onto User’s Wall(5) Affect Other Users
<div style="background: url('java script:eval(...)')">...
(3) Send Forge RequestUser
5
XSS Taxonomy• Server-side XSS Attacks
• Stored XSS (Persistent)• Reflected XSS (Non-Persistent)
• Client-side XSS Attacks• Plug-in XSS (e.g. Flash, Java)• Content Sniffing XSS• DOM-based XSS
6
Path Cutter• Path Cutter can successfully block all kinds of XSS attack
for self-propagation• Easy implementation on both server-side and proxy
server
7
Problem DefinitionExploitation of a web application vulnerability that enables an attacker to inject client-side scripts into web pages owned by other users.
Four steps of Self-Propagating XSS Attack:• Step 1 – Enticement and Exploitation• Step 2 – Privilege Escalation• Step 3 – Replication• Step 4 – Propagation
8
Related Work• Spectator System – track propagation activity• Sun et al. – Firefox plug-in• Xu et al. – monitor social graph
9
DESIGN
10
Main Mechanisms• View Separation• Request Authentication
11
Key Concepts• Views
• A form of a web page or a part of web page• Actions
• An operation belonging to a view• Access Control List (ACL)
• Actions which a view can perform • Capability
• A secret key to validate a request
12
Dividing Web Applications into Views• Based on semantics
User A’s blog websiteUser B’s blog website
• Based on URLshttp://blog.com/optionshttp://blog.com/update
• Based on elementsBlogpostUser Comments
13
View Separation• Isolate different pages/views from the server at the client
side• Taking advantage of Same-Origin-Policy to prevent DOM
access and request forgery
User B’s Blogpost
User A Login
http://isolate.blog.com/user/B
<div>
User B’s Blogpost
User A Login
http://isolate.blog.com/user/B
http://contents.blog.com/user/B/post/1
<iframe>
14
Request AuthenticationAuthenticate actions using:• Secret Tokens/Capability
A secret token per view which is not be able to guess, and server-side verify this token to accept the request
• Referer-based View ValidationCheck if an action is permitted from certain view in the access control list(ACL)
Referer: http://isolate.blog.com/user/B
POST http://isolate.blog.com/user/postReferer: http://contents.blog.com/user/B/post/1
User B’s Blogpost
User A Login
<iframe>
15
IMPLEMENTATION
16
Server-side Implementation• WordPress
Open Source Blog SystemTotally 43 lines of code modificationURLs Separation
• ElggOpen Social Network EngineTotally 2 lines of code modification and 23 lines of plug-inIsolate comment add form into different view
echo "<iframe style = ’background:inherit;border:0;margin:0;padding:0’ sandbox=’allow-forms’ scrolling=’no’ height=’400pt’ width=’100%’ src=’http://other.com/echo.php?content=" .urlencode(elgg_view(’input/form’, array(’body’ => $form_body, action’ => "{$vars[’url’]}action/comments/add")))."’/>";
17
Proxy Implementation• Facebook
Separate user comments into views, and use different URL to get comment contents
FacebookProxy
(1) Request content.x.com
(2) Redirect isolate.x.com
(3) Request isolate.x.com
(4) isolate.x.com contents<html><body> <iframe src="content.x.com/?token=***"> </iframe></body></html>
(5) Request content.x.com/?token=***
(6)
(7)
18
Proxy Implementation (Cont.)• User comment separation using echo server
... <span data-jsid="text">user comment</span>...
http://content.x.com
Proxy content modification
... <span data-jsid="text"> <iframe scrolling="no" height="100%" sandbox src=“http://foo.com/echo.php?content=user%20coment"> </span>...
http://content.x.com
19
EVALUATION
20
Case 1: Boonana WormJava Applet worm released in October 2010
Propagation Steps:1. Visit a profile with malicious Java Applet2. Escalate privilege and inject JavaScript into page in
client-side using Java vulnerability3. Post itself on visitor's wall
Path Cutter let Java Applet only gain privilege on isolated page
21
Case 2: Renren WormFlash-based worm spread on the Renren Social Network in 2009
Propagation Steps:1. Visit a profile with malicious Flash Object2. Escalate privilege and inject JavaScript into page in
client-side using Flash vulnerability3. Replicate itself on the visitor’s wall
Path Cutter block sharing request by isolated views
22
Case 3: MySpace Samy WormFirst XSS worms in MySpace in 2005
Propagation Steps:1. Visit a profile with malicious code in a style attribute of
<div> tag2. Use XMLHttpRequest to get a secret token3. Post itself on visitor’s profile using the secret token
Path Cutter make XMLHttpRequest unaccessible by view isolation
23
Case 4: SpaceFlash WormFlash-based worm on MySpace in 2006
Propagation Steps:1. Visit a “About Me” page with malicious Flash Object2. Access user’s profile to gain privilege3. Send AJAX request to post itself on visitor’s “About Me”
page
Path Cutter block post request since referer is not “About Me” page
24
Case 5: Yamanner WormJavaScript worm spreading in Yahoo! Mail in 2006
Propagation Steps:1. Victim open a malicious email and JavaScript executed
due to a bug in Yahoo!’s script filter2. Worm open victim’s address book and send email to
those who are listed in the book
Path Cutter deny email sending request because there is no secret token in the request
25
Experimental Worms• Proof-of-Concept worm• Implementation of worm template• Apply on WordPress and Elgg
check_infected();// check if the user is infected or notxmlhttp = new XMLHttpRequest;xmlhttp.open("POST", post_url,true);xmlhttp.onreadystatechange=function() { if (xmlhttp.readyState==4) { set_infected(); }}xmlhttp.setRequestHeader("Content-type" , "application/x-www-form-urlencoded");xmlhttp.setRequestHeader("Content-length" , payload.length);xmlhttp.send(payload);
function xhr() { ... }Object.prototype.post = function(uri,arg) { /*** usage: xhr().post(’foo.php’); ***/ this.open(’POST’, uri, true); this.setRequestHeader(’Content-type’ ,’application/x-www-form-urlencoded’); ... this.send(arg);};/*** source morphing component ***/Object.prototype.morph = function(s) { ... switch(morphtype) { case "unicode": ... case "charcodes": ... }}
26
PERFORMANCE
27
Memory Overhead• <iframe> tags introduce memory overhead• < 10 frames < 10% memory overhead• ~ 45 frames ~ 30% memory overhead
28
Rendering Time Overhead• Observing onload event in Webpage• Elgg implementation: 1.14 secs 1.18 secs (3.5%)
29
DISSCUSSION
30
Limitation• Cookie and Content Stealing Attacks• Phishing and ClickJacking Attacks• Drive-by Download Worms
31
Conclusion• Implement view separation and http request
authentication to severing self-propagating XSS attack