ABSTRACT
Scripting vulnerabilities, such as cross-site scripting (XSS), plague web applications today. Most research on defense techniques has focused on securing existing legacy applications written in general-purpose languages, such as Java and PHP. However, recent and emerging applications have widely adopted web templating frameworks that have received little attention in research. Web templating frameworks offer an ideal opportunity to ensure safety against scripting attacks by secure construction, but most of today's frameworks fall short of achieving this goal.
We propose a novel and principled type-qualifier based mechanism that can be bolted onto existing web templating frameworks. Our solution permits rich expressiveness in the templating language while achieving backwards compatibility, performance and formal security through a context-sensitive auto-sanitization (CSAS) engine. To demonstrate its practicality, we implement our mechanism in Google Closure Templates, a commercially used open-source templating framework that is used in GMail, Google Docs and other applications. Our approach is fast, precise and retrofits to existing commercially deployed template code without requiring any changes or annotations.
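The following is an added illustration of the idea in the abstract, not code from the paper or from Google Closure Templates: a miniature template renderer that tracks the HTML parsing context at every `{$var}` substitution point, picks the sanitizer for that context, and lets a value carrying a matching type qualifier (`SanitizedContent`) pass through unescaped. The context tracker, the `Context` names, the `escapers` table and the URL allow-list are all simplifying assumptions of this example (double-quoted attributes and single-quoted JS strings only); a substitution in a context the engine has no sanitizer for is rejected rather than guessed at.

```javascript
// Added example of context-sensitive auto-sanitization with type qualifiers.
// Not the paper's or Closure Templates' code; names and contexts are assumptions.

const Context = Object.freeze({
  HTML_PCDATA: 'HTML_PCDATA', // text between tags
  HTML_ATTR: 'HTML_ATTR',     // inside a double-quoted attribute value
  URL: 'URL',                 // inside a double-quoted href/src/action value
  JS_STRING: 'JS_STRING',     // inside a single-quoted string in a <script> block
});

// Type qualifier: the value is already safe for exactly one context.
class SanitizedContent {
  constructor(kind, content) { this.kind = kind; this.content = String(content); }
}
function sanitizedHtml(s) { return new SanitizedContent(Context.HTML_PCDATA, s); }

// One sanitizer per context, applied to every unqualified (untrusted) value.
const escapers = {
  [Context.HTML_PCDATA]: (s) => String(s).replace(/[&<>"']/g,
    (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c])),
  [Context.HTML_ATTR]: (s) => escapers[Context.HTML_PCDATA](s),
  [Context.URL]: (s) => {
    // Only http(s), root-relative or fragment URLs survive; other schemes become "#".
    const v = String(s).trim();
    if (!/^(https?:\/\/|\/|#)/i.test(v)) return '#';
    return escapers[Context.HTML_ATTR](encodeURI(v));
  },
  [Context.JS_STRING]: (s) => JSON.stringify(String(s)).slice(1, -1)
    .replace(/</g, '\\x3c').replace(/>/g, '\\x3e').replace(/'/g, '\\x27'),
};

// Advance the parse state over a literal (template-author-written) chunk.
function advance(st, text) {
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    switch (st.mode) {
      case 'pcdata':
        if (ch === '<') {
          st.mode = 'tag';
          st.tagName = /^<script\b/i.test(text.slice(i)) ? 'script' : '';
          st.word = ''; st.pending = '';
        }
        break;
      case 'tag':
        if (ch === '>') st.mode = st.tagName === 'script' ? 'script' : 'pcdata';
        else if (ch === '=') { st.pending = st.word; st.word = ''; }
        else if (ch === '"') { st.mode = 'attr'; st.attrName = st.pending.toLowerCase(); st.pending = ''; }
        else if (/[a-zA-Z-]/.test(ch)) st.word += ch;
        else st.word = '';
        break;
      case 'attr':
        if (ch === '"') st.mode = 'tag';
        break;
      case 'script':
        if (ch === "'") st.mode = 'jsstr';
        else if (ch === '<' && /^<\/script\b/i.test(text.slice(i))) { st.mode = 'tag'; st.tagName = ''; }
        break;
      case 'jsstr':
        if (ch === '\\') i++;          // skip the escaped character
        else if (ch === "'") st.mode = 'script';
        break;
    }
  }
}

// Map the parse state at a substitution point to a sanitization context.
function contextOf(st) {
  switch (st.mode) {
    case 'pcdata': return Context.HTML_PCDATA;
    case 'attr': return ['href', 'src', 'action'].includes(st.attrName) ? Context.URL : Context.HTML_ATTR;
    case 'jsstr': return Context.JS_STRING;
    default: throw new Error(`no sanitizer for a substitution in "${st.mode}" context`);
  }
}

function substitute(st, value, name) {
  if (value === undefined) throw new Error(`missing template variable ${name}`);
  const ctx = contextOf(st);
  if (value instanceof SanitizedContent) {
    if (value.kind === ctx) return value.content; // qualifier matches: no escaping
    return escapers[ctx](value.content);          // mismatch: treat as untrusted text
  }
  return escapers[ctx](value);
}

// Render a template whose substitutions look like {$name}.
function render(template, data) {
  const st = { mode: 'pcdata', tagName: '', attrName: '', word: '', pending: '' };
  const re = /\{\$([a-zA-Z_]\w*)\}/g;
  let out = '', last = 0, m;
  while ((m = re.exec(template)) !== null) {
    const literal = template.slice(last, m.index);
    advance(st, literal);
    out += literal + substitute(st, data[m[1]], m[1]);
    last = re.lastIndex;
  }
  return out + template.slice(last);
}
```

Calling `render('<a href="{$url}">{$label}</a>', { url, label })` escapes `label` for HTML text and forces `url` through the URL sanitizer, so the same variable name is treated differently depending on where the template author placed it; the template needs no annotations, which is the backwards-compatibility property the abstract claims for the real engine.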
Index Terms
- Context-sensitive auto-sanitization in web templating languages using type qualifiers