Code Injection Vulnerabilities in Web Applications [Elektronische Ressource] : Exemplified at Cross-site Scripting / Martin Johns. Betreuer: Joachim Posegga

universitat_passau

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

252 pages

English

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

A propos
Informations
Extrait

Description

Sujets

Informatik

Informations

Publié par	universitat_passau
Publié le	01 janvier 2011
Nombre de lectures	46
Langue	English
Poids de l'ouvrage	6 Mo

Extrait

Dissertation
zur Erlangung des akademischen Grades eines
Doktors der Naturwissenschaften
Code Injection Vulnerabilities in Web
Applications - Exempliﬁed at Cross-site
Scripting
Martin Johns
Eingereicht an der Fakult¨at fur¨ Informatik und Mathematik der Universit¨at Passau
Gutachter: Prof. Dr. Joachim Posegga
Prof. Dr. Dieter Gollmann
Submitted April 14th 2009, defended July 22nd 20092Abstract
The majority of all security problems in today’s Web applications is caused by string-
based code injection, with Cross-site Scripting (XSS) being the dominant representative
of this vulnerability class. This thesis discusses XSS and suggests defense mechanisms.
We do so in three stages:
First, we conduct a thorough analysis of JavaScript’s capabilities and explain how
these capabilities are utilized in XSS attacks. We subsequently design a systematic,
hierarchical classiﬁcation of XSS payloads. In addition, we present a comprehensive sur-
vey of publicly documented XSS payloads which is structured according to our proposed
classiﬁcation scheme.
Secondly, we explore defensive mechanisms which dynamically prevent the execution
of some payload types without eliminating the actual vulnerability. More speciﬁcally,
we discuss the design and implementation of countermeasures against the XSS payloads
“Session Hijacking”, “Cross-site Request Forgery”, and attacks that target intranet re-
sources. We build upon this and introduce a general methodology for developing such
countermeasures: We determine a necessary set of basic capabilities an adversary needs
for successfully executing an attack through an analysis of the targeted payload type.
The resulting countermeasure relies on revoking one of these capabilities, which in turn
renders the payload infeasible.
Finally, we present two language-based approaches that prevent XSS and related vul-
nerabilities: We identify the implicit mixing of data and code during string-based syn-
tax assembly as the root cause of string-based code injection attacks. Consequently,
we explore data/code separation in web applications. For this purpose, we propose a
novel methodology for token-level data/code partitioning of a computer language’s syn-
tactical elements. This forms the basis for our two distinct techniques: For one, we
present an approach to detect data/code confusion on run-time and demonstrate how
this can be used for attack prevention. Furthermore, we show how vulnerabilities can
be avoided through altering the underlying programming language. We introduce a
dedicated datatype for syntax assembly instead of using string datatypes themselves for
this purpose. We develop a formal, type-theoretical model of the proposed datatype
and proof that it provides reliable separation between data and code hence, preventing
codeinjectionvulnerabilities. Weverifyourapproach’sapplicabilityutilizingapractical
implementation for the J2EE application server.
34Acknowledgments
This thesis would not exist without the help, advice, inspiration, dialogue, and encour-
agement of many, many people. I would like to thank (in no particular order): Joachim
Posegga, Dieter Gollmann, Daniel Schreckling, Jan Meier, Jan Seedorf, Christopher
Alm, Henrich C. P¨ohls, Bastian Braun, Hannah Lee, Rosemaria Giesecke, Tom Schroer,
ThiloZieschang, StefanFu¨nfrocken, BorisHemkemeier, KaiBuchholz-Stepputiz, Sashar
Paulus, Moritz Jodeit, Justus Winter, Christian Beyerlein, Bj¨orn Engelmann, Jeremias
Reith, Christian Weitendorf, Roland Illig, Mieke Hildenbrandt, Christopher Schward,
Daniel Kreischer, the CInsects & SecToolers, Siglinde B¨ock, Erika Langer, Marita Ward,
Melanie Volkamer, Michael Schrank, Andreas Gu¨nther, Ingo Desombre, Tim Scharfen-
berg, Andre Lu¨rssen, Andrei Sabelfeld, Frank Piessens, Yves Younan, Ulfar Erlingsson,
HelenWang,ErikMeijer,fukami,AlexKouzemtchenko,DragosRuiu,WolfgangKoeppl,
Martin Wimmer, Hoko Onshi,
and last but not least: Team Johns (you rock!).
56Contents
Introduction 12
Motivation ...................................... 13
Thesis overview.................................... 15
Thesis outline and contributions .................. 16
I. Cross-Site Scripting Attacks 21
1. Technical Background 23
1.1. The web application paradigm ........................ 23
1.1.1. The web browser ................ 24
1.1.2. Uniform Resource Locators ...................... 25
1.2. Web application session management and authentication tracking..... 26
1.2.1. Browser-level authentication tracking ................ 29
1.2.2. Application-level authentication tracking .............. 30
1.3. JavaScript................................ 31
1.3.1. The Same Origin Policy (SOP) ................ 31
1.3.2. JavaScript networking capabilities .................. 33
1.3.3. Encapsulation and information hiding ................ 34
2. Cross-Site Scripting (XSS) 35
2.1. Types of XSS .................................. 37
2.1.1. XSS caused by insecure programming ............ 37
2.1.2. XSS caused by insecure infrastructure ....... 39
2.2. Selected XSS techniques ........................ 40
2.3. XSS outside the browser....... 43
2.4. Avoiding XSS.................................. 43
3. Exploiting XSS Issues 45
3.1. Browser-based attacks using JavaScript ................... 45
3.1.1. JavaScript Driven Attacks (JSDAs) ................. 45
3.1.2. Defensive browsing....................... 46
3.2. XSS Payloads.................................. 46
3.2.1. Executing JSDAs in trusted contexts through XSS ..... 46
3.2.2. A malware analogy........................... 47
3.3. Frequently used attacks techniques .............. 48
3.3.1. A loophole in the Same Origin Policy ................ 48
7Contents
3.3.2. Creating state-changing HTTP requests ............... 48
3.3.3. The basic reconnaissance attack (BRA) ... 49
3.3.4. DNS rebinding ............................. 50
3.4. Systematic overview of JSDAs / XSS Payloads ....... 51
3.4.1. Execution-contexts........................... 52
3.4.2. Attack-targets ............................. 52
3.4.3. Attack-types and -capabilities................. 53
3.4.4. Systematic classiﬁcation of XSS Payloads .............. 54
3.5. Thesis scope: Countering XSS Payloads ............... 61
4. XSS Payloads: Application Context 63
4.1. Session hijacking ................................ 63
4.1.1. Session ID theft..................... 64
4.1.2. Browser hijacking............... 64
4.1.3. Background XSS propagation................. 65
4.2. Password theft .................... 66
4.2.1. Manipulating the application’s authentication dialogue... 67
4.2.2. Abusing the browser’s password manager .............. 68
4.2.3. Spooﬁng of authentication forms ............... 68
5. XSS Payloads: Browser and Computer Context 71
5.1. Cross-Site Request Forgery .......................... 71
5.1.1. Attack speciﬁcation ..... 71
5.1.2. Attack surface ............................. 72
5.1.3. Notable real-world CSRF exploits .................. 73
5.2. Fingerprinting and privacy attacks .................. 74
5.2.1. Privacy attacks based on cascading style sheets ........... 75
5.2.2. Privacy attacks through timing attacks ....... 76
5.2.3. BRA-based privacy attacks ...................... 78
6. XSS Payloads: Intranet and Internet Context 81
6.1. Intranet reconnaissance and exploitation................... 81
6.1.1. Using a webpage to execute code within the ﬁrewall perimeter .. 81
6.1.2. Intranet reconnaissance attacks.................... 82
6.1.3. Local CSRF attacks on intranet servers ....... 86
6.1.4. Cross protocol communication .................... 87
6.2. DNS rebinding attacks on intranet hosts...... 87
6.2.1. Leaking intranet content........................ 87
6.2.2. Breaking the browser’s DNS pinning ................. 88
6.2.3. Further DNS rebinding attacks ................ 90
6.3. Selected XSS Payloads in the internet context................ 92
6.3.1. Scanning internet web applications for vulnerabilities........ 92
6.3.2. Assisting worm propagation.................. 93
6.3.3. Committing click-fraud through DNS rebinding........... 93
8Contents
II. Mitigating Cross-Site Scripting Attacks 95
7. Protection Against Session Hijacking 99
7.1. Concept overview and methodology...................... 99
7.2. Practical session hijacking countermeasures .............100
7.2.1. Session ID protection through deferred loading ...........100
7.2.2. One-time URLs.........................103
7.2.3. Subdomain switching .....................106
7.3. Discussion....................................107
7.3.1. Combination of the methods .....................107
7.3.2. Limitations ...........................108
7.3.3. Transparent implementation......................108
7.3.4. Client-side protection .................109
7.4. Conclusion ...................................110
8. Protection Against Cross-Site Request Forgery 113
8.1. Motivation ...................................113
8.2. Current defence.................................113
8.2.1. Flawed protection approaches due to existing misconceptions ...113
8.2.2. Manual protection ...........................115
8.3. Concept overview and methodology..............116
8.4. Implementation.................................118