Transcript Path Cutter: Severing the Self

1
Path Cutter: Severing the Self-Propagation
Path of XSS JavaScript Worms in Social
Web Networks
Yinzhi Cao, Vinod Yegneswaran, Phillip Porras,
and Yan Chen
Northwestern University, Evanston, IL
SRI International, Menlo Park, CA
NDSS Symposium 2012
2012/05/14 曾毓傑
2
Outline
• Introduction
• Design
• Implementation
• Evaluation
• Performance
• Discussion
3
INTRODUCTION
4
Self-Propagating XSS Attacks
<div style="background: url('java script:eval(...)')">...
(1) Access
User
(2) Gain Page DOM Access
Samy’s Page
(5) Affect Other Users
(3) Send Forge Request
MySpace
(4) Post Malicious Data onto User’s Wall
User’s Page
5
XSS Taxonomy
• Server-side XSS Attacks
• Stored XSS (Persistent)
• Reflected XSS (Non-Persistent)
• Client-side XSS Attacks
• Plug-in XSS (e.g. Flash, Java)
• Content Sniffing XSS
• DOM-based XSS
6
Path Cutter
• Path Cutter can successfully block all kinds of XSS attack
for self-propagation
• Easy implementation on both server-side and proxy
server
7
Problem Definition
Exploitation of a web application vulnerability that enables
an attacker to inject client-side scripts into web pages
owned by other users.
Four steps of Self-Propagating XSS Attack:
• Step 1 – Enticement and Exploitation
• Step 2 – Privilege Escalation
• Step 3 – Replication
• Step 4 – Propagation
8
Related Work
• Spectator System – track propagation activity
• Sun et al. – Firefox plug-in
• Xu et al. – monitor social graph
9
DESIGN
10
Main Mechanisms
• View Separation
• Request Authentication
11
Key Concepts
• Views
• A form of a web page or a part of web page
• Actions
• An operation belonging to a view
• Access Control List (ACL)
• Actions which a view can perform
• Capability
• A secret key to validate a request
12
Dividing Web Applications into Views
• Based on semantics
User A’s blog website
User B’s blog website
• Based on URLs
http://blog.com/options
http://blog.com/update
• Based on elements
Blogpost
User Comments
13
View Separation
• Isolate different pages/views from the server at the client
side
• Taking advantage of Same-Origin-Policy to prevent DOM
access and request forgery
http://isolate.blog.com/user/B
User A Login
http://isolate.blog.com/user/B
User A Login
<div>
<iframe>
User B’s Blogpost
User B’s Blogpost
http://contents.blog.com/user/B/post/1
14
Request Authentication
Authenticate actions using:
• Secret Tokens/Capability
A secret token per view which is not be able to guess, and
server-side verify this token to accept the request
• Referer-based View Validation
Check if an action is permitted from certain view in the
access control list(ACL)
User A Login
Referer: http://isolate.blog.com/user/B
<iframe>
User B’s Blogpost
POST http://isolate.blog.com/user/post
Referer: http://contents.blog.com/user/B/post/1
15
IMPLEMENTATION
16
Server-side Implementation
• WordPress
Open Source Blog System
Totally 43 lines of code modification
URLs Separation
• Elgg
Open Social Network Engine
Totally 2 lines of code modification and 23 lines of plug-in
Isolate comment add form into different view
echo "<iframe style = ’background:inherit;border:0;margin:0;padding:0’
sandbox=’allow-forms’ scrolling=’no’ height=’400pt’ width=’100%’
src=’http://other.com/echo.php?content="
.urlencode(elgg_view(’input/form’, array(’body’ => $form_body,
action’ => "{$vars[’url’]}action/comments/add")))."’/>";
17
Proxy Implementation
• Facebook
Separate user comments into views, and use different
URL to get comment contents
(1) Request content.x.com
(2) Redirect isolate.x.com
(6)
Proxy
(7)
Facebook
(3) Request isolate.x.com
(4) isolate.x.com contents
<html><body>
<iframe src="content.x.com/?token=***">
</iframe>
</body></html>
(5) Request content.x.com/?token=***
18
Proxy Implementation (Cont.)
• User comment separation using echo server
http://content.x.com
...
<span data-jsid="text">user comment</span>
...
Proxy content modification
http://content.x.com
...
<span data-jsid="text">
<iframe scrolling="no" height="100%" sandbox
src=“http://foo.com/echo.php?content=user%20coment">
</span>
...
19
EVALUATION
20
Case 1: Boonana Worm
Java Applet worm released in October 2010
Propagation Steps:
1. Visit a profile with malicious Java Applet
2. Escalate privilege and inject JavaScript into page in
client-side using Java vulnerability
3. Post itself on visitor's wall
Path Cutter let Java Applet only gain privilege on isolated
page
21
Case 2: Renren Worm
Flash-based worm spread on the Renren Social Network in
2009
Propagation Steps:
1. Visit a profile with malicious Flash Object
2. Escalate privilege and inject JavaScript into page in
client-side using Flash vulnerability
3. Replicate itself on the visitor’s wall
Path Cutter block sharing request by isolated views
22
Case 3: MySpace Samy Worm
First XSS worms in MySpace in 2005
Propagation Steps:
1. Visit a profile with malicious code in a style attribute of
<div> tag
2. Use XMLHttpRequest to get a secret token
3. Post itself on visitor’s profile using the secret token
Path Cutter make XMLHttpRequest unaccessible by view
isolation
23
Case 4: SpaceFlash Worm
Flash-based worm on MySpace in 2006
Propagation Steps:
1. Visit a “About Me” page with malicious Flash Object
2. Access user’s profile to gain privilege
3. Send AJAX request to post itself on visitor’s “About Me”
page
Path Cutter block post request since referer is not “About
Me” page
24
Case 5: Yamanner Worm
JavaScript worm spreading in Yahoo! Mail in 2006
Propagation Steps:
1. Victim open a malicious email and JavaScript executed
due to a bug in Yahoo!’s script filter
2. Worm open victim’s address book and send email to
those who are listed in the book
Path Cutter deny email sending request because there is
no secret token in the request
25
Experimental Worms
• Proof-of-Concept worm
• Implementation of worm template
• Apply on WordPress and Elgg
check_infected();
// check if the user is infected or not
xmlhttp = new XMLHttpRequest;
xmlhttp.open("POST", post_url,true);
xmlhttp.onreadystatechange=function() {
if (xmlhttp.readyState==4) {
set_infected();
}
}
xmlhttp.setRequestHeader("Content-type"
, "application/x-www-form-urlencoded");
xmlhttp.setRequestHeader("Content-length"
, payload.length);
xmlhttp.send(payload);
function xhr() { ... }
Object.prototype.post = function(uri,arg) {
/*** usage: xhr().post(’foo.php’); ***/
this.open(’POST’, uri, true);
this.setRequestHeader(’Content-type’
,’application/x-www-form-urlencoded’);
...
this.send(arg);
};
/*** source morphing component ***/
Object.prototype.morph = function(s) {
...
switch(morphtype) {
case "unicode": ...
case "charcodes": ...
}
}
26
PERFORMANCE
27
Memory Overhead
• <iframe> tags introduce memory overhead
• < 10 frames  < 10% memory overhead
• ~ 45 frames  ~ 30% memory overhead
28
Rendering Time Overhead
• Observing onload event in Webpage
• Elgg implementation: 1.14 secs  1.18 secs (3.5%)
29
DISSCUSSION
30
Limitation
• Cookie and Content Stealing Attacks
• Phishing and ClickJacking Attacks
• Drive-by Download Worms
31
Conclusion
• Implement view separation and http request
authentication to severing self-propagating XSS attack