Slide 1
Software Security
Jorina van Malsen
FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications
Slide 2
Client-Side Validation (CSV) Vulnerabilities
“A CSV vulnerability results from unsafe usage of untrusted data in the client-side code of the web application”
CSV more common than ever due to the increased complexity of JavaScript applications
Slide 3
FLAX
Tool to analyze a web application in an end-to-end manner, aimed to discover vulnerabilities in the client-side code
The framework simplifies JavaScript analysis and explicitly models reflected flows and path constraints.
Challenges:
- Complexity of JavaScript
- Parsing operations are syntactically indistinguishable from validation checks
- Difficulties with the reflected flows
Slide 4
Existing Approaches
Fuzzing / Black Box Testing
Dynamic Taint-Tracking
Symbolic Execution Techniques
FLAX is a hybrid approach named a ‘taint enhanced blackbox fuzzing approach’
Slide 5
Attacks resulting from CSV Vulnerabilities
Origin Misattribution: Arises because the application checks the domain field of the origin parameter insufficiently, though the protocol sub-field is correctly validated
Code Injection: Possible because JavaScript can dynamically evaluate both HTML and script code using various DOM methods as well as JavaScript native constructs (often referred to as DOM-based XSS)
Command Injection: Allows the attacker to perform unintended actions on behalf of the user.
Cookie-Sink Vulnerabilities: An attacker could, among others, fix the values of the session identifiers, which may result in a session fixation
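An added example, not from the slides or the FLAX paper, of the origin-misattribution pattern described above: a postMessage origin check that validates the protocol correctly but tests the domain field only by substring, beside an allowlist check that a defender would use instead. The origins, host names and the handler are constructed for this illustration.

```javascript
// Added example (not from the FLAX paper or slides): a postMessage origin
// check with the "origin misattribution" weakness the slide describes,
// next to a hardened version. Origins and names are constructed for the demo.

// Weak check: the protocol sub-field is validated exactly, but the domain
// field is only tested with a substring search. Any origin whose host name
// merely *contains* the trusted name is accepted.
function isTrustedOriginWeak(origin) {
  const url = new URL(origin);                 // throws on malformed origins
  return url.protocol === "https:" &&
         url.hostname.indexOf("trusted.example") !== -1;
}

// Hardened check: compare the whole origin string against an explicit
// allowlist. No parsing, no substring matching, no prefix or suffix tricks.
const TRUSTED_ORIGINS = new Set([
  "https://trusted.example",
  "https://app.trusted.example",
]);
function isTrustedOriginStrict(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Simulated message handler: it acts on the message only if the origin
// check it was configured with accepts event.origin.
function makeHandler(check) {
  return function onMessage(event) {
    if (!check(event.origin)) return "rejected";
    // A real handler would now consume event.data; kept opaque here.
    return "accepted";
  };
}

// Constructed sample origins, shaped like real event.origin values.
const SAMPLE_ORIGINS = [
  "https://trusted.example",                 // legitimate
  "https://app.trusted.example",             // legitimate
  "http://trusted.example",                  // wrong protocol
  "https://trusted.example.evil.test",       // host merely contains the name
  "https://nottrusted.example",              // host merely contains the name
];

// Run every sample origin through a handler built on the given check and
// return a map of origin -> "accepted" | "rejected".
function evaluate(check) {
  const handler = makeHandler(check);
  return Object.fromEntries(
    SAMPLE_ORIGINS.map(o => [o, handler({ origin: o, data: {} })]));
}
```

Comparing `evaluate(isTrustedOriginWeak)` with `evaluate(isTrustedOriginStrict)` shows the weak check accepting the two look-alike hosts while the allowlist rejects them.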
Slide 6
FLAX Technical Challenges and Design Points
Modeling path constraints: Improvement over Saner by enabling FLAX to capture the validation checks as branch conditions
Simplifying JavaScript: By the use of JASIL
Dealing with reflected flows: This is done by testing the client-side code independently of the server-side code, by generating candidate inputs that make simple assumptions about the transformations occurring in reflected flows. Subsequently, the tool verifies the assumption by running the candidate attack concretely, and reports a vulnerability if the concrete test succeeds
Slide 7
The System’s Architecture
The taint enhanced blackbox fuzzing algorithm consists of five steps at a high level:
1. Dynamic trace generation and conversion to JASIL
2. Dynamic taint analysis
3. Generate an acceptor slice
4. Sink-aware random testing
5. Verification of candidate inputs
Slide 8
Evaluation FLAX
FLAX discovered several real-world bugs (incl. several iGoogle gadgets, websites and AJAX applications, for instance). 11 of the found vulnerabilities were unknown before, so it proves that the tool is a valuable resource for security analysts and developers of rich web applications
The technique is light-weight compared to symbolic execution techniques, has no false positives and is scalable enough to use on real-world applications