A graduate seminar: current topics in computer security
 

Comp527 Final Project Weekly Report Oct 26 2013

Detection & Sanitization of XSS

Jun Zheng (jz33) Chao Zhang (cz15)

Rice University

Overview

So far, our group has focused on understanding what exactly XSS is, why XSS defense is so significant and, most importantly, what challenges XSS sanitization faces in real-world industry.

The problem comes from XSS attacks

XSS enables attackers to inject client-side script into Web pages viewed by other users. Attackers may use XSS to bypass access controls such as the same-origin policy.

A canonical example, from A Systematic Analysis of XSS Sanitization in Web Application Frameworks [1]: consider a blogging Web application that emits untrusted content on a Web page. If the developer is not careful, an attacker can submit text containing a <script> tag, which may appear verbatim in the server's output HTML page. As a result, when a user visits the blog page, the user's Web browser executes the attacker's text as script code.

XSS defense

XSS sanitization's responsibility is to remove dangerous content from untrusted data.

Challenges of XSS sanitization[1]

1. Context Sensitivity

Sanitization for XSS defense needs to know where in the Web application's output the untrusted content appears, because the right encoding depends on that context.

2. Nested Contexts

This situation occurs when a string in a Web application's output is parsed by multiple sub-parsers in the browser; such a string sits in nested contexts.

3. Browser Transductions

Browsers can hand data from one sub-parser to another, and this transduction can undo sanitization applied on the server.

4. Dynamic Code Evaluation

The chain of edges traversed by the browser while parsing a text can be very long because the browser can dynamically evaluate code, so untrusted content can keep looping through HTML and JavaScript contexts; the contexts the untrusted content will reach therefore cannot be determined statically.

5. Character-set Issues

Successfully sanitizing a string requires that the sanitizer and the browser agree on the character set.

6. Other challenges, such as MIME-based XSS, Universal XSS and Mashup Confinement

These go beyond sanitization defenses in Web frameworks, so we do not consider them in the final project.
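The following is an added example, not code from the report or from the cited paper, that makes the blog example above and challenges 1 to 3 concrete. It is a minimal context-aware encoder in Node.js: the same untrusted value is emitted in HTML text context (the blog comment), and in a nested context (a JavaScript string literal inside an onclick attribute), and a small decoder simulates the browser's attribute transduction so we can see what the JavaScript sub-parser actually receives. All function names, the comment text and the name "O'Brien" are constructed for the example.

```javascript
// Added example (not from the report or the cited paper): a minimal
// context-aware sanitizer plus a simulation of the browser's attribute
// transduction. All function names are hypothetical.

// Characters significant to the HTML tokenizer in text and in
// double-quoted attribute values.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Context 1: HTML text and double-quoted attribute values.
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => HTML_ENTITIES[c]);
}

// Context 2: inside a quoted JavaScript string literal. Every non-alphanumeric
// character becomes a \xHH or \uHHHH escape, so neither the JS lexer nor the
// HTML tokenizer (which would otherwise still see '<') can be confused.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).toUpperCase().padStart(2, '0')
      : '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
  });
}

// The blog example: untrusted comment text emitted into the page body.
// Unsanitized, a <script> tag becomes script; HTML-encoded, it stays text.
function renderCommentUnsafe(comment) {
  return '<p>' + comment + '</p>';             // vulnerable: verbatim in output HTML
}
function renderCommentSafe(comment) {
  return '<p>' + encodeHtml(comment) + '</p>'; // hardened for the HTML text context
}

// Nested context: the value sits in a JS string literal inside an HTML
// attribute. Encode for the inner (JS) context first, then the outer (HTML).
function renderGreetingHtmlEscapedOnly(name) {
  return '<a onclick="greet(\'' + encodeHtml(name) + '\')">hi</a>';                   // wrong
}
function renderGreetingNested(name) {
  return '<a onclick="greet(\'' + encodeHtml(encodeJsString(name)) + '\')">hi</a>';   // right
}

// Browser transduction: before the JS parser runs an event handler, the HTML
// parser decodes character references in the attribute value. This decoder
// covers the references encodeHtml can emit.
function decodeAttributeValue(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|amp|lt|gt|quot);/gi, (_, body) => {
    if (body[0] === '#') {
      const code = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return String.fromCodePoint(code);
    }
    return { amp: '&', lt: '<', gt: '>', quot: '"' }[body.toLowerCase()];
  });
}

// What the JS sub-parser actually receives for the onclick handler.
function handlerSeenByJsParser(html) {
  const m = html.match(/onclick="([^"]*)"/);
  return m ? decodeAttributeValue(m[1]) : null;
}

// Constructed untrusted inputs.
const COMMENT = 'Great post! <script>x()</script>';
const NAME = "O'Brien";

console.log(renderCommentUnsafe(COMMENT));  // <script> reaches the browser verbatim
console.log(renderCommentSafe(COMMENT));    // &lt;script&gt; ... stays text
// HTML-encoding alone: the attribute parser turns &#x27; back into a quote,
// so the JS parser sees greet('O'Brien') and the string literal ends early.
console.log(handlerSeenByJsParser(renderGreetingHtmlEscapedOnly(NAME)));
// Nested encoding: the JS parser sees greet('O\x27Brien'), a single intact literal.
console.log(handlerSeenByJsParser(renderGreetingNested(NAME)));
```

The point of the last two lines is challenge 3: the server did encode the apostrophe, but the browser's attribute decoding undoes that work before the JavaScript sub-parser runs, so a sanitizer that only knows the HTML text context cannot protect a value that is handed on to a second parser. Encoding for the innermost context first, and then for each enclosing context, survives the transduction because the inner escape (`\x27`) contains no characters the outer parser touches.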

References:

[1] Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, and Dawn Song. A Systematic Analysis of XSS Sanitization in Web Application Frameworks.
