© 2011 IBM Corporation

Hybrid Analysis for JavaScript Security Assessment

Omer Tripp, Omri Weisman, Salvatore Guarnieri

IBM Software Group

Sep 2011

Page 2: Why JavaScript Analysis?

[Chart: Client-side Logic in Web Applications. 5 Years Ago: 5%; Today: 25% (y-axis 0% to 30%). According to an IBM study performed in 2010.]

Page 3: Why JavaScript Analysis? (cont.)

15% of Fortune 500 websites have exploitable security issues in JavaScript (according to an IBM study performed in 2010).

DOM-based XSS:

    document.write(document.URL.substring(pos, document.URL.length));

Open Redirect:

    var pos = document.location.href.indexOf("name=");
    var val = document.location.href.substring(pos);
    document.location.href = "http://" + val;

Page 4: Complexities of JavaScript

• Reflective property access
• Prototype chain property lookup
• Lexical scoping
• Function pointers
• Arguments array
• eval and its relatives

    // Reflective property access: the property name is computed at run time.
    var a = "foo" + "bar";
    var b = obj[a];

    // Prototype chain property lookup: g.bar is found on the F instance that G inherits from.
    function F() { this.bar = document.URL; }
    function G() {}
    G.prototype = new F();
    var g = new G();
    write(g.bar);

    // Lexical scoping: the inner function captures y from its enclosing scope.
    function foo() {
      var y = 42;
      var bar = function() { write(y); };
    }

    // Function pointers: the callee is a value passed at run time.
    var m = function() ...
    var k = function(f) { f(); };
    k(m);

    // Arguments array: the evaluated code arrives as a call argument.
    function sum() {
      if (arguments.length > 3) { eval(arguments[1]); }
    }
    sum(1, "...", 3)

    // eval and its relatives: code is constructed as a string.
    eval("document.write('evil')");

Page 5: © 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment Omer Tripp Omri Weisman Salvatore Guarnieri IBM Software Group Sep 2011

Analysis Examplefunction foo(p1, p2) { p1.f = p2.f;}

var a = new Object();var b = new Object();b.f = window.location.toString();

var c = new Object();var d = new Object();d.f = "safe";

foo(a, b);foo(c, d);

document.write(a.f); // This is a taint violationdocument.write(c.f); // This is NOT a taint violation

Since d.f is not tainted, c.f will not be tainted

Install taint summary for foo: p2.f -> p1.f

5

Taint variable: (v2, foo, <f, *>)
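The summary step the slide describes, as an added example (not the authors' analysis): abstract objects carry a set of taint labels per field, the summary p2.f -> p1.f for foo is applied at each call site instead of re-analysing the body, and the two document.write sinks are checked. All function names below are assumptions made for this example.

```javascript
// Added illustration of the slide's taint-summary step; not the authors' tool.
// An abstract object maps each field name to the set of taint labels flowing into it.
function newObj() { return new Map(); }
function taintOf(obj, field) { return obj.get(field) || new Set(); }
function setTaint(obj, field, labels) { obj.set(field, new Set(labels)); }

// Summary for foo(p1, p2) { p1.f = p2.f; }: a single flow, p2.f -> p1.f.
// Each flow is written as [fromParam, fromField] -> [toParam, toField].
const fooSummary = [{ from: [1, 'f'], to: [0, 'f'] }];

// Apply a summary at a call site; labels are merged, never overwritten.
function applySummary(summary, args) {
  for (const { from: [fi, ff], to: [ti, tf] } of summary) {
    const merged = new Set([...taintOf(args[ti], tf), ...taintOf(args[fi], ff)]);
    setTaint(args[ti], tf, merged);
  }
}

// Sink report: a violation iff at least one label reaches the value written.
function checkSink(sink, obj, field) {
  const labels = [...taintOf(obj, field)];
  return { sink, violation: labels.length > 0, labels };
}

// The slide's program: b.f comes from window.location (a source), d.f is a constant.
function analyzeSlideExample() {
  const a = newObj(), b = newObj(), c = newObj(), d = newObj();
  setTaint(b, 'f', ['window.location']);
  setTaint(d, 'f', []);
  applySummary(fooSummary, [a, b]);   // foo(a, b): a.f now carries the label
  applySummary(fooSummary, [c, d]);   // foo(c, d): d.f is clean, so c.f stays clean
  return [
    checkSink('document.write(a.f)', a, 'f'),
    checkSink('document.write(c.f)', c, 'f'),
  ];
}
```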

Page 6: Why Hybrid Analysis?

Static analysis
  + Performance
  + Soundness
  + Coverage
  - Frameworks
  - Dynamic loading

Dynamic analysis
  + Dynamic behavior
  - Coverage

Hybrid analysis
  + Performance
  + Soundness
  + Coverage
  + Dynamic behavior

Page 7: Static Analysis

Typically applied to server-side JavaScript content

Misses dynamically generated JavaScript!

    <script type="text/javascript">
    document.write('<scr'+'ipt ');
    document.write('src="http://affinity-numerology.com/cgibin/EmailThisLink.cgi?g'+Email_This_Link+'"');
    document.write(' type="text/javascript">');
    document.write('</scr'+'ipt>');
    </script>

Page 8: Traditional Black-box Testing

Sends test payload in HTTP request

Checks response for reflected payload

Does not work for DOM-based XSS!

[Diagram: the attacker gives the victim a link embedded with an evil script; the victim opens it against the web application; the attacker's evil script is executed using the victim's credentials. The evil script is not sent to the server.]

Page 9: Sandboxed JavaScript Execution

[Diagram: the black-box scanner requests http://mysite/search.aspx?search=<script>alert('hacked')</script> and executes the returned page's JavaScript in a sandbox.]

Page 10: Dynamic Taint Analysis

[Diagram: Source document.URL -> execution flow -> Sink document.write()]
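What the source-to-sink tracking on this slide looks like in practice, as an added example (not the authors' scanner): a mock document whose URL carries a taint label, string operations that propagate the label, and a write() sink that records any labelled value it receives. The class and function names are assumptions made for this example.

```javascript
// Added illustration of dynamic taint tracking for document.URL -> document.write();
// constructed for this example, not the authors' scanner.
class TaintedString {
  constructor(value, tainted) { this.value = value; this.tainted = tainted; }
  get length() { return this.value.length; }
  indexOf(s) { return this.value.indexOf(s); }
  // Derived strings inherit the label. A plain `+` would call toString() and drop it,
  // which is why real trackers instrument the engine's string implementation instead.
  substring(start, end) { return new TaintedString(this.value.substring(start, end), this.tainted); }
  concat(other) {
    const o = other instanceof TaintedString ? other : new TaintedString(String(other), false);
    return new TaintedString(this.value + o.value, this.tainted || o.tainted);
  }
  toString() { return this.value; }
}

// Mock DOM: document.URL is the source; document.write() is the monitored sink.
function makeDocument(url) {
  const findings = [];
  return {
    URL: new TaintedString(url, true),
    write(arg) {
      if (arg instanceof TaintedString && arg.tainted) {
        findings.push({ sink: 'document.write', value: arg.value });
      }
    },
    findings,
  };
}

// Execute a page script against the mock document for one URL; return the reports.
function runScript(script, url) {
  const document = makeDocument(url);
  script(document);
  return document.findings;
}

// The slide-3 pattern: whatever follows "name=" in the URL is written into the page.
const vulnerablePage = (document) => {
  const pos = document.URL.indexOf('name=');
  if (pos > -1) document.write(document.URL.substring(pos + 'name='.length, document.URL.length));
};
// A page that writes only a constant never reaches the sink with a labelled value.
const safePage = (document) => document.write(new TaintedString('static text', false));
```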

Page 11: Our Hybrid Architecture

[Diagram of the pipeline:]
  Black-box Scanner: provides HTML/JavaScript, concrete URLs, …
  DOM modeling: reduce scope
  Taint analysis: find issues
  String analysis: eliminate false positives
  Output: issues

Page 12: Hybrid Elimination of False Reports

Specialized string analysis using dynamic pieces of information (e.g., concrete URL)

Part controlled by attacker is unknown, but known prefix modeled precisely

URL as Source:

    http://www.mysite.com/folder/page?a=1&b=2#anchor
    NOT CONTROLLED BY ATTACKER: http://www.mysite.com/folder/page
    CONTROLLED BY ATTACKER:     ?a=1&b=2#anchor

    var str = document.URL;
    var url_check = str.indexOf('login.html');
    if (url_check > -1) {
      result = str.substring(0, url_check);
      // search_term is declared outside this excerpt; it is the searched-for string ('login.html').
      result = result + 'login.jsp' + str.substring((url_check + search_term.length), str.length);
      document.URL = result;
    }

Concrete URL observed by the scanner: "https://some-site/release/jsp/sso/login.html?..."

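An added illustration (not the authors' string analysis, whose abstract domain the slide does not spell out) of the prefix model: the crawled URL supplies a concrete, trusted scheme/host/path, the query and fragment form an unknown tail, and a redirect report is kept only if the unknown tail can reach the scheme/host. It runs the login.html rewrite above and the open-redirect snippet from page 3 through this model; all names are assumptions made for the example.

```javascript
// Added illustration of the slide's prefix model; not the authors' analysis.
// An abstract string is a concrete trusted prefix plus an optional unknown (attacker) tail.
class AbsString {
  constructor(prefix, unknownTail) { this.prefix = prefix; this.unknownTail = unknownTail; }
  // Concrete index only when the needle lies in the trusted prefix; otherwise unknown.
  indexOf(needle) { const i = this.prefix.indexOf(needle); return i >= 0 ? i : undefined; }
  // Concrete while the slice stays inside the prefix; beyond it the result has an unknown tail.
  substring(start, end) {
    if (start === undefined) return new AbsString('', true);
    if (end !== undefined && end <= this.prefix.length) return new AbsString(this.prefix.substring(start, end), false);
    return new AbsString(this.prefix.substring(start), this.unknownTail);
  }
  concat(other) {
    if (this.unknownTail) return this;                 // nothing past an unknown tail is known
    return new AbsString(this.prefix + other.prefix, other.unknownTail);
  }
}
const lit = (s) => new AbsString(s, false);

// Split the crawled concrete URL: everything from '?' or '#' on is attacker-controlled.
function urlSource(concreteUrl) {
  const cut = concreteUrl.search(/[?#]/);
  return new AbsString(cut < 0 ? concreteUrl : concreteUrl.slice(0, cut), cut >= 0);
}

// Redirect sink: the report is real only if the scheme/host is not already fixed by the prefix.
function redirectSinkIsReal(v) { return !/^[a-z]+:\/\/[^/?#]+(\/|$)/i.test(v.prefix); }

// Slide-12 snippet on the concrete URL: 'login.html' is in the trusted path, so the
// rewritten URL keeps the crawled origin and the report is eliminated (returns false).
function slide12Report(concreteUrl) {
  const str = urlSource(concreteUrl);
  const urlCheck = str.indexOf('login.html');
  if (urlCheck === undefined) return false;             // simplification: a full analysis would also explore the unknown case
  let result = str.substring(0, urlCheck);
  result = result.concat(lit('login.jsp')).concat(str.substring(urlCheck + 'login.html'.length, undefined));
  return redirectSinkIsReal(result);
}

// Page-3 open-redirect snippet: 'name=' is only in the query, so val is unknown and
// "http://" + val leaves the host to the attacker; the report stands (returns true).
function slide3Report(concreteUrl) {
  const href = urlSource(concreteUrl);
  const val = href.substring(href.indexOf('name='), undefined);
  return redirectSinkIsReal(lit('http://').concat(val));
}
```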
Page 13: String Analysis: Example

[Figure: string-analysis example; only the labels "String variable" and "Integer variable" survive from the figure.]

Page 14: Hybrid DOM Modeling

The HTML DOM is an important channel of data propagation, but often too big (> 10^5 lines of text) for the analysis to model!

In the hybrid setting
– the analysis operates on a fully resolved DOM
– the analysis can thus "reduce" the DOM

[Figure: the DOM before and after DOM reduction]

Page 15: Implementation & Evaluation

Algorithm featured in IBM Rational AppScan Standard Edition, a black-box security-scanning product

Experimental hypotheses:
– (1st experiment) The DOM-modeling and string-analysis specialization features have significant impact on the quality of the static security scanner
– (2nd experiment) The hybrid solution is significantly better than the baseline security scanner, which performs sandboxed JavaScript execution

Page 16: 1st Experiment: Results

200-500 pages from each site

4 configurations: with/without DOM modeling, string analysis

Results:
– Without DOM modeling: too many crashes!
– String analysis highly effective

Total number of JavaScript security vulnerabilities detected for 675 websites:

                                          True Positives   False Positives
    Before String Analysis elimination          2639             4448
    After String Analysis elimination           2639              301

Page 17: 2nd Experiment: Results

Client-side vulnerabilities found by black-box scanner with and without hybrid capabilities:

    Number of websites tested                                                       60
    Websites found to be vulnerable by baseline scanner (w/o hybrid capabilities)   8 (0 false positives)
    Websites found to be vulnerable by scanner with hybrid capabilities             33 (4 false positives)

Sites selected at random (out of 675 sites used for 1st experiment)

False reports due to infeasible/rare path conditions

Page 18: Summary

Hybrid JavaScript security analysis is a powerful approach
– Allows new and exciting specialization techniques
– Transcends inherent weaknesses of static and dynamic analyses

Thousands of real vulnerabilities discovered using our tool when applied to highly popular sites (Fortune 500, top 100 sites list, etc.)
– Very low rate of false reports (thanks to string analysis)
– Scales to real-world JavaScript and HTML (thanks to DOM modeling)

Page 19: Thank you