
How to Train Your Browser: Preventing XSS Attacks Using Contextual Script Fingerprints

Published: 19 July 2016

Abstract

Cross-Site Scripting (XSS) is one of the most common web application vulnerabilities. It is therefore sometimes referred to as the “buffer overflow of the web.” Drawing a parallel from the current state of practice in preventing unauthorized native code execution (the typical goal in a code injection), we propose a script whitelisting approach to tame JavaScript-driven XSS attacks. Our scheme involves a transparent script interception layer placed in the browser’s JavaScript engine. This layer is designed to detect every script that reaches the browser, from every possible route, and compare it to a list of valid scripts for the site or page being accessed; scripts not on the list are prevented from executing. To avoid the false positives caused by minor syntactic changes (e.g., due to dynamic code generation), our layer uses the concept of contextual fingerprints when comparing scripts.

Contextual fingerprints are identifiers that represent specific elements of a script and its execution context. Fingerprints can be easily enriched with new elements, if needed, to enhance the proposed method’s robustness. The list can be populated by the website’s administrators or a trusted third party. To verify our approach, we have developed a prototype and tested it successfully against an extensive array of attacks that were performed on more than 50 real-world vulnerable web applications. We measured the browsing performance overhead of the proposed solution on eight websites that make heavy use of JavaScript. Our mechanism imposed an average overhead of 11.1% on the execution time of the JavaScript engine. When measured as part of a full browsing session, and for all tested websites, the overhead introduced by our layer was less than 0.05%. When script elements are altered or new scripts are added on the server side, a new fingerprint generation phase is required. To examine the temporal aspect of contextual fingerprints, we performed a short-term and a long-term experiment based on the same websites. The former showed that in a short period of time (10 days), for seven of eight websites, the majority of valid fingerprints stay the same (more than 92% on average). The latter, though, indicated that, in the long run, the number of fingerprints that do not change is reduced. Both experiments can be seen as one of the first attempts to study the feasibility of a whitelisting approach for the web.


Published in

ACM Transactions on Privacy and Security, Volume 19, Issue 1
August 2016
87 pages
ISSN: 2471-2566
EISSN: 2471-2574
DOI: 10.1145/2957761

Copyright © 2016 ACM

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

• Published: 19 July 2016
• Revised: 1 May 2016
• Accepted: 1 May 2016
• Received: 1 September 2015