Research article. DOI: 10.1145/2046707.2046775

Context-sensitive auto-sanitization in web templating languages using type qualifiers

Published: 17 October 2011

Abstract

Scripting vulnerabilities, such as cross-site scripting (XSS), plague web applications today. Most research on defense techniques has focused on securing existing legacy applications written in general-purpose languages, such as Java and PHP. However, recent and emerging applications have widely adopted web templating frameworks that have received little attention in research. Web templating frameworks offer an ideal opportunity to ensure safety against scripting attacks by secure construction, but most of today's frameworks fall short of achieving this goal.
We propose a novel and principled type-qualifier-based mechanism that can be bolted onto existing web templating frameworks. Our solution permits rich expressiveness in the templating language while achieving backwards compatibility, performance and formal security through a context-sensitive auto-sanitization (CSAS) engine. To demonstrate its practicality, we implement our mechanism in Google Closure Templates, a commercially used open-source templating framework that is used in GMail, Google Docs and other applications. Our approach is fast, precise and retrofits to existing commercially deployed template code without requiring any changes or annotations.
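The CSAS idea sketched in the abstract, as an added example that is not the paper's or Closure Templates' code: a toy renderer infers the HTML context of each `{$name}` hole (text, quoted attribute, URL attribute, JS string inside `<script>`), applies the sanitizer for that context, and passes a value through untouched only when its type qualifier (`Sanitized`) already names that exact context. The `{$name}` syntax, the `Sanitized` class, the `#unsafe` replacement and inferring contexts from rendered output rather than statically are assumptions of this example.

```python
import html
import json
import re

class Sanitized(str):
    """Type qualifier: a string already safe for the named context."""
    def __new__(cls, text, context):
        obj = super().__new__(cls, text)
        obj.context = context
        return obj

def esc_html(v):       # HTML text and double-quoted attribute values
    return html.escape(str(v), quote=True)
def esc_js_string(v):  # body of a JS string literal inside <script>
    return json.dumps(str(v))[1:-1].replace("'", "\\'").replace("</", "<\\/")
def esc_url(v):        # href/src/action: refuse unsafe schemes, then attribute-escape
    s = str(v).strip()
    ok = re.match(r"^(https?:|mailto:|[/.#?]|[^:]*$)", s, re.I)
    return esc_html(s if ok else "#unsafe")   # "#unsafe" is this example's choice
SANITIZERS = {"html": esc_html, "attr": esc_html, "url": esc_url, "js": esc_js_string}

def context_at(out):
    """Classify the insertion point from the output emitted so far
    (a simplification: the paper infers contexts statically over the template)."""
    script = re.search(r"<script\b[^>]*>((?:(?!</script).)*)$", out, re.I | re.S)
    if script:  # only interpolation inside a JS string literal is supported
        closed = r"""(?:[^"']|"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')*"""
        if re.fullmatch(closed, script.group(1), re.S):
            raise ValueError("script interpolation must be inside a string literal")
        return "js"
    tag = re.search(r"<[a-zA-Z][^>]*$", out)
    if not tag:
        return "html"
    attr = re.search(r'\s([a-zA-Z-]+)\s*=\s*"[^"]*$', tag.group(0))
    if not attr or attr.group(1).lower().startswith("on"):
        raise ValueError("unsupported context: tag name, unquoted or on* attribute")
    return "url" if attr.group(1).lower() in ("href", "src", "action") else "attr"

def render(template, **values):
    """Fill {$name} holes, sanitizing each value for the context it lands in."""
    out = ""
    for i, part in enumerate(re.split(r"\{\$(\w+)\}", template)):
        if i % 2 == 0:          # static template text
            out += part
        else:
            v, ctx = values[part], context_at(out)
            passthrough = isinstance(v, Sanitized) and v.context == ctx
            out += str(v) if passthrough else SANITIZERS[ctx](v)  # no double escaping
    return out
```

Contexts the toy engine cannot classify (unquoted attributes, event handlers, bare script expressions) raise instead of guessing, which is the fail-closed behaviour a real CSAS engine needs.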


Published in: CCS '11: Proceedings of the 18th ACM conference on Computer and communications security, October 2011, 742 pages. ISBN: 9781450309486. DOI: 10.1145/2046707.

Publisher: Association for Computing Machinery, New York, NY, United States

Author tags: cross-site scripting; type systems; web frameworks


Acceptance rates: CCS '11, 60 of 429 submissions (14%); overall, 1,261 of 6,999 submissions (18%).
