Taint Inference for Cross-Site Scripting in Context of URL Rewriting and HTML Sanitization

  • Pan, Jinkun (College of Computer, National University of Defense Technology) ;
  • Mao, Xiaoguang (College of Computer, National University of Defense Technology) ;
  • Li, Weishi (College of Computer, National University of Defense Technology)
  • Received : 2015.06.24
  • Accepted : 2015.12.09
  • Published : 2016.04.01

Abstract

Web applications are becoming ever more prevalent. When a web application fails to validate an input properly, it becomes susceptible to cross-site scripting (XSS), which poses serious security problems both for Internet users and for the websites whose trusted pages end up carrying the injected script. Taint inference is an information flow analysis technique that is useful for detecting XSS on the client side: instead of tracking taint through the server, it infers which parts of the response derive from the request by comparing the two. Existing techniques, however, do not handle two practical issues properly. One is URL rewriting, which transforms a standard URL into a cleaner and more manageable form, so that the filter can no longer tell where a parameter value begins and ends. The other is HTML sanitization, which filters an input against blacklists or whitelists of HTML tags or attributes, so that the reflected copy no longer matches the input verbatim. In this paper, we draw an analogy between the taint inference problem and the molecular sequence alignment problem in bioinformatics, and transfer two techniques from the latter to the former to solve these issues: URL rewriting is addressed using local sequence alignment, and HTML sanitization is modeled by introducing a removal gap penalty. Empirical results demonstrate the effectiveness and efficiency of our method.
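The two borrowed techniques, carried through on constructed inputs as an added example. This is illustration code written for this page, not the authors' implementation; its scoring weights, decision threshold and sample strings are assumptions made here. It runs Smith-Waterman local alignment [15] between a decoded request URL and the response, so that a reflected fragment is located even when URL rewriting has removed the `?name=value` structure, and charges runs of input characters that are absent from the output as a separate, cheaper Gotoh-style affine gap [16], which stands in for the removal gap penalty: an HTML sanitizer strips whole tags or attributes, and an alignment should be able to step over that removal without breaking apart.

```javascript
// Added illustration of taint inference by sequence alignment, written for this
// page; it is not the paper's implementation. The scoring weights, the decision
// threshold and every sample string below are assumptions made here.

// Integer scores (scaled by 10) keep every result exact.
//   match/mismatch: an input character aligned to an output character
//   insert*:        output characters with no counterpart in the input
//   removal*:       input characters missing from the output, charged cheaply
//                   because an HTML sanitizer strips whole tags/attributes
const SCORING = {
  match: 20, mismatch: -30,
  insertOpen: -40, insertExtend: -10,
  removalOpen: -10, removalExtend: -1,
};
const MIN_SCORE = 100; // assumed: at least five exactly reflected characters

// Smith-Waterman local alignment with Gotoh affine gaps in three states:
// M (input[i-1] aligned to output[j-1]), R (input[i-1] removed),
// I (output[j-1] inserted). Every cell also records where its alignment
// started so that the tainted spans can be reported, not just a score.
function alignLocal(input, output, sc = SCORING) {
  const n = input.length, m = output.length;
  const grid = (v) => Array.from({ length: n + 1 }, () => Array.from({ length: m + 1 }, () => v));
  const M = grid(0), R = grid(-Infinity), I = grid(-Infinity);   // scores
  const SM = grid(null), SR = grid(null), SI = grid(null);       // [i0, j0] starts
  const best = (...cands) => cands.reduce((a, b) => (b[0] > a[0] ? b : a));
  let top = { score: 0, start: [0, 0], end: [0, 0] };

  for (let i = 1; i <= n; i++) {
    for (let j = 1; j <= m; j++) {
      const s = input[i - 1] === output[j - 1] ? sc.match : sc.mismatch;
      // Local alignment: starting afresh here (score 0) is always allowed.
      let [v, st] = best([0, [i - 1, j - 1]],
                         [M[i - 1][j - 1], SM[i - 1][j - 1]],
                         [R[i - 1][j - 1], SR[i - 1][j - 1]],
                         [I[i - 1][j - 1], SI[i - 1][j - 1]]);
      M[i][j] = v + s; SM[i][j] = st;
      // Removal gap: opened from M or I, extended from R.
      [v, st] = best([M[i - 1][j] + sc.removalOpen, SM[i - 1][j]],
                     [R[i - 1][j] + sc.removalExtend, SR[i - 1][j]],
                     [I[i - 1][j] + sc.removalOpen, SI[i - 1][j]]);
      R[i][j] = v; SR[i][j] = st;
      // Insertion gap: opened from M or R, extended from I.
      [v, st] = best([M[i][j - 1] + sc.insertOpen, SM[i][j - 1]],
                     [I[i][j - 1] + sc.insertExtend, SI[i][j - 1]],
                     [R[i][j - 1] + sc.insertOpen, SR[i][j - 1]]);
      I[i][j] = v; SI[i][j] = st;
      if (M[i][j] > top.score) top = { score: M[i][j], start: SM[i][j], end: [i, j] };
    }
  }
  return {
    score: top.score,
    inputSpan: input.slice(top.start[0], top.end[0]),
    outputSpan: output.slice(top.start[1], top.end[1]),
  };
}

// Taint verdict plus the aligned regions a client-side filter would go on to
// inspect for script content.
function inferTaint(input, output, sc = SCORING) {
  const a = alignLocal(input, output, sc);
  return { tainted: a.score >= MIN_SCORE, ...a };
}

// Constructed samples (not from the paper).
// URL rewriting: there is no "?name=value" to tell the filter where the
// parameter lies, so the whole decoded path is aligned and the local alignment
// isolates the reflected fragment on its own.
const REWRITTEN_URL = 'https://example.test/news/2016/04/<img src=x onerror=alert(1)>';
const RESPONSE_1 = '<div class="q"><img src=x onerror=alert(1)></div>';
// HTML sanitization: a whitelist sanitizer kept <b> but stripped the event
// handler, so the reflected copy is shorter than the input.
const PAYLOAD = '<b onmouseover=alert(1)>hi</b>';
const RESPONSE_2 = '<b>hi</b>';
// Control: removals charged like ordinary gaps, to show what the removal gap buys.
const NO_REMOVAL_GAP = { ...SCORING, removalOpen: SCORING.insertOpen, removalExtend: SCORING.insertExtend };

function demo() {
  return {
    rewriting: inferTaint(REWRITTEN_URL, RESPONSE_1),
    sanitized: inferTaint(PAYLOAD, RESPONSE_2),
    sanitizedPlainGaps: inferTaint(PAYLOAD, RESPONSE_2, NO_REMOVAL_GAP),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

With the removal gap in place, one alignment spans `<b onmouseover=alert(1)>hi</b>` against `<b>hi</b>`, so the filter learns that the whole reflected element derives from the input and that an attribute was stripped in between. With removals charged like ordinary gaps, the alignment fragments to `>hi</b>` and the `<b` is never attributed to the input. The constants are deliberately exposed: the relative cost of a removal versus an insertion is the knob that decides how much sanitizer rewriting the inference tolerates before it splits.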

References

  1. OWASP, The Ten Most Critical Web Application Security Risks, OWASP, 2013. Accessed Jan. 15, 2016. http://www.owasp.org/index.php/Top_10_2013-Top_10
  2. B. Martin et al., 2011 CWE/SANS Top 25 Most Dangerous Software Errors, The MITRE Corporation, 2011. Accessed Jan. 15, 2016. http://cwe.mitre.org/top25/
  3. S. Chen et al., "Defeating Memory Corruption Attacks via Pointer Taintedness Detection," Int. Conf. Dependable Syst. Netw., Yokohama, Japan, June 28-July 1, 2005, pp. 378-387.
  4. G.E. Suh et al., "Secure Program Execution via Dynamic Information Flow Tracking," ACM SIGPLAN Notices, vol. 39, no. 11, Nov. 2004, pp. 85-96. https://doi.org/10.1145/1037187.1024404
  5. W.G. Halfond et al., "Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks," ACM SIGSOFT Int. Symp. Found. Softw. Eng., Portland, OR, USA, Nov. 5-11, 2006, pp. 175-185.
  6. L.C. Lam and T.-C. Chiueh, "A General Dynamic Information Flow Tracking Framework for Security Applications," Annual Comput. Security Appl. Conf., Miami, FL, USA, Dec. 11-15, 2006, pp. 463-472.
  7. W. Xu, S. Bhatkar, and R. Sekar, "Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks," USENIX Security Symp., Vancouver, Canada, July 31-Aug. 3, 2006, pp. 121-136.
  8. D. Ross, IE 8 XSS Filter Architecture/Implementation, Microsoft Security Research and Defense Blog, 2008. Accessed Jan. 15, 2016. http://blogs.technet.com/srd/archive/2008/08/18/ie-8-xssfilter-architecture-implementation.aspx
  9. D. Bates, A. Barth, and C. Jackson, "Regular Expressions Considered Harmful in Client-Side XSS Filters," Int. Conf. World Wide Web, Raleigh, NC, USA, Apr. 26-30, 2010, pp. 91-100.
  10. M. Johns, B. Engelmann, and J. Posegga, "XSSDS: Server-Side Detection of Cross-Site Scripting Attacks," Annu. Comput. Security Appl. Conf., Anaheim, CA, USA, Dec. 8-12, 2008, pp. 335-344.
  11. R. Pelizzi and R. Sekar, "Protection, Usability, and Improvements in Reflected XSS Filters," ACM Symp. Inf. Comput. Commun. Security, Seoul, Rep. of Korea, May 2-4, 2012, pp. 5-15.
  12. D. Gusfield, Algorithms on Strings, Trees, and Sequences: Computer Science and Computational Biology, Cambridge, UK: Cambridge University Press, 1997, pp. 215-245.
  13. F. Duchene et al., "LigRE: Reverse-Engineering of Control and Data Flow Models for Black-Box XSS Detection," Work. Conf. Reverse Eng., Koblenz, Germany, Oct. 14-17, 2013, pp. 252-261.
  14. F. Duchene et al., "KameleonFuzz: Evolutionary Fuzzing for Black-Box XSS Detection," ACM Conf. Data Appl. Security Privacy, San Antonio, TX, USA, Mar. 3-5, 2014, pp. 37-48.
  15. T.F. Smith and M.S. Waterman, "Identification of Common Molecular Subsequences," J. Molecular Biology, vol. 147, no. 1, Mar. 1981, pp. 195-197. https://doi.org/10.1016/0022-2836(81)90087-5
  16. O. Gotoh, "An Improved Algorithm for Matching Biological Sequences," J. Molecular Biology, vol. 162, no. 3, Dec. 1982, pp. 705-708. https://doi.org/10.1016/0022-2836(82)90398-9
  17. R. Hansen, XSS Filter Evasion Cheat Sheet, OWASP, 2016. Accessed Jan. 15, 2016. http://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
  18. F. Wilcoxon, "Individual Comparisons by Ranking Methods," Biometrics Bulletin, vol. 1, no. 6, Dec. 1945, pp. 80-83. https://doi.org/10.2307/3001968
  19. A. Vargha and H.D. Delaney, "A Critique and Improvement of the CL Common Language Effect Size Statistics of McGraw and Wong," J. Educational Behavioral Stat., vol. 25, no. 2, June 2000, pp. 101-132. https://doi.org/10.3102/10769986025002101
  20. A. Arcuri and L. Briand, "A Practical Guide for Using Statistical Tests to Assess Randomized Algorithms in Software Engineering," Int. Conf. Softw. Eng., Waikiki, HI, USA, May 21-28, 2011, pp. 1-10.
  21. Y. Lei et al., "Effective Fault Localization Approach Using Feedback," IEICE Trans. Inf. Syst., vol. E95-D, no. 9, Sept. 2012, pp. 2247-2257.
  22. X. Mao et al., "Slice-Based Statistical Fault Localization," J. Syst. Softw., vol. 89, Mar. 2014, pp. 51-62. https://doi.org/10.1016/j.jss.2013.08.031
  23. P. Bisht and V. Venkatakrishnan, "XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks," Detection Intrusions Malware, Vulnerability Assessment, Paris, France, July 10-11, 2008, pp. 23-43.
  24. M.T. Louw and V. Venkatakrishnan, "Blueprint: Robust Prevention of Cross-Site Scripting Attacks for Existing Browsers," IEEE Symp. Security Privacy, Oakland, CA, USA, May 17-20, 2009, pp. 331-346.
  25. R. Sekar, "An Efficient Black-Box Technique for Defeating Web Application Attacks," Annual Netw. Distrib. Syst. Security Symp., San Diego, CA, USA, Feb. 8-11, 2009, pp. 21-37.
  26. G. Maone, NoScript-JavaScript/Java/Flash blocker for a safer Firefox experience, InformAction, 2012. Accessed Jan. 15, 2016. https://noscript.net/
  27. P. Vogt et al., "Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis," Annual Netw. Distrib. Syst. Security Symp., San Diego, CA, USA, Feb. 28-Mar. 2, 2007, pp. 37-48.
  28. T. Jim, N. Swamy, and M. Hicks, "Defeating Script Injection Attacks with Browser-Enforced Embedded Policies," Int. Conf. World Wide Web, Banff, Canada, May 8-12, 2007, pp. 601-610.
  29. M. Van Gundy and H. Chen, "Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks," Annual Netw. Distrib. Syst. Security Symp., San Diego, CA, USA, Feb. 8-11, 2009, pp. 38-55.
  30. Y. Nadji et al., "Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense," Annual Netw. Distrib. Syst. Security Symp., San Diego, CA, USA, Feb. 8-11, 2009, pp. 1-20.
  31. S. Stamm, B. Sterne, and G. Markham, "Reining in the Web with Content Security Policy," Int. Conf. World Wide Web, Raleigh, NC, USA, Apr. 26-30, 2010, pp. 921-930.