Context-sensitive auto-sanitization in web templating languages using type qualifiers

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2011, Pages 587-600

  Samuel, Mike ^a   Saxena, Prateek ^b   Song, Dawn ^a  

^a GOOGLE INC   (United States)

^b UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Cross site scripting; Type systems

Indexed keywords

CONTEXT-SENSITIVE; CROSS SITE SCRIPTING; DEFENSE TECHNIQUES; EMERGING APPLICATIONS; FORMAL SECURITY; LEGACY APPLICATIONS; OPEN-SOURCE; OTHER APPLICATIONS; TEMPLATING; TYPE QUALIFIERS; TYPE SYSTEMS; WEB APPLICATION;

JAVA PROGRAMMING LANGUAGE; LEGACY SYSTEMS; RETROFITTING; SECURITY OF DATA; USER INTERFACES; WORLD WIDE WEB;

CONTEXT SENSITIVE LANGUAGES;

EID: 80755169453     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2046707.2046775     Document Type: Conference Paper

References (54)

1. D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2008.
2. S. Bandhakavi, S. T. King, P. Madhusudan, and M. Winslett. VEX: Vetting browser extensions for security vulnerabilities, 2010.
3. Google autoescape implementation for ctemplate (c code). http://google-ctemplate.googlecode.com/svn/trunk/doc/auto-escape.html.
4. D. Bates, A. Barth, and C. Jackson. Regular expressions considered harmful in client-side XSS filters. In Proceedings of the 19th international conference on World wide web, WWW '10, 2010.
5. P. Bisht and V. N. Venkatakrishnan. XSS-GUARD: Precise dynamic prevention of cross-site scripting attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment, 2008.
6. H. Bojinov, E. Bursztein, and D. Boneh. XCS: Cross channel scripting and its impact on web applications. In CCS, 2009.
7. Google Analytics XSS vulnerability. http://spareclockcycles.org/2011/02/ 03/google-analytics-xss-vulnerability/.
8. Google XSS Flaw in Website Optimizer Scripts explained. http://www.acunetix.com/blog/web-security-zone/articles/google-xss-website- optimizer-scripts/.
9. How I met your girlfriend, DEFCON'10. ohack.us/xss/2010-defcon.ppt.
10. XSS Attack Identified and Patch-Twitter. http://status.twitter.com/post/ 1161435117/xss-attacklinebreak-identified-and-patched.
11. ClearSilver: Template Filters. http://www.clearsilver.net/docs/man- filters.hdf.
12. CodeIgniter/system/libraries/Security.php. https://bitbucket.org/ ellislab/codeigniter/src/8af0fb079f90/system/libraries/Security.php.
13. Ctemplate: Guide to Using Auto Escape. http://google-ctemplate. googlecode.com/svn/trunk/doc/auto-escape.html.
14. django: Built-in template tags and filters. http://docs.djangoproject. com/en/dev/ref/templates/builtins.
15. Google autoescape implementation for gwt (java code). http://code.google.com/p/google-web-toolkit/source/browse/tools/lib/ streamhtmlparser/streamhtmlparser-jsilver-r10/streamhtmlparser-jsilver-r10-1.5. jar.
16. J. S. Foster, T. Terauchi, and A. Aiken. Flow-sensitive type qualifiers. In Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation, PLDI '02, 2002.
17. B. Gourdin, C. Soman, H. Bojinov, and E. Bursztein. Towards secure embedded web interfaces. In Proceedings of the Usenix Security Symposium, 2011.
18. A. Guha, S. Krishnamurthi, and T. Jim. Using static analysis for ajax intrusion detection. In Proceedings of the 18th international conference on World wide web, WWW '09.
19. M. V. Gundy and H. Chen. Noncespaces: using randomization to enforce information flow tracking and thwart cross-site scripting attacks. 16th Annual Network & Distributed System Security Symposium, 2009.
20. Google Web Toolkit: Developer's Guide - SafeHtml. http://code.google.com/ webtoolkit/doc/latest/DevGuideSecuritySafeHtml.html.
21. R. Hansen. XSS cheat sheet. http://ha.ckers.org/xss.html.
22. P. Hooimeijer, B. Livshits, D. Molnar, P. Saxena, and M. Veanes. Fast and precise sanitizer analysis with BEK. In Proceedings of the Usenix Security Symposium, 2011.
23. HTML Purifier: Standards-Compliant HTML Filtering. http://htmlpurifier. org/.
24. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing web application code by static analysis and runtime protection. In Proceedings of the 13th international conference on World Wide Web, WWW '04.
25. JiftyManual. http://jifty.org/view/JiftyManual.
26. T. Jim, N. Swamy, and M. Hicks. BEEP: Browser-enforced embedded policies. 16th International World World Web Conference, 2007.
27. N. Jovanovic, C. Krügel, and E. Kirda. Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In IEEE Symposium on Security and Privacy, 2006.
28. Quasis demo - javascript shell 1.4. http://js-quasis-libraries-and-repl. googlecode.com/svn/trunk/index.html.
29. A. Kieżun, V. Ganesh, P. J. Guo, P. Hooimeijer, and M. D. Ernst. HAMPI: A solver for string constraints. In International Symposium on Software Testing and Analysis, 2009.
30. kses - PHP HTML/XHTML filter. http://sourceforge.net/projects/kses/.
31. B. Livshits and M. S. Lam. Finding security errors in Java programs with static analysis. In Proceedings of the Usenix Security Symposium, 2005.
32. B. Livshits, M. Martin, and M. S. Lam. SecuriFly: Runtime protection and recovery from Web application vulnerabilities. Technical report, Stanford University, Sept. 2006.
33. M. Martin and M. S. Lam. Automatic generation of XSS and SQL injection attacks with goal-directed model checking. In 17th USENIX Security Symposium, 2008.
34. The Mason Book: Escaping Substitutions. http://www.masonbook.com/book/ chapter-2.mhtml.
35. L. Meyerovich and B. Livshits. ConScript: Specifying and enforcing fine-grained security policies for JavaScript in the browser. In IEEE Symposium on Security and Privacy, May 2010.
36. Y. Nadji, P. Saxena, and D. Song. Document structure integrity: A robust basis for cross-site scripting defense. In NDSS, 2009.
37. A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening web applications using precise tainting. 20th IFIP International Information Security Conference, 2005.
38. XSS Prevention Cheat Sheet. http://www.owasp.org/index.php/XSS-(Cross- Site-Scripting)-Prevention-Cheat-Sheet.
39. W. Robertson and G. Vigna. Static Enforcement of Web Application Integrity Through Strong Typing. In Proceedings of the USENIX Security Symposium, Montreal, Canada, August 2009.
40. Ruby on Rails Security Guide. http://guides.rubyonrails.org/security. html.
41. P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. A symbolic execution framework for JavaScript. Technical Report UCB/EECS-2010-26, EECS Department, University of California, Berkeley, 2010.
42. P. Saxena, S. Hanna, P. Poosankam, and D. Song. FLAX: Systematic discovery of client-side validation vulnerabilities in rich web applications. In 17th Annual Network & Distributed System Security Symposium, (NDSS), 2010.
43. P. Saxena, D. Molnar, and B. Livshits. SCRIPTGARD: Automatic context-sensitive sanitization for large-scale legacy web applications. In Proceedings of the ACM Computer and communications security(CCS), 2011.
44. Smarty Template Engine: escape. http://www.smarty.net/manual/en/language. modifier.escape.php.
45. Google Closure Templates. http://code.google.com/closure/templates/.
46. S. Stamm. Content security policy, 2009.
47. Z. Su and G. Wassermann. The essence of command injection attacks in web applications. 2006.
48. Template: Manual: Filters. http://template-toolkit.org/docs/manual/ Filters.html.
49. Ter Louw, Mike and V.N. Venkatakrishnan. BluePrint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers. In Proceedings of the IEEE Symposium on Security and Privacy, 2009.
50. J. Weinberger, P. Saxena, D. Akhawe, M. Finifter, R. Shin, and D. Song. A Systematic Analysis of XSS Sanitization in Web Application Frameworks. In Proceedings of the European Symposium on Research in Computer Security, 2011.
51. Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting languages. In Proceedings of the Usenix Security Symposium, 2006.
52. W. Xu, S. Bhatkar, and R. Sekar. Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks. USENIX Security Symposium, 2006.
53. Yii Framework: Security. http://www.yiiframework.com/doc/guide/1.1/en/ topics.security.
54. Zend Framework: Zend Filter. http://framework.zend.com/manual/en/zend. filter.set.html.