
Archive for November, 2013


Final Project Report (Nov.18, 2013)

November 18th, 2013 by Chao

 

Comp527 Final Project Weekly Report (Nov. 18, 2013)

 

Detection & Sanitization of XSS

 

Jun Zheng (jz33) Chao Zhang (cz15)

 

Rice University

 

Overview

For now, our group focuses on analyzing the Django MVC framework [1], building view and HTML test cases to observe the behavior of Django's XSS sanitization, which disables HTML tags.

 

Sanitization Target

1. Random string from view or programmer:

These inputs are always trusted by the server, so Django's XSS sanitization does not perform any escaping step.

 

Example:

In view.py, we write a string that contains a script and return it in the HTTP response; when we run the Django server, an alert box shows up in the browser.

 

2. Random string from user:

It seems that these inputs are never trusted by the server; all input that comes from users is treated as a potentially dangerous script.

 

Example:

In the HTML file, we submit a form to the server and wait for the returned query string. Next, in view.py, we add a function serverTest to handle the request and output the query. Then we run the server and type a script such as "<script>alert('hi')</script>"; the sanitization mechanism escapes the input to "%3Cscript%3Ealert%28%27hi%27%29%3C%2Fscript%3E".

 

Escaping Dictionary

Below is the escaping list obtained after some tests.

 

before escaping : after escaping

'~' : '%7E' + ' v',
'`' : '%60',
'!' : '%21',
'@' : '%40',
'#' : '%23',
'$' : '%24',
'%' : '%25',
'^' : '%5E',
'&' : '%26',
'*' : ' u',
'(' : '%28',
')' : '%29',
'_' : ' u',
'-' : ' u',
'+' : '%2B',
'=' : '%3D',
'{' : '%7B',
'[' : '%5B',
'}' : '%7D',
']' : '%5D',
'|' : '%7C',
'\\' : '%5C',
':' : '%3A',
';' : '%3B',
'"' : '%22' + ' v',
'\'' : '%27',
'<' : '%3C' + ' v',
',' : '%2C',
'>' : '%3E' + ' v',
'.' : ' u',
'?' : '%3F',
'/' : '%2F',
' ' : '+',
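The list above matches the percent-encoding a browser applies to a GET form's query string (application/x-www-form-urlencoded): the entries marked ' u' are the characters that serializer passes through unchanged (my reading of the marker), and '~' becomes %7E as listed. The Python below is an added example written for this page, not code from the report or from Django. It reimplements that serializer, regenerates the whole table from it, and then models the server side: Django decodes the query string when it builds request.GET, so the view sees the original script text again, and what decides whether the alert fires is whether that text is returned raw (the report's "trusted" case) or escaped in the HTML context, which is what template autoescaping does. The names form_urlencode, ENCODING_TABLE, html_escape and handle_query are this example's own.

```python
import html
from urllib.parse import unquote_plus

# Characters a browser's application/x-www-form-urlencoded serializer leaves
# untouched besides ASCII letters and digits. (Name chosen for this example.)
FORM_SAFE = set("*-._")


def form_urlencode(text: str) -> str:
    """Percent-encode one query-string value the way a browser does when it
    submits a form with method="get": space becomes '+', ASCII letters, digits
    and * - . _ pass through, and every other byte becomes %XX."""
    out = []
    for byte in text.encode("utf-8"):
        ch = chr(byte)
        if byte < 128 and (ch.isalnum() or ch in FORM_SAFE):
            out.append(ch)
        elif ch == " ":
            out.append("+")
        else:
            out.append("%%%02X" % byte)
    return "".join(out)


# The characters from the report's list, in the same order; the table is
# regenerated from the encoder above (' u' in the report = unchanged, assumed).
REPORT_CHARS = "~`!@#$%^&*()_-+={[}]|\\:;\"'<,>.?/ "
ENCODING_TABLE = {c: form_urlencode(c) for c in REPORT_CHARS}


def html_escape(text: str) -> str:
    """HTML-context escaping of the five characters Django's template
    autoescape rewrites (& < > " '). The stdlib spells the apostrophe as
    &#x27;; Django releases before 3.0 used &#39; for it."""
    return html.escape(text, quote=True)


def handle_query(raw_query_value: str) -> dict:
    """Model what happens to a submitted value on the server side.

    Django percent-decodes the query string when it builds request.GET, so the
    view sees the original text again. Returning that text raw (the report's
    'trusted string' case) reproduces the alert; rendering it through an
    autoescaped template emits the entity-escaped form instead.
    """
    decoded = unquote_plus(raw_query_value)
    return {
        "decoded": decoded,
        "raw_response": decoded,
        "autoescaped_response": html_escape(decoded),
    }


if __name__ == "__main__":
    # Constructed input: the same test string the report used.
    submitted = form_urlencode("<script>alert('hi')</script>")
    print("query string value:", submitted)
    for key, value in handle_query(submitted).items():
        print("%-22s %s" % (key + ":", value))
```

The useful check is the middle line of the output: the percent-encoded form in the report is a transport encoding that the server undoes on arrival, so the protection against the alert has to come from the HTML-context escaping applied when the value is written into the response, not from the %XX form seen in the URL bar.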

 

Further Work

As the next step, we will continue looking at whether there is any XSS situation that Django's sanitization misses, and how Django could protect tags like <b>.

 

Reference:

[1] http://owasp-esapi-python-swingset.appspot.com/xss/no_escaping

Final Project Milestone – Detection & Sanitization of XSS

November 4th, 2013 by Chao

 

Comp527 Final Project Milestone Details (Nov. 3, 2013)

 

Detection & Sanitization of XSS

 

Jun Zheng (jz33) Chao Zhang (cz15)

 

Rice University

 

10/16/2013

The final project proposal has been posted on the blog. We want to look deeply at Cross-site Scripting (XSS), which allows an attacker to inject malicious client-side scripts into pages viewed by other users. In this project, we focus on the Django framework, in which XSS is protected by "Auto-sanitization".

 

Also, we posted the strategy for our final project.

1) Do research on the analysis of XSS attacks based on two papers by Weinberger et al. [1][2].

2) Our team will focus on Django's "Auto-sanitization" mechanism, looking deeply into its implementation and limitations.

3) We choose to design and implement assistant programs or plug-ins to detect possible XSS attack code.

 

10/26/2013

Up to October 26th, our group focused on the definition of XSS attacks, why XSS defense is so significant, and what kinds of challenges XSS sanitization faces in real-world industry.

 

Problem from XSS attack:

A malicious programmer may inject client-side scripts into Web pages that are viewed by other users.

 

Responsibility of XSS defense (XSS sanitization):

Remove dangerous contents from untrusted data.

 

Current challenge of XSS sanitization:

1) Context Sensitivity

2) Nested Contexts

3) Browser Transductions

4) Dynamic Code Evaluation

5) Character-set Issues

6) Other challenges such as MIME-based XSS, Universal XSS and Mashup Confinement, which are not considered in this final project.
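Context sensitivity and nested contexts (items 1 and 2) are the challenges that Django's tests in this project touch first: the entity escaping that autoescaping applies in the HTML text context does nothing to a javascript: URL placed in an href attribute, and a URL written inside an attribute is a URL context nested in an attribute context, so it needs a URL-level check and encoding followed by attribute-level entity escaping. The code below is an added example written for this page, not code from the report, from Django or from the Weinberger papers; the sample values, the allowlist SAFE_URL_SCHEMES and all function names are its own, and it uses the Python standard library in place of Django's helpers.

```python
import html
import json
from typing import Optional
from urllib.parse import quote, urlsplit

# Constructed sample inputs for this example (not from the report's tests).
SAMPLE_TEXT = "<script>alert('hi')</script>"
SAMPLE_BAD_URL = "javascript:alert('hi')"          # HTML escaping leaves this usable
SAMPLE_GOOD_URL = "https://example.com/?a=1&b=<x>"

# URL schemes a link target may carry; "" covers relative URLs. (Example's own list.)
SAFE_URL_SCHEMES = {"http", "https", "mailto", ""}


def escape_html_text(value: str) -> str:
    """HTML text context: entity-escape & < > " ' (the rewrite Django's
    template autoescape performs)."""
    return html.escape(value, quote=True)


def escape_url_attr(value: str) -> Optional[str]:
    """URL context nested inside an attribute context.

    Entity escaping alone does nothing to a 'javascript:' scheme, so the
    scheme is checked against an allowlist first. The value is then
    percent-encoded as a URL and, because it sits inside an HTML attribute,
    entity-escaped as well (so '&' becomes '&amp;'). Returns None when the
    URL is rejected so the caller can fall back to plain text.
    """
    scheme = urlsplit(value).scheme.lower()
    if scheme not in SAFE_URL_SCHEMES:
        return None
    # Keep the characters that give a URL its structure; encode everything else.
    return html.escape(quote(value, safe="/:?=&#%+@"), quote=True)


def escape_js_string(value: str) -> str:
    """JavaScript string-literal context inside a <script> block.

    JSON encoding handles quotes and backslashes; '<' and '/' are escaped on
    top so the literal can never contain '</script>' and close the block.
    """
    return json.dumps(value).replace("<", "\\u003c").replace("/", "\\/")


def render_link(label: str, url: str) -> str:
    """Build <a href="...">label</a>, applying the escaper that matches each
    context. A rejected URL degrades to the escaped label with no link."""
    safe_url = escape_url_attr(url)
    if safe_url is None:
        return escape_html_text(label)
    return '<a href="%s">%s</a>' % (safe_url, escape_html_text(label))


def render_inline_script(value: str) -> str:
    """Embed a value in an inline script as a JS string literal."""
    return "<script>var v = %s;</script>" % escape_js_string(value)


if __name__ == "__main__":
    print("text context     :", escape_html_text(SAMPLE_TEXT))
    print("bad URL, text esc:", escape_html_text(SAMPLE_BAD_URL))  # still a javascript: URL
    print("bad URL as link  :", render_link("click", SAMPLE_BAD_URL))
    print("good URL as link :", render_link("click", SAMPLE_GOOD_URL))
    print("script context   :", render_inline_script(SAMPLE_TEXT))
```

The second printed line is the point of item 1: escape_html_text leaves javascript:alert(&#x27;hi&#x27;) as a working URL, because nothing in it is an HTML metacharacter, so a template that applies only HTML escaping to an href is not protected; the fix is the scheme allowlist in escape_url_attr, not more entities. The scheme check here relies on urlsplit; browsers also strip ASCII tab and newline characters out of a URL before parsing the scheme, so a production version should normalize those away before the allowlist test.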

 

11/2/2013

Django framework & Django’s “Auto-sanitization” mechanism (implementation).

 

Future Work:

1) Continue working on Django’s “Auto-sanitization” mechanism.

2) Design and implement plug-ins to detect possible XSS attack codes.

 

References:

[1] Weinberger, J., et al., “A Systematic Analysis of XSS Sanitization in Web Application Frameworks”, Springer-Verlag Berlin Heidelberg 2011

[2] Weinberger, J., et al., “An Empirical Analysis of XSS Sanitization in Web Application Frameworks”, Technical Report No. UCB/EECS-2011-11