Comp527 Final Project Weekly Report (Dec. 2, 2013)
Detection & Sanitization of XSS
Jun Zheng (jz33) Chao Zhang (cz15)
Rice University
Overview
So far, we have used the Django framework to build test Web pages and verify Django's auto-escaping in different HTML attributes.
A Web framework can address XSS through sanitization only if it correctly addresses three things.
1. Context expressiveness
Untrusted data needs to be sanitized differently depending on its context in the HTML document [1]. For example, sometimes we want to keep some of the user's HTML tags, such as <b>, so the user can change the font. But more powerful tags, such as <script> and <object>, definitely need to be removed during sanitization. So our question is: does the Django sanitizer treat different contexts differently?
2. Auto-sanitization & context-sensitivity
Shifting XSS sanitization work from the Web developer to the framework may be a good way to prevent XSS attacks, but auto-sanitization cannot always be trusted. A sanitizer that is safe for use in one context may not be safe for use in another. The sanitizer needs to be context sensitive.
3. Security of client-side code evaluation
Sanitization performed on the server side is not enough, because client-side code can read values back out of the DOM; we also need to verify the client-side code.
For example, see the piece of code below [1]:
function foo(untrustedData) {
    // Vulnerable pattern from [1]: untrustedData is concatenated into an HTML
    // attribute that is itself a JavaScript handler, so it crosses two contexts.
    document.write("<input onclick='foo(" + untrustedData + ")'>");
}
Because the browser evaluates code dynamically, this piece of code pumps the untrusted data from a JavaScript string into HTML, and from there back into a JavaScript event handler. In this case, statically checking the traversal chain on the server side is definitely not enough.
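The three-stage flow described above, worked through in Python as an added example (this is not code from the report or from the paper it cites): Django's server-side escaping is modelled with Python's html.escape (assumption: it replaces the same five characters as Django's escape filter), the DOM read with html.unescape, and the client-side document.write pattern is shown in its original form and in a hardened form that escapes for each nested context, innermost first.

```python
import html
import json

# Constructed sample input: closes foo()'s argument list and calls another
# function; it contains characters the server escapes in an HTML text context.
UNTRUSTED = '1);injected("<b>"'


def server_escape(value: str) -> str:
    """Stage 1: server-side HTML escaping for an HTML text context (modelled
    with html.escape; assumption: same characters as Django's escape)."""
    return html.escape(value, quote=True)


def dom_read(markup_text: str) -> str:
    """Stage 2: the browser parses the markup; client code reading the value
    back from the DOM (e.g. via textContent) gets the decoded string."""
    return html.unescape(markup_text)


def client_write_vulnerable(untrusted: str) -> str:
    """Stage 3 (vulnerable): the document.write pattern from [1], with the
    untrusted value concatenated straight into the onclick handler."""
    return "<input onclick='foo(" + untrusted + ")'>"


def client_write_hardened(untrusted: str) -> str:
    """Stage 3 (hardened): escape for each nested context, innermost first:
    JS string literal (json.dumps), then HTML attribute (html.escape)."""
    js_literal = json.dumps(untrusted)
    attr_value = html.escape(js_literal, quote=True)
    return "<input onclick='foo(" + attr_value + ")'>"


def handler_source(client_write) -> str:
    """Run all three stages and return the JavaScript the browser would hand to
    its engine for the onclick attribute (attribute value, entity-decoded)."""
    markup = client_write(dom_read(server_escape(UNTRUSTED)))
    start = markup.index("onclick='") + len("onclick='")
    end = markup.index("'", start)
    return html.unescape(markup[start:end])


if __name__ == "__main__":
    print("vulnerable:", handler_source(client_write_vulnerable))
    print("hardened:  ", handler_source(client_write_hardened))
```

The vulnerable path yields a handler that calls injected() even though the server escaped the value, because the DOM read undid that escaping; the hardened path keeps the whole value inside a JavaScript string literal.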
Further Work
Use a whitelist approach to verify the Django sanitizers and compare them.
Reference
[1] Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, and Dawn Song. A Systematic Analysis of XSS Sanitization in Web Application Frameworks.