
COMP527 Weekly Report (Dec. 2, 2013)

December 2nd, 2013 by Chao

 

Comp527 Final Project Weekly Report (Dec. 2, 2013)

 

Detection & Sanitization of XSS

 

Jun Zheng (jz33) Chao Zhang (cz15)

 

Rice University

 

Overview

So far, we have used the Django framework to build test Web pages, verifying Django auto-escaping in different HTML attributes.

 

A Web framework can address XSS using sanitization only if it correctly addresses three things.

 

1. Context expressiveness

Untrusted data needs to be sanitized differently based on its context in the HTML document [1]. For example, sometimes we want to keep some of the user's HTML tags, such as <b>, so the user can change the font. But some advanced tags, such as <script> and <object>, definitely need to be removed during the sanitization process. So our question is: does the Django framework's sanitizer treat different contexts in different ways?

 

2. Auto-sanitization & context-sensitivity

Shifting XSS sanitization work from the Web developer to the framework may be a good way to prevent XSS attacks, but auto-sanitization cannot always be trusted. A sanitizer that is safe for use in one context may not be safe for use in another. The sanitizer needs to be context sensitive.

 

3. Security of client-side code evaluation

Sanitization performed on the server side is not enough, because client-side code can read values from the DOM; we also need to verify the client-side code.

 

For example, see the piece of code below [1]:

 

function foo(untrustedData) {
    document.write("<input onclick = 'foo(" + untrustedData + ")'>");
}

 

Because the browser can dynamically evaluate code, this piece of code pumps a JavaScript string through to HTML. In this case, statically checking the traversal chain on the server side is definitely not enough.
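A worked illustration of the nested-context problem just described, added here as an example and not taken from the report or from Django (the helper names, the simulated browser decoding step and the sample input are ours): the untrusted value sits in a JavaScript string inside an onclick attribute, and only escaping for the inner JS context first and the outer HTML context second keeps the string literal intact after the browser's own attribute decoding.

```python
import html
import re

# Added example (not code from the report or from Django): untrusted data that
# ends up inside a JavaScript string inside an HTML attribute needs two layers
# of escaping, and the browser undoes the outer (HTML) layer before the inner
# (JS) parser runs. Escaping for HTML alone therefore leaves the JS literal
# unprotected. Helper names below are ours.

def html_attr_escape(s: str) -> str:
    """HTML-attribute escaping, as an autoescaping template applies to {{ var }}."""
    return html.escape(s, quote=True)

def js_string_escape(s: str) -> str:
    """Escape for the inside of a JS string literal: every non-alphanumeric
    character becomes \\xHH, so no quote, backslash or tag character survives."""
    return "".join(c if c.isalnum() else "\\x%02x" % ord(c) for c in s)

def browser_decode_attr(value: str) -> str:
    """Simulate the browser transduction: entities in an attribute value are
    decoded before the event-handler source reaches the JS engine."""
    return html.unescape(value)

def js_literal_intact(js_source: str) -> bool:
    """True if the handler is still exactly foo('<one string literal>')."""
    return re.fullmatch(r"foo\('(?:[^'\\]|\\.)*'\)", js_source) is not None

def render_naive(untrusted: str) -> str:
    # Single escaping layer: what {{ untrusted }} inside the attribute would give.
    return '<input onclick="foo(\'' + html_attr_escape(untrusted) + '\')">'

def render_layered(untrusted: str) -> str:
    # Inner context first (JS string), then the outer one (HTML attribute).
    return '<input onclick="foo(\'' + html_attr_escape(js_string_escape(untrusted)) + '\')">'

def handler_intact(markup: str) -> bool:
    """Pull the onclick value out of the markup, apply the browser's decoding,
    and check whether the JS string literal survived."""
    m = re.search(r'onclick="([^"]*)"', markup)
    return m is not None and js_literal_intact(browser_decode_attr(m.group(1)))

# Constructed sample input: harmless text that still contains a quote and a tag.
SAMPLE = "O'Brien <b>"

if __name__ == "__main__":
    for name, render in (("naive", render_naive), ("layered", render_layered)):
        markup = render(SAMPLE)
        print(f"{name:8} {markup}")
        print(f"         JS literal intact: {handler_intact(markup)}")
```

With the naive rendering the decoded handler becomes foo('O'Brien <b>'), so even a benign apostrophe terminates the literal; the layered rendering keeps it as one string.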

 

Further Work

Use a whitelist approach to verify the Django sanitizers and compare them.

 

Reference

[1] A Systematic Analysis of XSS Sanitization in Web Application Frameworks, Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, and Dawn Song

Final Project Report (Nov. 18, 2013)

November 18th, 2013 by Chao

 

Comp527 Final Project Weekly Report (Nov. 18, 2013)

 

Detection & Sanitization of XSS

 

Jun Zheng (jz33) Chao Zhang (cz15)

 

Rice University

 

Overview

For now, our group focuses on analyzing the Django MVC framework [1], building view and HTML test cases to observe the behavior of Django XSS sanitization, which disables HTML tags.

 

Sanitization Target

1. Random string from view or programmer:

These inputs are always trusted by the server, so Django XSS sanitization does not perform any escaping step on them.

 

Example:

In view.py, we write a string that contains a script and return it in the HTTP response; when we run the Django server, an alert box shows up in the browser.

 

2. Random string from user:

It seems that these inputs are never trusted by the server; all inputs that come from users are treated as potentially dangerous scripts.

 

Example:

In the HTML file, we submit a form to the server and wait for the returned query string. Next, in view.py, we add a function serverTest to handle the request and output the query. Then we run the server and type some script like "<script>alert('hi')</script>"; the sanitization mechanism escapes the input to "%3Cscript%3Ealert%28%27hi%27%29%3C%2Fscript%3E".

 

Escaping Dictionary

Below is the escaping list obtained after some tests.

 

before escaping : after escaping

'~' : '%7E' + ' v',
'`' : '%60',
'!' : '%21',
'@' : '%40',
'#' : '%23',
'$' : '%24',
'%' : '%25',
'^' : '%5E',
'&' : '%26',
'*' : ' u',
'(' : '%28',
')' : '%29',
'_' : ' u',
'-' : ' u',
'+' : '%2B',
'=' : '%3D',
'{' : '%7B',
'[' : '%5B',
'}' : '%7D',
']' : '%5D',
'|' : '%7C',
'\\' : '%5C',
':' : '%3A',
';' : '%3B',
'"' : '%22' + ' v',
'\'' : '%27',
'<' : '%3C' + ' v',
',' : '%2C',
'>' : '%3E' + ' v',
'.' : ' u',
'?' : '%3F',
'/' : '%2F',
' ' : '+',

 

Further Work

As the next step, we will continue looking at whether there is any XSS situation that Django sanitization misses, and how Django could protect tags like <b>.

 

Reference:

[1] http://owasp-esapi-python-swingset.appspot.com/xss/no_escaping

Final Project Milestone – Detection & Sanitization of XSS

November 4th, 2013 by Chao

 

Comp527 Final Project Milestone Details (Nov. 3, 2013)

 

Detection & Sanitization of XSS

 

Jun Zheng (jz33) Chao Zhang (cz15)

 

Rice University

 

10/16/2013

The final project proposal has been posted on the blog. We want to look deeply at Cross-site Scripting (XSS), which allows an attacker to inject malicious client-side scripts that run for other users. In this project, we focus on the Django framework, in which XSS is protected against by "Auto-sanitization".

 

Also, we posted the strategy of our final project.

1) Research the analysis of XSS attacks based on two papers by Weinberger et al. [1][2].

2) Our team will focus on Django's "Auto-sanitization" mechanism, looking deeply into its implementation and limitations.

3) We plan to design and implement assistant programs or plug-ins to detect possible XSS attack code.

 

10/26/2013

Until October 26th, our group focused on the definition of XSS attacks, why XSS defense is so significant, and what kinds of challenges XSS sanitization faces in real-world industry.

 

Problem from XSS attack:

A malicious party may inject client-side script into Web pages that are viewed by other users.

 

Responsibility of XSS defense (XSS sanitization):

Remove dangerous contents from untrusted data.

 

Current challenge of XSS sanitization:

1) Context Sensitivity

2) Nested Contexts

3) Browser Transductions

4) Dynamic Code Evaluation

5) Character-set Issues

6) Other challenges such as MIME-based XSS, Universal XSS and Mashup Confinement, which are not considered in this final project.

 

11/2/2013

Django framework & Django’s “Auto-sanitization” mechanism (implementation).

 

Future Work:

1) Continue working on Django’s “Auto-sanitization” mechanism.

2) Design and implement plug-ins to detect possible XSS attack code.

 

References:

[1] Weinberger, J., et al., “A Systematic Analysis of XSS Sanitization in Web Application Frameworks”, Springer-Verlag Berlin Heidelberg 2011

[2] Weinberger, J., et al., “An Empirical Analysis of XSS Sanitization in Web Application Frameworks”, Technical Report No. UCB/EECS-2011-11