SlideShare a Scribd company logo

deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation

Download as PPTX, PDF
Adam Doupe
Adam Doupe

Talk I gave at the ACM Conference on Computer and Communications Security (CCS) 2013 on the paper "deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation" which describes an approach to solving Cross-Site Scripting (XSS) vulnerabilities via applying the security principles of Code and Data separation. The paper is located here: http://cs.ucsb.edu/~adoupe/static/dedacota-ccs2013.pdf

Technology
1 of 83
deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation Adam Doupé, Weidong Cui€, Mariusz H. Jakubowski€, Marcus Peinado€, Christopher Kruegel, and Giovanni Vigna University of California, Santa Barbara €Microsoft Research CCS 2013 – 11/7/13
XSS Vulnerabilities Still Exist Today Doupé - 11/7/13
Doupé - 11/7/13
Courtesy of Ashar Javed Doupé - 11/7/13
Test.aspx <html> <body> <p>Hello <%= this.Name %></p> </body> </html> Doupé - 11/7/13
http://example.com/Test.aspx?name=adam <html> <body> <p>Hello <%= this.Name %></p> </body> </html> Doupé - 11/7/13 Ask Test.dll for output
http://example.com/Test.aspx?name=adam Ask Test.dll for output <html> <body> <p>Hello adam</p> </body> </html> Doupé - 11/7/13
http://example.com/Test.aspx?name=adam Ask Test.dll for output <html> <body> <p>Hello adam</p> </body> </html> Doupé - 11/7/13
http://example.com/Test.aspx?name=adam <html> <body> <p>Hello adam</p> </body> </html> Ask Test.dll for output Doupé - 11/7/13
http://example.com/Test.aspx?name=adam <html> <body> <p>Hello adam</p> </body> </html> Ask Test.dll for output Doupé - 11/7/13
Test.aspx http://example.com/Test.aspx?name=<script>alert("xss");</script> <html> <body> <p>Hello <%= this.Name %> </script></p> </body> </html> Doupé - 11/7/13
Test.aspx http://example.com/Test.aspx?name=<script>alert("xss");</script> <html> <body> <p>Hello <script>alert("xss"); </script></p> </body> </html> Doupé - 11/7/13
Test.aspx http://example.com/Test.aspx?name=<script>alert("xss");</script> <html> <body> <p>Hello <script>alert("xss"); </script></p> </body> </html> Doupé - 11/7/13
XSS – Impact • Steal cookies • Perform actions as user • Exploit user’s browser • Fake login form Doupé - 11/7/13
Fixing XSS – Sanitization <html> <body> <p>Hello <%= HtmlEncode(this.Name) %> </p> </body> </html> Doupé - 11/7/13
Fixing XSS – Sanitization <html> <script>alert("xss");</script> <body> <p>Hello <%= HtmlEncode(this.Name) %> </p> </body> &lt;script&gt;alert("xss"); </html> &lt;/script&gt; Doupé - 11/7/13
XSS as Input Validation Doupé - 11/7/13
XSS as Input Validation Problem Find All Paths Many Different Contexts Research WWW 2004, USENIX 2005, Oakland 2006 CCS 2011, CCS 2011 Is Sanitization Correct? Oakland 2008, USENIX 2011 Parsing Quirks Oakland 2009 Doupé - 11/7/13
XSS as Input Validation Problem Find All Paths Different Context Is Sanitization Correct? Parsing Quirks Research WWW 2004, USENIX 2005, Oakland 2006 CCS 2011, CCS 2011 Oakland 2008, USENIX 2011 Oakland 2009 Doupé - 11/7/13
XSS as Input Validation Problem Find All Paths Different Context Is Sanitization Correct? Parsing Quirks Research WWW 2004, USENIX 2005, Oakland 2006 CCS 2011, CCS 2011 Oakland 2008, USENIX 2011 Oakland 2009 Doupé - 11/7/13
XSS as Input Validation Problem Find All Paths Different Context Is Sanitization Correct? Parsing Quirks Research WWW 2004, USENIX 2005, Oakland 2006 CCS 2011, CCS 2011 Oakland 2008, USENIX 2011 Oakland 2009, CCS 2013 Doupé - 11/7/13
XSS as Input Validation Problem Find All Paths Research WWW 2004, USENIX 2005, Oakland 2006 CCS 2011, CCS 2011 We want to fundamentally Different Context solve XSS vulnerabilities Is Sanitization Correct? Oakland 2008, USENIX 2011 Parsing Quirks Oakland 2009, CCS 2013 Doupé - 11/7/13
Another Example <html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <%= this.Name %></p> </body> </html> Doupé - 11/7/13
Another Example Developer indented for this code to be executed on the browser <html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <%= this.Name %></p> </body> </html> Doupé - 11/7/13
Another Example http://example.com/Test.aspx?name=<script>alert("xss");</script> <html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <%= this.Name %> </p> </body> </html> Doupé - 11/7/13
Another Example http://example.com/Test.aspx?name=<script>alert("xss");</script> <html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <script>alert("xss");</script> </p> </body> </html> Doupé - 11/7/13
The Fundamental Problem Developer indented for this code to be executed on the http://example.com/Test.aspx?name=<script>alert("xss");</script> browser <html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <script>alert("xss");</script> </p> </body> Developer did not intend for this code to be executed on </html> the browser Doupé - 11/7/13
The Fundamental Problem Developer indented for this code to be executed on the http://example.com/Test.aspx?name=<script>alert("xss");</script> browser <html> <body> The <script> browser can’t tell the alert("welcome to example.com!"); difference! </script> <p>Hello <script>alert("xss");</script> </p> </body> Developer did not intend for this code to be executed on </html> the browser Doupé - 11/7/13
The Fundamental Solution Data <html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <%= this.Name %> </p> </body> </html> Doupé - 11/7/13 Code alert("welcome to example.com!");
The Fundamental Solution Data To fundamentally solve XSS <html> <body> vulnerabilities, we must apply the Code <script> alert("welcome to example.com!"); alert("welcome to example.com!"); basic security principles of Code </script> <p>Hello <%= this.Name %> and Data separation! </p> </body> </html> Doupé - 11/7/13
Content Security Policy (CSP) • Mechanism for the website to communicate a policy to the browser about what JavaScript to execute • The browser then enforces this policy • Supported by many modern browsers (68% of users use one of these browsers – – – – – – – Firefox Chrome IE (10) Safari Opera iOS Android Doupé - 11/7/13
Content Security Policy Data Content-Security-Policy: script-src http://example.com/0cc111eb135.js <html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <%= this.Name %> </p> </body> </html> Doupé - 11/7/13 Code alert("welcome to example.com!");
Content Security Policy Data Content-Security-Policy: script-src http://example.com/0cc111eb135.js <html> <body> <script src="0cc111eb135.js"> </script> <p>Hello <%= this.Name %> </p> </body> </html> Doupé - 11/7/13 Code alert("welcome to example.com!");
Code and Data Separation • Code and Data separation from start – No legacy applications • Manually rewrite application – Difficult and error-prone (HotSec 2011) deDacota: Automatically separate code and data of a web application Doupé - 11/7/13
Threat Model • Benign web application – The developer has not obfuscated the web application • Server-side XSS – Our approach will only address traditional XSS, in other words, XSS where the resulting bug is in the server-side code • Inline JavaScript – For the deDacota prototype, we focused only on inline JavaScript – We ignore JavaScript in HTML attributes and CSS Doupé - 11/7/13
DESIGN Doupé - 11/7/13
deDacota Process Approximate HTML Output Extract Inline JavaScript Doupé - 11/7/13 Rewrite Web Application
deDacota Process The goal is to rewrite the web application so that it is Approximate Extract Inline Rewrite Web semantically equivalent yet HTML Output JavaScript Application separates the code and data. Doupé - 11/7/13
Approximate HTML Output <%@ Page Language="C#" CodeBehind="CodeBehind.cs" Inherits="Test" %> <html> <body> <p>Hello <%= this.Name %></p> <%= Scripts() %> </body> </html> Doupé - 11/7/13
Approximate HTML Output class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); writer.write(Scripts()); writer.write("</p></body></html>"); } protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } Doupé - 11/7/13
Approximate HTML Output class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); writer.write(Scripts()); writer.write("</p></body></html>"); } protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } The goal here is to create a graph that approximates the HTML content of the web page. We use static analysis techniques to construct the graph. Doupé - 11/7/13
Approximate HTML Output "<html><body><p>" class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); writer.write(Scripts()); writer.write("</p></body></html>"); } protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } Doupé - 11/7/13
Approximate HTML Output "<html><body><p>" class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); writer.write(Scripts()); writer.write("</p></body></html>"); } protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } Doupé - 11/7/13
Approximate HTML Output "<html><body><p>" class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); writer.write(Scripts()); writer.write("</p></body></html>"); } protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } Doupé - 11/7/13
Approximate HTML Output "<html><body><p>" class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); writer.write(Scripts()); writer.write("</p></body></html>"); } protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } Here we need to analyze the control flow of the application, which means following the control flow into the Scripts() method. Doupé - 11/7/13
Approximate HTML Output "<html><body><p>" class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); writer.write(Scripts()); writer.write("</p></body></html>"); } protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } Doupé - 11/7/13
Approximate HTML Output "<html><body><p>" class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); writer.write(Scripts()); writer.write("</p></body></html>"); } protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } Here we encounter string concatenation, which our analysis is able to handle. Doupé - 11/7/13
Approximate HTML Output "<html><body><p>" class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); "<script>alert('" writer.write(Scripts()); writer.write("</p></body></html>"); } this.Year protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } "');</script>" Doupé - 11/7/13
Approximate HTML Output Now that we have constructed the approximation graph, we must determine what is being output by each node in the graph. Here we use data-flow analysis and points-to analysis. "<html><body><p>" class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); "<script>alert('" writer.write(Scripts()); writer.write("</p></body></html>"); } this.Year protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } "');</script>" Doupé - 11/7/13
Approximate HTML Output "<html><body><p>" class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); "<script>alert('" writer.write(Scripts()); writer.write("</p></body></html>"); } this.Year protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } "');</script>" Doupé - 11/7/13
Approximate HTML Output "<html><body><p>" <html><body><p> class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); "<script>alert('" writer.write(Scripts()); writer.write("</p></body></html>"); } this.Year protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } "');</script>" Doupé - 11/7/13
In this case, Approximate HTML Output Request.QueryString["name"] is statically undecidable because it comes from user input. In the approximation graph we represent this as a * which means the output at this node could be anything. "<html><body><p>" <html><body><p> class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); "<script>alert('" writer.write(Scripts()); writer.write("</p></body></html>"); } this.Year protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } "');</script>" Doupé - 11/7/13
Approximate HTML Output "<html><body><p>" <html><body><p> class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; * this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); "<script>alert('" writer.write(Scripts()); writer.write("</p></body></html>"); } this.Year protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } "');</script>" Doupé - 11/7/13
Approximate HTML Output "<html><body><p>" <html><body><p> class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; * this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); "<script>alert('" <script>alert(' writer.write(Scripts()); writer.write("</p></body></html>"); } this.Year protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } "');</script>" Doupé - 11/7/13
Approximate HTML Output "<html><body><p>" <html><body><p> class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; * this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); "<script>alert('" <script>alert(' writer.write(Scripts()); writer.write("</p></body></html>"); } this.Year 2013 protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } "');</script>" Doupé - 11/7/13
Approximate HTML Output "<html><body><p>" <html><body><p> class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; * this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); "<script>alert('" <script>alert(' writer.write(Scripts()); writer.write("</p></body></html>"); } this.Year 2013 protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } "');</script>" ');</script> Doupé - 11/7/13
<html><body><p> * <script>alert(' 2013 ');</script> </p></body></html> Doupé - 11/7/13
<html><body><p> * This approximation graph contains a static approximation of <script>alert(' the HTML content of the web page. Any path 2013 through this graph is one possible output of the ');</script> page. </p></body></html> Doupé - 11/7/13
In this example approximation graph from a real-world application, the branch in the graph comes from a conditional branch in the control-flow of the application. Doupé - 11/7/13
Statically undecidable content, represented here as a *, can come from two different areas: 1. Statically undecidable according to the static analysis. 2. To make our analysis conservative, we treat all loops as outputting a *, because we cannot statically determine how many times a loop will execute. Doupé - 11/7/13
Extract Inline JavaScript Doupé - 11/7/13
In the second step, we simply extract the inline JavaScript (aka the developer intended code) from the approximation graph. Doupé - 11/7/13
Rewrite Web Application <html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <%= this.Name %> </p> </body> </html> Doupé - 11/7/13 alert("welcome to example.com!");
Rewrite Web Application Data Content-Security-Policy: script-src http://example.com/0cc111eb135.js <html> <body> <script src="0cc111eb135.js"> </script> <p>Hello <%= this.Name %> </p> </body> </html> Doupé - 11/7/13 Code alert("welcome to example.com!");
Rewrite Web Application At this Data point, if the inline JavaScript code is static, we have <html> protected the application. No <body> Code <script src="0cc111eb135.js"> attacked data inalert("welcome to example.com!"); the Data </script> <p>Hello <%= this.Name %> </p>segment will ever be interpreted </body> as Code. </html> Content-Security-Policy: script-src http://example.com/0cc111eb135.js Doupé - 11/7/13
Rewrite Web Application Unfortunately, developers Data sometimes dynamically generate <html> the Code of an application. If this <body> Code <script src="0cc111eb135.js"> happens with untrusted Data, </script> alert("welcome to example.com!"); <p>Hello <%= this.Name %> there can still be a XSS </p> </body> vulnerability. </html> Content-Security-Policy: script-src http://example.com/0cc111eb135.js Doupé - 11/7/13
Dynamic Inline JavaScript <html> <script> var username = "<%= Username %>"; </script> </html> Doupé - 11/7/13
Dynamic Inline JavaScript Data <html> <script> var username = "<%= Username %>"; </script> </html> Code var username = "<%= Username %>"; Here, the developer has chosen to dynamically generate the Code from untrusted data. Doupé - 11/7/13
Dynamic Inline JavaScript Data <html> <script> var username = "<%= Username %>"; </script> </html> Code var username = "<%= Username %>"; var username = "*"; Doupé - 11/7/13
We developed a technique to safely Dynamic Inline JavaScript transform cases of dynamic inline Data JavaScript. If the statically undecidable <html> content is used in a known Code JavaScript <script> var username = "<%= Username %>"; var username = "<%= Username %>"; </script> context (JavaScript string or comment), </html> we can safely rewrite thevar username = "*"; application. We call these cases “safe dynamic inline JavaScript.” Doupé - 11/7/13
EVALUATION Doupé - 11/7/13
Applications Application Lines of Code Known Vulnerability BugTracker.NET BlogEngine.NET BlogSA.NET ScrewTurn Wiki WebGoat.NET ChronoZoom 35,674 29,512 6,994 12,155 11,993 21,261 CVE-2010-3266 CVE-2008-6476 CVE-2009-0814 CVE-2008-3483 2 Intentional N/A Doupé - 11/7/13
Evaluation • Security – Crafted exploits for applications with known vulnerabilities – Transformed applications, along with CSP, blocked the exploits • Functional correctness – ChronoZoom had 160 JavaScript tests and all passed after the transformation – Manually browsed the application and source code looking for missing inline JavaScript Doupé - 11/7/13
100% 90% 80% 70% 60% Unsafe Dynamic 50% Safe Dynamic Static 40% 30% 20% 10% 0% BugTracker.NET BlogEngine.NET BlogSA.NET ScrewTurn Wiki Doupé - 11/7/13 WebGoat.NET ChronoZoom
100% 90% 80% 70% 60% 50% Here we are going to look at what percentage of the inline JavaScript in each application is either: static, safe dynamic, or unsafe dynamic. Unsafe Dynamic Safe Dynamic 40% 30% 20% 10% Static 0% BugTracker.NET BlogEngine.NET BlogSA.NET ScrewTurn Wiki Doupé - 11/7/13 WebGoat.NET ChronoZoom
100% 90% 80% 70% 60% 6 50% 40% 41 10 5 20% 4 0% BugTracker.NET BlogEngine.NET BlogSA.NET ScrewTurn Wiki Doupé - 11/7/13 Safe Dynamic Static 27 30% 10% Unsafe Dynamic WebGoat.NET ChronoZoom
100% 90% 3 1 80% 4 70% 60% 50% 40% 41 10 6 10 5 20% 4 0% BugTracker.NET BlogEngine.NET BlogSA.NET ScrewTurn Wiki Doupé - 11/7/13 Safe Dynamic Static 27 30% 10% Unsafe Dynamic WebGoat.NET ChronoZoom
100% 90% 3 1 80% 4 70% 60% 50% 40% 41 10 6 10 27 5 Unsafe Dynamic Safe Dynamic Static 30% 20% 4 In these safe dynamic situations, we are able to safely 0% transform the dynamic inline JavaScript code. BugTracker.NET BlogEngine.NET BlogSA.NET ScrewTurn Wiki WebGoat.NET ChronoZoom 10% Doupé - 11/7/13
100% 90% 2 3 4 1 1 80% 4 4 70% 60% 50% 40% 41 10 6 10 5 20% 4 0% BugTracker.NET BlogEngine.NET BlogSA.NET ScrewTurn Wiki Doupé - 11/7/13 Safe Dynamic Static 27 30% 10% Unsafe Dynamic WebGoat.NET ChronoZoom
100% 90% 2 3 4 80% 1 1 4 4 70% 60% 50% 10 6 5 Unsafe Dynamic Safe Dynamic 41 In 10 40% cases of unsafe dynamic inline JavaScript, we alert the Static 27 developer that the transformation could potentially contain 30% an XSS vulnerability. After the developer confirms the 20% absence of an XSS vulnerability in the unsafe dynamic 4 10% inline JavaScript, then the application is guaranteed free of 0% BugTracker.NET BlogEngine.NET BlogSA.NET vulnerabilities. XSS ScrewTurn Wiki WebGoat.NET ChronoZoom Doupé - 11/7/13
Limitations • Might miss inline JavaScript – Loops – Dynamic code execution • Does not handle HTML attributes and CSS Doupé - 11/7/13
Summary • Code and Data separation necessary to prevent XSS • deDacota can automatically separate Code and Data of web application • deDacota works in practice Doupé - 11/7/13
Adam Doupé Email: Twitter: adoupe@cs.ucsb.edu @adamdoupe DEDACOTA: TOWARD PREVENTING SERVER-SIDE XSS VIA AUTOMATIC CODE AND DATA SEPARATION Doupé - 11/7/13

Recommended

Web-Performance
Web-PerformanceWeb-Performance
Web-PerformanceWalter Ebert
 
Turbogears Presentation
Turbogears PresentationTurbogears Presentation
Turbogears Presentationdidip
 
How do speed up web pages? CSS & HTML Tricks
How do speed up web pages? CSS & HTML TricksHow do speed up web pages? CSS & HTML Tricks
How do speed up web pages? CSS & HTML TricksCompare Infobase Limited
 
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009Aduci
 
Internet Explorer 8 for Developers by Christian Thilmany
Internet Explorer 8 for Developers by Christian ThilmanyInternet Explorer 8 for Developers by Christian Thilmany
Internet Explorer 8 for Developers by Christian ThilmanyChristian Thilmany
 
WordPress APIs
WordPress APIsWordPress APIs
WordPress APIsJoseph Scott
 
Flask patterns
Flask patternsFlask patterns
Flask patternsit-people
 
Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...
Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...
Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...Edureka!
 

Recommended

Web-Performance
Web-PerformanceWeb-Performance
Web-PerformanceWalter Ebert
 
Turbogears Presentation
Turbogears PresentationTurbogears Presentation
Turbogears Presentationdidip
 
How do speed up web pages? CSS & HTML Tricks
How do speed up web pages? CSS & HTML TricksHow do speed up web pages? CSS & HTML Tricks
How do speed up web pages? CSS & HTML TricksCompare Infobase Limited
 
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009Aduci
 
Internet Explorer 8 for Developers by Christian Thilmany
Internet Explorer 8 for Developers by Christian ThilmanyInternet Explorer 8 for Developers by Christian Thilmany
Internet Explorer 8 for Developers by Christian ThilmanyChristian Thilmany
 
WordPress APIs
WordPress APIsWordPress APIs
WordPress APIsJoseph Scott
 
Flask patterns
Flask patternsFlask patterns
Flask patternsit-people
 
Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...
Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...
Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...Edureka!
 
Flask – Python
Flask – PythonFlask – Python
Flask – PythonMax Claus Nunes
 
High Performance Ajax Applications
High Performance Ajax ApplicationsHigh Performance Ajax Applications
High Performance Ajax ApplicationsJulien Lecomte
 
Usability in the GeoWeb
Usability in the GeoWebUsability in the GeoWeb
Usability in the GeoWebDave Bouwman
 
Django Architecture Introduction
Django Architecture IntroductionDjango Architecture Introduction
Django Architecture IntroductionHaiqi Chen
 
Plone Interactivity
Plone InteractivityPlone Interactivity
Plone InteractivityEric Steele
 
LvivPy - Flask in details
LvivPy - Flask in detailsLvivPy - Flask in details
LvivPy - Flask in detailsMax Klymyshyn
 
Connecting to Web Services on Android
Connecting to Web Services on AndroidConnecting to Web Services on Android
Connecting to Web Services on Androidsullis
 
JSUG - Maven by Michael Greifeneder
JSUG - Maven by Michael GreifenederJSUG - Maven by Michael Greifeneder
JSUG - Maven by Michael GreifenederChristoph Pickl
 
T5 Oli Aro
T5 Oli AroT5 Oli Aro
T5 Oli AroJavier Toledo
 
Rest API using Flask & SqlAlchemy
Rest API using Flask & SqlAlchemyRest API using Flask & SqlAlchemy
Rest API using Flask & SqlAlchemyAlessandro Cucci
 
Building a JavaScript Library
Building a JavaScript LibraryBuilding a JavaScript Library
Building a JavaScript Libraryjeresig
 
Quick flask an intro to flask
Quick flask an intro to flaskQuick flask an intro to flask
Quick flask an intro to flaskjuzten
 
OSDC 2009 Rails Turtorial
OSDC 2009 Rails TurtorialOSDC 2009 Rails Turtorial
OSDC 2009 Rails TurtorialYi-Ting Cheng
 
How to make Ajax work for you
How to make Ajax work for youHow to make Ajax work for you
How to make Ajax work for youSimon Willison
 
GAEO
GAEOGAEO
GAEOguest1d183d
 
Pragmatics of Declarative Ajax
Pragmatics of Declarative AjaxPragmatics of Declarative Ajax
Pragmatics of Declarative Ajaxdavejohnson
 
Ajax to the Moon
Ajax to the MoonAjax to the Moon
Ajax to the Moondavejohnson
 
Ditching jQuery Madison
Ditching jQuery MadisonDitching jQuery Madison
Ditching jQuery MadisonHao Luo
 
Building a Dynamic Website Using Django
Building a Dynamic Website Using DjangoBuilding a Dynamic Website Using Django
Building a Dynamic Website Using DjangoNathan Eror
 
HTTP REQUEST RESPONSE OBJECT - WEB APPLICATION USING C# LAB
HTTP REQUEST RESPONSE OBJECT - WEB APPLICATION USING C# LABHTTP REQUEST RESPONSE OBJECT - WEB APPLICATION USING C# LAB
HTTP REQUEST RESPONSE OBJECT - WEB APPLICATION USING C# LABpriya Nithya
 
Profiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / WebgrindProfiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / WebgrindSam Keen
 
Testable client side_mvc_apps_in_javascript
Testable client side_mvc_apps_in_javascriptTestable client side_mvc_apps_in_javascript
Testable client side_mvc_apps_in_javascriptTimothy Oxley
 

More Related Content

What's hot

High Performance Ajax Applications
High Performance Ajax ApplicationsHigh Performance Ajax Applications
High Performance Ajax ApplicationsJulien Lecomte
 
Usability in the GeoWeb
Usability in the GeoWebUsability in the GeoWeb
Usability in the GeoWebDave Bouwman
 
Django Architecture Introduction
Django Architecture IntroductionDjango Architecture Introduction
Django Architecture IntroductionHaiqi Chen
 
Plone Interactivity
Plone InteractivityPlone Interactivity
Plone InteractivityEric Steele
 
LvivPy - Flask in details
LvivPy - Flask in detailsLvivPy - Flask in details
LvivPy - Flask in detailsMax Klymyshyn
 
Connecting to Web Services on Android
Connecting to Web Services on AndroidConnecting to Web Services on Android
Connecting to Web Services on Androidsullis
 
JSUG - Maven by Michael Greifeneder
JSUG - Maven by Michael GreifenederJSUG - Maven by Michael Greifeneder
JSUG - Maven by Michael GreifenederChristoph Pickl
 
Rest API using Flask & SqlAlchemy
Rest API using Flask & SqlAlchemyRest API using Flask & SqlAlchemy
Rest API using Flask & SqlAlchemyAlessandro Cucci
 
Building a JavaScript Library
Building a JavaScript LibraryBuilding a JavaScript Library
Building a JavaScript Libraryjeresig
 
Quick flask an intro to flask
Quick flask an intro to flaskQuick flask an intro to flask
Quick flask an intro to flaskjuzten
 
OSDC 2009 Rails Turtorial
OSDC 2009 Rails TurtorialOSDC 2009 Rails Turtorial
OSDC 2009 Rails TurtorialYi-Ting Cheng
 
How to make Ajax work for you
How to make Ajax work for youHow to make Ajax work for you
How to make Ajax work for youSimon Willison
 
Pragmatics of Declarative Ajax
Pragmatics of Declarative AjaxPragmatics of Declarative Ajax
Pragmatics of Declarative Ajaxdavejohnson
 
Ajax to the Moon
Ajax to the MoonAjax to the Moon
Ajax to the Moondavejohnson
 
Ditching jQuery Madison
Ditching jQuery MadisonDitching jQuery Madison
Ditching jQuery MadisonHao Luo
 
Building a Dynamic Website Using Django
Building a Dynamic Website Using DjangoBuilding a Dynamic Website Using Django
Building a Dynamic Website Using DjangoNathan Eror
 
HTTP REQUEST RESPONSE OBJECT - WEB APPLICATION USING C# LAB
HTTP REQUEST RESPONSE OBJECT - WEB APPLICATION USING C# LABHTTP REQUEST RESPONSE OBJECT - WEB APPLICATION USING C# LAB
HTTP REQUEST RESPONSE OBJECT - WEB APPLICATION USING C# LABpriya Nithya
 

What's hot (20)

Flask – Python
Flask – PythonFlask – Python
Flask – Python
 
High Performance Ajax Applications
High Performance Ajax ApplicationsHigh Performance Ajax Applications
High Performance Ajax Applications
 
Usability in the GeoWeb
Usability in the GeoWebUsability in the GeoWeb
Usability in the GeoWeb
 
Django Architecture Introduction
Django Architecture IntroductionDjango Architecture Introduction
Django Architecture Introduction
 
Plone Interactivity
Plone InteractivityPlone Interactivity
Plone Interactivity
 
LvivPy - Flask in details
LvivPy - Flask in detailsLvivPy - Flask in details
LvivPy - Flask in details
 
Connecting to Web Services on Android
Connecting to Web Services on AndroidConnecting to Web Services on Android
Connecting to Web Services on Android
 
JSUG - Maven by Michael Greifeneder
JSUG - Maven by Michael GreifenederJSUG - Maven by Michael Greifeneder
JSUG - Maven by Michael Greifeneder
 
T5 Oli Aro
T5 Oli AroT5 Oli Aro
T5 Oli Aro
 
Rest API using Flask & SqlAlchemy
Rest API using Flask & SqlAlchemyRest API using Flask & SqlAlchemy
Rest API using Flask & SqlAlchemy
 
Building a JavaScript Library
Building a JavaScript LibraryBuilding a JavaScript Library
Building a JavaScript Library
 
Quick flask an intro to flask
Quick flask an intro to flaskQuick flask an intro to flask
Quick flask an intro to flask
 
OSDC 2009 Rails Turtorial
OSDC 2009 Rails TurtorialOSDC 2009 Rails Turtorial
OSDC 2009 Rails Turtorial
 
How to make Ajax work for you
How to make Ajax work for youHow to make Ajax work for you
How to make Ajax work for you
 
GAEO
GAEOGAEO
GAEO
 
Pragmatics of Declarative Ajax
Pragmatics of Declarative AjaxPragmatics of Declarative Ajax
Pragmatics of Declarative Ajax
 
Ajax to the Moon
Ajax to the MoonAjax to the Moon
Ajax to the Moon
 
Ditching jQuery Madison
Ditching jQuery MadisonDitching jQuery Madison
Ditching jQuery Madison
 
Building a Dynamic Website Using Django
Building a Dynamic Website Using DjangoBuilding a Dynamic Website Using Django
Building a Dynamic Website Using Django
 
HTTP REQUEST RESPONSE OBJECT - WEB APPLICATION USING C# LAB
HTTP REQUEST RESPONSE OBJECT - WEB APPLICATION USING C# LABHTTP REQUEST RESPONSE OBJECT - WEB APPLICATION USING C# LAB
HTTP REQUEST RESPONSE OBJECT - WEB APPLICATION USING C# LAB
 

Similar to deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation

Profiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / WebgrindProfiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / WebgrindSam Keen
 
Testable client side_mvc_apps_in_javascript
Testable client side_mvc_apps_in_javascriptTestable client side_mvc_apps_in_javascript
Testable client side_mvc_apps_in_javascriptTimothy Oxley
 
All you need to know about JavaScript loading and execution in the browser - ...
All you need to know about JavaScript loading and execution in the browser - ...All you need to know about JavaScript loading and execution in the browser - ...
All you need to know about JavaScript loading and execution in the browser - ...Caelum
 
A I R Presentation Dev Camp Feb 08
A I R Presentation Dev Camp Feb 08A I R Presentation Dev Camp Feb 08
A I R Presentation Dev Camp Feb 08Abdul Qabiz
 
Desenvolvimento web com Ruby on Rails (parte 2)
Desenvolvimento web com Ruby on Rails (parte 2)Desenvolvimento web com Ruby on Rails (parte 2)
Desenvolvimento web com Ruby on Rails (parte 2)Joao Lucas Santana
 
Google App Engine with Gaelyk
Google App Engine with GaelykGoogle App Engine with Gaelyk
Google App Engine with GaelykChoong Ping Teo
 
Spca2014 hillier 3rd party_javascript_libraries
Spca2014 hillier 3rd party_javascript_librariesSpca2014 hillier 3rd party_javascript_libraries
Spca2014 hillier 3rd party_javascript_librariesNCCOMMS
 
The A to Z of developing for the web
The A to Z of developing for the webThe A to Z of developing for the web
The A to Z of developing for the webMatt Wood
 
Use Web Skills To Build Mobile Apps
Use Web Skills To Build Mobile AppsUse Web Skills To Build Mobile Apps
Use Web Skills To Build Mobile AppsNathan Smith
 
Progressive Web Apps. What, why and how
Progressive Web Apps. What, why and howProgressive Web Apps. What, why and how
Progressive Web Apps. What, why and howRiza Fahmi
 
"Progressive Web Apps" by Riza Fahmi (Hacktiv8)
"Progressive Web Apps" by Riza Fahmi (Hacktiv8)"Progressive Web Apps" by Riza Fahmi (Hacktiv8)
"Progressive Web Apps" by Riza Fahmi (Hacktiv8)Tech in Asia ID
 
Dave Orchard - Offline Web Apps with HTML5
Dave Orchard - Offline Web Apps with HTML5Dave Orchard - Offline Web Apps with HTML5
Dave Orchard - Offline Web Apps with HTML5Web Directions
 
Implementation of GUI Framework part3
Implementation of GUI Framework part3Implementation of GUI Framework part3
Implementation of GUI Framework part3masahiroookubo
 
Web applications with Catalyst
Web applications with CatalystWeb applications with Catalyst
Web applications with Catalystsvilen.ivanov
 
Adriano Di Luzio - Davvy - PyconSEI Talk
Adriano Di Luzio - Davvy - PyconSEI TalkAdriano Di Luzio - Davvy - PyconSEI Talk
Adriano Di Luzio - Davvy - PyconSEI Talkaldur999
 
[convergese] Adaptive Images in Responsive Web Design
[convergese] Adaptive Images in Responsive Web Design[convergese] Adaptive Images in Responsive Web Design
[convergese] Adaptive Images in Responsive Web DesignChristopher Schmitt
 

Similar to deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation (20)

Profiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / WebgrindProfiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / Webgrind
 
Testable client side_mvc_apps_in_javascript
Testable client side_mvc_apps_in_javascriptTestable client side_mvc_apps_in_javascript
Testable client side_mvc_apps_in_javascript
 
Java script
Java scriptJava script
Java script
 
Svelte JS introduction
Svelte JS introductionSvelte JS introduction
Svelte JS introduction
 
All you need to know about JavaScript loading and execution in the browser - ...
All you need to know about JavaScript loading and execution in the browser - ...All you need to know about JavaScript loading and execution in the browser - ...
All you need to know about JavaScript loading and execution in the browser - ...
 
A I R Presentation Dev Camp Feb 08
A I R Presentation Dev Camp Feb 08A I R Presentation Dev Camp Feb 08
A I R Presentation Dev Camp Feb 08
 
Desenvolvimento web com Ruby on Rails (parte 2)
Desenvolvimento web com Ruby on Rails (parte 2)Desenvolvimento web com Ruby on Rails (parte 2)
Desenvolvimento web com Ruby on Rails (parte 2)
 
Google App Engine with Gaelyk
Google App Engine with GaelykGoogle App Engine with Gaelyk
Google App Engine with Gaelyk
 
Spca2014 hillier 3rd party_javascript_libraries
Spca2014 hillier 3rd party_javascript_librariesSpca2014 hillier 3rd party_javascript_libraries
Spca2014 hillier 3rd party_javascript_libraries
 
The A to Z of developing for the web
The A to Z of developing for the webThe A to Z of developing for the web
The A to Z of developing for the web
 
Use Web Skills To Build Mobile Apps
Use Web Skills To Build Mobile AppsUse Web Skills To Build Mobile Apps
Use Web Skills To Build Mobile Apps
 
Mojolicious
MojoliciousMojolicious
Mojolicious
 
Progressive Web Apps. What, why and how
Progressive Web Apps. What, why and howProgressive Web Apps. What, why and how
Progressive Web Apps. What, why and how
 
"Progressive Web Apps" by Riza Fahmi (Hacktiv8)
"Progressive Web Apps" by Riza Fahmi (Hacktiv8)"Progressive Web Apps" by Riza Fahmi (Hacktiv8)
"Progressive Web Apps" by Riza Fahmi (Hacktiv8)
 
Dave Orchard - Offline Web Apps with HTML5
Dave Orchard - Offline Web Apps with HTML5Dave Orchard - Offline Web Apps with HTML5
Dave Orchard - Offline Web Apps with HTML5
 
Implementation of GUI Framework part3
Implementation of GUI Framework part3Implementation of GUI Framework part3
Implementation of GUI Framework part3
 
Nodejs.meetup
Nodejs.meetupNodejs.meetup
Nodejs.meetup
 
Web applications with Catalyst
Web applications with CatalystWeb applications with Catalyst
Web applications with Catalyst
 
Adriano Di Luzio - Davvy - PyconSEI Talk
Adriano Di Luzio - Davvy - PyconSEI TalkAdriano Di Luzio - Davvy - PyconSEI Talk
Adriano Di Luzio - Davvy - PyconSEI Talk
 
[convergese] Adaptive Images in Responsive Web Design
[convergese] Adaptive Images in Responsive Web Design[convergese] Adaptive Images in Responsive Web Design
[convergese] Adaptive Images in Responsive Web Design
 

Recently uploaded

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 

Recently uploaded (20)

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 

deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation

  • 1. deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation Adam Doupé, Weidong Cui€, Mariusz H. Jakubowski€, Marcus Peinado€, Christopher Kruegel, and Giovanni Vigna University of California, Santa Barbara €Microsoft Research CCS 2013 – 11/7/13
  • 2. XSS Vulnerabilities Still Exist Today Doupé - 11/7/13
  • 4. Courtesy of Ashar Javed Doupé - 11/7/13
  • 5. Test.aspx <html> <body> <p>Hello <%= this.Name %></p> </body> </html> Doupé - 11/7/13
  • 6. http://example.com/Test.aspx?name=adam <html> <body> <p>Hello <%= this.Name %></p> </body> </html> Doupé - 11/7/13 Ask Test.dll for output
  • 14. XSS – Impact • Steal cookies • Perform actions as user • Exploit user’s browser • Fake login form Doupé - 11/7/13
  • 15. Fixing XSS – Sanitization <html> <body> <p>Hello <%= HtmlEncode(this.Name) %> </p> </body> </html> Doupé - 11/7/13
  • 16. Fixing XSS – Sanitization <html> <script>alert("xss");</script> <body> <p>Hello <%= HtmlEncode(this.Name) %> </p> </body> &lt;script&gt;alert("xss"); </html> &lt;/script&gt; Doupé - 11/7/13
  • 17. XSS as Input Validation Doupé - 11/7/13
  • 18. XSS as Input Validation Problem Find All Paths Many Different Contexts Research WWW 2004, USENIX 2005, Oakland 2006 CCS 2011, CCS 2011 Is Sanitization Correct? Oakland 2008, USENIX 2011 Parsing Quirks Oakland 2009 Doupé - 11/7/13
  • 19. XSS as Input Validation Problem Find All Paths Different Context Is Sanitization Correct? Parsing Quirks Research WWW 2004, USENIX 2005, Oakland 2006 CCS 2011, CCS 2011 Oakland 2008, USENIX 2011 Oakland 2009 Doupé - 11/7/13
  • 20. XSS as Input Validation Problem Find All Paths Different Context Is Sanitization Correct? Parsing Quirks Research WWW 2004, USENIX 2005, Oakland 2006 CCS 2011, CCS 2011 Oakland 2008, USENIX 2011 Oakland 2009 Doupé - 11/7/13
  • 21. XSS as Input Validation Problem Find All Paths Different Context Is Sanitization Correct? Parsing Quirks Research WWW 2004, USENIX 2005, Oakland 2006 CCS 2011, CCS 2011 Oakland 2008, USENIX 2011 Oakland 2009, CCS 2013 Doupé - 11/7/13
  • 22. XSS as Input Validation Problem Find All Paths Research WWW 2004, USENIX 2005, Oakland 2006 CCS 2011, CCS 2011 We want to fundamentally Different Context solve XSS vulnerabilities Is Sanitization Correct? Oakland 2008, USENIX 2011 Parsing Quirks Oakland 2009, CCS 2013 Doupé - 11/7/13
  • 23. Another Example <html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <%= this.Name %></p> </body> </html> Doupé - 11/7/13
  • 24. Another Example Developer indented for this code to be executed on the browser <html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <%= this.Name %></p> </body> </html> Doupé - 11/7/13
  • 25. Another Example http://example.com/Test.aspx?name=<script>alert("xss");</script> <html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <%= this.Name %> </p> </body> </html> Doupé - 11/7/13
  • 26. Another Example http://example.com/Test.aspx?name=<script>alert("xss");</script> <html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <script>alert("xss");</script> </p> </body> </html> Doupé - 11/7/13
  • 27. The Fundamental Problem Developer indented for this code to be executed on the http://example.com/Test.aspx?name=<script>alert("xss");</script> browser <html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <script>alert("xss");</script> </p> </body> Developer did not intend for this code to be executed on </html> the browser Doupé - 11/7/13
  • 28. The Fundamental Problem Developer indented for this code to be executed on the http://example.com/Test.aspx?name=<script>alert("xss");</script> browser <html> <body> The <script> browser can’t tell the alert("welcome to example.com!"); difference! </script> <p>Hello <script>alert("xss");</script> </p> </body> Developer did not intend for this code to be executed on </html> the browser Doupé - 11/7/13
  • 29. The Fundamental Solution Data <html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <%= this.Name %> </p> </body> </html> Doupé - 11/7/13 Code alert("welcome to example.com!");
  • 30. The Fundamental Solution Data To fundamentally solve XSS <html> <body> vulnerabilities, we must apply the Code <script> alert("welcome to example.com!"); alert("welcome to example.com!"); basic security principles of Code </script> <p>Hello <%= this.Name %> and Data separation! </p> </body> </html> Doupé - 11/7/13
  • 31. Content Security Policy (CSP) • Mechanism for the website to communicate a policy to the browser about what JavaScript to execute • The browser then enforces this policy • Supported by many modern browsers (68% of users use one of these browsers – – – – – – – Firefox Chrome IE (10) Safari Opera iOS Android Doupé - 11/7/13
  • 32. Content Security Policy Data Content-Security-Policy: script-src http://example.com/0cc111eb135.js <html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <%= this.Name %> </p> </body> </html> Doupé - 11/7/13 Code alert("welcome to example.com!");
  • 33. Content Security Policy Data Content-Security-Policy: script-src http://example.com/0cc111eb135.js <html> <body> <script src="0cc111eb135.js"> </script> <p>Hello <%= this.Name %> </p> </body> </html> Doupé - 11/7/13 Code alert("welcome to example.com!");
  • 34. Code and Data Separation • Code and Data separation from start – No legacy applications • Manually rewrite application – Difficult and error-prone (HotSec 2011) deDacota: Automatically separate code and data of a web application Doupé - 11/7/13
  • 35. Threat Model • Benign web application – The developer has not obfuscated the web application • Server-side XSS – Our approach will only address traditional XSS, in other words, XSS where the resulting bug is in the server-side code • Inline JavaScript – For the deDacota prototype, we focused only on inline JavaScript – We ignore JavaScript in HTML attributes and CSS Doupé - 11/7/13
  • 37. deDacota Process Approximate HTML Output Extract Inline JavaScript Doupé - 11/7/13 Rewrite Web Application
  • 38. deDacota Process The goal is to rewrite the web application so that it is Approximate Extract Inline Rewrite Web semantically equivalent yet HTML Output JavaScript Application separates the code and data. Doupé - 11/7/13
  • 39. Approximate HTML Output <%@ Page Language="C#" CodeBehind="CodeBehind.cs" Inherits="Test" %> <html> <body> <p>Hello <%= this.Name %></p> <%= Scripts() %> </body> </html> Doupé - 11/7/13
  • 40. Approximate HTML Output class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); writer.write(Scripts()); writer.write("</p></body></html>"); } protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } Doupé - 11/7/13
  • 41. Approximate HTML Output class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); writer.write(Scripts()); writer.write("</p></body></html>"); } protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } The goal here is to create a graph that approximates the HTML content of the web page. We use static analysis techniques to construct the graph. Doupé - 11/7/13
  • 42. Approximate HTML Output "<html><body><p>" class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); writer.write(Scripts()); writer.write("</p></body></html>"); } protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } Doupé - 11/7/13
  • 43. Approximate HTML Output "<html><body><p>" class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); writer.write(Scripts()); writer.write("</p></body></html>"); } protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } Doupé - 11/7/13
  • 44. Approximate HTML Output "<html><body><p>" class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); writer.write(Scripts()); writer.write("</p></body></html>"); } protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } Doupé - 11/7/13
  • 45. Approximate HTML Output "<html><body><p>" class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); writer.write(Scripts()); writer.write("</p></body></html>"); } protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } Here we need to analyze the control flow of the application, which means following the control flow into the Scripts() method. Doupé - 11/7/13
  • 46. Approximate HTML Output "<html><body><p>" class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); writer.write(Scripts()); writer.write("</p></body></html>"); } protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } Doupé - 11/7/13
  • 47. Approximate HTML Output "<html><body><p>" class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); writer.write(Scripts()); writer.write("</p></body></html>"); } protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } Here we encounter string concatenation, which our analysis is able to handle. Doupé - 11/7/13
  • 48. Approximate HTML Output "<html><body><p>" class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); "<script>alert('" writer.write(Scripts()); writer.write("</p></body></html>"); } this.Year protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } "');</script>" Doupé - 11/7/13
  • 49. Approximate HTML Output Now that we have constructed the approximation graph, we must determine what is being output by each node in the graph. Here we use data-flow analysis and points-to analysis. "<html><body><p>" class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); "<script>alert('" writer.write(Scripts()); writer.write("</p></body></html>"); } this.Year protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } "');</script>" Doupé - 11/7/13
  • 50. Approximate HTML Output "<html><body><p>" class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); "<script>alert('" writer.write(Scripts()); writer.write("</p></body></html>"); } this.Year protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } "');</script>" Doupé - 11/7/13
  • 51. Approximate HTML Output "<html><body><p>" <html><body><p> class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); "<script>alert('" writer.write(Scripts()); writer.write("</p></body></html>"); } this.Year protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } "');</script>" Doupé - 11/7/13
  • 52. In this case, Approximate HTML Output Request.QueryString["name"] is statically undecidable because it comes from user input. In the approximation graph we represent this as a * which means the output at this node could be anything. "<html><body><p>" <html><body><p> class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); "<script>alert('" writer.write(Scripts()); writer.write("</p></body></html>"); } this.Year protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } "');</script>" Doupé - 11/7/13
  • 53. Approximate HTML Output "<html><body><p>" <html><body><p> class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; * this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); "<script>alert('" writer.write(Scripts()); writer.write("</p></body></html>"); } this.Year protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } "');</script>" Doupé - 11/7/13
  • 54. Approximate HTML Output "<html><body><p>" <html><body><p> class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; * this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); "<script>alert('" <script>alert(' writer.write(Scripts()); writer.write("</p></body></html>"); } this.Year protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } "');</script>" Doupé - 11/7/13
  • 55. Approximate HTML Output "<html><body><p>" <html><body><p> class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; * this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); "<script>alert('" <script>alert(' writer.write(Scripts()); writer.write("</p></body></html>"); } this.Year 2013 protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } "');</script>" Doupé - 11/7/13
  • 56. Approximate HTML Output "<html><body><p>" <html><body><p> class test_aspx : System.Web.UI.Page { public test_aspx () { this.Name = Request.QueryString["name"]; this.Year = "2013"; * this.Name } protected void Render(HtmlTextWriter writer) { writer.write("<html><body><p>"); writer.write(this.Name); "<script>alert('" <script>alert(' writer.write(Scripts()); writer.write("</p></body></html>"); } this.Year 2013 protected string Scripts() { return "<script>alert('" + this.Year + "');</script>"; } } "');</script>" ');</script> Doupé - 11/7/13
  • 58. <html><body><p> * This approximation graph contains a static approximation of <script>alert(' the HTML content of the web page. Any path 2013 through this graph is one possible output of the ');</script> page. </p></body></html> Doupé - 11/7/13
  • 59. In this example approximation graph from a real-world application, the branch in the graph comes from a conditional branch in the control-flow of the application. Doupé - 11/7/13
  • 60. Statically undecidable content, represented here as a *, can come from two different areas: 1. Statically undecidable according to the static analysis. 2. To make our analysis conservative, we treat all loops as outputting a *, because we cannot statically determine how many times a loop will execute. Doupé - 11/7/13
  • 62. In the second step, we simply extract the inline JavaScript (aka the developer intended code) from the approximation graph. Doupé - 11/7/13
  • 63. Rewrite Web Application <html> <body> <script> alert("welcome to example.com!"); </script> <p>Hello <%= this.Name %> </p> </body> </html> Doupé - 11/7/13 alert("welcome to example.com!");
  • 64. Rewrite Web Application Data Content-Security-Policy: script-src http://example.com/0cc111eb135.js <html> <body> <script src="0cc111eb135.js"> </script> <p>Hello <%= this.Name %> </p> </body> </html> Doupé - 11/7/13 Code alert("welcome to example.com!");
  • 65. Rewrite Web Application At this Data point, if the inline JavaScript code is static, we have <html> protected the application. No <body> Code <script src="0cc111eb135.js"> attacked data inalert("welcome to example.com!"); the Data </script> <p>Hello <%= this.Name %> </p>segment will ever be interpreted </body> as Code. </html> Content-Security-Policy: script-src http://example.com/0cc111eb135.js Doupé - 11/7/13
  • 66. Rewrite Web Application Unfortunately, developers Data sometimes dynamically generate <html> the Code of an application. If this <body> Code <script src="0cc111eb135.js"> happens with untrusted Data, </script> alert("welcome to example.com!"); <p>Hello <%= this.Name %> there can still be a XSS </p> </body> vulnerability. </html> Content-Security-Policy: script-src http://example.com/0cc111eb135.js Doupé - 11/7/13
  • 67. Dynamic Inline JavaScript <html> <script> var username = "<%= Username %>"; </script> </html> Doupé - 11/7/13
  • 68. Dynamic Inline JavaScript Data <html> <script> var username = "<%= Username %>"; </script> </html> Code var username = "<%= Username %>"; Here, the developer has chosen to dynamically generate the Code from untrusted data. Doupé - 11/7/13
  • 69. Dynamic Inline JavaScript Data <html> <script> var username = "<%= Username %>"; </script> </html> Code var username = "<%= Username %>"; var username = "*"; Doupé - 11/7/13
  • 70. We developed a technique to safely Dynamic Inline JavaScript transform cases of dynamic inline Data JavaScript. If the statically undecidable <html> content is used in a known Code JavaScript <script> var username = "<%= Username %>"; var username = "<%= Username %>"; </script> context (JavaScript string or comment), </html> we can safely rewrite thevar username = "*"; application. We call these cases “safe dynamic inline JavaScript.” Doupé - 11/7/13
  • 72. Applications Application Lines of Code Known Vulnerability BugTracker.NET BlogEngine.NET BlogSA.NET ScrewTurn Wiki WebGoat.NET ChronoZoom 35,674 29,512 6,994 12,155 11,993 21,261 CVE-2010-3266 CVE-2008-6476 CVE-2009-0814 CVE-2008-3483 2 Intentional N/A Doupé - 11/7/13
  • 73. Evaluation • Security – Crafted exploits for applications with known vulnerabilities – Transformed applications, along with CSP, blocked the exploits • Functional correctness – ChronoZoom had 160 JavaScript tests and all passed after the transformation – Manually browsed the application and source code looking for missing inline JavaScript Doupé - 11/7/13
  • 74. 100% 90% 80% 70% 60% Unsafe Dynamic 50% Safe Dynamic Static 40% 30% 20% 10% 0% BugTracker.NET BlogEngine.NET BlogSA.NET ScrewTurn Wiki Doupé - 11/7/13 WebGoat.NET ChronoZoom
  • 75. 100% 90% 80% 70% 60% 50% Here we are going to look at what percentage of the inline JavaScript in each application is either: static, safe dynamic, or unsafe dynamic. Unsafe Dynamic Safe Dynamic 40% 30% 20% 10% Static 0% BugTracker.NET BlogEngine.NET BlogSA.NET ScrewTurn Wiki Doupé - 11/7/13 WebGoat.NET ChronoZoom
  • 76. 100% 90% 80% 70% 60% 6 50% 40% 41 10 5 20% 4 0% BugTracker.NET BlogEngine.NET BlogSA.NET ScrewTurn Wiki Doupé - 11/7/13 Safe Dynamic Static 27 30% 10% Unsafe Dynamic WebGoat.NET ChronoZoom
  • 77. 100% 90% 3 1 80% 4 70% 60% 50% 40% 41 10 6 10 5 20% 4 0% BugTracker.NET BlogEngine.NET BlogSA.NET ScrewTurn Wiki Doupé - 11/7/13 Safe Dynamic Static 27 30% 10% Unsafe Dynamic WebGoat.NET ChronoZoom
  • 78. 100% 90% 3 1 80% 4 70% 60% 50% 40% 41 10 6 10 27 5 Unsafe Dynamic Safe Dynamic Static 30% 20% 4 In these safe dynamic situations, we are able to safely 0% transform the dynamic inline JavaScript code. BugTracker.NET BlogEngine.NET BlogSA.NET ScrewTurn Wiki WebGoat.NET ChronoZoom 10% Doupé - 11/7/13
  • 80. 100% 90% 2 3 4 80% 1 1 4 4 70% 60% 50% 10 6 5 Unsafe Dynamic Safe Dynamic 41 In 10 40% cases of unsafe dynamic inline JavaScript, we alert the Static 27 developer that the transformation could potentially contain 30% an XSS vulnerability. After the developer confirms the 20% absence of an XSS vulnerability in the unsafe dynamic 4 10% inline JavaScript, then the application is guaranteed free of 0% BugTracker.NET BlogEngine.NET BlogSA.NET vulnerabilities. XSS ScrewTurn Wiki WebGoat.NET ChronoZoom Doupé - 11/7/13
  • 81. Limitations • Might miss inline JavaScript – Loops – Dynamic code execution • Does not handle HTML attributes and CSS Doupé - 11/7/13
  • 82. Summary • Code and Data separation necessary to prevent XSS • deDacota can automatically separate Code and Data of web application • deDacota works in practice Doupé - 11/7/13
  • 83. Adam Doupé Email: Twitter: adoupe@cs.ucsb.edu @adamdoupe DEDACOTA: TOWARD PREVENTING SERVER-SIDE XSS VIA AUTOMATIC CODE AND DATA SEPARATION Doupé - 11/7/13

Editor's Notes

  1. ----- Meeting Notes (11/7/13 11:22) -----3
  2. We want to fundamentally solve XSS vulnerabilities.
  3. We want to fundamentally solve XSS vulnerabilities.
  4. ----- Meeting Notes (11/7/13 11:22) -----8:30
  5. ----- Meeting Notes (11/7/13 11:22) -----8:30
  6. Server-side: Traditional XSS attacks. Result of server-side code.
  7. ----- Meeting Notes (11/7/13 11:22) -----12
  8. Branches.Loops.
  9. Branches.Loops.
  10. Just say we extract all the possible inline JavaScript from the approximation graph.
  11. We solved the problem!Hurray!Then talk about dynamic JS.
  12. The developer is choosing to break the code/data separation model.This is fundamentally a bad thing.However, we developed a technique to handle some of these cases.
  13. The developer is choosing to break the code/data separation model.This is fundamentally a bad thing.However, we developed a technique to handle some of these cases.
  14. The developer is choosing to break the code/data separation model.This is fundamentally a bad thing.However, we developed a technique to handle some of these cases.
  15. Missing inline JavaScript - dynamic code - loops