Efficient Context-sensitive Output Escaping for Javascript Template Engines
1. Efficient Context-aware Output Escaping for JavaScript Template Engines
PRESENTED BY Nera Liu, Adonis Fung, and Albert Yu
Paranoids Labs, Yahoo!
SEPT 24, 2015

2. Problem Statement
How to defend against XSS in JavaScript template engines using contextual analysis?
Outline: Background, Related Work & Implementation > Design > Evaluation > Conclusion
3. Background, Related Work & Implementation
4. What is Cross Site Scripting (XSS)?
Given no proper output filtering, the page echoes the name parameter straight into its HTML:
Hello
A typical attack vector comes in through the XXX part of the query string at victim.com/?name=XXX: a payload that starts with "'> to close the surrounding attribute and tag, followed by attacker-controlled markup. The HTML of victim.com ends up being:
Hello "'>
5. Cross-Site Scripting (XSS) & OWASP Top 10
■ Ranked No. 3 / OWASP Top 10 WebApp Security Risks (2013)
■ Root Cause
● Untrusted inputs executed as scripts under a victim's origin/domain.
■ Consequences
● Cookie stealing, user privacy leaking.
● Full control of the web content / defacing.
Screen-captured from https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
6. How to defend against XSS? - Filtering at the Front Gate
Image from Rob, On guard, 2007, flickr.com, License: Creative Commons

7. How to defend against XSS? - Systems are getting more complicated
It is the internal data flow of your web application…
● with databases
● with APIs
● with browsers
● …
all interconnecting with each other. How would you design filtering rules for both APIs and databases?
Image from 呉 松本, Pipes! Pipes! Pipes!, 2009, flickr.com, License: Creative Commons
8. Input Filtering - Limitations
Fundamental Limitations
- NO universal filtering rule that is flexible yet secure, e.g., filtering for ≠
- Impossible to settle at the front gate on
  - how data will be further mangled downstream,
  - and predict how it will be output in the resultant HTML
- As a result, subject to XSS attacks and over-filtering issues

9. How to defend against XSS? - Output Filtering in Template Engines
The industry is shifting from input filtering to output filtering.
■ Template Engines
● Handlebars, DustJS
- Escape & < > " ' ` into &amp; &lt; &gt; &quot; &#x27; &#x60;
- {{untrustedData}} is escaped by default.
Image from Tom Page, CRW_1978, 2008, flickr.com, License: Creative Commons
10. Are your web applications safe now?
Not Yet!!!
Image from john, Secure, 2009, flickr.com, License: Creative Commons

11. Most Template Engines are still vulnerable! - Blind escaping
Blindly escaping (&<>"'`) would not stop XSS. A template is typically written like so, with the href attribute bound to an untrusted value:
<a href={{url}}>{{data}}</a>
- {{url}} is an untrusted user input (assumed hereafter)
- {{url}} is javascript:alert(1), or
- {{url}} is # onclick=alert(1)
Neither payload contains a character from the escape set, so the escaper leaves them untouched: the first yields a javascript: URL, the second breaks out of the unquoted attribute and adds an event handler.
→ Solution: Context-Aware Output Escaping (aka. contextual escaping)
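The following is an added example, not code from the slides or from any of the template engines or libraries they name. It reproduces the blind `&<>"'\`` escaper that Handlebars and Dust.js apply to `{{x}}`, shows that it neutralises the `"'>` break-out from slide 4 but not the two `{{url}}` payloads above, and then renders the same `<a href={{url}}>{{data}}</a>` template with a context-aware escaper for the href position. The function names (`escapeHtml`, `isSafeUrl`, `escapeUrlAttr`, `renderAnchorBlind`, `renderAnchorContextual`), the scheme allowlist (http, https, mailto) and the choice of `#` as the neutral replacement for a rejected URL are this example's own assumptions.

```javascript
// Added example: blind HTML-entity escaping versus context-aware escaping
// for the template  <a href={{url}}>{{data}}</a>.  Nothing here is the API
// of Handlebars, Dust.js or any other engine; names are illustrative.

// 1. The blind escaper: the &<>"'` map a non-contextual engine applies to
//    every {{...}} regardless of where in the HTML it lands.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => HTML_ESCAPES[c]);
}

// 2. A URL-attribute escaper for the href context. Assumptions: only
//    scheme-less (relative) URLs and the http/https/mailto schemes are
//    allowed; anything else is replaced by the neutral value "#".
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function isSafeUrl(url) {
  // Browsers drop ASCII control characters and whitespace while parsing a
  // scheme, so "java\tscript:" must be judged as "javascript:".
  const cleaned = String(url).replace(/[\x00-\x20\x7f]/g, '');
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(cleaned);
  if (!m) return true;                       // relative URL, no scheme
  return ALLOWED_SCHEMES.includes(m[1].toLowerCase());
}

function escapeUrlAttr(url) {
  const s = String(url);
  if (!isSafeUrl(s)) return '#';             // assumed neutral replacement
  // encodeURI percent-encodes whitespace, quotes, <, > and backtick (so a
  // space can no longer start a new attribute) but keeps URL delimiters;
  // it also re-encodes a literal "%", which is the conservative choice for
  // untrusted input. The remaining & and ' are then entity-encoded for the
  // attribute value.
  return escapeHtml(encodeURI(s));
}

// 3. Rendering as a blind engine does: one escaper for every position and
//    the attribute emitted exactly as the author wrote it (unquoted).
function renderAnchorBlind(url, data) {
  return `<a href=${escapeHtml(url)}>${escapeHtml(data)}</a>`;
}

// 4. Rendering with context awareness: href gets the URL-attribute escaper
//    and is always quoted; the text node gets the HTML escaper.
function renderAnchorContextual(url, data) {
  return `<a href="${escapeUrlAttr(url)}">${escapeHtml(data)}</a>`;
}

// Constructed sample inputs: the slide-4 break-out and the two slide-11
// payloads, followed by a benign URL to show nothing legitimate is lost.
const SAMPLES = [
  '"\'><script>alert(1)</script>',
  'javascript:alert(1)',
  '# onclick=alert(1)',
  'https://example.com/?a=1&b=2',
];
for (const url of SAMPLES) {
  console.log('blind      :', renderAnchorBlind(url, 'click'));
  console.log('contextual :', renderAnchorContextual(url, 'click'));
}
```

Run it with node: the blind renderer emits `<a href=javascript:alert(1)>` and `<a href=# onclick=alert(1)>` unchanged, because neither payload contains a character from the escape set, while the contextual renderer turns the first into `href="#"` and the second into `href="#%20onclick=alert(1)"`, a harmless quoted URL. The scheme check runs before any encoding, which is what makes `java\tscript:` and mixed-case schemes fail closed.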
12. Contextual escaping support in popular engines
- Partial Automatic Contextual Escaping: Ember.js [1], Facebook React [2], Google Angular.js [3]
- Automatic Contextual Escaping: Google Closure, Google Go Template [4]
- No Contextual Escaping: Handlebars, LinkedIn Dust.js (making use of the blind-escaping filter)
Notes:
[1] Ember.js does not apply contextual filtering rules in