Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing...
Transcript of Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing...
![Page 1: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/1.jpg)
Towards Client Side HTML Security Policies
Joel Weinberger, Adam Barth, Dawn Song
![Page 2: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/2.jpg)
MySpace
![Page 3: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/3.jpg)
Samy Worm
![Page 4: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/4.jpg)
Content Injection
The insertion of untrusted data, structure, or code into an application
![Page 5: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/5.jpg)
Key Points
• Explicit policies form a compelling, unique point in the content injection protection design space
• The current trade-offs in explicit policy systems make none of the current systems completely viable
• Explicit policies are the way forward, but we need new system designs
![Page 6: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/6.jpg)
Content Injection
<html>
<h1>Forum Post #1</h1>
<div>
This is the content of the post.
</div>
</html>
![Page 7: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/7.jpg)
Content Injection
<html>
<h1>Forum Post #1</h1>
<div>
<script>alert(document.cookie);</script>
</div>
</html>
![Page 8: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/8.jpg)
Policies
<html>
<h1>Forum Post #1</h1>
<div>
<script>alert(document.cookie);</script>
</div>
</html>
Trusted
Untrusted
Trusted Trusted
![Page 9: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/9.jpg)
Web Application Frameworks
Systems for writing web applications
Frameworks provide tools for sanitizing content
Turns out, sanitization is hard Shameless plug for our ESORICS 2011 paper:
A Systematic Analysis of XSS Sanitization in Web Application Frameworks
![Page 10: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/10.jpg)
Implicit Policies
Browser Web Application
Policy
![Page 11: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/11.jpg)
Explicit Policies
Browser
Web Application
Policy
![Page 12: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/12.jpg)
Key Points
Explicit policies form a compelling, unique point in the content injection protection design space
• The current trade-offs in explicit policy systems make none of the current systems completely viable
• Explicit policies are the way forward, but we need new system designs
![Page 13: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/13.jpg)
Explicit Policy Systems
• BEEP
• BLUEPRINT
• Content Security Policy (CSP)
![Page 14: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/14.jpg)
BEEP
• Hashes of allowed scripts
• Performance: good
• Dynamic scripts are very hard to get right
• Only XSS
![Page 15: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/15.jpg)
BLUEPRINT
• Structural description of page, enforced by JavaScript library
• Performance: poor
• Does not trust the browser’s parser
• Very fine grained granularity
![Page 16: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/16.jpg)
Content Security Policy (CSP)
• Specify allowed behaviors of page
• Performance: ?
• Only handles some content injection
• Coarse grained • What is the affect on how applications are written?
![Page 17: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/17.jpg)
Applying CSP to Applications
• How does CSP affect Web applications?
• Apply CSP to Bugzilla and HotCRP
• Measure performance of applications and how the applications were changed
![Page 18: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/18.jpg)
CSP Study
• Developer effort to retrofit applications to be CSP compatible is large
• Template variables cannot be used in scripts
• Need to lookup data through JavaScript
• Template logic no longer affects scripts
![Page 19: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/19.jpg)
CSP Study
Page No Inline JS Async JS
index.cgi 14.8% -3.0%
editsettings.cgi 6.3% 5.1%
enter_bug.cgi 57.6% 44.2%
show_bug.cgi 51.5% 4.0%
Page No Inline JS Async JS
index.php 45.3% 37.2%
search.php 52.9% 50.4%
settings.php 23.3% 16.1%
paper.php 61.1% 58.5%
contacts.php 67.8% 35.5%
Bugzilla
HotCRP
![Page 20: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/20.jpg)
Key Points
Explicit policies form a compelling, unique point in the content injection protection design space
The current trade-offs in explicit policy systems make none of the current systems completely viable
• Explicit policies are the way forward, but we need new system designs
![Page 21: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/21.jpg)
Explicit Policies: The Good and the Bad
• Provide a separation policy from application • Not doing this makes security hard
• Simple or complex: you choose
• Not good at performance and developer usability
![Page 22: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/22.jpg)
Towards the Future
• Policy systems are useful and should be how we approach content injection
• CSP has some great properties, but suffers when applied to current applications
• How can we combine features from these different systems?
![Page 23: Towards Client Side HTML Security Policies€¦ · Web Application Frameworks Systems for writing web applications Frameworks provide tools for sanitizing content Turns out, sanitization](https://reader033.fdocuments.in/reader033/viewer/2022050612/5fb33b1db92fe02b6b655024/html5/thumbnails/23.jpg)
Key Points
Explicit policies form a compelling, unique point in the content injection protection design space
The current trade-offs in explicit policy systems make none of the current systems completely viable
Explicit policies are the way forward, but we need new system designs