Efficient Context-sensitive Output Escaping for JavaScript Template Engines

Presented at AppSec USA 2015, Sept. 24, 2015, 2 p.m. (55 minutes)

Despite being known for more than a decade, Cross-Site Scripting (XSS) vulnerabilities are still very prevalent and frequently reported by security researchers. This partially explains why XSS has been constantly ranked among the Top 3 of the OWASP Web Application Security Risks since 2007. To defend against XSS, the most recommended approach is to apply output escaping based on the context (e.g., data, attribute, URL) that untrusted data will be placed into. Nevertheless, realizing the context-sensitive escaping approach is a very complex process. For instance, the href attribute of an anchor tag is a compound context made up of a URI context and an attribute value context, for which secure escaping involves HTML entity encoding, percent-encoding, and a protocol validator to prohibit the javascript: protocol.

Modern template engines only attempt to mitigate the vulnerabilities with a context-insensitive approach, blindly escaping some special "XSS characters" (e.g., &, <, >, ', ") in all data that replaces the output expressions. Hence, malicious inputs known to be often injected through output expressions are encoded to their equivalent HTML entity representations, which will not be rendered as executable scripts. Only a few large Internet corporations can afford to enhance output expression escaping with a context-sensitive approach, but the solutions are specific to their own development and template frameworks (e.g., Closure). Other web applications, incapable of switching to those frameworks or lacking expert-level security support, remain vulnerable.

To address the various needs of the majority, we propose a new set of solutions whose components are loosely coupled and readily available for extension and standalone use.

- Context Parser. Engineered from scratch, Context Parser is a heavily optimized HTML parser that is completely compliant with the latest HTML 5 standard. For instance, it eliminates unnecessary parsing rules and parsing tree construction. Its processing speed is among the most efficient of parsers of its type.
- Just Sufficient Escaping. We redesign a new set of context-sensitive XSS filters to escape only those characters that can possibly break out of the specific output contexts. Unlike other existing filters, the just sufficient escaping filters accurately avoid unnecessary escaping. Compared to the context-insensitive filter, our filters are more secure, up to two times more efficient, and have also solved the age-old problem (such as those extra &lt;) of double/over-encoding.
- Template Compiler. Applying context-sensitive escaping manually is error-prone. Therefore, we need an automatic compiler capable of conducting contextual analysis. We build the first compiler for an open and popular template engine (i.e., the Handlebars JavaScript template engine) to facilitate immediate adoption.
  a) Template Contextual Analysis. A standalone and handy tool is made available to perform automatic contextual analysis on the templates, and to detect dangerous uses of output expressions and branching conditions.
  b) Automatic Context-sensitive Escaping. The compiler analyzes a template and can automatically detect the contexts and insert the corresponding escaping filters. With the precompilation model, the analysis and filter insertion processes are completely offline, so only the efficient escaping is required at runtime. All it requires from developers is a few lines of code changes to adopt the solution for both server-side and client-side rendering.

The solution is applied to one of the largest public-facing properties of Yahoo. The template compiler takes less than two and a half seconds to scan and process over 880 template files. Hence, incorporating the compiler into the regular build process incurs insignificant performance overhead. The template contextual analysis is able to flag output expressions that are placed in dangerous contexts such as script tags and attributes. We also verify that the context-sensitive filters are inserted in the appropriate contexts. Most importantly, contexts such as unquoted attribute values and URIs, which were unprotected by the context-insensitive approach, are now made invulnerable to XSS with the context-sensitive escaping.
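The gap described above, where a context-insensitive filter leaves unquoted attribute values and URIs unprotected, as an added JavaScript example. It is not the presenters' code or their library's API: the filter names, the scheme allowlist, the `unsafe:` prefix and the U+FFFD placeholder are assumptions of this example, and all inputs are constructed.

```javascript
// Added illustration: filter names are hypothetical, not the presenters' library API.
// All inputs below are constructed samples.

// Context-insensitive escaping: the same five characters in every context.
const ENT = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeBlind = s => String(s).replace(/[&<>"']/g, c => ENT[c]);

// Unquoted attribute value, e.g. <input value={{v}}>.
// Whitespace and '>' end the value; a leading quote would switch the parser
// into a quoted state; the backtick is escaped for legacy browsers.
function inUnquotedAttr(s) {
  const out = String(s).replace(/[\t\n\f\r "'`>]/g, c => '&#' + c.charCodeAt(0) + ';');
  // An empty value would let the following attribute be swallowed as the value;
  // emitting U+FFFD as a placeholder is a choice made for this example.
  return out || '\uFFFD';
}

// URI inside a double-quoted attribute, e.g. <a href="{{u}}">: a compound context.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']); // assumed allowlist
const pct = c => '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0');
function uriInDoubleQuotedAttr(s) {
  // 1. Percent-encode controls, whitespace and markup delimiters, so nothing
  //    the browser would silently strip remains before the scheme check.
  let uri = String(s).replace(/[\u0000-\u0020"<>`]/g, pct);
  // 2. Protocol validation on the encoded form.
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(uri);
  if (m && !ALLOWED_SCHEMES.has(m[1].toLowerCase())) uri = 'unsafe:' + uri;
  // 3. Attribute layer: '"' is already %22, so only '&' needs an entity; this
  //    keeps a character reference such as &#58; from decoding into ':'.
  return uri.replace(/&/g, '&amp;');
}

const attr = 'x onmouseover=demo()';
console.log('<input value=' + escapeBlind(attr) + '>');    // second attribute survives
console.log('<input value=' + inUnquotedAttr(attr) + '>'); // stays one attribute value
for (const u of ['javascript:demo()', 'java\tscript:demo()', 'javascript&#58;demo()',
                 'https://example.com/?a=1&b=2']) {
  console.log('<a href="' + escapeBlind(u) + '">', '<a href="' + uriInDoubleQuotedAttr(u) + '">');
}
```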

Presenters:

  • Nera Wing Chun Liu - Information Security Engineer - Yahoo!
    I am an information security engineer at Yahoo! and my focus is on web application security.
  • Albert Yu - Security Engineer, Sr Principal - Yahoo
    I work in the Yahoo Paranoid team, spending most of my time exploring how engineers build things and when stuff breaks. My current focus is to develop solutions that assure application security is kept intact regardless of how fast we build and deliver.
  • Adonis Fung - Yahoo!
    Adonis Fung (Adon) joined Yahoo as a security paranoid. His recent research interests are in the areas of secure application development and web application scanning. He lectures an advanced undergraduate course - Web Programming and Security, for the Chinese University of Hong Kong. Adon obtained his PhD for web application security research, and was consulted about online banking vulnerabilities by the monetary authority and financial institutes.
