Modern techniques for the detection and prevention of web2.0 attacks

Abstract

In this dissertation we examine web exploitation from a number of different perspectives. First, we introduce return-to-JavaScript attacks; a new flavor of Cross-Site Scripting (XSS), which is able to escape script whitelisting. Second, we design xJS, a system that can prevent code injections of JavaScript in web applications. xJS is based on the concept of Instruction Set Randomization (ISR) for isolating legitimate JavaScript from malicious injections. We evaluate xJS and show that the overhead it imposes in the server’s and the client’s side is negligible, since xJS is based on the fast XOR operation. Third, we deliver a more fine-grained randomization framework for web applications, RaJa, which can efficiently cope with language mixing. RaJa can successfully extract and randomize the JavaScript source code of real-world applications, which experience heavy code-mixing (i.e. JavaScript is mixed with a server-side programming language, such as PHP). Forth, we present xHunter, a network-level detector, which is able to locate JavaScript fragments in the body of URLs. With the assistance of xHunter we deliver an extensive analysis of the largest to date web-attack repository, XSSed.com. This particular repository hosts about 12,000 incidents of web exploitation. Our analysis identifies that 7% of all examined web attacks do not use any markup elements, such as <script> or <iframe>, for exploiting a web application. All these incidents are hard to be captured by tools that are based on static signatures and regular expressions. We proceed and analyze these attacks with xHunter and we deliver a compact signature set, which is composed by no more than a handful of rules. This rule-set is based on signatures expressed as JavaScript syntax trees and can be used to detect a broad family of injections that target web applications. Finally, we address the problem of data fabrication in data collected by web servers, VoIP providers, on-line stores and ISPs. We present Network Flow Contracts (NFCs), a system, which, in spite of the presence of malicious web servers or untrusted ISPs, enables innocent users to prove that they have not accessed the illegal content in question. NFCs require every network request to be cryptographically signed by the requesting user. We present a prototype implementation as well as a performance evaluation on top of commodity technologies. The results of this research are the followings. First, Instruction Set Randomization can be efficiently applied in web applications with low performance overhead and large attack coverage. Second, web-attack detection at the network level is also possible, although com- putationally expensive to be applied in real-time. Third, cryptographically signed network flows can protect users from data fabrication at the ISP level with low cost.