The issues related to disclosing the vulnerability information to the affected parties, however, have only been treated as a side note in prior research. A botnet is a network of compromised machines under the control of an attacker. In this study, we identified 6,167 unique vulnerabilities distributed over 480 domains, showing that 9.6% of the examined sites carry at least one DOM-based XSS problem. Seeing these results, we pinpoint future directions in improving security notifications. In combination with a taint-aware browsing engine, we can therefore collect important execution trace information for all flaws. Cross-Site Scripting (XSS) is a widespread vulnerability class in Web applications and can be caused by server-side as well as client-side code. Given the success of the Web platform, attackers have abused its main programming language, namely JavaScript, to mount different types of attacks on their victims. In particular, a standard trained classifier has over 99.7% false negatives with HideNoSeek inputs, while a classifier trained on such samples has over 96% false positives, rendering the targeted static detectors unreliable. For this, we comprehensively survey existing communication channels and evaluate their usability in an automated notification process. We observe that a third of the surveyed sites utilize dynamic JavaScript. One of the worst attacks on the Web is Cross-Site Scripting (XSS), in which an attacker is able to inject their malicious JavaScript code into a Web application, giving this code full access to the victimized site.
Ben Stock, CISPA Helmholtz Center for Information Security; Benny Pinkas, VMware Research, Bar Ilan University; Bimal Viswanath, Virginia Tech; Blase Ur, University of Chicago; Brad Reaves, North Carolina State University; Brendan Dolan-Gavitt, NYU; Brendan Saltaformaggio, Georgia Institute of Technology. In addition, we can hide on average 14 malicious samples in a benign AST of the Alexa top 10, and 13 in each of the five most popular JavaScript libraries. (2015/2016), Best German Bachelor Thesis (CAST e.V.). In this paper, we leverage the unique vantage point of the Internet Archive to conduct a historical and longitudinal analysis of how CSP deployment has evolved for a set of 10,000 highly ranked domains. Alley Stoughton, Boston University. The direct client-side inclusion of cross-origin JavaScript resources in Web applications is a pervasive practice to consume third-party services and to utilize externally provided libraries. We thus propose recommendations for web developers and browser vendors to mitigate this issue. “Call to Arms: A Tale of the Weaknesses of Current Client-Side XSS Filtering.” Stock, Ben, Sebastian Lekies, and Martin Johns. Finally, we argue that any (current or future) defensive system based on TTL values can be bypassed in a similar fashion, and find that future research must be steered towards more fundamental solutions to thwart any kind of IP spoofing attacks. Inspired by my PhD advisor Felix Freiling, since May 2020 I am introducing d for my inbox. Based on these findings, we then assess the advent of corresponding vulnerability classes, investigate their prevalence over time, and analyze the security mechanisms developed and deployed to mitigate them. To demonstrate this, we conduct a thorough analysis of the current state of the art in browser-based XSS filtering and uncover a set of conceptual shortcomings that allow efficient creation of filter evasions, especially in the case of DOM-based XSS.
Botnets are the driving force behind several misuses on the Internet, for example spam mails or automated identity theft. The current generation of client-side Cross-Site Scripting filters relies on string comparison to detect request values that are reflected in the corresponding response's HTML. Furthermore, we analyze the fundamental problem which allows DNS Rebinding to work in the first place: the SOP's main purpose is to ensure security boundaries of Web servers. From the archived data, we first identify key trends in the technology deployed on the client, such as the increasing complexity of client-side Web code and the constant rise of multi-origin application scenarios. Our proposed approach has a low false positive rate and robustly protects against DOM-based XSS exploits. To understand the reasons behind this, we run a notification campaign and subsequent survey, concluding that operators have often experienced the complexity of CSP (and given up), utterly unaware of the easy-to-deploy components of CSP. Motivated by our findings, we propose an alternative filter design for DOM-based XSS that utilizes runtime taint tracking and taint-aware parsers to stop the parsing of attacker-controlled syntactic content. Yixin Sun, University of Virginia. Finally, we observe that the rising security awareness and introduction of dedicated security technologies had no immediate impact on the overall security of the client-side Web. We successfully implemented our extended SOP for the Chromium Web browser and report on our implementation's interoperability and security properties. Prior to that, I was a research group leader and previously postdoctoral researcher at the Center for IT-Security, Privacy and Accountability at Saarland University in the group of Michael Backes.
We show the pitfalls of email-based communications, such as the impact of anti-spam filters, the lack of trust by recipients, and hesitations to fix vulnerabilities despite awareness. This can be exhibited in increased vulnerabilities such as Client-Side Cross-Site Scripting (Lekies, Stock… Our experiments show that Kizzle produces high-accuracy signatures. “ScriptProtect: Mitigating Unsafe Third-Party JavaScript Practices.” In, Steffens, Marius, Christian Rossow, Martin Johns, and Ben Stock. Motivated by this finding, we propose ScriptProtect, a non-intrusive transparent protective measure to address security issues introduced by external script resources. After treating the notification of affected parties as mere side notes in research, our community has recently put more focus on how vulnerability disclosure can be conducted at scale. We show the efficacy and the scalability of our approach by reporting on an analysis of 1,854 popular open-source projects, comprising almost 80 million lines of code. Unfortunately, these managers operate by simply inserting the clear-text password into the document's DOM, where it is accessible by JavaScript. One of the major disturbances for network providers in recent years has been Distributed Reflective Denial-of-Service (DRDoS) attacks. My research interests lie within Web Security, Network Security, Reverse Engineering, and Vulnerability Notifications. 2017. “Efficient and Flexible Discovery of PHP Application Vulnerabilities.” In, Stock, Ben, Bernd Kaiser, Stephan Pfistner, Sebastian Lekies, and Martin Johns.
Thus, we conclude that currently no reliable notification channels exist, which significantly inhibits the success and impact of large-scale notification. “DOM-Basiertes Cross-Site Scripting Im Web: Reise in Ein Unerforschtes Land.” In, Stock, Ben, and Martin Johns. To achieve this performance, however, such an approach must allow for a tolerance of +/-2 hops. A Longitudinal Analysis of Deployed Content Security Policies.” In, Fass, Aurore, Michael Backes, and Ben Stock. Our attack allows reliable DNS Rebinding attacks, circumventing all currently deployed browser-based defense measures. While in its early days the Web was mostly static, it has organically grown into a full-fledged technology stack. Jonathan Ullman, Northeastern University. Though these client-side security … Doing so, we automatically generate sensible CSPs for all of the Top 10,000 sites and show that around one-third of all sites would still be susceptible to a bypass through script gadget sideloading due to heavy reliance on third parties which also host such libraries. To allow for a better user experience, much functionality is shifted towards the client. For reproducibility and direct deployability of our modules, we make our system publicly available. Specifically, it replaces benign sub-ASTs by identical malicious ones and adjusts the benign data dependencies (without changing the AST), so that the malicious semantics is kept after execution. For those sites with vulnerable flaws from storage to sink, we find that at least 70% are directly exploitable by our attacker models.
Correlating these results allows us to draw a set of overarching conclusions: along with the dawn of JavaScript-driven applications in the early years of the millennium, the likelihood of client-side injection vulnerabilities has risen. We present our infiltration of the Waledac botnet, which can be seen as the successor of the Storm Worm botnet. I am a tenure-track faculty member at the CISPA Helmholtz Center for Information Security. Our attack consists of changing the constructs of a malicious JavaScript sample to imitate a benign syntax. We instead propose HideNoSeek, a novel and generic camouflage attack, which evades the entire class of detectors based on syntactic features, without needing any information about the system it is trying to evade. Uncovering the insights which fueled this development bears the potential to not only gain a historical perspective on client-side Web security, but also to outline better practices going forward. Here, we find that CSP can be easily deployed to fit those security scenarios, but both lack widespread adoption. Ben Stock: Date Deposited: 14 Feb 2018 12:47; Last Modified: 14 Apr 2020 10:40; Primary Research Area: NRA4: Secure Mobile and Autonomous Systems. Thus, all potential security problems in the code directly affect the including site.
If a notification report is read by the owner of the vulnerable application, the likelihood of a subsequent resolution of the issues is sufficiently high: about 40%. “Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification.” Backes, Michael, Konrad Rieck, Malte Skoruppa, Ben Stock, and Fabian Yamaguchi. We implement our prototype using the latest features of PHP 7, leverage an efficient graph database to store code property graphs for PHP, and subsequently identify different types of Web application vulnerabilities by means of programmable graph traversals. To mitigate the impact of markup injection flaws that cause XSS, support for the Content Security Policy (CSP) is nowadays shipped in all browsers. To that end, we detail how a server can use active probing to learn TTLs of alleged packet senders. In doing so, we document the long-term struggle site operators face when trying to roll out CSP for content restriction and highlight that even seemingly secure whitelists can be bypassed through expired or typo domains. When evaluated over a four-week period, false-positive rates for Kizzle are under 0.03%, while the false-negative rates are under 5%. — Towards More Successful Web Vulnerability Notifications.” In, Stock, Ben, Giancarlo Pellegrino, and Christian Rossow. 2019. It is based on a frequency analysis of specific patterns, which are either predictive of benign or of malicious samples. This mismatch is exploited by DNS Rebinding. Before joining CISPA, I was a PhD student and research fellow at the Security Research Group of the University Erlangen-Nuremberg, supervised by Felix Freiling. With our taint-aware browser and these models in mind, we study the prevalence of Persistent Client-Side XSS in the Alexa Top 5,000 domains.
Since the early days, the SOP was repeatedly undermined with variants of the DNS Rebinding attack, allowing untrusted script code to gain illegitimate access to protected network resources. In addition, we gain insights into other factors related to the existence of client-side XSS flaws, such as missing knowledge of browser-provided APIs, and find that the root causes for Client-Side Cross-Site Scripting range from unaware developers to incompatible first- and third-party code. Based on data sets of benign and spoofed NTP requests, we find that a TTL-based defense could block over 75% of spoofed traffic, while allowing 85% of benign traffic to pass. The number one programming language in Web applications is PHP, powering more than 80% of the top ten million websites. Ben Stock, CISPA Helmholtz Center; Billy Melicher, Palo Alto Networks; Christo Wilson, Northeastern University; Cristian-Alexandru Staicu, CISPA Helmholtz Center; Gianluca Stringhini, Boston University; Gunes Acar, KU Leuven; Jason Polakis, University of Illinois at Chicago; Konrad Rieck, TU Braunschweig; Kyu Hyung Lee, University of Georgia. 2015. “Your Scripts in My Page – What Could Possibly Go Wrong?” Stock, Ben, Bernd Kaiser, Stephan Pfistner, Sebastian Lekies, and Martin Johns. Marius Steffens. As recently shown by Lekies et al., injecting script markup is not a necessary prerequisite for a successful attack in the presence of so-called script gadgets. Thus, it effectively removes the root cause of Client-Side XSS without affecting first-party code in this respect. The Content Security Policy (CSP) mechanism was developed as a mitigation against script injection attacks in 2010. In this paper, we evaluate the feasibility of using Hop Count Filtering to mitigate DRDoS attacks.
“JStap: A Static Pre-Filter for Malicious JavaScript Detection.” In, Stock, Ben, Giancarlo Pellegrino, Frank Li, Michael Backes, and Christian Rossow. While the existence of this class has been acknowledged, especially by the non-academic community like OWASP, prior works have either only found such flaws as side effects of other analyses or focused on a limited set of applications to analyze. 2014. “Protecting Users Against XSS-Based Password Manager Abuse.” In, Stock, Ben, Sebastian Lekies, and Martin Johns. However, the Web servers themselves are only indirectly involved in the corresponding security decision. In addition, I enjoy the challenges provided in Capture the Flag competitions and am always trying to get more students involved in them (especially in our local team saarsec). To achieve this, we implemented a clone of the Waledac bot named Walowdac. 2015. “From Facepalm to Brain Bender: Exploring Client-Side Cross-Site Scripting.” In, Stock, Ben, Sebastian Lekies, and Martin Johns. 2014. Thus, a successful Cross-Site Scripting attack can be leveraged by the attacker to read and leak password data which has been provided by the password manager. Aurore Fass. As part of this experiment, we explored potential alternative notification channels beyond email, including social media and phone. Even though the analysis is entirely static, it yields a high detection accuracy of almost 99.5% and has a low false-negative rate of 0.54%. But, out of 35,832 transmitted vulnerability reports, only 2,064 (5.8%) were actually received successfully, resulting in an unsatisfactory overall fix rate, leaving 74.5% of Web applications exploitable after our month-long experiment. “HideNoSeek: Camouflaging Malicious JavaScript in Benign ASTs.” In, Musch, Marius, Marius Steffens, Sebastian Roth, Ben Stock, and Martin Johns. Furthermore, there is a noticeable gap in adoption speed between easy-to-deploy security headers and more involved measures such as CSP.
In this paper, we systematically examine the feasibility and efficacy of large-scale notification campaigns. We tested its compatibility on the Alexa Top 5,000 and found that 30% of these sites could benefit from ScriptProtect's protection today without changes to their application code. The most common source of drive-by downloads is so-called exploit kits (EKs). However, XSS is primarily perceived as a server-side problem, motivated by the disclosure of numerous corresponding XSS vulnerabilities. We design and implement a server-side proxy to retrofit security in Web applications. Since May 2020, d is set to 7 days.