Security Analysis Regarding Cross-Site Scripting on Internet Explorer [Extended Abstract]

Adriana Neagoş, Babeş Bolyai University, Kogalniceanu str. 1, Cluj-Napoca, Romania, naie1000@scs.ubbcluj.ro
Simona Motogna, Babeş Bolyai University, Kogalniceanu str. 1, Cluj-Napoca, Romania, motogna@cs.ubbcluj.ro

ABSTRACT

The purpose of this paper is to provide an exact evaluation of the effect of cross-site scripting vulnerabilities on security, as an important factor of software quality. Since this kind of risk depends on the browser, the study takes into consideration three versions of Internet Explorer and uses an established scoring system, the Common Vulnerability Scoring System, to measure their impact.

Categories and Subject Descriptors
H.4.m [Information Systems Applications]: Miscellaneous; D.2.8 [Software Engineering]: Metrics—Complexity measures, Performance measures

General Terms
Security

Keywords
Cross site scripting, security

BCI'12, September 16–20, 2012, Novi Sad, Serbia. Copyright © 2012 by the paper's authors. Copying permitted only for private and academic purposes. This volume is published and copyrighted by its editors. Local Proceedings also appeared in ISBN 978-86-7031-200-5, Faculty of Sciences, University of Novi Sad.

1. INTRODUCTION

Software development focuses on delivering applications with minimal resources. Architects and developers want to produce and deploy applications, ready to be executed, in a short amount of time and only with the strictly necessary resources (people, software components and hardware). Software quality is not always set as an important issue and tends to be neglected, especially when working against time or with a limited team. Several studies (NASA, IBM) have led to an important conclusion: improving quality reduces development costs.

Over recent years web applications have tended to replace desktop applications, since such an approach makes them more accessible. In these conditions, software quality factors are changing their importance, and security becomes an important factor not only in the evaluation of an application but, more importantly, in assuring a reliable operation of the software. In consequence, a lot of research, both in academia and industry, focuses on studying risks, vulnerabilities and attacks to software security. The Open Web Application Security Project (OWASP) [7] is such an initiative, and maintains and updates a list of the top 10 security risks. Cross-Site Scripting (XSS) is second in importance, and is considered to have an average exploitability and a high degree of occurrence. There are many cases in which automatic tools detect this risk easily, but there are also some situations, generated by new technologies and browser characteristics, that make detection more difficult.

The purpose of this article is to present an in-depth analysis of detecting cross-site scripting vulnerabilities and their impact on the software security factor. The rest of the paper is organized as follows: section 2 presents some of the existing related work. Section 3 contains an analysis of XSS vulnerabilities and of the security policies proposed by different browsers, while the next section is dedicated to our evaluation of XSS vulnerabilities for Internet Explorer, and in the end we draw some conclusions and future directions.

2. RELATED WORK

A lot of research has been carried out in the field of XSS vulnerabilities. Most of it focuses on studying attack patterns, evaluating risks and proposing solutions to prevent them [10], [11], [12].

Security Evaluation and Measurement: besides the approaches carried out at major software companies such as Microsoft, IBM, Apple and others, there are two important contributions to assessing security vulnerabilities and proposing metrics to evaluate their impact on software quality:

• The Computer Emergency Center (CERT) at Carnegie Mellon University (www.cert.org), with results in risk analysis, based on a tactical and on a systematic approach, and in security measurement, which are integrated in IMAF (Integrated Measurement and Analysis Framework) [8].

• The Common Vulnerability Scoring System (CVSS) [9], which developed a framework that supports the scoring of security vulnerabilities.

3. ANALYSIS OF CROSS SITE SCRIPTING VULNERABILITIES

XSS is performed by the injection of code (Javascript, ActiveX, Silverlight, Flash) that is executed by a browser. This kind of code should be executed under a sandboxing mechanism, which means that only a limited set of operations should be performed, but that is not enough. Michael Howard said that “All input is evil until proven otherwise. That's rule number one” [13], but in the case of XSS not only inputs but also outputs must be validated.

There are 3 types of XSS:

• non-persistent or reflected: is performed when there is no proper validation of user input through GET or POST requests and the response page is returned immediately; it is generally spread by email via malicious URLs.

• persistent: happens when the infected code is stored in the database; it is a regular threat to chat software or to applications including different posts. The user does not access malicious links; just regular browsing can result in being robbed of information.

• DOM-based: results from dynamically computed data, which means that the browser is manipulated into rendering DOM elements controlled by an attacker.

Programming languages provide built-in functions that perform this kind of filtering, but even Microsoft states, regarding its ASP.NET method ValidateRequest, that one should not rely only on this type of validation because unfortunately it is not 100 percent secure. Recent attacks prove this. Not only ASP.NET functions have security flaws. parse_url is a function in PHP that verifies malformed URLs. The function works correctly in most cases, except if whitespace is inserted. This was the vulnerability exploited in April 2011 on Facebook, when a malicious video was posted [14], and on CNN, when URLs inserted in ad networks were the source of this attack. Other exploits were also carried out on The New York Times, Twitter, eBay and Fox News [15].

3.1 Security Policies

XSS is the one security field that does not depend on the type of connection, encrypted or unencrypted, but is closely related to portability and mainly to browser compatibility. Because a web page is rendered by different browsers, its display can be slightly different, and so can its gate of access. The same-origin policy is the policy adopted against browser-side languages; it does not allow “access to most methods and properties across pages on different sites”. It is implemented by nearly every browser, but it does not guarantee complete security. In addition, modern browsers have implemented several security policies that block an attacker from gaining access to a client machine.

Firefox and Opera are known as relatively secure, but in this paper we refer to Internet Explorer, which is considered very vulnerable. A simple example is uploading text files through IE: if HTML content is inserted in the file, IE does not treat it as plain text but interprets it as HTML.

Internet Explorer 6 introduced the HttpOnly cookie attribute, intended to protect against retrieving cookie information through document.cookie, and Internet Explorer 7 made sure this information was not available in the response header through XMLHttpRequest. “HttpOnly cookies don't make you immune from XSS cookie theft, but they raise the bar considerably” [2].

Starting with Internet Explorer 8, a new and very controversial browser filter for XSS was introduced. Still, Michael Brooks describes it as vulnerable, and users claim that it also considers safe pages as potentially dangerous [4]. Google disables it by setting the X-XSS-Protection header to 0; it can also be turned off from the browser's security tab.

In March 2011, together with the release of version 4, Firefox proposed the adoption of a new layer to enforce XSS protection, called the Content Security Policy. This framework is not implemented yet on other browsers, but Microsoft claims that it will be a feature of Internet Explorer 10.

Runtime protection methods should also be taken into consideration, even if they affect the performance of the application. Web application firewalls (WAFs) monitor the communication flow across the network; they inspect messages for Javascript and can enforce a set of rules in order to identify and block XSS attacks, which then no longer reach the backend. Examples of such applications are the Cisco ACE Web Application Firewall [5], the NetScaler App Firewall [6] and the Barracuda Web Application Firewall [3]. Most WAFs implement the Intercepting Filter pattern or include one or more implementations of it in their overall architecture. One can also add filters to an application at deployment, when they are implemented as a web server plug-in or activated dynamically within an application configuration file.

Moreover, Microsoft offers an Anti-Cross Site Scripting Library [1], and OWASP advises programmers to use an API, ESAPI (the OWASP Enterprise Security API) [7], which is an open source web application security control library.

Users should also be educated to avoid XSS exploits. Avoiding awkward links, paying attention to redirections or, for instance, turning off HTTP TRACE can prevent the stealing of cookies.

Regardless of the variety of prevention methods, new exploits continue to attack web applications, and it is our duty to keep on protecting against known or unknown security flaws.

4. CVSS SCORES FOR XSS VULNERABILITIES

Our case study consists in computing the CVSS vulnerability scores for some XSS-related vulnerabilities reported by Microsoft. CVSS, the Common Vulnerability Scoring System, is an open framework that provides a numerical score by taking into consideration base, temporal and environmental properties of a certain vulnerability. The computation is performed according to the formula given in [9] and using the calculator available at http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2.

Each of the three metric groups has its own characteristics and contains a set of metrics. The base metric group describes the fundamental characteristics of a vulnerability and is composed of the related exploit range (access vector), the access complexity, the needed authentication level and the confidentiality, integrity and availability impact. Temporal metrics are those influenced by the passing of time, meaning the availability of an exploit, the remediation level and the report confidence. The environment also has an impact when computing the score; the environmental factors are the collateral damage potential, the target distribution and the confidentiality, integrity and availability requirements.

When talking about XSS exploits, some of these metrics remain constant because of the type of this vulnerability. The related exploit range, or access vector, is the network, because the attack is widely spread over the internet, and the access complexity is medium.
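The protections discussed in section 3 (validating output as well as input, the HttpOnly cookie attribute, the X-XSS-Protection header that enables or disables the IE 8 filter, and Content Security Policy) can be seen side by side in a small reflected-XSS scenario. The following Python code is an added illustration and is not part of the paper or of any of the products it cites; the function names, the header values and the sample request are constructed for the example.

```python
"""Reflected XSS in a minimal search page: the unsafe rendering writes the
query parameter straight into the HTML, the hardened one encodes output and
sets the browser-side protections described in section 3 as headers.
Added example; names and values are constructed, not from the paper."""
import html
from urllib.parse import parse_qs


def query_param(query_string, name="q"):
    """Return the first value of a query-string parameter, or '' if absent.
    parse_qs also percent-decodes, so %3C becomes '<' here."""
    return parse_qs(query_string).get(name, [""])[0]


def render_search_unsafe(query_string):
    """Vulnerable: user input is reflected into the page without encoding."""
    return "<p>Results for: " + query_param(query_string) + "</p>"


def render_search_safe(query_string):
    """Hardened: output encoding turns < > & " ' into HTML entities, so the
    browser renders the input as text instead of parsing it as markup.
    Input validation alone (the ValidateRequest / parse_url approach the
    paper warns about) is not relied on."""
    escaped = html.escape(query_param(query_string), quote=True)
    return "<p>Results for: " + escaped + "</p>"


def response_headers(session_id, disable_ie_filter=False):
    """Browser-side protections from section 3, expressed as response headers.

    - HttpOnly keeps the session cookie out of document.cookie, so a script
      injected into the page cannot read it (it raises the bar, it does not
      make the page immune to XSS).
    - X-XSS-Protection "1; mode=block" keeps the IE 8+ reflected-XSS filter
      on; the value "0" is what a site sends to switch that filter off.
    - Content-Security-Policy restricts where scripts may be loaded from and
      disallows inline scripts, which is what an injected <script> block is.
      The exact policy string is an assumption for this example.
    """
    return {
        "Set-Cookie": f"SESSIONID={session_id}; HttpOnly; Secure; Path=/",
        "X-XSS-Protection": "0" if disable_ie_filter else "1; mode=block",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }


def script_tag_survives(rendered_html):
    """Crude check used for the demonstration: does a literal <script> tag
    reach the rendered page?"""
    return "<script" in rendered_html.lower()


# Constructed sample request: the classic reflected-XSS probe, URL-encoded
# the way a browser would send it in the q parameter.
SAMPLE_QUERY = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    print("unsafe :", render_search_unsafe(SAMPLE_QUERY))
    print("safe   :", render_search_safe(SAMPLE_QUERY))
    print("headers:", response_headers("constructed-session-id"))
```

Run as a script, the unsafe rendering contains a live script tag while the hardened one contains only `&lt;script&gt;...` text; the headers show the HttpOnly cookie, the filter left enabled, and a CSP that would refuse the inline script even if encoding were forgotten somewhere.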
The majority of reports written by Microsoft describe vulnerabilities on Internet Explorer having the standard, default configuration, but the complexity is medium and not low because the attacker is required to have some social engineering skills in order to manipulate and fool users into accessing a certain page or clicking a specific button or link. In order to be considered successful, the attack has to gain information or control over the client machine, and for this at least one instance of authentication is needed. The availability impact metric refers to the access of the attacker to the resources, meaning bandwidth, processor and disk space, and his possibility of causing a total shutdown of the affected resource. In the case of an XSS exploit we consider this availability impact to be none; from what we know until now, it is impossible for someone to access these resources using this type of vulnerability. We have intentionally skipped the confidentiality and integrity impact because they vary depending on the attack, and we are focused now on the constant metrics of XSS exploits.

Moving to the temporal group, we will argue the values chosen for the metrics based on the vulnerabilities reported by Microsoft in their periodical security bulletins. We leave the exploitability factor set to not defined, because officially they say that the exploitation code was not made public: “Microsoft received information about this vulnerability through coordinated vulnerability disclosure.”, “Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued”. Moreover, all the vulnerabilities are confirmed and are reported only after an official fix is available.

The damage potential of an XSS vulnerability is, according to OWASP, moderate. We are not talking about physical damage, but there can be a significant loss of information.

Last but not least, there are the impact requirement modifiers. Like any browser, Internet Explorer is meant to be secure. Confidentiality, integrity and availability are the three features users require for safe browsing and financial transactions.

The metrics that change depending on the XSS exploit are the confidentiality and integrity impact and the percentage of vulnerable systems. In order to see how these metrics differ, we will consider three vulnerabilities: URL Validation Vulnerability (footnote 2), HTML Layout Remote Code Execution Vulnerability and XSS Filter Information Disclosure Vulnerability.

URL Validation Vulnerability is a critical vulnerability reported in February 2010 that arose from incorrectly validated input. It provided the attacker access to the client machine with the same rights as the logged-in user, and if the attacker could reach administrative rights he could install programs and read or change data. In this case, because remote code could be executed, the confidentiality and integrity impact is complete. Regarding the target distribution, which was Internet Explorer, it was reported as a vulnerability on IE 7 and 8, which at that time covered 72.8% of the market, so the spread is medium. The score in this case reaches 6.3.

In August 2011 another vulnerability was reported, XSS Filter Information Disclosure Vulnerability (footnote 3). It was performed by running malicious Javascript code in specially constructed web pages. It was reported as important, because it provided information disclosure, and it was applicable only to IE 8, meaning 52% of the users having Internet Explorer. We reach a lower score, 5.5, as the attacker could gain only access to information and not remote control, and the confidentiality and integrity impact is partial.

HTML Layout Remote Code Execution Vulnerability (footnote 4) is a more complex vulnerability, affecting IE 7, 8 and 9 (94% of the market). It is related to the way Internet Explorer handles objects in memory and has a complete impact on integrity and confidentiality. In this special case the access complexity is increased, and the score reaches 7.7.

Target distribution on Internet Explorer is calculated relative to the date of the report, taking into consideration the data provided by http://www.w3schools.com/browsers/browsers_explorer.asp. The table in Figure 1 displays the resulting scores.

Figure 1: CVSS scores for XSS vulnerabilities in Internet Explorer.

The first important remark is that the vulnerability risks regarding HTML Layout Remote Code Execution and URL Validation Vulnerability remain the same in all three releases of Internet Explorer under study. HTML Layout Remote Code Execution has a slightly higher risk than URL Validation Vulnerability.

The second observation is that the security policies adopted by Internet Explorer cannot face sophisticated attacks such as HTML Layout Remote Code Execution, in which case a CVSS score of 7.7 is quite high.

The security policies introduced in IE 8 can decrease the vulnerability score of information disclosure through the XSS Filter. Yet there is no announced vulnerability on Internet Explorer 10, which is available in platform preview.

These results can contribute to the evaluation of the business impact of XSS vulnerabilities. The browser-dependent risks must be carefully treated, since they allow attackers to obtain end-user privileges and to gain control of the applications. The computed scores confirm the OWASP evaluation and the position of cross-site scripting vulnerabilities on their list [7].

5. CONCLUSIONS AND FUTURE WORK

The paper gives an overview of XSS vulnerabilities from a browser point of view. We study the impact of HTML Layout Remote Code Execution, URL Validation Vulnerability and XSS Filter Information Disclosure for three releases of Internet Explorer (7, 8, 9). We have used the CVSS vulnerability scoring formula in order to measure the impact of these vulnerabilities on security. The obtained results confirm the OWASP analysis for exploitability and impact.

In our opinion, XSS vulnerabilities should be carefully treated, and eliminating them can significantly improve the security of the application. As a future direction of our study, we intend to study other forms of XSS vulnerabilities that are difficult to detect with dedicated tools, such as the ones due to the use of ActiveX and Silverlight.

Footnotes
2 http://technet.microsoft.com/en-us/security/bulletin/MS10-002
3 http://technet.microsoft.com/en-us/security/bulletin/MS11-099
4 http://technet.microsoft.com/en-us/security/bulletin/MS12-010

6. REFERENCES

[1] Security, Anti-Cross Site Scripting Library, http://msdn.microsoft.com/en-us/security/aa973814
[2] J. Atwood, Coding Horror: Protecting Your Cookies: HttpOnly, August 28, 2008
[3] Barracuda Networks, http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php
[4] M. Brooks, Bypassing Internet Explorer's XSS Filter, Traps of Gold, Defcon 2011, https://sitewat.ch/files/BypassingInternetExplorer'sXSSFilter.pdf
[5] Cisco ACE Web Application Firewall, http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps9586/data_sheet_c78-458627.html
[6] Citrix NetScaler App Firewall, http://www.citrix.com/English/ps2/products/product.asp?contentID=2312027
[7] Open Web Application Security Project, www.owasp.org
[8] Measuring Software Security Assurance, www.cert.org/archive/pdf/2010research-report-measuring.pdf
[9] P. Mell, K. Scarfone, S. Romanosky, A Complete Guide to the Common Vulnerability Scoring System Version 2.0, http://www.first.org/cvss/cvss-guide.pdf
[10] A. Klein, DOM Based Cross Site Scripting or XSS of the Third Kind, Web Application Security Consortium Articles, 2005, http://www.webappsec.org/projects/articles/071105.shtml
[11] G. Wassermann, Static detection of cross-site scripting vulnerabilities, Proc. of ICSE 2008, pp. 171-180
[12] G.A. Di Lucca, A.R. Fasolino, M. Mastoianni, P. Tramontana, Identifying cross site scripting vulnerabilities in Web applications, Proc. WSE 2004, pp. 71-80
[13] M. Howard, D. LeBlanc, Writing Secure Code, Microsoft Press, 2003
[14] Social Hacking, Recent Facebook XSS Attacks Show Increasing Sophistication, April 21, 2011
[15] D. Lynch, XSS is fun!, October 20, 2011, http://davidlynch.org/blog/2011/10/xss-is-fun/
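The scores in section 4 are stated but not derived. As an added worked example, not from the paper, the following Python code implements the CVSS v2.0 base, temporal and environmental equations and metric weights from [9] and applies them to the three vulnerabilities of section 4, with the metric values the text argues for: AV:N, Au:S, A:N and AC:M for all three (AC:H for HTML Layout Remote Code Execution), C/I complete for the two remote code execution cases and partial for the information disclosure, E:ND, RL:OF, RC:C, and target distribution Medium for 72.8% and 52% of the market and High for 94%. The collateral damage potential (Medium-High) and the confidentiality, integrity and availability requirements (High) are assumptions chosen to match the paper's wording ("moderate" damage potential; all three properties required for safe browsing); with those assumptions the computation reproduces the 6.3, 5.5 and 7.7 of Figure 1. The vector strings and constant names are constructed for this example.

```python
"""CVSS v2.0 calculator (equations and weights from the CVSS v2.0 guide,
reference [9]) applied to the three Internet Explorer vulnerabilities
discussed in section 4. Added example; the environmental values CDP, CR,
IR and AR are assumptions that reproduce the paper's Figure 1 scores."""
import math

# Metric weights as tabulated in the CVSS v2.0 guide.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},            # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},             # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},            # authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},             # confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},             # integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},             # availability impact
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},   # exploitability
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},  # remediation level
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},             # report confidence
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},     # target distribution
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
}
OPTIONAL = ("E", "RL", "RC", "CDP", "TD", "CR", "IR", "AR")


def round1(x):
    """CVSS v2 rounds each score to one decimal, halves rounded up
    (Python's round() uses banker's rounding, so it is not used here)."""
    return math.floor(x * 10 + 0.5) / 10


def parse_vector(vector):
    """Turn 'AV:N/AC:M/...' into a dict of numeric weights; temporal and
    environmental metrics that are absent default to Not Defined."""
    weights = {}
    for part in vector.split("/"):
        metric, value = part.split(":")
        if metric not in WEIGHTS or value not in WEIGHTS[metric]:
            raise ValueError(f"unknown metric or value: {part}")
        weights[metric] = WEIGHTS[metric][value]
    for metric in OPTIONAL:
        weights.setdefault(metric, WEIGHTS[metric]["ND"])
    return weights


def base_score(m, impact):
    """BaseScore = round1(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact))."""
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def cvss2_scores(vector):
    """Return the base, temporal and environmental scores of a v2 vector."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    base = base_score(m, impact)
    temporal_factor = m["E"] * m["RL"] * m["RC"]
    temporal = round1(base * temporal_factor)
    # Environmental: impact re-weighted by the C/I/A requirements (capped at 10),
    # the base and temporal equations re-applied, then CDP and TD folded in.
    adjusted_impact = min(10.0, 10.41 * (1 - (1 - m["C"] * m["CR"])
                                             * (1 - m["I"] * m["IR"])
                                             * (1 - m["A"] * m["AR"])))
    adjusted_temporal = round1(base_score(m, adjusted_impact) * temporal_factor)
    environmental = round1((adjusted_temporal + (10 - adjusted_temporal) * m["CDP"]) * m["TD"])
    return {"base": base, "temporal": temporal, "environmental": environmental}


# Vectors built from the section 4 argument (constructed for this example);
# CDP:MH and CR/IR/AR:H are the assumed environmental values.
COMMON = "Au:S/A:N/E:ND/RL:OF/RC:C/CDP:MH/CR:H/IR:H/AR:H"
URL_VALIDATION = "AV:N/AC:M/C:C/I:C/TD:M/" + COMMON          # IE 7+8, 72.8% of market
XSS_FILTER_DISCLOSURE = "AV:N/AC:M/C:P/I:P/TD:M/" + COMMON   # IE 8 only, 52%
HTML_LAYOUT_RCE = "AV:N/AC:H/C:C/I:C/TD:H/" + COMMON         # IE 7, 8, 9, 94%


def paper_scores():
    """Environmental scores for the three vulnerabilities of Figure 1."""
    return {
        "URL Validation": cvss2_scores(URL_VALIDATION)["environmental"],
        "XSS Filter Information Disclosure": cvss2_scores(XSS_FILTER_DISCLOSURE)["environmental"],
        "HTML Layout Remote Code Execution": cvss2_scores(HTML_LAYOUT_RCE)["environmental"],
    }


if __name__ == "__main__":
    for name, score in paper_scores().items():
        print(f"{name}: {score}")
```

The environmental score is where the three cases separate: the requirement modifiers push the adjusted impact of the two remote code execution cases to the cap of 10, while partial C/I impact stays below it, and the target distribution factor is what keeps the IE 7-9 case (TD High) above the IE 7/8 case even though its access complexity is higher.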