-
DjangoChecker: Applying Extended Taint Tracking and Server Side Parsing for Detection of Context-Sensitive XSS Flaws
Authors:
Antonín Steinhauser,
Petr Tůma
Abstract:
Cross-site scripting (XSS) flaws are a class of security flaws that permit the injection of malicious code into a web application. In simple situations, these flaws can be caused by missing input sanitizations. Sometimes, however, all application inputs are sanitized, but the sanitizations are not appropriate for the browser contexts of the sanitized values. Using an incorrect sanitizer can make t…
▽ More
Cross-site scripting (XSS) flaws are a class of security flaws that permit the injection of malicious code into a web application. In simple situations, these flaws can be caused by missing input sanitizations. Sometimes, however, all application inputs are sanitized, but the sanitizations are not appropriate for the browser contexts of the sanitized values. Using an incorrect sanitizer can make the application look protected, when it is in fact vulnerable as if no sanitization was used, creating a context-sensitive XSS flaw.
To discover context-sensitive XSS flaws, we introduce DjangoChecker. DjangoChecker combines extended dynamic taint tracking with a model browser for context analysis. We demonstrate the practical application of DjangoChecker on eight mature web applications based on Django, discovering previously unknown flaws in seven of the eight applications, including highly severe flaws that allow arbitrary JavaScript execution in the seven flawed applications.
△ Less
Submitted 14 May, 2020;
originally announced May 2020.
-
Database Traffic Interception for Graybox Detection of Stored and Context-Sensitive XSS
Authors:
Antonín Steinhauser,
Petr Tůma
Abstract:
XSS is a security vulnerability that permits injecting malicious code into the client side of a web application. In the simplest situations, XSS vulnerabilities arise when a web application includes the user input in the web output without due sanitization. Such simple XSS vulnerabilities can be detected fairly reliably with blackbox scanners, which inject malicious payload into sensitive parts of…
▽ More
XSS is a security vulnerability that permits injecting malicious code into the client side of a web application. In the simplest situations, XSS vulnerabilities arise when a web application includes the user input in the web output without due sanitization. Such simple XSS vulnerabilities can be detected fairly reliably with blackbox scanners, which inject malicious payload into sensitive parts of HTTP requests and look for the reflected values in the web output.
Contemporary blackbox scanners are not effective against stored XSS vulnerabilities, where the malicious payload in an HTTP response originates from the database storage of the web application, rather than from the associated HTTP request. Similarly, many blackbox scanners do not systematically handle context-sensitive XSS vulnerabilities, where the user input is included in the web output after a transformation that prevents the scanner from recognizing the original value, but does not sanitize the value sufficiently. Among the combination of two basic data sources (stored vs reflected) and two basic vulnerability patterns (context sensitive vs not so), only one is therefore tested systematically by state-of-the-art blackbox scanners.
Our work focuses on systematic coverage of the three remaining combinations. We present a graybox mechanism that extends a general purpose database to cooperate with our XSS scanner, reporting and injecting the test inputs at the boundary between the database and the web application. Furthermore, we design a mechanism for identifying the injected inputs in the web output even after encoding by the web application, and check whether the encoding sanitizes the injected inputs correctly in the respective browser context. We evaluate our approach on eight mature and technologically diverse web applications, discovering previously unknown and exploitable XSS flaws in each of those applications.
△ Less
Submitted 7 August, 2020; v1 submitted 7 May, 2020;
originally announced May 2020.
-
Duet Benchmarking: Improving Measurement Accuracy in the Cloud
Authors:
Lubomír Bulej,
Vojtěch Horký,
Petr Tůma,
François Farquet,
Aleksandar Prokopec
Abstract:
We investigate the duet measurement procedure, which helps improve the accuracy of performance comparison experiments conducted on shared machines by executing the measured artifacts in parallel and evaluating their relative performance together, rather than individually. Specifically, we analyze the behavior of the procedure in multiple cloud environments and use experimental evidence to answer m…
▽ More
We investigate the duet measurement procedure, which helps improve the accuracy of performance comparison experiments conducted on shared machines by executing the measured artifacts in parallel and evaluating their relative performance together, rather than individually. Specifically, we analyze the behavior of the procedure in multiple cloud environments and use experimental evidence to answer multiple research questions concerning the assumption underlying the procedure. We demonstrate improvements in accuracy ranging from 2.3x to 12.5x (5.03x on average) for the tested ScalaBench (and DaCapo) workloads, and from 23.8x to 82.4x (37.4x on average) for the SPEC CPU 2017 workloads.
△ Less
Submitted 17 January, 2020; v1 submitted 16 January, 2020;
originally announced January 2020.
-
On Evaluating the Renaissance Benchmarking Suite: Variety, Performance, and Complexity
Authors:
Aleksandar Prokopec,
Andrea Rosà,
David Leopoldseder,
Gilles Duboscq,
Petr Tůma,
Martin Studener,
Lubomír Bulej,
Yudi Zheng,
Alex Villazón,
Doug Simon,
Thomas Wuerthinger,
Walter Binder
Abstract:
The recently proposed Renaissance suite is composed of modern, real-world, concurrent, and object-oriented workloads that exercise various concurrency primitives of the JVM. Renaissance was used to compare performance of two stateof-the-art, production-quality JIT compilers (HotSpot C2 and Graal), and to show that the performance differences are more significant than on existing suites such as DaC…
▽ More
The recently proposed Renaissance suite is composed of modern, real-world, concurrent, and object-oriented workloads that exercise various concurrency primitives of the JVM. Renaissance was used to compare performance of two stateof-the-art, production-quality JIT compilers (HotSpot C2 and Graal), and to show that the performance differences are more significant than on existing suites such as DaCapo and SPECjvm2008.
In this technical report, we give an overview of the experimental setup that we used to assess the variety and complexity of the Renaissance suite, as well as its amenability to new compiler optimizations. We then present the obtained measurements in detail.
△ Less
Submitted 25 March, 2019;
originally announced March 2019.