To hash or not to hash: A security assessment of CSP’s unsafe-hashes expression

2022 IEEE Security and Privacy Workshops (SPW) Pub Date : 2022-05-01 DOI:10.1109/spw54247.2022.9833888

Peter Stolz, S. Roth, Ben Stock

{"title":"To hash or not to hash: A security assessment of CSP’s unsafe-hashes expression","authors":"Peter Stolz, S. Roth, Ben Stock","doi":"10.1109/spw54247.2022.9833888","DOIUrl":null,"url":null,"abstract":"More and more people use the Web on a daily basis. We use it for communicating, doing bank transactions, and entertainment. This popularity of the Web has made it one of the main targets of attacks, most prominently Cross-Site Scripting (XSS). To mitigate the effect of those attacks, the prevalence of the Content Security Policy (CSP) is increasing. Such a policy allows developers to control the content that should be allowed on their Web applications precisely. Because this content includes JavaScript (via the script-src directive), it can also be an effective tool to mitigate the damage of markup injections such as XSS. Developers can specify fine-grained policies for scripts to only allow trusted third parties and disallow the usage of functions like eval and its derivatives that directly execute strings as code. As the whole Web is still evolving, so is CSP. The experimental source-expression unsafe-hashes aims to ease the adoption of secure CSPs, by allowing trusted scripts to be used as inline event handlers for HTML tags, which is currently only possible by blindly allowing all inline scripts to be executed. Our goal is to analyze if this expression is able to improve the security of a Web application or if it mainly provides a false sense of security because it still enables attackers to bypass the CSP. We built an automatic crawler utilizing dynamic JavaScript analysis using taint tracking and forced execution to detect security vulnerabilities of inline event handlers. This crawler visited 753,715 unique URLs from the Alexa Top 1,000 domains up to a maximum of 500 URLs per domain. We collected a total of 735,105 individual event handlers, where 443 of those had attribute values that flow into a dangerous JavaScript sink. Our manual analysis of the event handlers revealed that 370 of those handlers on 34 different domains are still vulnerable in presence of a CSP that contains the unsafe-hashes expression. We show that attackers can exploit these flows with only partial injections, such as adding new attributes to existing tags in most cases and discuss the impact of our findings on the future of the CSP standard.","PeriodicalId":334852,"journal":{"name":"2022 IEEE Security and Privacy Workshops (SPW)","volume":"15 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 IEEE Security and Privacy Workshops (SPW)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/spw54247.2022.9833888","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

Abstract

More and more people use the Web on a daily basis. We use it for communicating, doing bank transactions, and entertainment. This popularity of the Web has made it one of the main targets of attacks, most prominently Cross-Site Scripting (XSS). To mitigate the effect of those attacks, the prevalence of the Content Security Policy (CSP) is increasing. Such a policy allows developers to control the content that should be allowed on their Web applications precisely. Because this content includes JavaScript (via the script-src directive), it can also be an effective tool to mitigate the damage of markup injections such as XSS. Developers can specify fine-grained policies for scripts to only allow trusted third parties and disallow the usage of functions like eval and its derivatives that directly execute strings as code. As the whole Web is still evolving, so is CSP. The experimental source-expression unsafe-hashes aims to ease the adoption of secure CSPs, by allowing trusted scripts to be used as inline event handlers for HTML tags, which is currently only possible by blindly allowing all inline scripts to be executed. Our goal is to analyze if this expression is able to improve the security of a Web application or if it mainly provides a false sense of security because it still enables attackers to bypass the CSP. We built an automatic crawler utilizing dynamic JavaScript analysis using taint tracking and forced execution to detect security vulnerabilities of inline event handlers. This crawler visited 753,715 unique URLs from the Alexa Top 1,000 domains up to a maximum of 500 URLs per domain. We collected a total of 735,105 individual event handlers, where 443 of those had attribute values that flow into a dangerous JavaScript sink. Our manual analysis of the event handlers revealed that 370 of those handlers on 34 different domains are still vulnerable in presence of a CSP that contains the unsafe-hashes expression. We show that attackers can exploit these flows with only partial injections, such as adding new attributes to existing tags in most cases and discuss the impact of our findings on the future of the CSP standard.

查看原文本刊更多论文

散列还是不散列:对CSP的不安全散列表达式的安全性评估

越来越多的人每天都在使用网络。我们用它来交流、进行银行交易和娱乐。Web的流行使其成为攻击的主要目标之一，最突出的是跨站点脚本(XSS)攻击。为了减轻这些攻击的影响，内容安全策略(CSP)越来越流行。这样的策略允许开发人员精确地控制Web应用程序上应该允许的内容。由于此内容包含JavaScript(通过script-src指令)，因此它也可以成为减轻标记注入(如XSS)的损害的有效工具。开发人员可以为脚本指定细粒度的策略，只允许受信任的第三方，不允许使用eval等函数及其派生函数，这些函数直接将字符串作为代码执行。随着整个Web的发展，CSP也在不断发展。实验性的源表达式不安全哈希旨在通过允许将可信脚本用作HTML标记的内联事件处理程序来简化安全csp的采用，目前这只能通过盲目地允许执行所有内联脚本来实现。我们的目标是分析这个表达式是否能够提高Web应用程序的安全性，或者它是否主要提供了一种错误的安全感，因为它仍然允许攻击者绕过CSP。我们利用动态JavaScript分析构建了一个自动爬虫，使用污染跟踪和强制执行来检测内联事件处理程序的安全漏洞。这个爬虫访问了753,715个唯一的url从Alexa前1000个域最多500个url每个域。我们总共收集了735,105个单独的事件处理程序，其中443个事件处理程序的属性值流入了一个危险的JavaScript接收器。我们对事件处理程序的手工分析显示，在34个不同域中的这些处理程序中，有370个仍然容易受到包含不安全哈希表达式的CSP的攻击。我们展示了攻击者仅通过部分注入就可以利用这些流，例如在大多数情况下向现有标签添加新属性，并讨论了我们的发现对CSP标准未来的影响。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2022 IEEE Security and Privacy Workshops (SPW)

自引率

0.00%

发文量