TY - GEN
T1 - Context-Auditor
T2 - 25th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2022
AU - Kalantari, Faezeh
AU - Zaeifi, Mehrnoosh
AU - Bao, Tiffany
AU - Wang, Fish
AU - Shoshitaishvili, Yan
AU - Doupé, Adam
N1 - Funding Information:
We would like to thank the anonymous reviewers, and our shepherd Cong Wang, for their valuable feedback that helped us improve our paper. This work was supported by the Defense Advanced Research Projects Agency (DARPA) under grants No. HR001118C0060, N6600120C4020, and HR00112190093, and the National Science Foundation (NSF) under grants No. 1651661 and 1703644. Any opinions, findings, conclusions, or recommendations expressed herein are those of the authors, and do not necessarily reflect those of the US Government.
Publisher Copyright:
© 2022 ACM.
PY - 2022/10/26
Y1 - 2022/10/26
N2 - Cross-site scripting (XSS) has been the most common vulnerability class in web applications over the last decade. Much research attention has focused on building exploit mitigation defenses for this problem, but no technique provides adequate protection in the face of advanced attacks. One technique that bypasses XSS mitigations is the scriptless attack: a content injection technique that uses (among other options) CSS and HTML injection to exfiltrate data. In studying this technique and others, we realized that the common property among the exploitation of all content injection vulnerabilities, including not just XSS and scriptless attacks, but also command injections and several others, is an unintended context switch in the victim program's parsing engine that is caused by untrusted user input. In this paper, we propose Context-Auditor, a novel technique that leverages this insight to identify content injection vulnerabilities ranging from XSS to scriptless attacks and command injections. We implemented Context-Auditor as a general solution to the content injection exploit detection problem in the form of a flexible, stand-alone detection module. We deployed instances of Context-Auditor as (1) a browser plugin, (2) a web proxy, (3) a web server plugin, and (4) a wrapper around potentially-injectable system endpoints. Because Context-Auditor targets the root cause of content injection exploitation (and, more specifically for the purpose of our prototype, XSS exploitation, scriptless exploitation, and command injection), our evaluation results demonstrate that Context-Auditor can identify and block content injection exploits that modern defenses cannot while maintaining low throughput overhead and avoiding false positives.
AB - Cross-site scripting (XSS) has been the most common vulnerability class in web applications over the last decade. Much research attention has focused on building exploit mitigation defenses for this problem, but no technique provides adequate protection in the face of advanced attacks. One technique that bypasses XSS mitigations is the scriptless attack: a content injection technique that uses (among other options) CSS and HTML injection to exfiltrate data. In studying this technique and others, we realized that the common property among the exploitation of all content injection vulnerabilities, including not just XSS and scriptless attacks, but also command injections and several others, is an unintended context switch in the victim program's parsing engine that is caused by untrusted user input. In this paper, we propose Context-Auditor, a novel technique that leverages this insight to identify content injection vulnerabilities ranging from XSS to scriptless attacks and command injections. We implemented Context-Auditor as a general solution to the content injection exploit detection problem in the form of a flexible, stand-alone detection module. We deployed instances of Context-Auditor as (1) a browser plugin, (2) a web proxy, (3) a web server plugin, and (4) a wrapper around potentially-injectable system endpoints. Because Context-Auditor targets the root cause of content injection exploitation (and, more specifically for the purpose of our prototype, XSS exploitation, scriptless exploitation, and command injection), our evaluation results demonstrate that Context-Auditor can identify and block content injection exploits that modern defenses cannot while maintaining low throughput overhead and avoiding false positives.
UR - http://www.scopus.com/inward/record.url?scp=85142500624&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85142500624&partnerID=8YFLogxK
U2 - 10.1145/3545948.3545992
DO - 10.1145/3545948.3545992
M3 - Conference contribution
AN - SCOPUS:85142500624
T3 - ACM International Conference Proceeding Series
SP - 431
EP - 445
BT - Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2022
PB - Association for Computing Machinery
Y2 - 26 October 2022 through 28 October 2022
ER -