Isolating JavaScript in Dynamic Code Environments

- Slides: 18

Isolating JavaScript in Dynamic Code Environments
Execution Environments for Cloud Applications – Spring 2011

Background
- Modern web applications combine client-side and server-side technologies to generate dynamic content (example: PHP and JavaScript).
- Different web frameworks use different methods for code mixing.
- Identification of the different levels of intermixing of programming languages is required.
- Beneficial for XSS mitigation schemes and for operations like code analysis, optimization and refactoring.

Key Points
- Analyze the source code of web applications (phpBB, WordPress, phpMyAdmin and Drupal).
- Identify the coding idioms for dynamic content generation and intermixing of languages (PHP, JavaScript).
- Classify them into different classes.
- Provide methods to reduce mixing in each of the classes.

Analysis Methodology
- Each web application's code is processed by a customized tool consisting of the two parts below.
  - Part 1: Removal of PHP comments, HTML comments, and HTML events such as onclick and onload.
  - Part 2: Randomization process by the parser.
- If the parser fails to randomize the code, intermixing is confirmed.
- All the scripts are processed in the tool and the failures are noted.

Analysis Results Table
- The final column shows the number of scripts involving code mixing.
- A total of 163 scripts out of 1000 were found to have intermixed code.

Classifying coding idioms
- Manual investigation of the 163 scripts was done to identify five cases of coding idioms.
- Case 1:
  - Partial injection of non-mixed JavaScript source using the PHP built-in function echo()

Classifying coding idioms
- Case 2: String concatenations
  - Single and double quotes are part of complex string concatenation operations.
  - The parser fails to randomize

Classifying coding idioms
- Case 3:
  - The most frequent case of code intermixing
  - Partial JavaScript code generation by PHP scripting blocks
  - Parser fails to consume PHP code.

Classifying coding idioms
- Case 4:
  - This case occurs only in phpBB
  - JavaScript code generation by using frameworks' meta languages
  - Example

Classifying coding idioms
- Case 5:
  - Markup injections
  - Symbols like '&' are processed as '&amp;'
  - Example

Classification Results Table
- Most of the scripts fall in the third case.
- The meta-language case, Case 4, occurs only in phpBB.
- Cases 1 and 5 are limited.
- The dominant idioms are string concatenations and partial injection using PHP scripting blocks.

Mixing reduction
- Done by altering the mixing code or extending the parser to support individual cases.
- Case 1:
  - Alternate coding preferred
  - The programmer can inject the JavaScript code in the PHP block.

Mixing reduction
- Case 2:
  - Alternate coding preferred
  - Mix reduction achieved by less use of quotes and concatenation parts
  - Example

Mixing reduction
- Case 3:
  - Both alternate coding and parser extension are used.
  - The parser identifies the PHP block and consumes it first.
  - If the code still fails after that step, alternate coding is used.
  - Example

Mixing reduction
- Case 4:
  - The parser is extended if the substitution is simple.
  - Alternate coding is done otherwise.
- Case 5:
  - The parser is extended to recognize HTML entities (like &amp;) and ignore them in syntax analysis.
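
The analysis and reduction steps on these slides (strip comments and event handlers, attempt a parse, then retry after consuming PHP blocks and HTML entities) can be sketched as below. This is an added example, not the authors' tool: Node's built-in JavaScript syntax check stands in for the randomizing parser, and the names `classify` and `analyze`, the `__PHP__` placeholder and the sample page are assumptions made here.

```javascript
// Added example: Node's own parser stands in for the slides' randomizing parser.
const PHP_BLOCK = /<\?(?:php|=)?[\s\S]*?\?>/g;
const ENTITIES = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"' };

// Syntax check only: new Function() compiles the body but never runs it.
function parses(js) {
  try {
    new Function(js);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Part 1 (PHP comment stripping omitted): drop HTML comments and
// inline onclick/onload handlers.
function preprocess(source) {
  return source
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/\son(?:click|load)\s*=\s*(?:"[^"]*"|'[^']*')/gi, '');
}

// Part 2: a parse failure confirms intermixing; then retry with the Case 3
// and Case 5 parser extensions before falling back to alternate coding.
function classify(body) {
  if (parses(body)) return 'clean';
  const noPhp = body.replace(PHP_BLOCK, '__PHP__'); // consume PHP blocks first
  if (parses(noPhp)) return 'case3';
  const noEnt = noPhp.replace(/&(?:amp|lt|gt|quot);/g, (m) => ENTITIES[m]);
  if (parses(noEnt)) return 'case5';
  return 'rewrite'; // PHP emits JavaScript syntax itself: needs alternate coding
}

function analyze(source) {
  const scripts = preprocess(source).matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi);
  return Array.from(scripts, (m) => classify(m[1]));
}

// Constructed sample page (not taken from the analyzed applications).
const SAMPLE = `
<body onload="init()">
<script>var n = 1; alert(n);</script>
<script>var user = "<?php echo $name; ?>"; var id = <?= $id ?>;</script>
<script>if (a &amp;&amp; b) { go(); }</script>
<script>if (x) <?php echo "{"; ?> go(); }</script>
</body>`;

console.log(analyze(SAMPLE));
```

The last sample block stays unparseable after both extensions because the PHP code emits the opening brace, which is the situation where the slides fall back to alternate coding.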

Results after reduction
- Parser extensions and code rewriting manage to strongly reduce intermixing.
- Results show that the reduction process minimizes failing rates for Case 3 and Case 4.

Conclusion
- Over half a million LoC were processed.
- 1000 scripts were identified, of which 163 had PHP intermixed with JavaScript.
- The 163 scripts were manually investigated to create a classification scheme of five distinct classes.
- Techniques to minimize intermixing were proposed.

Questions? Comments!