Consider yourself "blitzdingst" for the previous news post. In this paper, we formally study the problem of inconsistencies in framing control policies across different browsers and we implement an automated policy analyzer based on our theory, which we use to assess the state of click-jacking protection on the Web. Aurore Fass and Ben Stock working outside. Here, we find that CSP can be easily deployed to fit those security scenarios, but both lack wide-spread adoption. Our analysis shows that 10% of the (distinct) framing control policies in the wild are inconsistent and most often do not provide any level of protection to at least one browser. A botnet is a network of compromised machines under the control of an attacker. The inclusion of remote scripts via the HTML script tag, however, is exempt from this policy. Doing so, we automatically generate sensible CSPs for all of the Top 10,000 sites and show that around one-third of all sites would still be susceptible to a bypass through script gadget sideloading due to heavy reliance on third parties which also host such libraries. Before joining CISPA, I was a PhD student and research fellow at the Security Research Group of the University Erlangen-Nuremberg, supervised by Felix Freiling. Finally, we design and implement a server-side proxy to retrofit security in web applications. If a notification report is read by the owner of the vulnerable application, the likelihood of a subsequent resolution of the issues is sufficiently high: about 40%. For reproducibility and direct deployability of our modules, we make our system publicly available. Using these components, we conducted a large-scale analysis of the Alexa top 5000. Inspired by my PhD advisor Felix Freiling, since May 2020 I am introducing d for my inbox. We successfully implemented our extended SOP for the Chromium Web browser and report on our implementation’s interoperability and security properties. 
In recent years, the Web witnessed a move towards sophisticated client-side functionality. “Eradicating DNS Rebinding with the Extended Same-Origin Policy.” In, Lekies, Sebastian, Ben Stock, and Martin Johns. As ScriptProtect is realized through a lightweight JavaScript instrumentation, it does not require changes to the browser and only incurs a low runtime overhead of about 6%. In combination with the aforementioned redirect logic, this enables us to bypass 10% of otherwise secure CSPs in the wild. For this, we comprehensively survey existing communication channels and evaluate their usability in an automated notification process. In addition, I enjoy the challenges provided in Capture the Flag competitions and am always trying to get more students involved in them (especially in our local team saarsec). Thus, we conclude that currently no reliable notification channels exist, which significantly inhibits the success and impact of large-scale notification. In recent years, the drive-by malware space has undergone significant consolidation. However, our exploration of alternative communication channels did not suggest a more promising medium. Led by the idea that the attacker cannot fabricate the number of hops between the amplifier and the victim, Hop Count Filtering (HCF) mechanisms that analyze the Time to Live of incoming packets have been proposed as a solution. However, as it offloads the work to the user’s browser, it can be used to engage in malicious activities such as Crypto-Mining, Drive-by-Download attacks, or redirections to web sites hosting malicious software. Hence, we find the complexity of secure, yet functional content restriction gives CSP a bad reputation, resulting in operators not leveraging its potential to secure a site against the non-original attack vectors. 
Given the prevalence of such nefarious scripts, the anti-virus industry has increased the focus on their detection. The direct client-side inclusion of cross-origin JavaScript resources in Web applications is a pervasive practice to consume third-party services and to utilize externally provided libraries. In this paper, we leverage the unique vantage point of the Internet Archive to conduct a historical and longitudinal analysis of how CSP deployment has evolved for a set of 10,000 highly ranked domains. To achieve this performance, however, such an approach must allow for a tolerance of +/-2 hops. Session Chair: Ben Stock (CISPA Helmholtz Center for Information Security) The Boon and Bane of Cross-Signing: Shedding Light on a Common Practice in Public Key Infrastructures Jens Hiller (RWTH Aachen University); Johanna Amann (ICSI, Corelight, LBNL); Oliver Hohlfeld (Brandenburg University of … To understand the reasons behind this, we run a notification campaign and subsequent survey, concluding that operators have often experienced the complexity of CSP (and given up), utterly unaware of the easy-to-deploy components of CSP. “Efficient and Flexible Discovery of PHP Application Vulnerabilities.” In, Stock, Ben, Martin Johns, Marius Steffens, and Michael Backes. To demonstrate this, we conduct a thorough analysis of the current state-of-the-art in browser-based XSS filtering and uncover a set of conceptual shortcomings that allow efficient creation of filter evasions, especially in the case of DOM-based XSS. Ironically, this well-regarded software engineering practice allows us to build a scalable and precise detector that is able to quickly respond to superficial but frequent changes in EKs. Thus, all potential security problems in the code directly affect the including site. Furthermore, there is a noticeable gap in adoption speed between easy-to-deploy security headers and more involved measures such as CSP. 
Ben Stock, CISPA, Saarland University; Martin Johns, SAP SE; Marius Steffens and Michael Backes, CISPA, Saarland University Abstract: While in its early days, the Web was mostly static, it has organically grown into a full-fledged technology stack. In the malware field, learning-based systems have become popular to detect new malicious variants. “On the Feasibility of TTL-Based Filtering for DRDoS Mitigation.” In, Stock, Ben, Benjamin Livshits, and Benjamin Zorn. We discuss two attacker models capable of injecting malicious payloads into these storages, i.e., a network attacker capable of temporarily hijacking HTTP communication (e.g., in a public WiFi), and a Web attacker who can leverage flows into storage or an existing reflected XSS flaw to persist their payload. 2019. In practice, we are able to generate 91,020 malicious scripts from 22 malicious seeds and 8,279 benign web pages. In combination with a taint-aware browsing engine, we can therefore collect important execution trace information for all flaws. CISPA Helmholtz Center for Information Security, Saarbruecken, Germany, Michael Backes. 2016. To mitigate the impact of markup injection flaws that cause XSS, support for the Content Security Policy (CSP) is nowadays shipped in all browsers. The issues related to disclosing the vulnerability information to the affected parties, however, have only been treated as a side note in prior research. Ben Stock Tenure-Track Faculty at CISPA Helmholtz Center (i.G.) These static approaches are not infallible though and lead to misclassifications. In recent years, however, an increasing shift of application logic into the browser can be observed; a development that began in the context of the so-called Web 2.0. 2016. 
“On the Feasibility of TTL-Based Filtering for DRDoS Mitigation.” In, Stock, Ben, Benjamin Livshits, and Benjamin Zorn. In particular, inconsistencies might arise due to the lack of support for CSP and the different implementations of the underspecified XFO header. Finally, we argue that any (current or future) defensive system based on TTL values can be bypassed in a similar fashion, and find that future research must be steered towards more fundamental solutions to thwart any kind of IP spoofing attacks. This coarse approximation of occurring data flows is incapable of reliably stopping attacks which leverage nontrivial injection contexts. In doing so, we find that although a large portion of all vulnerabilities have a low complexity rating, several incur a significant level of complexity and are repeatedly caused by vulnerable third-party scripts. Even worse, if we only consider sites that make use of data originating from storages, 21% of the sites are vulnerable. Next to these new insights, we also shed light on the usage of CSP for other use cases, in particular, TLS enforcement and framing control. On the contrary, our data shows for instance that sites that use HttpOnly cookies are actually more likely to have a Cross-Site Scripting problem. To that end, we detail how a server can use active probing to learn TTLs of alleged packet senders. 2020. In this paper, we evaluate the feasibility of using Hop Count Filtering to mitigate DRDoS attacks. In addition, we conducted an anonymous survey with the notified operators, investigating their perspectives on our notifications. Our experiments show that Kizzle produces high-accuracy signatures. 
In addition, we can hide on average 14 malicious samples in a benign AST of the Alexa top 10, and 13 in each of the five most popular JavaScript libraries. In addition, we gain insights into other factors related to the existence of client-side XSS flaws, such as missing knowledge of browser-provided APIs, and find that the root causes for Client-Side Cross-Site Scripting range from unaware developers to incompatible first- and third-party code. Thus, a successful Cross-site Scripting attack can be leveraged by the attacker to read and leak password data which has been provided by the password manager. Research has long since focused on three categories of XSS: reflected, persistent, and DOM-based XSS. 2013. “Eradicating DNS Rebinding with the Extended Same-Origin Policy.” In, Stock, Ben, Jan Göbel, Markus Engelberth, Felix Freiling, and Thorsten Holz. Kizzle is able to generate anti-virus signatures for detecting EKs, which compare favorably to manually created ones. Cross-site Scripting (XSS) is a widespread vulnerability class in Web applications and can be caused by both server-side and client-side code. “Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification.”, Backes, Michael, Konrad Rieck, Malte Skoruppa, Ben Stock, and Fabian Yamaguchi. “Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification.” In, Stock, Ben, Sebastian Lekies, and Martin Johns. In the course of this study, we were able to identify 6,167 such vulnerabilities, distributed over 480 of the examined applications. 
In this paper, we present a comprehensive study in which we examined the leading 5000 Web sites of the Alexa index for DOM-based XSS using a fully automated approach. “JaST: Fully Syntactic Detection of Malicious (Obfuscated) JavaScript.” In, Stock, Ben, Giancarlo Pellegrino, Frank Li, Michael Backes, and Christian Rossow. Modern Web sites frequently generate JavaScript on-the-fly via server-side scripting, incorporating personalized user data in the process. Campus E9.1, Room 2.09 +49 (0)681 302 57377 stock [at] cispa.saarland. Finally, we observe that the rising security awareness and introduction of dedicated security technologies had no immediate impact on the overall security of the client-side Web. To further answer our main research question, we conduct a hypothetical what-if analysis. “From Facepalm to Brain Bender: Exploring Client-Side Cross-Site Scripting.”, Backes, Michael, Thorsten Holz, Christian Rossow, Teemu Rytilahti, Milivoj Simeonovski, and Ben Stock. Especially in combination with CSP’s logic in handling redirected resources, script gadgets enable attackers to bypass an otherwise secure policy. Ben Stock, CISPA Helmholtz Center Billy Melicher, Palo Alto Networks Christo Wilson, Northeastern University Cristian-Alexandru Staicu, CISPA Helmholtz Center Gianluca Stringhini, Boston University Gunes Acar, KU Leuven Jason Polakis, University of Illinois at Chicago Konrad Rieck, TU Braunschweig Kyu Hyung Lee, University of Georgia As recently shown by Lekies et al., injecting script markup is not a necessary prerequisite for a successful attack in the presence of so-called script gadgets. To close this research gap, we leverage taint tracking to identify suspicious flows from client-side persistent storage (Web Storage, cookies) to dangerous sinks (HTML, JavaScript, and script.src). However, the Web servers themselves are only indirectly involved in the corresponding security decision. 
It implements the communication features of Waledac but does not cause any harm, i.e., no spam emails are sent and no other commands are executed. Based on data sets of benign and spoofed NTP requests, we find that a TTL-based defense could block over 75% of spoofed traffic, while allowing 85% of benign traffic to pass. But, out of 35,832 transmitted vulnerability reports, only 2,064 (5.8%) were actually received successfully, resulting in an unsatisfactory overall fix rate, leaving 74.5% of Web applications exploitable after our month-long experiment. That is, if you haven't received an answer from me within d, assume you'll not get an answer anymore. Instead, the SOP relies on information obtained from the domain name system, which is not necessarily controlled by the Web server’s owners. In this paper, we present an interprocedural analysis technique for PHP applications based on code property graphs that scales well to large amounts of code and is highly adaptable in its nature. This paper presents Kizzle, the first prevention technique specifically designed for finding exploit kits. Nevertheless, it has been shown that attackers with specific and internal knowledge of a target system may be able to produce input samples which are misclassified. The first works in this area have shown that while notifications are helpful to a significant fraction of operators, the vast majority of systems remain unpatched. To validate our findings, we report on practical experiments using a set of 1,602 real-world vulnerabilities, achieving a rate of 73% successful filter bypasses. This exemption allows an adversary to import and execute dynamically generated scripts while a user visits an attacker-controlled Web site. Based on this insight, we propose a light-weight extension to the SOP which takes Web server provided information into account. 
By using a combination of tracerouting and BGP data, we build statistical models which allow us to estimate the TTL within that tolerance level. Using a data set of over 44,000 vulnerable Web sites, we measure success rates, both with respect to the total number of fixed vulnerabilities and to reaching responsible parties, with the following high-level results: Although our campaign had a statistically significant impact compared to a control group, the increase in the fix rate of notified domains is marginal. Our attack allows reliable DNS Rebinding attacks, circumventing all currently deployed browser-based defense measures. 2017. “How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security.” In, Backes, Michael, Konrad Rieck, Malte Skoruppa, Ben Stock, and Fabian Yamaguchi. In this paper, we propose JStap, a modular static JavaScript detection system, which extends the detection capability of existing lexical and AST-based pipelines by also leveraging control and data flow information. Although this issue has been known for several years under the term Cross-Site Script Inclusion, it has not been analyzed in-depth on the Web. “Call to Arms: A Tale of the Weaknesses of Current Client-Side XSS Filtering.”, Stock, Ben, Sebastian Lekies, and Martin Johns. With the help of this tool we observed a minimum daily population of 55,000 Waledac bots and a total of roughly 390,000 infected machines throughout the world. In practice, JStap outperforms existing systems, which we reimplemented and tested on our dataset totaling over 270,000 samples. 
In this paper, we therefore ask the question: is deploying CSP in a secure fashion even possible without a priori knowledge of all files hosted on even a partially trusted origin? To answer this question, we investigate the severity of the findings of Lekies et al., showing real-world Web sites on which, even in the presence of CSP and without code containing such gadgets being added by the developer, an attacker can sideload libraries with known script gadgets, as long as the hosting site is whitelisted in the CSP. Our detector is composed of ten modules, including five different ways of abstracting code, with differing levels of context and semantic information, and two ways of extracting features. 2016. The number one programming language in Web applications is PHP, powering more than 80% of the top ten million websites. We present our infiltration of the Waledac botnet, which can be seen as the successor of the Storm Worm botnet. Given the results of our study, we provide a secure and functionally equivalent alternative to the use of dynamic scripts. Prior to that, I was a research group leader and previously postdoctoral researcher at the Center for IT-Security, Privacy and Accountability at Saarland University in the group of Michael Backes. To ease the burden of repeated password authentication on multiple sites, modern Web browsers provide password managers, which offer to automatically complete password fields on Web pages, after the password has been stored once. “Protecting Users Against XSS-Based Password Manager Abuse.” In, Stock, Ben, Sebastian Lekies, Tobias Mueller, Patrick Spiegel, and Martin Johns. 
“Don’t Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild.” In, Fass, Aurore, Robert Krawczyk, Michael Backes, and Ben Stock. Even though the analysis is entirely static, it yields a high detection accuracy of almost 99.5% and has a low false-negative rate of 0.54%. In this paper, we present a novel DNS Rebinding attack method leveraging the HTML5 Application Cache. The security of such applications is of the utmost importance, as exploits can have a devastating impact on personal and economic levels. Today, the most common source of drive-by downloads are so-called exploit kits (EKs). Specifically, it replaces benign sub-ASTs by identical malicious ones and adjusts the benign data dependencies (without changing the AST), so that the malicious semantics is kept after execution. Ben Stock, CISPA Helmholtz Center for Information Security. Even though the server-side code of the past has long since vanished, the Internet Archive gives us a unique view on the historical development of the Web’s client side and its (in)security. In this paper, we study the most prevalent peer-to-peer botnet in 2009: Waledac. In this study, we identified 6,167 unique vulnerabilities distributed over 480 domains, showing that 9.6% of the examined sites carry at least one DOM-based XSS problem. 2019. “ScriptProtect: Mitigating Unsafe Third-Party JavaScript Practices.” In, Fass, Aurore, Michael Backes, and Ben Stock. Therefore, to systematically investigate the issue, we conduct a study on its prevalence in a set of 150 top-ranked domains. We show the pitfalls of email-based communications, such as the impact of anti-spam filters, the lack of trust by recipients, and hesitations to fix vulnerabilities despite awareness. 
These small snippets of benign JavaScript code transform non-script markup contained in a page into executable JavaScript, opening the door for bypasses of a deployed CSP. Based on the frequency of these specific patterns, we train a random forest classifier for each module. Furthermore, we analyze the fundamental problem which allows DNS Rebinding to work in the first place: The SOP’s main purpose is to ensure security boundaries of Web servers. Dr.-Ing. During that time, I was fortunate enough to join Ben Livshits and Ben Zorn at Microsoft Research in Redmond for an internship. CISPA’s 3 Year Professional Acting Course has recently been awarded a BA level certification by the Danish Accreditation Institution! 2017. “Efficient and Flexible Discovery of PHP Application Vulnerabilities.” In, Stock, Ben, Bernd Kaiser, Stephan Pfistner, Sebastian Lekies, and Martin Johns. This mismatch is exploited by DNS Rebinding. This suggests that client-side XSS could also gain in importance. I am a tenure-track faculty at the CISPA Helmholtz Center for Information Security. 
CISPA Helmholtz Center for Information Security - Cited by 741 - Web Security - Network Security - Usable Security To that end, we examined the code and header information of the most important Web sites for each year between 1997 and 2016, amounting to 659,710 different analyzed Web documents. In this paper, we build on these previous works, aiming to understand why the effects are not more significant. 2016. The Web today is a growing universe of pages and applications teeming with interactive content. We thus propose recommendations for web developers and browser vendors to mitigate this issue. Deploying such a policy enables a Web developer to whitelist from where script code can be loaded, essentially constraining the capabilities of the attacker to only be able to execute injected code from said whitelist. 2020. “A Tale of Two Headers: A Formal Analysis of Inconsistent Click-Jacking Protection on the Web.” In, Roth, Sebastian, Timothy Barron, Stefano Calzavara, Nick Nikiforakis, and Ben Stock. To achieve this we implemented a clone of the Waledac bot named Walowdac. Our proposed approach has a low false positive rate and robustly protects against DOM-based XSS exploits. As of May 2020, d is set to 7 days. 
While the existence of this class has been acknowledged, especially by the non-academic community like OWASP, prior works have either only found such flaws as side effects of other analyses or focused on a limited set of applications to analyze. We observe that a third of the surveyed sites utilize dynamic JavaScript. We subsequently classify all vulnerabilities in our data set accordingly to enable a more systematic analysis. CISPA, Saarland University Saarbrücken, Germany. Seeing these results, we pinpoint future directions in improving security notifications. Mohit Tiwari, UT Austin and Symmetry Systems. In this paper, we systematically examine the feasibility and efficacy of large-scale notification campaigns. 2009. “Walowdac - Analysis of a Peer-to-Peer Botnet.” In, Security Research Group of the University of Erlangen-Nuremberg, Busy Beaver Teaching Award for lecture "Foundations of Cybersecurity 1" at Saarland University (Winter Term 2018/2019), Busy Beaver Teaching Award for lecture "Web Security" at Saarland University (Summer Term 2018), Finalist for Best Dissertation Award (CAST e.V.)