DiffCSP is the first differential testing framework to find CSP enforcement bugs involving JS execution. The details of the testing strategy is in our paper, "DiffCSP: Finding Browser Bugs in Content Security Policy Enforcement through Differential Testing", which appeared in NDSS 2023. To see how to configure and execute DiffCSP, see the followings.
- Install dependencies
$ pip install playwright
$ pip install pandas
$ pip install scikit-learn
- Clone HiddenCPG
$ git clone https://github.com/WSP-LAB/DiffCSP.git
- Execute
make_page.pywith the following command.
$ python2 make_page.py conf.json > test.html
Through this command, the pages to be tested are created line by line in the test.html file.
- Execute preprocess.py with the following command.
$ python3 preprocess.py test.html 80
This command splits test.html into multiple files because the size of test.html is large and several pages (eg, redirection via window.open()) cannot coexist with other pages.
Executing this command produces two outputs:
outputdirectory: the divided html files are saved in this directory.test_list.txtfile: A file listing the names of the divided pages. This file will be used in browser testing (Step 2).
$ python2 make_csp.py > testing_csp_list.txt
Through this command, you will get a list of CSPs to be tested (testing_csp_list.txt).
- Install the database
$ cd backend
$ python3 generate_sql.py
Through this command, you can get install.sql. Please run this sql file into mysql.
Through this, a testing account of ID: cspuzz/ PW: cspuzz is created in
mysql, and a DB called cspuzz_result and its corresponding tables are created
for saving inconsistent results. Note that each table in cspuzz_result DB
represents each testing csp.
- Executing the backend
$ cp -r output/* backend/src/test
$ cd backend/src
$ node app.js
Visit http://127.0.0.1:8000/test/example.html. If you can see "test" text in the browser, it means the backend is working well!
- Move list of testing HTML file (
test_list.txt) and CSP (testing_csp_list.txt) to thetesterdirectory
$ cp test_list.txt tester
$ cp testing_csp_list.txt tester
$ cd tester
- Execute destop browsers
$ python3 tester_playwright.py --target_browser [Chrome, Firefox, Safari] --start_csp 0
- Execute mobile browsers
First, we need to the Android emulators. Check mobile-setting directory.
$ python3 tester_mobile.py --package_name [apk package name] --start_csp 0
Through this command, the specified browser visits each page for each CSP.
- Export the testing results from DB
$ cd analyzer
$ ./export_db.sh
Through this command, testing results can be exported to export directory.
- Make dataset
$ cd ..
$ cp test_list.txt analyzer
$ cp testing_csp_list.txt analyzer
$ cd analyzer
$ python3 make_features_logs.py
We can get the two output: features.txt and logs.txt.
- Train and debug a decision tree
$ python3 decision_tree_train.py features.txt logs.txt
Then, we can get the debugging information (i.e., set of conditions) of each decision paths.
inconsist leaf!
250,895,,script-src-elem http://127.0.0.1:8080 'unsafe-inline' 'strict-dynamic';connect-src http://127.0.0.1:8000;
#895 - executed: ['Firefox', 'Safari'], non-executed: ['Chrome']
Rules used to predict sample 16239470:
decision id node 0 : (CSP-directive:default-src (= 0.0) <= 0.5)
decision id node 1 : (CSP-directive:script-src (= 0.0) <= 0.5)
decision id node 2 : (CSP-directive:script-src-elem (= 1.0) > 0.5)
decision id node 204 : (CSP-directive:script-src-attr (= 0.0) <= 0.5)
decision id node 205 : ([Write to static file] (= 0.0) <= 0.5)
decision id node 206 : (CSP-value:unsafe-inline (= 1.0) > 0.5)
decision id node 238 : (JS_EXECUTION_METHOD (= 1.0) <= 1.5)
decision id node 239 : (CSP-value:strict-dynamic (= 1.0) > 0.5)
decision id node 247 : ([Expending current HTML] (= 0.0) <= 0.5)
decision id node 248 : ([Eval of child frame] (= 1.0) > 0.5)
leaf node 250 reached, no decision here
To cite our paper:
@INPROCEEDINGS{wi:ndss:2023,
author = {Seongil Wi and Trung Tin Nguyen and Jihwan Kim and Ben Stock and Sooel Son},
title = {{DiffCSP}: Finding Browser Bugs in Content Security Policy Enforcement through Differential Testing},
booktitle = {Proceedings of the Network and Distributed System Security Symposium},
year = 2023
}