DOI: 10.1145/2508859.2516703 (research-article)

25 million flows later: large-scale detection of DOM-based XSS

Published: 04 November 2013

ABSTRACT

In recent years, the Web witnessed a move towards sophisticated client-side functionality. This shift caused a significant increase in complexity of deployed JavaScript code and thus, a proportional growth in potential client-side vulnerabilities, with DOM-based Cross-site Scripting being a high impact representative of such security issues. In this paper, we present a fully automated system to detect and validate DOM-based XSS vulnerabilities, consisting of a taint-aware JavaScript engine and corresponding DOM implementation as well as a context-sensitive exploit generation approach. Using these components, we conducted a large-scale analysis of the Alexa top 5000. In this study, we identified 6167 unique vulnerabilities distributed over 480 domains, showing that 9.6% of the examined sites carry at least one DOM-based XSS problem.
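As an added example (not the paper's engine or code), the flow-tracking idea behind the taint-aware engine in the abstract, modelled in plain JavaScript: strings carry per-character taint from a source such as location.hash to a sink such as innerHTML, and a sink monitor reports the tainted ranges instead of executing anything. The TStr class, checkSink, and the "lang" fragment flow are constructed for this illustration.

```javascript
// Added example: a tiny character-level taint model in the spirit of the
// taint-aware engine described in the abstract. It is illustrative code,
// not the paper's engine: each string carries one boolean per character
// recording whether that character came from an attacker-controlled source.
class TStr {
  constructor(value, taint) {
    this.value = value;
    this.taint = taint || Array.from(value, () => false);
  }
  // Sources such as location.hash or document.referrer yield fully tainted strings.
  static fromSource(value) { return new TStr(value, Array.from(value, () => true)); }
  // Literals written by the developer are untainted.
  static literal(value) { return new TStr(value); }
  concat(other) { return new TStr(this.value + other.value, this.taint.concat(other.taint)); }
  slice(start, end) { return new TStr(this.value.slice(start, end), this.taint.slice(start, end)); }
  // Simplification: an encoding sanitizer is modelled as clearing taint, since its
  // output can no longer contain the quote or angle-bracket characters that break out
  // of the markup context used below. The real engine decides this per sink context.
  encodeURIComponent() { return TStr.literal(encodeURIComponent(this.value)); }
  // Contiguous tainted ranges, e.g. [[16, 18]] meaning value.slice(16, 18) is tainted.
  taintedRanges() {
    const ranges = [];
    let start = -1;
    this.taint.forEach((t, i) => {
      if (t && start < 0) start = i;
      if (!t && start >= 0) { ranges.push([start, i]); start = -1; }
    });
    if (start >= 0) ranges.push([start, this.taint.length]);
    return ranges;
  }
}

// Sink monitor: stands in for the point where the engine hands the string to
// innerHTML, document.write or eval. It returns a report instead of executing.
function checkSink(sinkName, sourceName, tstr) {
  const ranges = tstr.taintedRanges();
  return {
    sink: sinkName, source: sourceName, vulnerable: ranges.length > 0,
    ranges, taintedParts: ranges.map(([s, e]) => tstr.value.slice(s, e)),
  };
}

// Constructed flow: the value of a "lang" fragment parameter is spliced into markup.
const hash = TStr.fromSource('#lang=de');                 // models location.hash
const lang = hash.slice(hash.value.indexOf('=') + 1);
const tail = TStr.literal('">go</a>');
const unsafe = TStr.literal('<a href="/?lang=').concat(lang).concat(tail);
const safe = TStr.literal('<a href="/?lang=').concat(lang.encodeURIComponent()).concat(tail);
const unsafeReport = checkSink('innerHTML', 'location.hash', unsafe);   // vulnerable: true
const safeReport = checkSink('innerHTML', 'location.hash', safe);       // vulnerable: false
```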


Published in: CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
November 2013, 1530 pages
ISBN: 9781450324779
DOI: 10.1145/2508859
Copyright © 2013 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rates: CCS '13 accepted 105 of 530 submissions (20%); overall acceptance rate 1,261 of 6,999 submissions (18%).
