DOI: 10.1145/2508859.2516703

25 million flows later: large-scale detection of DOM-based XSS

Published: 04 November 2013

Abstract

In recent years, the Web witnessed a move towards sophisticated client-side functionality. This shift caused a significant increase in complexity of deployed JavaScript code and thus, a proportional growth in potential client-side vulnerabilities, with DOM-based Cross-site Scripting being a high impact representative of such security issues. In this paper, we present a fully automated system to detect and validate DOM-based XSS vulnerabilities, consisting of a taint-aware JavaScript engine and corresponding DOM implementation as well as a context-sensitive exploit generation approach. Using these components, we conducted a large-scale analysis of the Alexa top 5000. In this study, we identified 6167 unique vulnerabilities distributed over 480 domains, showing that 9.6% of the examined sites carry at least one DOM-based XSS problem.
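As an added illustration (not the paper's engine, which instruments the JavaScript runtime and the DOM themselves), the toy JavaScript model below shows the detection idea the abstract describes: a value read from a DOM source such as location.hash carries per-character taint, the taint survives string operations such as slicing and concatenation, and a check at a sink such as innerHTML reports which fragments of the written value still derive from the source. The `TaintedString` class, the `sources` table, the `checkSink` function and the two page-script functions are all constructed for this example; the escaping helper is modelled as a trusted sanitiser that clears taint, which is a simplification assumed here rather than a claim about how the paper handles sanitisers.

```javascript
// Toy string-level taint tracking for DOM-based XSS flow detection.
// Added illustration; not the paper's engine. A TaintedString carries one
// taint label per character: null for untainted, otherwise the source name.

class TaintedString {
  constructor(value, taint) {
    this.value = value;
    this.taint = taint || new Array(value.length).fill(null);
  }
  // Data read from an attacker-influenced DOM source: every character tainted.
  static fromSource(value, source) {
    return new TaintedString(value, new Array(value.length).fill(source));
  }
  // A literal written by the page author: no taint.
  static clean(value) {
    return new TaintedString(value, null);
  }
  // Taint propagates position-wise through concatenation and slicing.
  concat(other) {
    const o = other instanceof TaintedString ? other : TaintedString.clean(String(other));
    return new TaintedString(this.value + o.value, this.taint.concat(o.taint));
  }
  slice(start, end) {
    return new TaintedString(this.value.slice(start, end), this.taint.slice(start, end));
  }
  // Contiguous tainted character ranges, one entry per run of the same source.
  taintedRanges() {
    const ranges = [];
    let cur = null;
    this.taint.forEach((src, i) => {
      if (src !== null && cur && cur.source === src && cur.end === i) {
        cur.end = i + 1;
      } else if (src !== null) {
        cur = { source: src, start: i, end: i + 1 };
        ranges.push(cur);
      } else {
        cur = null;
      }
    });
    return ranges;
  }
}

// Simulated DOM source (constructed for the example). In a taint-aware engine
// the browser's own location object would hand out tainted strings.
const sources = {
  locationHash: (hash) => TaintedString.fromSource(hash, 'location.hash'),
};

// Sink check: when data reaching a dangerous sink (innerHTML, eval, ...) still
// carries taint, report the sink, the full value and the tainted fragments.
// Returns null when the value is fully untainted.
function checkSink(sinkName, ts) {
  const ranges = ts.taintedRanges();
  if (ranges.length === 0) return null;
  return {
    sink: sinkName,
    value: ts.value,
    flows: ranges.map(r => ({ source: r.source, fragment: ts.value.slice(r.start, r.end) })),
  };
}

// Constructed page script: read the fragment identifier, drop the leading '#'
// and embed it in a greeting that is written via innerHTML. This is the
// vulnerable pattern; the sink check reports the flow.
function analyzeGreetingPage(hashValue) {
  const hash = sources.locationHash(hashValue);
  const name = hash.slice(1);
  const html = TaintedString.clean('<h1>Hello, ').concat(name).concat('</h1>');
  return checkSink('innerHTML', html);
}

// Hardened variant: the same flow passes through an HTML-escaping helper.
// The helper is modelled as trusted, so its output is untainted (assumption).
function escapeHtml(ts) {
  const escaped = ts.value.replace(/[&<>"']/g, c => `&#${c.charCodeAt(0)};`);
  return TaintedString.clean(escaped);
}
function analyzeGreetingPageEscaped(hashValue) {
  const hash = sources.locationHash(hashValue);
  const html = TaintedString.clean('<h1>Hello, ')
    .concat(escapeHtml(hash.slice(1)))
    .concat('</h1>');
  return checkSink('innerHTML', html);
}
```

Running `analyzeGreetingPage('#alice')` yields a finding naming `innerHTML` as the sink and `alice` as the fragment derived from `location.hash`; the escaped variant yields `null`. A real engine additionally has to carry taint through the DOM (attribute values, text nodes, serialised HTML) and through built-ins such as `replace` and `split`, which this model leaves out.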


Published In

CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
November 2013
1530 pages
ISBN:9781450324779
DOI:10.1145/2508859
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. dom-based xss
  2. exploit generation
  3. taint tracking
  4. vulnerability detection

Qualifiers

  • Research-article

Conference

CCS'13

Acceptance Rates

CCS '13 Paper Acceptance Rate 105 of 530 submissions, 20%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Article Metrics

  • Downloads (last 12 months): 120
  • Downloads (last 6 weeks): 17
Reflects downloads up to 06 Nov 2024
