DOI: 10.1145/3339252.3339257 (ARES conference proceedings, research article)

PoliDOM: Mitigation of DOM-XSS by Detection and Prevention of Unauthorized DOM Tampering

Published: 26 August 2019

Abstract

The current generation of DOM (Document Object Model) Cross-Site Scripting (DOM-XSS) filters is mostly made up of browser-based tools that do not let web developers control which modifications of the web page's DOM are authorized and which are not. In this work, we propose a policy-based, browser-based protection mechanism that detects and prevents unauthorized tampering of the DOM. To examine the efficiency and feasibility of our approach, we implement the proposed solution in an open source web browser, Chromium. Our approach has little performance overhead and effectively detects malicious modifications of the DOM. We also conduct a thorough analysis of the current state-of-the-art policy-based MutationObserver API and uncover its limitations.
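As an added example (not the paper's PoliDOM implementation, which lives inside Chromium), the following JavaScript sketches the page-side alternative the abstract contrasts it with: a policy of authorized mutation kinds per subtree, checked against MutationObserver records, with comments on why an observer-based approach detects rather than prevents tampering. The policy format, the `checkMutation` and `watchPolicy` names, and the `#content`/`#sidebar` selectors are assumptions constructed for illustration.

```javascript
// Added example, not the PoliDOM code: a page-side DOM tampering policy
// evaluated over MutationObserver records. Policy shape and selectors are constructed.
// Each observed subtree lists the mutation kinds it is authorized to receive.
const POLICY = {
  '#content': ['childList', 'characterData'],
  '#sidebar': ['characterData'],
};
// Injected payload shapes that are never authorized anywhere.
const FORBIDDEN_TAGS = new Set(['SCRIPT', 'IFRAME', 'OBJECT', 'EMBED']);
const HANDLER_ATTR = /^on/i; // inline event handlers such as onerror
// Evaluate one MutationRecord-shaped object (type, addedNodes, attributeName)
// against the policy for `scope`; returns a list of violations (empty = authorized).
function checkMutation(policy, scope, record) {
  const allowed = policy[scope] || [];
  const violations = [];
  if (!allowed.includes(record.type)) {
    violations.push(`${record.type} mutation not permitted in ${scope}`);
  }
  for (const node of record.addedNodes || []) {
    if (node.nodeName && FORBIDDEN_TAGS.has(node.nodeName.toUpperCase())) {
      violations.push(`forbidden <${node.nodeName.toLowerCase()}> added in ${scope}`);
    }
  }
  if (record.type === 'attributes' && HANDLER_ATTR.test(record.attributeName || '')) {
    violations.push(`inline handler ${record.attributeName} set in ${scope}`);
  }
  return violations;
}
// Browser wiring. MutationObserver delivers records asynchronously, after the
// mutation has been applied: an injected <script> has already executed by the
// time the callback removes it, and any script in the page can call disconnect().
// This is detection with best-effort rollback, not prevention.
function watchPolicy(policy, doc = globalThis.document) {
  if (typeof MutationObserver === 'undefined' || !doc) return []; // e.g. under Node
  return Object.keys(policy).flatMap((scope) => {
    const root = doc.querySelector(scope);
    if (!root) return [];
    const observer = new MutationObserver((records) => {
      for (const r of records) {
        const violations = checkMutation(policy, scope, r);
        if (violations.length === 0) continue;
        console.warn('unauthorized DOM mutation:', violations.join('; '));
        for (const n of r.addedNodes) if (n.parentNode) n.parentNode.removeChild(n);
      }
    });
    observer.observe(root, { childList: true, attributes: true, characterData: true, subtree: true });
    return [observer];
  });
}
```

Call `watchPolicy(POLICY)` once the page has loaded; `checkMutation` can be exercised stand-alone with record-shaped objects.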



Published In

ARES '19: Proceedings of the 14th International Conference on Availability, Reliability and Security
August 2019, 979 pages
ISBN: 9781450371643
DOI: 10.1145/3339252
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. DOM Monitoring
2. DOM Security Policy
3. DOM-based XSS
4. MutationObserver
5. Secure Browser

Qualifiers

• Research article
• Research
• Refereed limited

Conference

ARES '19

Acceptance Rates

Overall acceptance rate: 228 of 451 submissions, 51%
