Ultimate Dom Based XSS Detection Scanner on Cloud

Presented at Black Hat Asia 2014, Unknown date/time (Unknown duration)

As more and more rich interactive web applications are based on the HTML5's new capabilities by introducing native methods to improve user interactive experiences, XSS still ranks among as the top 3 vulnerabilities in the web application. There is a growing trend to one of its type - DOM-based XSS with the shift to the HTML5. However, due to the client nature of DOM-based XSS, there is no effective way to detect it in the open community. This work implemented tainted checking into the JavaScriptCore JavaScript engine and WebKit browser render engine. We modified String object by adding a tainted attribute to all DOM input interface, propagating this tainted attribute through all the String operations and detecting it at the DOM output interface. If the output was tainted, then we claimed the web application is DOM-based XSS vulnerable. By harnessing the power of PhantomJS, a headless browser for automation, we developed an ultimate DOM-based XSS detection scanner and a cloud infrastructure scanning our target products actively. It successfully caught production DOM-based XSS issues and reported back to us.

Presenters:

• Albert Yu - Yahoo!
  Albert Yu works as a security engineer for the Paranoid team at Yahoo. His interest is on seeing how things are built and how things break.
• Nera W. C. Liu - Yahoo!
  I am the Paranoid / information security engineer working in Yahoo!, focusing on Yahoo! security including both back-end and public-facing products. My main focus is the open web application vulnerabilities and related research.

Links:

• https://www.blackhat.com/asia-14/briefings.html#Liu
• https://www.youtube.com/watch?v=S9mCqd_RyD8

Similar Presentations:

• Black Hat USA 2010 / Hacking Browser's DOM - Exploiting Ajax and RIA
• AppSec USA 2012 / Unraveling Some of the Mysteries around DOM-Based XSS
• LocoMocoSec 2019 / Trusted types & the end of DOM XSS