Client-Side Protection Against DOM-Based XSS Done Right (tm)

Presented at Black Hat Asia 2015.

Cross-Site Scripting (XSS) is one of the most severe security vulnerabilities of the web. With the introduction of HTML5, the complexity of web applications is ever increasing, and despite the existence of robust protection libraries, Cross-Site Scripting vulnerabilities are nowadays omnipresent on the Web. In order to protect end users from being exploited, browser vendors reacted to this serious threat by outfitting their browsers with client-side XSS filters. Unfortunately, as we had to notice, the currently provided protection is severely limited, leaving end users vulnerable to exploits in the majority of cases.

In this talk, we first present an analysis of Chrome's XSS Auditor, in which we discovered 17 flaws that enable us to bypass the Auditor's filtering capabilities. We will demonstrate the bypasses and present a tool to automatically generate XSS attacks utilizing the bypasses. Furthermore, we will report on a practical, empirical study of the Auditor's protection capabilities, in which we ran our generated attacks against a set of several thousand DOM-based, zero-day XSS vulnerabilities in the Alexa Top 10,000. In our experiments, we were able to successfully bypass the XSS filter on the first try in over 80% of all vulnerable Web applications. Thus, it appears safe to state that the current client-side defenses against DOM-XSS are insufficient to protect end users.

However, unlike general XSS, in the DOM-based variant all significant information is readily available. Hence, we present an alternative XSS filter design that reliably detects successful XSS attacks via client-side taint tracking in the JavaScript engine. Unlike the current approach, our filter does not rely on coarse approximation but on precise data flow information that allows us to robustly stop DOM-XSS for good.
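The taint-tracking idea the abstract outlines, as an added illustration that is not code from the talk or its authors: every string value carries one taint flag per character recording whether it originated from an attacker-controllable source (assumed here to be only the URL fragment), string operations propagate the flags through the page's own transformations, and the innerHTML sink refuses markup in which tainted characters end up forming HTML syntax instead of plain text. All names (TStr, innerHTMLSinkAllows, greetingFrom, linkFrom, report) and both page templates are invented for this example, and the sink policy is a deliberately simplified stand-in for the design described in the talk.

```javascript
// Added illustration, not the authors' code: character-level taint tracking
// for a DOM-XSS sink. Each string carries one taint flag per character marking
// data that came from an attacker-controllable source (here: location.hash);
// string operations propagate the flags, and the innerHTML sink refuses
// markup in which tainted characters form HTML syntax rather than plain text.
// All names (TStr, innerHTMLSinkAllows, ...) are invented for this example.

class TStr {
  constructor(chars, taint) {
    this.chars = chars;
    this.taint = taint || new Array(chars.length).fill(false);
  }
  static clean(s) { return new TStr(s); }   // page-controlled literal
  static tainted(s) { return new TStr(s, new Array(s.length).fill(true)); }
  concat(o) { return new TStr(this.chars + o.chars, this.taint.concat(o.taint)); }
  slice(a, b) { return new TStr(this.chars.slice(a, b), this.taint.slice(a, b)); }
  // Decoding changes the length: a decoded byte inherits the taint of the '%'
  // that began its escape. Only single-byte escapes (%00-%7F) are handled.
  decodeURIComponent() {
    let out = '';
    const taint = [];
    for (let i = 0; i < this.chars.length; i++) {
      if (/^%[0-7][0-9A-Fa-f]$/.test(this.chars.slice(i, i + 3))) {
        out += String.fromCharCode(parseInt(this.chars.slice(i + 1, i + 3), 16));
        taint.push(this.taint[i]);
        i += 2;
      } else {
        out += this.chars[i];
        taint.push(this.taint[i]);
      }
    }
    return new TStr(out, taint);
  }
}

// Sink policy: tainted characters may be text content or sit inside a quoted
// attribute value; they may not be a tag delimiter, a tag or attribute name, a
// quote, an unquoted attribute value, or script text. Event-handler values and
// javascript: URLs would need the same check in the JS and URL parsers; they
// are out of scope for this toy.
function innerHTMLSinkAllows(ts) {
  let inTag = false, quote = null, tagName = '', nameDone = false, inScript = false;
  for (let i = 0; i < ts.chars.length; i++) {
    const c = ts.chars[i], t = ts.taint[i];
    if (!inTag) {
      if (c === '<') {
        if (t) return false;                        // attacker opened a tag
        inTag = true; tagName = ''; nameDone = false;
      } else if (inScript && t) {
        return false;                               // tainted JavaScript source
      }
      continue;                                     // ordinary text: harmless
    }
    if (quote) {                                    // inside "..." or '...'
      if (c === quote) { if (t) return false; quote = null; }
      continue;                                     // tainted value text: harmless
    }
    if (t) return false;                            // tainted tag syntax
    if (c === '"' || c === "'") { quote = c; continue; }
    if (c === '>') {
      inTag = false;
      if (tagName === 'script') inScript = true;
      else if (tagName === '/script') inScript = false;
      continue;
    }
    if (/\s/.test(c)) nameDone = true;
    else if (!nameDone) tagName += c.toLowerCase();
  }
  return true;
}

// Constructed page logic: two templates that write the (decoded) fragment into
// the document via innerHTML. The fragment is the only taint source here.
function greetingFrom(fragment) {                   // <div>Hello, NAME</div>
  const name = TStr.tainted(fragment).slice(1).decodeURIComponent();
  return TStr.clean('<div class="greet">Hello, ').concat(name).concat(TStr.clean('</div>'));
}
function linkFrom(fragment) {                       // <a title="NAME">profile</a>
  const name = TStr.tainted(fragment).slice(1).decodeURIComponent();
  return TStr.clean('<a title="').concat(name).concat(TStr.clean('">profile</a>'));
}
function report(fragment) {
  return { greeting: innerHTMLSinkAllows(greetingFrom(fragment)),
           link: innerHTMLSinkAllows(linkFrom(fragment)) };
}

for (const frag of ['#Alice', '#<img src=x onerror=alert(1)>',
                    '#%3Cimg src=x onerror=alert(1)%3E', '#x" onmouseover="alert(1)']) {
  console.log(frag, report(frag));
}
```

The point of the toy is where the decision is made: the same fragment is accepted by one template and rejected by the other, because the verdict depends on the position the tainted characters occupy after decoding and concatenation, not on what the raw input looked like. A percent-encoded `<img ...>` is blocked in the greeting because the decoded `<` is still tainted, yet the same payload is harmless inside the quoted title attribute, while a tainted `"` that closes that attribute is blocked. A real implementation would track taint through every string and DOM API, apply matching policies in the JavaScript and URL parsers, and handle the HTML parser's element-specific modes beyond the `script` special case shown here.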


Presenters:

  • Martin Johns - SAP AG
    Dr. Martin Johns is a Research Expert in the Security and Trust group within SAP AG, where he leads the web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the Universities of Hamburg, Santa Cruz (CA), and Passau. During the 1990s and the early years of the new millennium he earned his living as a software engineer in German companies (including Infoseek Germany and TC Trustcenter). He holds a Diploma in Computer Science from the University of Hamburg and a Doctorate from the University of Passau. Martin has a track record of 8+ years of applied web AppSec research, has published more than 20 papers on the subject, and is a regular speaker at international security conferences, including the OWASP AppSec series, ACSAC, ESORICS, PacSec, HackInTheBox, RSA Europe, and the CCC Congress.
  • Sebastian Lekies - University of Bochum
    Sebastian Lekies is a PhD candidate at the University of Bochum. His main field of research is web application security, where he focuses on client-side Web attacks such as Cross-Site Scripting, Clickjacking, DNS Rebinding, and Cross-Site Request Forgery. He regularly publishes his work at academic and non-academic security conferences such as CCS, USENIX Security, OWASP AppSec, and DeepSec.
  • Ben Stock - University of Erlangen-Nuremberg
    Ben is currently a PhD student and research fellow at the Security Research Group of the University of Erlangen-Nuremberg. His research interests lie in web security and malware analysis, and he enjoys the challenges provided by capture-the-flag contests.
