Call To Arms: A Tale of the Weaknesses of Current Client-Side XSS Filtering

Presented at Black Hat USA 2014, Aug. 7, 2014, 3:30 p.m. (60 minutes)

Cross-Site Scripting (XSS) is one of the most severe security vulnerabilities of the web. With the introduction of HTML5, the complexity of web applications is ever increasing and despite the existence of robust protection libraries, Cross-Site Scripting vulnerabilities are nowadays omnipresent on the web. In order to protect end users from being exploited, browser vendors reacted to this serious threat by outfitting their browsers with client-side XSS filters. Unfortunately, as we had to notice, the currently provided protection is severely limited, leaving end-users vulnerable to exploits in the majority of cases. In this talk, we present an analysis of Chrome's XSS Auditor, in which we discovered 17 flaws that enable us to bypass the Auditor's filtering capabilities. We will demonstrate the bypasses and present a tool to automatically generated XSS attacks utilizing the bypasses. Furthermore, we will report on a practical, empirical study of the Auditor's protection capabilities in which we ran our generated attacks against a set of several thousand DOM-based zero-day XSS vulnerabilities in the Alexa Top 10.000 (we will also briefly cover, how we were able to find these vulnerabilities using a taint-aware browser engine). In our experiments, we were able to successfully bypass the XSS filter on first try in over 80% of all vulnerable web applications. We will conclude the talk with an outlook on potential future improvements to client-side XSS filtering, based our analysis and experiences in bypass generation.

Presenters:

• Sebastian Lekies - SAP AG
  Sebastian Lekies is a PhD candidate at SAP and the University of Bochum. His main field of research is Web application security. Thereby, he mainly focuses on client-side Web attacks such as Cross-Site Scripting, ClickJacking, DNS-Rebinding, Cross-Site Request Forgery, etc. He regularly publishes his work at academic and non-academic security conferences such as CCS, Usenix Security, OWASP Appsec, Deepsec, etc.
• Ben Stock - University Erlangen-Nuremberg
  Ben is currently a PhD student and research fellow at the Security Research Group of the University Erlangen-Nuremberg. His research interests lie within web security and malware analysis and he enjoys the challenges provided in capture-the-flag contests.
• Martin Johns - SAP AG
  Dr. Martin Johns is a Research Expert in the Security and Trust group within SAP AG, where he leads the web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the Universities of Hamburg, Santa Cruz (CA), and Passau. During the 1990s and the early years of the new millennium he earned his living as a software engineer in German companies (including Infoseek Germany, and TC Trustcenter). He holds a Diploma in Computer Science from University of Hamburg and a Doctorate from the University of Passau. Martin has a track record of 8+ years applied web AppSec research, published more than 20 papers on the subject, and is a regular speaker at international security conferences, including the OWASP AppSec series, ACSAC, ESORICS, PacSec, HackInTheBox, RSA Europe, or the CCC Congress.

Links:

• https://www.blackhat.com/us-14/archives.html#call-to-arms-a-tale-of-the-weaknesses-of-current-client-side-xss-filtering
• https://www.youtube.com/watch?v=KsRBig0u568
• https://www.blackhat.com/docs/us-14/materials/us-14-Johns-Call-To-Arms-A-Tale-Of-The-Weaknesses-Of-Current-Client-Side-XSS-Filtering.pdf
• https://www.blackhat.com/docs/us-14/materials/us-14-Johns-Call-To-Arms-A-Tale-Of-The-Weaknesses-Of-Current-Client-Side-XSS-Filtering-WP.pdf

Similar Presentations:

• ShmooCon I (2005) / The Evils of XSS: Its not just for cookies anymore
• Black Hat Asia 2015 / Client-Side Protection Against DOM-Based XSS Done Right (tm)
• LocoMocoSec 2019 / Trusted types & the end of DOM XSS