Don't Trust the DOM: Bypassing XSS Mitigations via Script Gadgets

Presented at Black Hat USA 2017, July 27, 2017, 11 a.m. (50 minutes)

Cross-Site Scripting is a constant problem of the Web platform. Over the years many techniques have been introduced to prevent or mitigate XSS. Most of these techniques, thereby, focus on script tags and event handlers. HTML sanitizers, for example, aim at removing potentially dangerous tags and attributes. Another example is the Content Security Policy, which forbids inline event handlers and aims at white listing of legitimate scripts.

In this talk, we present a novel Web hacking technique that enables an attacker to circumvent most XSS mitigations. In order to do so, the attacker abuses so-called script gadgets. A script gadget Is a legitimate piece of JavaScript in a page that reads elements from the DOM via selectors and processes them in a way that results in script execution. To abuse a script gadget, the attacker injects a benign looking element into the page that matches the gadget's selector. Subsequently, the gadget selects the benign-looking element and executes attacker-controlled scripts. As the initially injected element is benign it passes HTML sanitizers and security policies. The XSS only surfaces when the gadget mistakenly elevates the privileges of the element.

In this talk, we will demonstrate that these gadgets are present in almost all modern JavaScript libraries, APIs and applications. We will present several case studies and real-world examples that demonstrate that many mitigation techniques are not suited for modern applications. As a result, we argue that the Web should start focusing more on preventive mechanisms instead of mitigations.


Presenters:

  • Sebastian Lekies - Senior Software Engineer, Google
    Sebastian Lekies is a Senior Software Engineer at Google and a PhD Student at the Ruhr-University Bochum. His research interests include client-side Web application security and Web application security scanning. At Google, Sebastian is tech leading the Web application security scanning team, which develops Google's internal Web security scanner. Before joining Google, Sebastian was part of SAP's Security Research team, where he conducted academic research in the area of client-side Web application security. Sebastian is regularly speaking at academic and non-academic security conferences such as BlackHat US/EU/Asia, DeepSec, OWASP AppSec EU, Usenix Security, CCS, and many more...
  • Krzysztof Kotowicz - Information Security Engineer, Google
    Krzysztof Kotowicz is an Information Security Engineer at Google and a panel member of Google's Vulnerability Rewards Program. He's a web security researcher specialized in Javascript, browser extensions and client-side security. Author of multiple open-source pentesting tools, and recognized HTML5/UI redressing attack vectors. Speaker at international IT security conferences & meetings (Black Hat, BruCON, Hack In Paris, CONFidence, SecurityByte, HackPra, OWASP AppSec, Insomni'Hack).
  • Eduardo Vela - Information Security Engineering Manager, Google
    Eduardo "sirdarckcat" Vela Nava leads Google's Product Security Response Team, and is a professional slacker that does web security research when he can escape from his day job. Presented in several industry conferences, and focused mostly on offensive web security. Loves collecting vulnerabilities and having fun with mitigations.

Links:

Similar Presentations: