In previous research, we found a large number of DOM-based Cross-Site Scripting vulnerabilities across the Alexa Top 5k. Continuing this research, we crawled the Alexa Top 10k and again found XSS of ~10% of the sites we visited. In order to verify the vulnerabilities, we turned off the XSSAuditor which is built into Chrome – in our notion, a vulnerability should be treated as such regardless of whether the filter in one browser catches it or not.
That being said, after the initial verification, we analysed how many of our exploits triggered even with the Auditor activated. Obviously these numbers were lower than the initial results, thus we tried to determine the reason for some exploits passing and some not passing. This led to a full-fledged analysis of the Auditor in which we discovered numerous bypasses that are related to both implementational decisions as well as conceptual issues such as the placement of the Auditor.
In our BlackHat talk, we presented these bypasses motivated from real-world examples of DOM-based XSS, showing that over 80% of all domains we discovered vulnerabilities on were prone to filter bypasses. Go ahead and check out the slides as well as our whitepaper.