
From Facepalm to Brain Bender: Exploring Client-Side Cross-Site Scripting

We got this paper accepted at the upcoming CCS in Denver in October!

Although studies have shown that at least one in ten Web pages contains a client-side XSS vulnerability, the prevalent causes for this class of Cross-Site Scripting have not been studied in depth. Therefore, in this paper, we present a large-scale study to gain insight into these causes. To this end, we analyze a set of 1,273 real-world vulnerabilities contained on the Alexa Top 10k domains using a specifically designed architecture, consisting of an infrastructure which allows us to persist and replay vulnerabilities to ensure a sound analysis. In combination with a taint-aware browsing engine, we can therefore collect important execution trace information for all flaws.

Based on the observable characteristics of the vulnerable JavaScript, we derive a set of metrics to measure the complexity of each flaw. We subsequently classify all vulnerabilities in our data set accordingly to enable a more systematic analysis. In doing so, we find that although a large portion of all vulnerabilities has a low complexity rating, several incur a significant level of complexity and are repeatedly caused by vulnerable third-party scripts. In addition, we gain insights into other factors related to the existence of client-side XSS flaws, such as missing knowledge of browser-provided APIs, and find that the root causes for Client-Side Cross-Site Scripting range from unaware developers to incompatible first- and third-party code.

Read it here.

Timelapse of a research paper

Since I had some time to spare after the deadline for USENIX’15, I went ahead and generated timelapses for our papers. Basically, my script checks out all revisions from SVN and builds the PDF. Subsequently, every single page of the paper is extracted and stitched together to form a complete image. All the images are then put together using ffmpeg to form the timelapse.

But well, see for yourself 🙂

Precise Client-side Protection against DOM-based Cross-Site Scripting

25 Million Flows Later – Large-scale Detection of DOM-based XSS