Research article. DOI: 10.1145/2810103.2813625

From Facepalm to Brain Bender: Exploring Client-Side Cross-Site Scripting

Published: 12 October 2015

Abstract

Although studies have shown that at least one in ten Web pages contains a client-side XSS vulnerability, the prevalent causes for this class of Cross-Site Scripting have not been studied in depth. Therefore, in this paper, we present a large-scale study to gain insight into these causes. To this end, we analyze a set of 1,273 real-world vulnerabilities contained on the Alexa Top 10k domains using a specifically designed architecture, consisting of an infrastructure which allows us to persist and replay vulnerabilities to ensure a sound analysis. In combination with a taint-aware browsing engine, we can therefore collect important execution trace information for all flaws. Based on the observable characteristics of the vulnerable JavaScript, we derive a set of metrics to measure the complexity of each flaw. We subsequently classify all vulnerabilities in our data set accordingly to enable a more systematic analysis. In doing so, we find that although a large portion of all vulnerabilities have a low complexity rating, several incur a significant level of complexity and are repeatedly caused by vulnerable third-party scripts. In addition, we gain insights into other factors related to the existence of client-side XSS flaws, such as missing knowledge of browser-provided APIs, and find that the root causes for Client-Side Cross-Site Scripting range from unaware developers to incompatible first- and third-party code.




Published In

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, October 2015, 1750 pages. ISBN: 9781450338325. DOI: 10.1145/2810103

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  • analysis
  • client-side XSS
  • complexity metrics


Funding Sources

  • European Union


Acceptance Rates

CCS '15 paper acceptance rate: 128 of 660 submissions (19%). Overall acceptance rate: 1,261 of 6,999 submissions (18%).

Cited By

  • (2024) Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials. 2024 IEEE Symposium on Security and Privacy (SP), pp. 203-221. DOI: 10.1109/SP54263.2024.00177. Published 19 May 2024.
  • (2024) Where Are the Red Lines? Towards Ethical Server-Side Scans in Security and Privacy Research. 2024 IEEE Symposium on Security and Privacy (SP), pp. 4405-4423. DOI: 10.1109/SP54263.2024.00104. Published 19 May 2024.
  • (2024) To Auth or Not To Auth? A Comparative Analysis of the Pre- and Post-Login Security Landscape. 2024 IEEE Symposium on Security and Privacy (SP), pp. 1500-1516. DOI: 10.1109/SP54263.2024.00094. Published 19 May 2024.
  • (2024) Twenty-two years since revealing cross-site scripting attacks. Computer Science Review, vol. 52:C. DOI: 10.1016/j.cosrev.2024.100634. Published 18 July 2024.
  • (2023) Load-and-Act: Increasing Page Coverage of Web Applications. Information Security, pp. 163-182. DOI: 10.1007/978-3-031-49187-0_9. Published 1 December 2023.
  • (2022) Accept All Exploits: Exploring the Security Impact of Cookie Banners. Proceedings of the 38th Annual Computer Security Applications Conference, pp. 911-922. DOI: 10.1145/3564625.3564647. Published 5 December 2022.
  • (2022) Hand Sanitizers in the Wild: A Large-scale Study of Custom JavaScript Sanitizer Functions. 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), pp. 236-250. DOI: 10.1109/EuroSP53844.2022.00023. Published June 2022.
  • (2021) 12 Angry Developers - A Qualitative Study on Developers' Struggles with CSP. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 3085-3103. DOI: 10.1145/3460120.3484780. Published 12 November 2021.
  • (2021) Talking About My Generation. Proceedings of the 14th European Workshop on Systems Security, pp. 27-33. DOI: 10.1145/3447852.3458718. Published 26 April 2021.
  • (2021) JSONPS: Secure an inherently insecure practice with this one weird trick! 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 24-31. DOI: 10.1109/EuroSPW54576.2021.00010. Published September 2021.
