In recent years, a significant part of web application functionality moves to client side. Increasing complexity of client-side code leads to a considerable growth in the number of client-side vulnerabilities and even to an emergence of new types of vulnerabilities, among which DOM-based XSS is most well-known. In this paper, we present an approach to detect and validate DOM-based XSS vulnerabilities. Our approach leverages dynamic tracking of data flows on the client side of web application to identify insecure ones (those which lead to vulnerability). An insecure data flow is a flow, in which a critical operation is data-dependent on attacker-controlled data, which is not sanitised properly. Data flows are tracked and classified using taint propagation technique (also known as "taint checking"). Potentially insecure data flows are tested for the presence of exploitable vulnerability by means of fuzzing - enumeration of possible attack vectors, which are passed to a data flow source. Vulnerability is confirmed if an execution of any injected payload is observed. Our approach was implemented on top of Firefox browser, controlled via it's debugger API. The paper discusses and justifies advantages of such implementation. The paper also provides an analysis of related work in the subject field, and comparison with other approaches is made. The proposed approach and its implementation are maintainable and extensible, which is crucial for analyzing applications in constantly evolving environment such as client side web technologies.
Download file
Counter downloads: 548
- Title Detecting DOM-based XSS vulnerabilities using debug API of the modern web-browser
- Headline Detecting DOM-based XSS vulnerabilities using debug API of the modern web-browser
- Publesher
Tomsk State University - Issue Prikladnaya Diskretnaya Matematika - Applied Discrete Mathematics 35
- Date:
- DOI 10.17223/20710410/35/6
Keywords
DOM-based XSS, уязвимости веб-приложений, динамический анализ, fuzz-тестирование, DOM-based XSS, web application vulnerabilities, dynamic analysis, fuzzingAuthors
References
StefanoD.P., Heiderich M., and Braun F. https://code.google.com/p/domxsswiki/ - DOM XSS Test Cases Wiki Cheatsheet Project. 2010.
http://www.ecma-international.org/publications/standards/Ecma-262.htm - Стандарты языка программирования ECMAScript.
Schwartz E. J., Avgerinos T., and Brumley D. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask) // IEEE Symp. Security and Privacy. Auckland: IEEE, 2010. P. 317-331.
Wagner D. Static analysis and software assurance. SAS'01. Proc. 8th Intern. Symp. Static Analysis. Paris: Springer Verlag, 2001. 431 p.
https://developer.mozilla.org/en-US/docs/Tools/Debugger-API - Документация отладочного интерфейса Mozilla Debugger API.
McLean J. Security Models // Encyclopedia of Software Engineering. N.Y.: John Wiley & Sons Inc., 1994. P. 1136-1145.
Chugh R. et al. Staged information flow for JavaScript // ACM Sigplan Notices. 2009. V. 44. No. 6. P. 50-52.
Guha A., Krishnamurthi S., and Jim T. Using static analysis for Ajax intrusion detection // Proc. 18th Intern. Conf. on World Wide Web. Madrid: ACM, 2009. P. 561-570.
Madsen M., Livshits B., and Fanning M. Practical static analysis of JavaScript applications in the presence of frameworks and libraries // Proc. 9th Joint Meeting on Foundations of Software Engineering. St. Petersburg: ACM, 2013. P. 499-509.
Feldthaus A. et al. Efficient construction of approximate call graphs for JavaScript IDE services // 35th Intern. Conf. Software Engineering (ICSE). San Francisco: IEEE, 2013. P. 752-761.
http://htmlunit.sourceforge.net/ - Документация эмулятора управляемого веб-обозревателя HtmlUnit. 2016.
https://www.codemagi.com/downloads/dom-xss-scanner-checks - Описание Codemagi Burp DOM-XSS Scanner - расширения для инструмента BurpSuite, предназначенного для поиска DOMXSS.
http://www. ethicalhack3r.co.uk/staticburp-burp-suite-potential-dom-xss-analysis/ - Описание StaticBurp - расширения для инструмента BurpSuite, предназначенного для поиска DOMXSS.
https://dominator.mindedsecurity.com/ - Описание средства поиска DOMXSS DOMinator
Just S. et al. Information flow analysis for JavaScript // Proc. 1st ACM SIGPLAN Intern. Workshop on Programming Language and Systems Technologies. Portland: ACM, 2011. P. 9-18.
Lekies S., Stock B., and Johns M. 25 million flows later: large-scale detection of DOM-based XSS // Proc. ACM SIGSAC Conf. Computer & Communications Security. Berlin: ACM, 2013. P. 1193-1204.
Lekies S., Stock B., and Johns M. Practical blended taint analysis for JavaScript // Proc. Intern. Symp. Software Testing and Analysis. Lugano: ACM, 2013. P. 336-346.
Xiao W. et al. Preventing client side XSS with rewrite based dynamic information flow // Sixth Intern. Symp. Parallel Architectures, Algorithms and Programming (PAAP). Pekin: IEEE, 2014. P. 238-243.
Jang D. et al. Rewriting-based dynamic information flow for JavaScript // 17th ACM Conf. Computer and Communications Security. Chicago: ACM, 2010. http://goto.ucsd.edu/ ~rjhala/papers/rewriting_based_dynamic_information_flow_for_javascript.pdf
Prabawa A. and Chin W. N. Titania: Generic Dynamic Information Flow Analysis Framework for JavaScript. http://www.comp.nus.edu.sg/~adi-yoga/Titania/Titania.pdf (дата обращения: 01.09.2016).
https://code.google.com/pZra2-dom-xss-scanner/ - Документация средства поиска DOMXSS Ra.2.
www.jsprime.org - Описание средства поиска DOMXSS JSPrime.
Guarnieri S. et al. Saving the world wide web from vulnerable JavaScript // Proc. Intern. Symp. Software Testing and Analysis. Toronto: ACM, 2011. P. 177-187.
Saxena P. et al. A symbolic execution framework for JavaScript // IEEE Symp. Security and Privacy. Auckland: IEEE, 2010. P. 513-528.
Tripp O., Ferrara P., and Pistoia M. Hybrid security analysis of Web JavaScript code via dynamic partial evaluation // Proc. Intern. Symp. Software Testing and Analysis. San Jose: ACM, 2014. P. 49-59.
Detecting DOM-based XSS vulnerabilities using debug API of the modern web-browser | Prikladnaya Diskretnaya Matematika - Applied Discrete Mathematics. 2017. № 35. DOI: 10.17223/20710410/35/6
Download full-text version
Counter downloads: 438