XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers
SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Secure Content Sniffing for Web Browsers, or How to Stop Papers from Reviewing Themselves
SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Regular expressions considered harmful in client-side XSS filters
Proceedings of the 19th international conference on World wide web
Fast and precise sanitizer analysis with BEK
SEC'11 Proceedings of the 20th USENIX conference on Security
Toward secure embedded web interfaces
SEC'11 Proceedings of the 20th USENIX conference on Security
A systematic analysis of XSS sanitization in web application frameworks
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
SCRIPTGARD: automatic context-sensitive sanitization for large-scale legacy web applications
Proceedings of the 18th ACM conference on Computer and communications security
The Tangled Web: A Guide to Securing Modern Web Applications
The Tangled Web: A Guide to Securing Modern Web Applications
Server Side Detection of Content Sniffing Attacks
ISSRE '11 Proceedings of the 2011 IEEE 22nd International Symposium on Software Reliability Engineering
Rozzle: De-cloaking Internet Malware
SP '12 Proceedings of the 2012 IEEE Symposium on Security and Privacy
Scriptless attacks: stealing the pie without touching the sill
Proceedings of the 2012 ACM conference on Computer and communications security
KameleonFuzz: evolutionary fuzzing for black-box XSS detection
Proceedings of the 4th ACM conference on Data and application security and privacy
Hi-index | 0.00 |
Back in 2007, Hasegawa discovered a novel Cross-Site Scripting (XSS) vector based on the mistreatment of the backtick character in a single browser implementation. This initially looked like an implementation error that could easily be fixed. Instead, as this paper shows, it was the first example of a new class of XSS vectors, the class of mutation-based XSS (mXSS) vectors, which may occur in innerHTML and related properties. mXSS affects all three major browser families: IE, Firefox, and Chrome. We were able to place stored mXSS vectors in high-profile applications like Yahoo! Mail, Rediff Mail, OpenExchange, Zimbra, Roundcube, and several commercial products. mXSS vectors bypassed widely deployed server-side XSS protection techniques (like HTML Purifier, kses, htmlLawed, Blueprint and Google Caja), client-side filters (XSS Auditor, IE XSS Filter), Web Application Firewall (WAF) systems, as well as Intrusion Detection and Intrusion Prevention Systems (IDS/IPS). We describe a scenario in which seemingly immune entities are being rendered prone to an attack based on the behavior of an involved party, in our case the browser. Moreover, it proves very difficult to mitigate these attacks: In browser implementations, mXSS is closely related to performance enhancements applied to the HTML code before rendering; in server side filters, strict filter rules would break many web applications since the mXSS vectors presented in this paper are harmless when sent to the browser. This paper introduces and discusses a set of seven different subclasses of mXSS attacks, among which only one was previously known. The work evaluates the attack surface, showcases examples of vulnerable high-profile applications, and provides a set of practicable and low-overhead solutions to defend against these kinds of attacks.