DOI: 10.1145/3133956.3134091 (CCS conference proceedings)
research-article, Open access

Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets

Published: 30 October 2017

Abstract

Cross-Site Scripting (XSS) is an unremitting problem for the Web. Since it was first publicly documented in 2000, XSS has continuously ranked at the top of vulnerability statistics. Even though a considerable amount of research and developer education has addressed XSS at the source code level, the overall number of discovered XSS problems remains high. Because of this, various approaches to mitigate XSS have been proposed as a second line of defense, with HTML sanitizers, Web Application Firewalls, browser-based XSS filters, and the Content Security Policy being some prominent examples. Most of these mechanisms focus on script tags and event handlers, either by removing them from user-provided content or by preventing their script code from executing.
In this paper, we demonstrate that this approach is no longer sufficient for modern applications: We describe a novel Web attack that can circumvent all of these currently existing XSS mitigation techniques. In this attack, the attacker abuses so-called script gadgets (legitimate JavaScript fragments within an application's legitimate code base) to execute JavaScript. In most cases, these gadgets use DOM selectors to interact with elements in the Web document. Through an initial injection point, the attacker can inject benign-looking HTML elements which are ignored by these mitigation techniques but match the selector of the gadget. This way, the attacker can hijack the input of a gadget and cause it to process attacker-supplied data, which in turn leads to code execution of attacker-controlled values. We demonstrate that these gadgets are omnipresent in almost all modern JavaScript frameworks and present an empirical study showing the prevalence of script gadgets in production code. As a result, we assume most mitigation techniques in web applications written today can be bypassed.
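The gadget shape the abstract describes (a DOM selector, a read of data from the matched element, and a sink that executes code or interprets HTML) is what a reviewer wants to locate in a code base before an injection point turns it into an XSS vector that sanitizers and CSP do not stop. The following is an added example, not code from the paper or from any of the frameworks it studied: a heuristic scanner over JavaScript source that flags windows of a few lines in which all three ingredients co-occur. The regex patterns, the window size, and the three sample snippets it is run on are constructed assumptions about what gadgets tend to look like.

```javascript
// Added example (not code from the paper or from any framework it studied):
// a heuristic scanner for "script gadget" candidates in JavaScript source.
// A candidate is a short span of code that
//   1. selects elements with a DOM selector,
//   2. reads attacker-reachable data from the matched elements, and
//   3. hands that data to a sink that executes code or interprets HTML.
// The regexes and window size are assumptions; the output gives review leads,
// not proof, and misses gadgets whose steps are spread across functions.

const SELECTOR_SOURCES = [
  /\bquerySelector(?:All)?\s*\(/,
  /\bgetElementsBy(?:ClassName|TagName|Name)\s*\(/,
  /(?:\$|jQuery)\s*\(\s*['"`]/,                          // $('[data-x]')
];

const ELEMENT_READS = [
  /\.getAttribute\s*\(/,
  /\.dataset\./,
  /\.attr\s*\(\s*['"`][^'"`]+['"`]\s*\)/,                 // jQuery .attr('x'), getter form
  /\.data\s*\(/,                                          // jQuery .data('x')
  /\.(?:textContent|innerText|innerHTML)\b(?!\s*=[^=])/,  // a read, not an assignment
];

const SINKS = [
  { name: 'eval',                 re: /\beval\s*\(/ },
  { name: 'Function constructor', re: /\bnew\s+Function\s*\(/ },
  // Timer whose first argument is neither a function literal, an arrow
  // function nor a bare identifier: likely a string that gets evaluated.
  { name: 'string timer',         re: /\bset(?:Timeout|Interval)\s*\(\s*(?!function\b|\(|[A-Za-z_$][\w$]*\s*[,)])/ },
  { name: 'innerHTML write',      re: /\.(?:innerHTML|outerHTML)\s*=[^=]/ },
  { name: 'jQuery HTML insert',   re: /\.(?:html|append|prepend|after|before|replaceWith)\s*\(/ },
  { name: 'script src write',     re: /\.src\s*=[^=]/ },
];

// Slide a window of `windowSize` lines over `source`; a window holding a
// selector, an element read and a sink yields one finding per distinct sink line.
function scanForGadgets(source, windowSize = 6) {
  const lines = source.split('\n');
  const seen = new Set();
  const findings = [];
  for (let start = 0; start < lines.length; start++) {
    const span = lines.slice(start, start + windowSize);
    const chunk = span.join('\n');
    if (!SELECTOR_SOURCES.some((re) => re.test(chunk))) continue;
    if (!ELEMENT_READS.some((re) => re.test(chunk))) continue;
    for (const sink of SINKS) {
      const offset = span.findIndex((l) => sink.re.test(l));
      if (offset < 0) continue;
      const line = start + offset + 1;            // 1-based line in `source`
      const key = `${sink.name}@${line}`;
      if (seen.has(key)) continue;
      seen.add(key);
      findings.push({ line, sink: sink.name, snippet: span[offset].trim() });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed samples (not real framework code). The first two are gadget
// shaped: an injected element carrying the attribute would have its value
// executed or parsed as HTML. The third walks the same selector but only
// writes text, so it must not be flagged.
const GADGET_SAMPLE = `
  document.querySelectorAll('[data-on-ready]').forEach(function (el) {
    var handler = el.getAttribute('data-on-ready');
    new Function(handler).call(el);
  });
`;

const TEMPLATE_SAMPLE = `
  $('[data-template]').each(function () {
    var tpl = $(this).data('template');
    $(this).html(render(tpl, $(this).attr('data-context')));
  });
`;

const SAFE_SAMPLE = `
  document.querySelectorAll('[data-label]').forEach(function (el) {
    var label = el.getAttribute('data-label');
    el.textContent = label.slice(0, 40);   // text only, never parsed or executed
  });
`;

// Human-readable report over a set of named sources.
function report(samples) {
  const out = [];
  for (const [name, src] of Object.entries(samples)) {
    const found = scanForGadgets(src);
    out.push(`${name}: ${found.length} candidate(s)`);
    for (const f of found) out.push(`  line ${f.line} [${f.sink}] ${f.snippet}`);
  }
  return out.join('\n');
}

console.log(report({ GADGET_SAMPLE, TEMPLATE_SAMPLE, SAFE_SAMPLE }));
```

The scanner runs under Node with no dependencies. The safe sample shows the remediation direction the findings point at: keep the selector walk if the feature needs it, but never route attribute or text content into a sink that evaluates code or parses markup; where a sink is unavoidable, the data must come from a fixed allow-list rather than from the element. Because such a gadget runs inside an already-trusted script, a `script-src` policy or a sanitizer that strips `<script>` and event handlers would not interrupt it, which is why locating the sinks in first-party and framework code matters.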

