8 CONCLUSION
In this paper, we comprehensively explored code-reuse attacks in Web pages using script gadgets. Script gadgets come in many variations and, as our empirical study uncovered, are omnipresent in modern Web code.
As we have demonstrated, the current generation of XSS mitigations is unable to handle XSS attacks that leverage script gadgets to execute their payloads. And, unfortunately, there is no linear upgrade path to adapt the current mitigation approaches to robustly handle the uncovered vulnerability pattern. While specific mitigation techniques can be modified to handle selected gadget types, the high variance of script gadget form and functionality, due to the vastly growing amount of custom client-side code and the constant flow of new client-side frameworks, prevents a comprehensive adaptation to accommodate the problem.
This leads to a conundrum for the future of client-side Web security: The last 15 years of difficulty in addressing XSS have shown that XSS apparently cannot be thoroughly addressed in practice through secure coding practices alone. And the subject of this paper, especially in combination with complementary results [9, 32], suggests that the current approaches in XSS mitigation are insufficient to compensate for the deficits of code-based XSS prevention.
The question then arises: how do we handle XSS on the road ahead? As discussed above, sophisticated isolation techniques could offer a third way of dealing with the potential consequences of attacker-controlled JavaScript. Alternatively, safe code abstractions [15] and secure-by-default browser APIs [20] might also be an option to overcome today's inherent problems of ad-hoc, insecure Web content generation.
However, regardless of which paradigm the next generation of XSS countermeasures will be built upon, it is essential that they be capable of handling the unexpected client-side execution and data flows which may be caused by legitimate script gadgets.
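The following is an added illustration, not code from the paper or from any framework it studied, of the execution flow the conclusion refers to: a minimal gadget that turns a data attribute into code, the markup-level sanitizer that lets the triggering element through, and a hardened rewrite that resolves a property path instead of evaluating code. The DOM is modelled as plain objects so the example runs in Node; element and attribute names are constructed for the example.

```javascript
// Constructed sample markup, as a sanitizer or CSP sees it after parsing:
// no <script> element and no on* handler, so both elements look harmless.
const SAMPLE_DOM = [
  { tag: 'div', attrs: { 'data-bind': 'user.name' } },          // intended use
  { tag: 'div', attrs: { 'data-bind': "vm.flag = 'injected'" } }, // injected markup
];

// A conventional markup sanitizer: rejects script elements and event handlers.
// It accepts both elements above, because the markup alone carries no code.
function passesMarkupSanitizer(el) {
  if (el.tag === 'script') return false;
  return Object.keys(el.attrs).every((a) => !a.toLowerCase().startsWith('on'));
}

// Vulnerable gadget: legitimate, trusted (e.g. nonce-allowed) framework code that
// evaluates the binding expression as JavaScript. The attacker never injects a
// script; the gadget supplies the execution flow on their behalf.
function vulnerableGadget(el, viewModel) {
  const expr = el.attrs['data-bind'];
  return new Function('vm', 'with (vm) { return (' + expr + '); }')(viewModel);
}

// Hardened gadget: only a dotted identifier path is accepted, and it is resolved
// by property lookup on the view model, so attribute content is never code.
const PATH_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
function hardenedGadget(el, viewModel) {
  const path = el.attrs['data-bind'];
  if (!PATH_RE.test(path)) throw new Error('rejected binding expression: ' + path);
  return path.split('.').reduce((obj, key) => {
    if (obj == null || !Object.prototype.hasOwnProperty.call(obj, key)) return undefined;
    return obj[key];
  }, viewModel);
}

// Runs every sanitizer-approved element through a gadget; returns per-element
// results or the thrown error message, so the two gadgets can be compared.
function render(gadget, dom, viewModel) {
  return dom.filter(passesMarkupSanitizer).map((el) => {
    try { return gadget(el, viewModel); } catch (e) { return e.message; }
  });
}
```

With the vulnerable gadget the second element executes and sets `vm.flag`; with the hardened gadget the same markup is rejected while the intended binding still resolves.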
REFERENCES
[1] Acker, S. V., Hausknecht, D., and Sabelfeld, A. Data Exfiltration in the Face of CSP. In AsiaCCS (2016).
[2] Athanasopoulos, E., Pappas, V., Krithinakis, A., Ligouras, S., Markatos, E. P., and Karagiannis, T. xjs: practical xss prevention for web application development. In Proceedings of the 2010 USENIX conference on Web application development (2010), USENIX Association, pp. 13–13.
[3] Bates, D., Barth, A., and Jackson, C. Regular expressions considered harmful in client-side XSS filters. In WWW '10: Proceedings of the 19th international conference on World wide web (New York, NY, USA, 2010), ACM, pp. 91–100.
[4] Calzavara, S., Rabitti, A., and Bugliesi, M. Content security problems?: Evaluating the effectiveness of content security policy in the wild. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (New York, NY, USA, 2016), CCS '16, ACM, pp. 1365–1375.
[5] CERT/CC. CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests. [online], http://www.cert.org/advisories/CA-2000-02.html (01/30/06), February 2000.
[6] Chen, E. Y., Gorbaty, S., Singhal, A., and Jackson, C. Self-exfiltration: The dangers of browser-enforced information flow control. In Proceedings of the Workshop of Web (2012), vol. 2, Citeseer.
[7] Gundy, M. V., and Chen, H. Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-site Scripting Attacks. In 16th Annual Network and Distributed System Security Symposium (NDSS 2009) (2009).
[8] Heiderich, M. Towards Elimination of XSS Attacks with a Trusted and Capability Controlled DOM. PhD thesis, Ruhr-University Bochum, 2012.
[9] Heiderich, M. Jsmvcomfg - to sternly look at javascript mvc and templating frameworks. [online], https://www.slideshare.net/x00mario/jsmvcomfg-to-sternly-look-at-javascript-mvc-and-templating-frameworks, 2013.
[10] Heiderich, M. Mustache security wiki. [online], https://github.com/cure53/mustache-security, 2014.
[11] Heiderich, M., Niemietz, M., Schuster, F., Holz, T., and Schwenk, J. Scriptless attacks: stealing the pie without touching the sill. In Proceedings of the 2012 ACM conference on Computer and communications security (2012), ACM, pp. 760–771.
[12] Heiderich, M., Schwenk, J., Frosch, T., Magazinius, J., and Yang, E. Z. mxss attacks: Attacking well-secured web-applications by using innerhtml mutations. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security (2013), ACM, pp. 777–788.
[13] Hickson, I. The iframe element, November 2013.
[14] Jim, T., Swamy, N., and Hicks, M. Defeating script injection attacks with browser-enforced embedded policies. In Proceedings of the 16th international conference on World Wide Web (2007), ACM, pp. 601–610.
[15] Kern, C. Securing the tangled web. Communications of the ACM 57, 9 (2014), 38–47.
[16] Klein, A. Dom based cross site scripting or xss of the third kind. Web Application Security Consortium, Articles 4 (2005), 365–372.
[17] Lekies, S., Stock, B., and Johns, M. 25 Million Flows Later - Large-scale Detection of DOM-based XSS. In Proceedings of the 20th ACM Conference on Computer and Communication Security (CCS '13) (2013).
[18] Louw, M. T., and Venkatakrishnan, V. BluePrint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers. In IEEE Symposium on Security and Privacy (Oakland'09) (May 2009).
[19] Maone, G. Noscript, 2009.
[20] MSDN. toStaticHTML method. [API], https://msdn.microsoft.com/library/Cc848922.
[21] Nadji, Y., Saxena, P., and Song, D. Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense. In Network & Distributed System Security Symposium (NDSS 2009) (2009).
[22] Nava, E. A. V. Fighting XSS with Isolated Scripts. [online], http://sirdarckcat.blogspot.de/2017/01/fighting-xss-with-isolated-scripts.html, January 2017.
[23] Nava, E. V., and Lindsay, D. Our favorite XSS filters/IDS and how to attack them. Presentation at the BlackHat US conference, 2009.
[24] Oda, T., Wurster, G., van Oorschot, P. C., and Somayaji, A. Soma: Mutual approval for included content in web pages. In Proceedings of the 15th ACM conference on Computer and communications security (2008), ACM, pp. 89–98.
[25] Pan, X., Cao, Y., Liu, S., Zhou, Y., Chen, Y., and Zhou, T. Cspautogen: Black-box enforcement of content security policy upon real-world websites. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (New York, NY, USA, 2016), CCS '16, ACM, pp. 653–665.
[26] Parameshwaran, I., Budianto, E., Shinde, S., Dang, H., Sadhu, A., and Saxena, P. Auto-patching dom-based xss at scale. In Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering (New York, NY, USA, 2015), ACM, pp. 272–283.
[27] Roemer, R., Buchanan, E., Shacham, H., and Savage, S. Return-oriented programming: Systems, languages, and applications. ACM Trans. Info. & System Security 15, 1 (Mar. 2012).
[28] Ross, D. Ie 8 xss filter architecture/implementation. Blog: http://blogs.technet.com/srd/archive/2008/08/18/ie-8-xss-filter-architecture-implementation.aspx (2008).
[29] Ross, D. Happy 10th birthday cross-site scripting! [online], https://blogs.msdn.microsoft.com/dross/2009/12/15/happy-10th-birthday-cross-site-scripting/, 2009.
[30] Stamm, S., Sterne, B., and Markham, G. Reining in the web with content security policy. In Proceedings of the 19th international conference on World wide web (2010), ACM, pp. 921–930.
[31] Stamm, S., Sterne, B., and Markham, G. Reining in the web with content security policy. In Proceedings of the 19th international conference on World wide web (New York, NY, USA, 2010), WWW '10, ACM, pp. 921–930.
[32] Stock, B., Lekies, S., Mueller, T., Spiegel, P., and Johns, M. Precise Client-side Protection against DOM-based Cross-Site Scripting. In 23rd USENIX Security Symposium (USENIX Security '14) (2014).
[33] Tantek Celik, Daniel Glazman, I. H. P. L. J. W. Selectors level 4. W3C Editor's Draft (2017).
[34] W3C. Content Security Policy Level 3. W3C Editor's Draft, 10 May 2017, https://w3c.github.io/webappsec-csp/, May 2017.
[35] Weichselbaum, L., Spagnuolo, M., Lekies, S., and Janc, A. Csp is dead, long live csp! on the insecurity of whitelists and the future of content security policy. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (2016), ACM, pp. 1376–1387.
[36] Weinberger, J., Akhawe, D., and Eisinger, J. Suborigins. W3C Editor's Draft, 18 May 2017, https://w3c.github.io/webappsec-suborigins/, May 2017.
[37] Zalewski, M. Postcards from the post-xss world. Online at http://lcamtuf.coredump.cx/postxss (2011).
Session H2: Code Reuse Attacks
CCS’17, October 30-November 3, 2017, Dallas, TX, USA