Marius Steffens, C. Rossow, Martin Johns, Ben Stock
Don't Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild
Proceedings 2019 Network and Distributed System Security Symposium, published 2019-02-01
DOI: 10.14722/ndss.2019.23009 (https://doi.org/10.14722/ndss.2019.23009)
Citations: 56
Abstract
The Web has become highly interactive and an important driver for modern life, enabling information retrieval, social exchange, and online shopping. From the security perspective, Cross-Site Scripting (XSS) is one of the most nefarious attacks against Web clients. Research has long since focused on three categories of XSS: Reflected, Persistent, and DOM-based XSS. In this paper, we argue that our community must consider at least four important classes of XSS, and present the first systematic study of the threat of Persistent Client-Side XSS, caused by the insecure use of client-side storage. While the existence of this class has been acknowledged, especially by the non-academic community like OWASP, prior works have either only found such flaws as side effects of other analyses or focused on a limited set of applications to analyze. Therefore, the community lacks in-depth knowledge about the actual prevalence of Persistent Client-Side XSS in the wild.

To close this research gap, we leverage taint tracking to identify suspicious flows from client-side persistent storage (Web Storage, cookies) to dangerous sinks (HTML, JavaScript, and script.src). We discuss two attacker models capable of injecting malicious payloads into storage, i.e., a Network Attacker capable of temporarily hijacking HTTP communication (e.g., in a public WiFi), and a Web Attacker who can leverage flows into storage or an existing reflected XSS flaw to persist their payload. With our taint-aware browser and these models in mind, we study the prevalence of Persistent Client-Side XSS in the Alexa Top 5,000 domains. We find that more than 8% of them have unfiltered data flows from persistent storage to a dangerous sink, which showcases the developers’ inherent trust in the integrity of storage content. Even worse, if we only consider sites that make use of data originating from storage, 21% of the sites are vulnerable. For those sites with vulnerable flows from storage to sink, we find that at least 70% are directly exploitable by our attacker models. Finally, investigating the vulnerable flows originating from storage allows us to categorize them into four disjoint categories and propose appropriate mitigations.
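The flow the abstract describes, a value read from persistent storage reaching an HTML, JavaScript or script.src sink without filtering, can be modelled outside a browser. The block below is an added illustration, not code from the paper or its taint-aware browser: it wraps every value read from a constructed stand-in for `localStorage` in a `Tainted` marker, lets each of the three sink kinds report whether a tainted value reaches it, and shows the unfiltered pattern next to a filtered one (HTML-escaping before the HTML sink, an origin allowlist before script.src). The `Tainted` class, the `storage` map, the `SCRIPT_ORIGINS` allowlist and the `example.invalid` hostnames are all assumptions chosen for the example; the stored "snippet" value stands in for a payload an attacker planted earlier, as in the paper's attacker models.

```javascript
// Added example (not from the paper): a toy taint model for storage-to-sink flows.
// Runs in Node without a DOM; all names and data below are constructed.

class Tainted {
  constructor(value, source) {
    this.value = value;   // the stored string
    this.source = source; // provenance label, e.g. "localStorage:snippet"
  }
}

// Constructed stand-in for window.localStorage. The "snippet" and "script"
// entries play payloads a Network or Web Attacker could have planted earlier.
const storage = new Map([
  ["theme", "dark"],
  ["snippet", "<img src=x onerror=alert(1)>"],
  ["script", "http://attacker.example.invalid/x.js"],
]);

// Every read from storage yields a Tainted value, mirroring how a taint-aware
// browser would label data originating from Web Storage or cookies.
function getItem(key) {
  const v = storage.get(key);
  return v === undefined ? null : new Tainted(v, `localStorage:${key}`);
}

// Sanitizers return plain strings, which the sinks below treat as trusted.
function escapeHTML(t) {
  const s = t instanceof Tainted ? t.value : String(t);
  return s.replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Assumed allowlist of origins from which the page may load scripts.
const SCRIPT_ORIGINS = new Set(["https://cdn.example.invalid"]);
function allowScriptURL(t) {
  const s = t instanceof Tainted ? t.value : String(t);
  let u;
  try { u = new URL(s, "https://app.example.invalid/"); } catch { return null; }
  return u.protocol === "https:" && SCRIPT_ORIGINS.has(u.origin) ? u.href : null;
}

// Sink check: a tainted argument is reported as a vulnerable flow, a plain
// string (or null, meaning "nothing written") passes.
function checkSink(sink, input) {
  if (input instanceof Tainted) {
    return { sink, vulnerable: true, source: input.source, value: input.value };
  }
  return { sink, vulnerable: false, value: input === null ? null : String(input) };
}

const sinkHTML = (v) => checkSink("innerHTML", v);   // HTML sink
const sinkJS = (v) => checkSink("eval", v);          // JavaScript sink
const sinkScriptSrc = (v) => checkSink("script.src", v);

// Run the same stored values through the unfiltered and the filtered patterns.
function demo() {
  return {
    unfilteredHTML: sinkHTML(getItem("snippet")),                    // flagged
    filteredHTML: sinkHTML(escapeHTML(getItem("snippet"))),           // passes
    unfilteredScript: sinkScriptSrc(getItem("script")),               // flagged
    filteredScript: sinkScriptSrc(allowScriptURL(getItem("script"))), // rejected, nothing loaded
    evalFromStorage: sinkJS(getItem("theme")),                        // flagged even for a harmless value
  };
}

module.exports = { Tainted, getItem, escapeHTML, allowScriptURL, checkSink, demo };
```

The `evalFromStorage` entry makes the paper's point about unfiltered flows: taint tracking reports the flow regardless of the value currently stored, because the integrity of storage content is exactly what the attacker models undermine.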