Thursday, May 21 • 11:05 - 11:50
Client-Side Protection Against DOM-Based XSS Done Right


In this talk, we present an analysis of Chrome's XSS Auditor, in which
we discovered 17 flaws that enable us to bypass the Auditor's filtering
capabilities. We will demonstrate the bypasses and present a tool that
automatically generates XSS attacks utilizing the bypasses.

Furthermore, we will report on a practical, empirical study of the Auditor's
protection capabilities in which we ran our generated attacks against a set of
several thousand DOM-based, zero-day XSS vulnerabilities in the Alexa
Top 10,000. In our experiments, we were able to successfully bypass the
XSS filter on the first try in over 80% of all vulnerable Web applications.

Finally, we present an alternative XSS filter design that reliably detects successful XSS attacks via
client-side taint tracking in the JavaScript engine. Unlike the current approach,
our filter does not rely on coarse approximation but on precise data flow information,
which allows us to robustly stop DOM-XSS for good.

Martin Johns

Research Expert, SAP SE
Dr. Martin Johns is a Research Expert in the Product Security Research unit within SAP SE, where he leads the Web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the...
Sebastian Lekies

Sebastian Lekies is a PhD candidate at SAP and the University of Bochum. His main field of research is Web application security.
Ben Stock

Ben Stock is a third-year PhD student at the Friedrich-Alexander-University Erlangen-Nuremberg, focusing his research on client-side Web security. Ben is a published author at well-known academic conferences such as CCS, USENIX Security and AsiaCCS and a returning...

Thursday May 21, 2015 11:05 - 11:50
E104&105 Amsterdam RAI