The Web has become highly interactive and an
important driver for modern life, enabling information retrieval,
social exchange, and online shopping. From the security perspective, Cross-Site Scripting (XSS) is one of the most nefarious
attacks against Web clients. Research has long since focused
on three categories of XSS: Reflected, Persistent, and DOMbased XSS. In this paper, we argue that our community must
consider at least four important classes of XSS, and present
the first systematic study of the threat of Persistent Client-Side
XSS, caused by the insecure use of client-side storage. While
the existence of this class has been acknowledged, especially by
the non-academic community like OWASP, prior works have
either only found such flaws as side effects of other analyses or
focused on a limited set of applications to analyze. Therefore, the
community lacks in-depth knowledge about the actual prevalence
of Persistent Client-Side XSS in the wild.
To close this research gap, we leverage taint tracking to
identify suspicious flows from client-side persistent storage (Web
Storage, cookies) to dangerous sinks (HTML, JavaScript, and
script.src). We discuss two attacker models capable of
injecting malicious payloads into storage, i.e., a Network Attacker
capable of temporarily hijacking HTTP communication (e.g., in
a public WiFi), and a Web Attacker who can leverage flows into
storage or an existing reflected XSS flaw to persist their payload.
With our taint-aware browser and these models in mind, we
study the prevalence of Persistent Client-Side XSS in the Alexa
Top 5,000 domains. We find that more than 8% of them have
unfiltered data flows from persistent storage to a dangerous sink,
which showcases the developers’ inherent trust in the integrity
of storage content. Even worse, if we only consider sites that
make use of data originating from storage, 21% of the sites are
vulnerable. For those sites with vulnerable flows from storage
to sink, we find that at least 70% are directly exploitable by
our attacker models. Finally, investigating the vulnerable flows
originating from storage allows us to categorize them into four
disjoint categories and propose appropriate mitigations.
History
Preferred Citation
Marius Steffens, Christian Rossow, Martin Johns and Ben Stock. Don't Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild.. In: Network and Distributed System Security Symposium (NDSS). 2019.
Primary Research Area
Empirical and Behavioral Security
Secondary Research Area
Threat Detection and Defenses
Name of Conference
Network and Distributed System Security Symposium (NDSS)
Legacy Posted Date
2018-11-09
Open Access Type
Unknown
BibTeX
@inproceedings{cispa_all_2744,
title = "Don't Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild.",
author = "Steffens, Marius and Rossow, Christian and Johns, Martin and Stock, Ben",
booktitle="{Network and Distributed System Security Symposium (NDSS)}",
year="2019",
}