Posted on 2023-11-29, 18:21. Authored by David Klein, Thomas Barber, Souphiane Bensalim, Ben Stock, Martin Johns
Despite the considerable amounts of resources invested into securing the Web, Cross-Site Scripting (XSS) is still widespread. This is especially true for Client-Side XSS as, unlike server-side application frameworks, Web browsers do not ship with standard protection routines, so-called sanitizers. Web developers, therefore, have to either resort to third-party libraries or write their own sanitizers to stop XSS in its tracks. Such custom sanitizer routines – dubbed hand sanitizers in the following – are notoriously difficult to implement securely. In this paper, we present a technique to automatically detect, extract, analyze, and validate JavaScript sanitizer functions using a combination of taint tracking and symbolic string analysis. While existing work evaluates server-side sanitizers using a small number of applications, we present the first large-scale study of client-side JavaScript sanitizers. Of the most popular 20,000 websites, our method detects 705 unique sanitizers across 1,415 domains, of which 12.5% are insecure. Of the vulnerable sanitizers, we were able to automatically generate circumventing exploits for 51.3% of them, highlighting the dangers of manual sanitization attempts. Interestingly, vulnerable sanitizers are present across the entire range of website rankings considered, and we find that most sanitizers are not generic enough to thwart XSS if used in just a slightly different context. Finally, we explore the origins of vulnerable sanitizers to motivate adopting a standardized sanitization API available directly in the browser.
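The abstract's point that a hand sanitizer is usually tied to one sink context can be made concrete with a small check. The following is an added example, not code from the paper or its authors: it contrasts a typical hand sanitizer that only strips angle brackets with a context-aware HTML encoder, and runs both through a minimal validation function that asks whether the sanitized output could still terminate the surrounding context (element content versus a double-quoted attribute value). The sample input and the context names are constructed for this illustration.

```javascript
// Added example (not part of the paper): a sanitizer that is adequate for one
// HTML context is not automatically adequate for another.

// A typical "hand sanitizer": removes angle brackets so the value cannot open
// or close a tag when inserted as element text content.
function stripAngleBrackets(input) {
  return String(input).replace(/[<>]/g, "");
}

// Context-aware encoder: escapes every character that has meaning in HTML text
// content or inside a quoted attribute value, so the same output is safe in both.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Validation check for one sink context (context names are constructed here):
//   "text"    - value is inserted as element content; a raw '<' or '>' could
//               start or end a tag.
//   "attr-dq" - value is inserted inside a double-quoted attribute; a raw '"'
//               could end the attribute value and reach the tag's attribute list.
function canBreakOutOf(context, sanitized) {
  switch (context) {
    case "text":
      return /[<>]/.test(sanitized);
    case "attr-dq":
      return /"/.test(sanitized);
    default:
      throw new Error(`unknown context: ${context}`);
  }
}

// Run a sanitizer against a sample and report, per context, whether its output
// stays inside that context. A sanitizer that passes only in "text" is what the
// abstract calls "not generic enough" for a slightly different context.
function evaluateSanitizer(sanitize, sample) {
  const out = sanitize(sample);
  return {
    output: out,
    safeInText: !canBreakOutOf("text", out),
    safeInAttrDq: !canBreakOutOf("attr-dq", out),
  };
}

// Constructed sample input containing both a quote and a tag.
const SAMPLE = 'x" y <b>';

// Running this file directly prints both reports.
console.log("stripAngleBrackets:", evaluateSanitizer(stripAngleBrackets, SAMPLE));
console.log("escapeHtml:        ", evaluateSanitizer(escapeHtml, SAMPLE));
```

The first report shows the hand sanitizer passing the text-content check but failing the attribute check, while the encoder passes both; the same two checks, applied per context, are the kind of per-sink validation a developer would want before reusing a sanitizer in a new location.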
Preferred Citation
David Klein, Thomas Barber, Souphiane Bensalim, Ben Stock and Martin Johns. Hand Sanitizers in the Wild: A Large-scale Study of Custom JavaScript Sanitizer Functions. In: IEEE European Symposium on Security and Privacy (EuroS&P). 2022.
Primary Research Area
Empirical and Behavioral Security
Name of Conference
IEEE European Symposium on Security and Privacy (EuroS&P)
Legacy Posted Date
2022-06-02
Open Access Type
Unknown
BibTeX
@inproceedings{cispa_all_3708,
  title     = "Hand Sanitizers in the Wild: A Large-scale Study of Custom JavaScript Sanitizer Functions",
  author    = "Klein, David and Barber, Thomas and Bensalim, Souphiane and Stock, Ben and Johns, Martin",
  booktitle = "{IEEE European Symposium on Security and Privacy (EuroS&P)}",
  year      = "2022",
}