CISPA

MatriXSSed: A New Taxonomy for XSS in the Modern Web

conference contribution
posted on 2025-05-08, 08:16, authored by Dolière Francis Somé
Cross-site scripting (XSS) constantly remains one of the most prevalent attacks on the Web. In this work, we question its current taxonomy, i.e., the client- or server-side reflected (non-persistent) or stored (persistent) matrix. The Web has extensively changed. Consequently, considering XSS through the lens of this famous matrix has become at least imprecise, at most impossible for many code injection scenarios where (i) a service worker or an edge worker generates HTTP responses and can reflect or persist XSS payloads, infecting not only JavaScript in web pages but also WebAssembly and web workers, and affecting one or many users automatically; (ii) an attacker sends a web push message directly to a browser push service to trigger code execution in a dormant service worker; or (iii) a cross-origin adversary tampers with code stored by a vulnerable website on the user's physical/permanent file system, etc. Our proposal (to get out of the matrix and not enter another rigid one) expresses the essence of XSS as a code infection and affection attack, and allows for clearly specifying the different actors and components involved, their environments, contexts and storages, as well as their recurrence and persistence, seen as a continuum rather than a binary marker. From a defensive perspective, we showcase the challenges and limitations of current mechanisms at mitigating XSS targeting the entire attack surface of modern websites. Finally, we demonstrate an abuse of the Service-Worker-Allowed (SWA) header to control entire domains with malicious service workers.

History

Editor

Long G ; Blumestein M ; Chang Y ; Lewin-Eytan L ; Huang ZH ; Yom-Tov E

Name of Conference

The Web Conference (WWW)

CISPA Affiliation

  • Yes

Journal

WWW

Page Range

4662-4672

Publisher

Association for Computing Machinery (ACM)

Open Access Type

  • Not Open Access

BibTeX

@conference{Somé:2025,
  title     = "MatriXSSed: A New Taxonomy for XSS in the Modern Web",
  author    = "Somé, Dolière Francis",
  editor    = "Long, Guodong and Blumestein, Michael and Chang, Yi and Lewin-Eytan, Liane and Huang, Zi Helen and Yom-Tov, Elad",
  year      = 2025,
  month     = 4,
  journal   = "WWW",
  pages     = "4662--4672",
  publisher = "Association for Computing Machinery (ACM)",
  doi       = "10.1145/3696410.3714774"
}
