Litcius/Paper detail

Talking About My Generation

Souphiane Bensalim, David Klein, Thomas Barber, Martin Johns

202120 citationsDOI

Abstract

Since the invention of JavaScript 25 years ago, website functionality has been continuously shifting from the server-side to the client-side. Web browsers have evolved into an application platform, and HTML5 emerged as a first-class environment for building rich cross-platform applications. This additional functionality on the client-side comes with the added risk of new security issues with increasingly severe consequences. In this work, we investigate the prevalence of DOM-based Cross-Site Scripting (DOM-based XSS) in the top 100,000 most popular websites using a novel targeted exploit generation technique based on dynamic data-flow tracking. In total, this work finds 15,710 potentially insecure dataflows where information from the URL is injected into the HTML of the Web page. Using large-scale exploit generation and validation services, 7199 of these flows lead to JavaScript execution, across 711 different domains. This represents a successful exploit rate of 45.82%, improving on previous methods by factors of 1.8 and 1.9 respectively.

Topics & Concepts

Cross-site scriptingExploitJavaScriptComputer scienceHTML5Scripting languageWorld Wide WebWeb applicationClient-sideDynamic web pageComputer securityWeb application securityWeb serviceOperating systemWeb developmentWeb Application Security VulnerabilitiesAdvanced Malware Detection TechniquesSoftware Testing and Debugging Techniques