CALL TO ARMS: A TALE OF THE WEAKNESSES OF CURRENT CLIENT-SIDE XSS FILTERING presented at BlackHatUS 2014

by Martin Johns, Ben Stock, Sebastian Lekies,

Summary : Cross-Site Scripting (XSS) is one of the most severe security vulnerabilities of the web. With the introduction of HTML5, the complexity of web applications is ever increasing and despite the existence of robust protection libraries, Cross-Site Scripting vulnerabilities are nowadays omnipresent on the web.
In order to protect end users from being exploited, browser vendors reacted to this serious threat by outfitting their browsers with client-side XSS filters. Unfortunately, as we had to notice, the currently provided protection is severely limited, leaving end-users vulnerable to exploits in the majority of cases.
In this talk, we present an analysis of Chrome's XSS Auditor, in which we discovered 17 flaws that enable us to bypass the Auditor's filtering capabilities. We will demonstrate the bypasses and present a tool to automatically generated XSS attacks utilizing the bypasses.
Furthermore, we will report on a practical, empirical study of the Auditor's protection capabilities in which we ran our generated attacks against a set of several thousand DOM-based zero-day XSS vulnerabilities in the Alexa Top 10.000 (we will also briefly cover, how we were able to find these vulnerabilities using a taint-aware browser engine). In our experiments, we were able to successfully bypass the XSS filter on first try in over 80% of all vulnerable web applications.
We will conclude the talk with an outlook on potential future improvements to client-side XSS filtering, based our analysis and experiences in bypass generation.