Friday, July 1 • 15:00 - 15:45
From Facepalm to Brain Bender - Exploring Client-Side Cross-Site Scripting

With the current generation of dynamic, client-side Web applications, attacks against the client are becoming more prevalent. Arguably the biggest problem is Cross-Site Scripting, which has been known for a number of years. Although studies have shown that at least one in ten Web pages contains a client-side XSS vulnerability, the prevalent causes for this class of Cross-Site Scripting have not been studied in depth. Therefore we present a large-scale study to gain insight into these causes. To this end, we analyze a set of 1,273 real-world vulnerabilities found on the Alexa Top 10k domains using a specifically designed architecture, consisting of an infrastructure that allows us to persist and replay vulnerabilities to ensure a sound analysis. In combination with a taint-aware browsing engine, we can therefore collect important execution trace information for all flaws.

Based on the observable characteristics of the vulnerable JavaScript, we derive a set of metrics to measure the complexity of each flaw. We subsequently classify all vulnerabilities in our data set accordingly to enable a more systematic analysis. In doing so, we find that although a large portion of all vulnerabilities have a low complexity rating, several incur a significant level of complexity and are repeatedly caused by vulnerable third-party scripts. In addition, we gain insights into other factors related to the existence of client-side XSS flaws, such as missing knowledge of browser-provided APIs, and find that the root causes for Client-Side Cross-Site Scripting range from unaware developers to incompatible first- and third-party code. 

In addition, we showcase several of the identified problems and discuss the frequently encountered, well-meant but ultimately ineffective countermeasures we discovered. We will end the talk with an overview of best practices that allow developers to avoid such problems.
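As an added illustration of the kind of ineffective countermeasure and the corresponding best practice the abstract refers to (this is example code written for this page, not code from the talk or the study), the block below contrasts a string-based blocklist filter with context-correct output encoding. It assumes the common client-side XSS pattern in which data read from a browser-provided source such as `location.hash` is written into an HTML sink such as `innerHTML`; the function names and the sample inputs are constructed for the example.

```javascript
// Added example (not from the talk): why a naive string filter is an
// incomplete defence against client-side XSS, next to context-correct
// output encoding for the HTML text context.
// Assumption: untrusted data arrives from a browser-provided source such as
// location.hash and ends up in an HTML sink such as innerHTML.

// Ineffective countermeasure, of the well-meant kind frequently seen in the
// wild: remove the literal substring "<script" and hope nothing else matters.
// Kept here only to show what it does NOT cover; it is not a defence.
function naiveScriptFilter(untrusted) {
  return String(untrusted).replace(/<script/gi, "");
}

// Context-correct encoding for the HTML text context: every character that
// can start a tag, attribute or entity is replaced by a character reference,
// so the browser can only ever parse the result as text.
function escapeHtml(untrusted) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Defender-side check: after "sanitising", does the value still contain any
// character that an HTML parser would treat as markup? A value that passes
// this check cannot open a tag or attribute, whatever the input was.
function containsRawMarkup(value) {
  return /[<>"']/.test(value);
}

// Safe construction of an HTML fragment: the template itself is trusted and
// only the interpolated untrusted value is encoded for its context.
function renderGreeting(untrustedName) {
  return `<p>Hello, ${escapeHtml(untrustedName)}!</p>`;
}

// Constructed sample inputs (not taken from the study). The second one
// contains no "<script" at all, so the blocklist filter passes it through
// untouched even though it is still raw markup; the encoder neutralises it.
const samples = ["Alice", '<b title="x">Bob</b>'];
for (const input of samples) {
  const filtered = naiveScriptFilter(input);
  const encoded = escapeHtml(input);
  console.log(`input   : ${input}`);
  console.log(`filtered: ${filtered} | raw markup left: ${containsRawMarkup(filtered)}`);
  console.log(`encoded : ${encoded} | raw markup left: ${containsRawMarkup(encoded)}`);
  console.log(`fragment: ${renderGreeting(input)}`);
}
```

The practical lesson matches the best-practice advice the abstract promises: encoding must be chosen for the sink's context (HTML text here; an attribute, URL or JavaScript-string sink each needs its own encoder), and the check at the end is one a code reviewer can apply to any "sanitised" value rather than trusting that a blocklist was complete.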

Speakers
Bernd Kaiser

Netzkollektiv
Sebastian Lekies

Sebastian Lekies is an Information Security Engineer at Google and a PhD student at the Ruhr-University Bochum. His research interests encompass client-side Web application security and Web application security testing. He graduated from the University of Mannheim with an M.Sc. in Business Information Systems. At Google, Sebastian is part of the Security Test Engineering team that develops Google's internal Web application security scanner and the...
Stephan Pfistner

Stephan Pfistner is an Information Security Engineer at Google. He holds an M.Sc. in IT Security from the Technical University of Darmstadt. His research interests revolve around Web application and network security as well as security testing in those areas. As part of the Security Test Engineering team at Google, Stephan works on Google's internal Web application security scanner and the externally facing Cloud Security Scanner...
Ben Stock

CISPA, Saarland University
Dr.-Ing. Ben Stock is a postdoctoral researcher at the Center for IT-Security, Privacy, and Accountability at Saarland University. Prior to that, Ben finished his PhD at the University of Erlangen, researching the specifics of Client-Side Cross-Site Scripting. His research was published at major academic conferences and he has been a speaker at important non-academic conferences, such as OWASP AppSec and Black Hat. His research now focusses...


Friday July 1, 2016 15:00 - 15:45
Room A (Michelangelo Ballroom Sect. 3)