AppSec Europe 2016 has ended
Friday, July 1 • 15:00 - 15:45
From Facepalm to Brain Bender - Exploring Client-Side Cross-Site Scripting


With the current generation of dynamic, client-side Web applications, attacks against the client are becoming more prevalent. Arguably the biggest problem is Cross-Site Scripting, which has been known for a number of years. Although studies have shown that at least one in ten Web pages contains a client-side XSS vulnerability, the prevalent causes for this class of Cross-Site Scripting have not been studied in depth. We therefore present a large-scale study to gain insight into these causes. To this end, we analyze a set of 1,273 real-world vulnerabilities found on the Alexa Top 10k domains using a specifically designed architecture: an infrastructure that allows us to persist and replay vulnerabilities to ensure a sound analysis, combined with a taint-aware browsing engine that collects execution trace information for every flaw. 

Based on the observable characteristics of the vulnerable JavaScript, we derive a set of metrics to measure the complexity of each flaw. We subsequently classify all vulnerabilities in our data set accordingly to enable a more systematic analysis. In doing so, we find that although a large portion of all vulnerabilities have a low complexity rating, several incur a significant level of complexity and are repeatedly caused by vulnerable third-party scripts. In addition, we gain insights into other factors related to the existence of client-side XSS flaws, such as missing knowledge of browser-provided APIs, and find that the root causes for Client-Side Cross-Site Scripting range from unaware developers to incompatible first- and third-party code. 

In addition, we showcase several of the identified problems and discuss the frequently encountered well-meant but ultimately ineffective countermeasures we observed. The talk closes with an overview of best practices that allow developers to avoid such problems.


Bernd Kaiser


Sebastian Lekies

Sebastian Lekies is an Information Security Engineer at Google and a PhD Student at the Ruhr-University Bochum. His research interests encompass client-side Web application security and Web application security testing. He graduated from University of Mannheim with a M.Sc. in Business...

Stephan Pfistner

Stephan Pfistner is an Information Security Engineer at Google. He holds a M.Sc. in IT Security from Technical University of Darmstadt. His research interests revolve around Web application and network security as well as security testing in those areas. As part of the Security Test...

Ben Stock

Tenure-Track Faculty, CISPA Helmholtz Center for Information Security
I am a tenure-track faculty at the CISPA Helmholtz Center for Information Security. Prior to that, I was a research group leader and previously postdoctoral researcher at the Center for IT-Security, Privacy and Accountability at Saarland University in the group of Michael Backes...

Friday July 1, 2016 15:00 - 15:45 CEST
Room A (Michelangelo Ballroom Sect. 3)