(2013) 25 Million Flows Later - Large-scale Detection of DOM-based XSS.
Abstract
In recent years, the Web witnessed a move towards sophisticated client-side functionality. This shift caused a significant increase in complexity of deployed JavaScript code and thus, a proportional growth in potential client-side vulnerabilities, with DOM-based Cross-site Scripting being a high impact representative of such security issues. In this paper, we present a fully automated system to detect and validate DOM-based XSS vulnerabilities, consisting of a taint-aware JavaScript engine and corresponding DOM implementation as well as a context-sensitive exploit generation approach. Using these components, we conducted a large-scale analysis of the Alexa top 5000. In this study, we identified 6167 unique vulnerabilities distributed over 480 domains, showing that 9,6% of the examined sites carry at least one DOM-based XSS problem.
| Item Type: | Conference or Workshop Item (A Paper) (Paper) | 
|---|---|
| Additional Information: | pub_id: 1050 Bibtex: lekies201325 URL date: None | 
| Divisions: | Ben Stock (Secure Web Applications Group, SWAG) | 
| Conference: | CCS ACM Conference on Computer and Communications Security | 
| Depositing User: | Sebastian Weisgerber | 
| Date Deposited: | 26 Jul 2017 10:28 | 
| Last Modified: | 18 Jul 2019 12:12 | 
| Primary Research Area: | NRA5: Empirical & Behavioral Security | 
| URI: | https://publications.cispa.saarland/id/eprint/3 | 
