Detecting DOM-Sourced Cross-Site Scripting in Browser Extensions

Title: Detecting DOM-Sourced Cross-Site Scripting in Browser Extensions
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Pan, J., Mao, X.
Conference Name: 2017 IEEE International Conference on Software Maintenance and Evolution (ICSME)
Keywords: abstract syntax tree parser, application program interfaces, browser extension vulnerability, browser extensions, Browsers, client-side vulnerabilities, computational linguistics, Cross Site Scripting, Cross Site Scripting (XSS), Document Object Model, DOM-sourced cross-site scripting detection, DOM-sourced XSS, dynamic symbolic execution, HTML documents, HTML5 API, Human Behavior, human factor, human factors, hypermedia markup languages, Internet, Java, JavaScript, JavaScript engines, metadata, online front-ends, program diagnostics, program testing, pubcrawl, resilience, Resiliency, Scalability, security of data, shadow DOM, static analysis, text analysis, text filter, trees (mathematics), Uniform resource locators, Web applications, Web pages, web security, XSS vulnerabilities

In recent years, with the advances in JavaScript engines and the adoption of HTML5 APIs, web applications have begun to show a tendency to shift their functionality from the server side towards the client side, resulting in dense and complex interactions with HTML documents using the Document Object Model (DOM). As a consequence, client-side vulnerabilities have become more and more prevalent. In this paper, we focus on DOM-sourced Cross-site Scripting (XSS), which is a kind of severe but not well-studied vulnerability appearing in browser extensions. Compared with conventional DOM-based XSS, a new attack surface is introduced by DOM-sourced XSS, where the DOM could become a vulnerable source as well, besides common sources such as URLs and form inputs. To discover such vulnerabilities, we propose a detection framework employing hybrid analysis with two phases. The first phase is a lightweight static analysis consisting of a text filter and an abstract syntax tree parser, which produces potentially vulnerable candidates. The second phase is dynamic symbolic execution with an additional component named shadow DOM, generating a document as a proof-of-concept exploit. In our large-scale real-world experiment, 58 previously unknown DOM-sourced XSS vulnerabilities were discovered in user scripts of the popular browser extension Greasemonkey.

Citation Key: pan_detecting_2017