Nytro

25 Million Flows Later - Large-scale Detection of DOM-based XSS


Sebastian Lekies, SAP AG, sebastian.lekies@sap.com

Ben Stock, FAU Erlangen-Nuremberg, ben.stock@cs.fau.de

Martin Johns, SAP AG, martin.johns@sap.com

Abstract

In recent years, the Web witnessed a move towards sophisticated client-side functionality. This shift caused a significant increase in complexity of deployed JavaScript code and thus, a proportional growth in potential client-side vulnerabilities, with DOM-based Cross-site Scripting being a high impact representative of such security issues. In this paper, we present a fully automated system to detect and validate DOM-based XSS vulnerabilities, consisting of a taint-aware JavaScript engine and corresponding DOM implementation as well as a context-sensitive exploit generation approach. Using these components, we conducted a large-scale analysis of the Alexa top 5000. In this study, we identified 6167 unique vulnerabilities distributed over 480 domains, showing that 9,6% of the examined sites carry at least one DOM-based XSS problem.

Download:

http://ben-stock.de/wp-content/uploads/domxss.pdf
