This post is in the same spirit as the ones from argp.
- Complete title: Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets
- PDF: 9bc7dd6f063509ecffef7c178ef817e788f1d57319f27deda422c4b40704ff29
Since XSS isn't a solved problem yet, everyone has shifted focus to second lines of defence: browser filters, HTML sanitizers, WAFs and CSP. The point of the paper is to use JavaScript gadgets, a bit like the ROP we're used to doing in the memory-corruption world, reached mostly via DOM selectors, to bypass mitigations like NoScript, DOMPurify, browser XSS filters and various CSP shenanigans. Useful gadgets can be found in all modern JavaScript frameworks (Vue.js, Aurelia, AngularJS, Polymer, EmberJS, jQuery, Bootstrap, …). Gadgets can apparently be found by taint data-flow analysis, but the paper doesn't elaborate much on this front, except that it's based on the paper 25 Million Flows Later - Large-scale Detection of DOM-based XSS.
The attack goes like this:
- Injection of our payload into the raw HTML.
- The XSS defence validates the payload.
- Our payload is modified by gadgets (legitimate page scripts), which interpret its markup.
- Our modified payload is executed.
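The four steps above walked through in code, as an added example that is not from the paper or the post: strings stand in for the DOM so it runs in Node, and the sanitizer, the gadget and the payload are all constructed for illustration; the hardened gadget beside the vulnerable one writes the same data as text instead of markup.

```javascript
// Added example, not code from the paper or the post. Strings stand in for the
// DOM so it runs in Node; the sanitizer, the gadget and the payload are all
// constructed for illustration.
const ALLOWED_TAGS = new Set(['div', 'span', 'p', 'b', 'i']);
const TAG_RE = /<\/?([a-z][\w-]*)((?:\s+[\w-]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/gi;
const ATTR_RE = /([\w-]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;

// Step 2: a tag-whitelisting sanitizer that drops unknown elements and on*
// handlers. It keeps data-* attributes because, on their own, they are inert.
function naiveSanitize(html) {
  return html.replace(TAG_RE, (tag, name, attrs) => {
    if (!ALLOWED_TAGS.has(name.toLowerCase())) return '';
    const kept = [];
    for (const m of attrs.matchAll(ATTR_RE)) {
      if (/^on/i.test(m[1])) continue;
      kept.push(m[2] === undefined ? m[1] : `${m[1]}=${m[2]}`);
    }
    const slash = tag.startsWith('</') ? '/' : '';
    return `<${slash}${name}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// Entity handling models what the browser does: attribute values are decoded
// when script reads them, and text nodes are re-escaped when serialised.
const decodeEntities = (s) => s.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"').replace(/&amp;/g, '&');
const escapeHtml = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
const readDataText = (html) => {
  const m = /<div\b[^>]*\sdata-text\s*=\s*"([^"]*)"/i.exec(html);
  return m ? decodeEntities(m[1]) : '';  // what el.dataset.text would return
};

// Step 3: the gadget. Legitimate page code that copies a sanitizer-approved
// data-* attribute into innerHTML; returns the markup the browser would parse.
function gadgetRender(html) { return readDataText(html); }
// Hardened gadget: the same data written via textContent, so it stays text.
function gadgetRenderSafe(html) { return escapeHtml(readDataText(html)); }

// Step 4: would the final markup carry script-bearing content?
function containsActiveContent(html) {
  return /<script\b|<\w[^>]*\son\w+\s*=/i.test(html);
}

// Walk the four steps with a constructed payload that shows the sanitizer no
// raw tag and no handler attribute, only an entity-encoded data value.
function demo() {
  const injected = '<div data-text="&lt;img src=x onerror=alert(1)&gt;"></div>';
  const sanitized = naiveSanitize(injected);
  return {
    passesSanitizer: sanitized === injected,
    activeAfterGadget: containsActiveContent(gadgetRender(sanitized)),
    activeAfterSafeGadget: containsActiveContent(gadgetRenderSafe(sanitized)),
  };
}
```

The sanitizer is not at fault here: the input it approved is inert until the gadget re-reads it as markup, which is why the fix belongs in the gadget.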
I really liked the Aurelia payload to bypass everything:
<div ref=foo s.bind="$this.foo.ownerDocument.defaultView.alert(1)">
The authors conclude:
As we have demonstrated, the current generation of XSS mitigations is unable to handle XSS attacks that leverage script gadgets to execute their payloads.
It's worth noting that the paper comes, as should be the case for every piece of decent research, with code to play with and reproduce their results; it can be found here, or here (local mirror, 2017-09-04). Reading the bypasses.md file is recommended ;)