This post is in the same spirit as the ones from argp.
- Complete title: Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets
- PDF: 9bc7dd6f063509ecffef7c178ef817e788f1d57319f27deda422c4b40704ff29
The attack looks like:
- Injection of our payload into the raw HTML.
- The XSS defence validates the payload.
- Our payload is transformed: its markup is interpreted by gadgets (legitimate scripts already present on the page).
- Our modified payload is executed.
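The four steps above, as an added example that is neither code from the paper nor from this post: a minimal allowlist sanitizer, a simulated DOM, a legacy "gadget" that resolves a data- attribute to a page global by name, and the hardened gadget that closes the hole. All names (sanitize, runGadgetUnsafe, pageGlobals, debugDump) are assumptions made for illustration.

```javascript
// Added example (not from the paper): a markup-only payload survives an
// allowlist sanitizer and still reaches script execution through a gadget,
// i.e. legitimate page code that interprets markup. DOM nodes are plain objects.

// Step 2: allowlist sanitizer, strips every tag/attribute not explicitly allowed.
const ALLOWED_TAGS = new Set(["div", "span", "p"]);
const ALLOWED_ATTRS = new Set(["class", "id"]);
function sanitize(nodes) {
  return nodes
    .filter((n) => ALLOWED_TAGS.has(n.tag))
    .map((n) => ({
      tag: n.tag,
      attrs: Object.fromEntries(
        Object.entries(n.attrs).filter(
          ([k]) => ALLOWED_ATTRS.has(k) || k.startsWith("data-") // data-* kept
        )
      ),
    }));
}

// Simulated page globals: one intended handler plus an unrelated function.
const executed = [];
const pageGlobals = {
  showTooltip: (n) => executed.push(`tooltip:${n.attrs.id}`),
  debugDump: () => executed.push("debugDump reached from markup"),
};

// Step 3 (legacy gadget): resolves data-action to *any* global by name.
function runGadgetUnsafe(nodes) {
  for (const n of nodes) {
    const fn = pageGlobals[n.attrs["data-action"]];
    if (typeof fn === "function") fn(n);
  }
}

// Hardened gadget: only names in a closed, frozen map are callable.
const ACTIONS = Object.freeze({ tooltip: pageGlobals.showTooltip });
function runGadgetSafe(nodes) {
  for (const n of nodes) {
    const name = n.attrs["data-action"];
    if (Object.prototype.hasOwnProperty.call(ACTIONS, name)) ACTIONS[name](n);
  }
}

// Step 1: constructed injected markup, no <script>, the onclick is stripped.
const injected = [{ tag: "div", attrs: { id: "x", "data-action": "debugDump", onclick: "..." } }];
function demo() {
  executed.length = 0;
  const clean = sanitize(injected);
  runGadgetUnsafe(clean);            // step 4: execution via the gadget
  const unsafeHits = [...executed];
  executed.length = 0;
  runGadgetSafe(clean);              // hardened gadget: nothing runs
  return { clean, unsafeHits, safeHits: [...executed] };
}
```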
I really liked the Aurelia payload, which bypasses everything:
<div ref=foo s.bind="$this.foo.ownerDocument.defaultView.alert(1)">
The authors conclude:
As we have demonstrated, the current generation of XSS mitigations is unable to handle XSS attacks that leverage script gadgets to execute their payloads.
It's worth noting that the paper comes, as should be the case for every decent research paper, with code to reproduce its results; it can be found there, or here (local mirror; the bypasses.md file is recommended ;)