Anti XSS approaches:
• HTML Encoding
• Encoding lib + Contextual Encoding
<div onclick="showError('<%= … %>')">An error occurred ....</div>
(three nested contexts: a server-side expression inside a JS string literal inside an HTML attribute; the expression itself is elided on the slide)
• Secure coding standards (enforced!)
• Design (use the right libs)
…still error prone!
Anti XSS evolution:
Contextual encoding templates:
• Very strict
• Hard to encode in nested contexts / double encoding
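The nested-context problem above (a JS string literal inside an HTML event-handler attribute), demonstrated as an added example that is not from the slides: the encoders and the `renderErrorDiv` / `handlerSource` names are hypothetical, not a library API. It contrasts single-layer HTML encoding, which the browser undoes before the JS engine ever runs, with encoding innermost context first and outer context second.

```javascript
// Added example (not from the slides). Hypothetical helper names.

// Hex-entity-encode every character that is not alphanumeric. Safe for HTML
// attribute values and HTML body text alike.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) =>
    "&#x" + c.charCodeAt(0).toString(16).padStart(2, "0") + ";");
}

// \xHH / \uHHHH-encode every non-alphanumeric character so the value can never
// terminate a JS string literal or smuggle in a line terminator.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// What the HTML parser does with an attribute value before handing the result
// to the JS engine: decode the character references.
function decodeHtmlAttribute(s) {
  return s.replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Single-layer encoding (the common mistake): HTML-encode only.
function renderErrorDivHtmlOnly(message) {
  return '<div onclick="showError(\'' + encodeForHtmlAttribute(message) +
    '\')">' + encodeForHtmlAttribute(message) + "</div>";
}

// Nested encoding: innermost context first (JS string), then the outer context
// (HTML attribute). The browser undoes the layers in reverse order.
function renderErrorDiv(message) {
  const jsLiteral = encodeForJsString(message);
  return '<div onclick="showError(\'' + encodeForHtmlAttribute(jsLiteral) +
    '\')">' + encodeForHtmlAttribute(message) + "</div>";
}

// Extract the onclick attribute and show the JS source the engine would see.
function handlerSource(html) {
  const m = /onclick="([^"]*)"/.exec(html);
  return decodeHtmlAttribute(m[1]);
}

// Constructed sample input: a message that tries to close the JS string literal.
const SAMPLE = "'); alert(1); //";

console.log("HTML-only :", handlerSource(renderErrorDivHtmlOnly(SAMPLE)));
console.log("nested    :", handlerSource(renderErrorDiv(SAMPLE)));
```

With HTML-only encoding the handler source comes back as `showError(''); alert(1); //')`, i.e. the string literal is closed and a second statement follows; with nested encoding the whole value stays inside one `\x`-escaped literal. This is the "double encoding in nested contexts" difficulty the slide refers to: the order of the layers matters, and templates that apply one encoder per output position cannot express it.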
Anti XSS evolution/2:
• CSP: Content Security Policy
• ECMAScript security features (e.g. strict mode)
• Sandboxing JS (Google Caja, sanitizer libraries)
• Anti XSS browser features / WAF
• Secure Application Design
• Third-party JS libraries compatibility?
• Legacy systems?
…still not fully secure (evasion)
“DOM-Based XSS is notoriously hard to detect, as the server never gets a chance to see the attack taking place. […]”
Why is it always more important?
• SPA: Single Page Applications
• Frameworks: Angular, React…
• Third-party libraries (jQuery and others)
• High degree of integration: portals/services
Why is it always more difficult?
• Big codebases: DIFFICULT, time-consuming and error prone.
• Classic security tools use SCA (Static Code Analysis), which leads to:
1. Too many false positives
2. Too many false negatives
❑ Sources: the input data that can be directly or indirectly controlled by an attacker.
❑ Filters: operations on Sources which change the content or check for specific structures/values.
❑ Sinks: potentially dangerous functions that can be abused to take advantage of some kind of
Code Flow and Taint analysis
var l = location.href;                          // source: attacker-controlled URL
var user = l.substring(l.indexOf("user"));      // no filter: the substring is still tainted
document.write("Hello, " + user);               // sink: tainted value written into the DOM
The process of following the tainted value from source to sink is known as Taint analysis.
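A minimal static taint analysis over the three-line program above, as an added example that is not from the slides or from any tool they mention. The program is modelled as a hand-built list of statements (a constructed IR, not the output of a JS parser); `analyzeTaint`, the source/sanitizer sets and the statement shapes are all assumptions of this example.

```javascript
// Added example (not from the slides). Forward taint propagation over
// straight-line code: no branches, aliasing or DOM modelling.
const SANITIZERS = new Set(["encodeURIComponent", "escapeHtml"]);

function union(sets) {
  const out = new Set();
  for (const s of sets) for (const x of s) out.add(x);
  return out;
}

// Statement shapes (constructed IR):
//   { kind: "assign", target, expr }      expr: source | literal | var | concat | call
//   { kind: "sink",   name,   args }      args: array of expr
// A method call such as l.substring(...) is modelled as call "substring" with
// the receiver as its first argument.
function analyzeTaint(program) {
  const taintOf = new Map();   // variable name -> Set of source names it may carry
  const findings = [];

  function taint(expr) {
    switch (expr.type) {
      case "source":  return new Set([expr.name]);
      case "literal": return new Set();
      case "var":     return new Set(taintOf.get(expr.name) || []);
      case "concat":  return union(expr.parts.map(taint));
      case "call":
        // A sanitizer breaks the flow; every other call (substring, indexOf, ...)
        // propagates the taint of its arguments to its result.
        return SANITIZERS.has(expr.fn) ? new Set() : union(expr.args.map(taint));
      default: throw new Error("unknown expression type: " + expr.type);
    }
  }

  for (const stmt of program) {
    if (stmt.kind === "assign") {
      taintOf.set(stmt.target, taint(stmt.expr));
    } else if (stmt.kind === "sink") {
      const sources = union(stmt.args.map(taint));
      if (sources.size > 0) findings.push({ sink: stmt.name, sources: [...sources].sort() });
    }
  }
  return findings;
}

// The slide's program, encoded in the IR.
const V = (name) => ({ type: "var", name });
const LIT = { type: "literal" };
const slideProgram = [
  { kind: "assign", target: "l", expr: { type: "source", name: "location.href" } },
  { kind: "assign", target: "user",
    expr: { type: "call", fn: "substring",
            args: [V("l"), { type: "call", fn: "indexOf", args: [V("l"), LIT] }] } },
  { kind: "sink", name: "document.write", args: [{ type: "concat", parts: [LIT, V("user")] }] },
];

// Same program with a filter on the path: escapeHtml(user) before the sink.
const fixedProgram = [
  slideProgram[0],
  slideProgram[1],
  { kind: "sink", name: "document.write",
    args: [{ type: "concat", parts: [LIT, { type: "call", fn: "escapeHtml", args: [V("user")] }] }] },
];

console.log(JSON.stringify(analyzeTaint(slideProgram)));  // flow location.href -> document.write
console.log(JSON.stringify(analyzeTaint(fixedProgram)));  // []
```

The first run reports the flow `location.href -> document.write`; the second reports nothing because the sanitizer call cuts the chain. Real code has loops, callbacks and DOM state that this sequential walk ignores, which is exactly where the false positives and false negatives of static tools come from and why the dynamic/IAST approach on the next slide instruments the running page instead.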
Tools for JS Code analysis
SCA, static code analysis:
• Lower accuracy (false positives)
• Adaptability (false negatives; needs custom rules)
• Broad language support
Dynamic code analysis/IAST:
• Requires instrumentation
• More accurate
• Fuzzing capabilities!
DOM XSS Wiki:
Direct Input Sources: Location
Attacker controls all parts of a location except the victim hostname:
http://hostname/path/to/page.ext/PathInfo?Query=String#Hash=value
  hostname: not attacker controlled
  path/to/page.ext/, PathInfo, ?Query=String, #Hash=value: attacker controlled
The attacker can force a user to visit a forged URL!
Indirect Input Sources: Cookies
A cookie value may have been set somewhere else and is retrieved on another page. It can be read and modified with:
var cvalue = document.cookie;                       // indirect source: set by another page (or forced by the attacker)
var cstart = cvalue.indexOf("username=");           // no check for -1
var cend = cvalue.indexOf(";", cstart);             // the value runs to the next ";" or to the end of the string
var length = (cend === -1 ? cvalue.length : cend) - (cstart + 9);   // 9 = "username=".length
cvalue = unescape(cvalue.substring(cstart + 9, cstart + 9 + length));
alert("Welcome " + cvalue);                         // the untrusted value reaches the output unchecked
The attacker could force a malicious cookie value!
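Reading the two sources above (the URL and `document.cookie`) with a real parser and an allowlist filter, as an added example that is not from the slides: `urlParts`, `getQueryParam`, `getCookie`, `filterUsername` and the greeting functions are hypothetical names, and the URLs and cookie strings are constructed. In a page the greeting would go to a text sink such as `textContent` rather than `document.write`; here the functions return the string so the example runs offline.

```javascript
// Added example (not from the slides). Hypothetical helper names.

// Which parts of a URL the attacker controls: everything except the host.
function urlParts(href) {
  const u = new URL(href);
  return { hostname: u.hostname, path: u.pathname, query: u.search, hash: u.hash };
}

// Read one query parameter with a real parser instead of indexOf/substring slicing.
function getQueryParam(href, name) {
  return new URL(href).searchParams.get(name);   // null when absent
}

// Read one cookie from a "k=v; k2=v2" string. A malformed percent-encoding
// (decodeURIComponent throws) yields null instead of a half-decoded value.
function getCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== name) continue;
    try { return decodeURIComponent(part.slice(eq + 1).trim()); }
    catch (e) { return null; }
  }
  return null;
}

// Filter in the slide's sense: an allowlist check on the tainted value.
// Anything that does not match is rejected outright rather than "cleaned".
const USERNAME_RE = /^[A-Za-z0-9_]{1,32}$/;
function filterUsername(value) {
  return value !== null && USERNAME_RE.test(value) ? value : null;
}

function greetingFromLocation(href) {
  const user = filterUsername(getQueryParam(href, "user"));
  return "Hello, " + (user === null ? "guest" : user);
}

function greetingFromCookie(cookieString) {
  const user = filterUsername(getCookie(cookieString, "username"));
  return "Welcome " + (user === null ? "guest" : user);
}

// Constructed sample inputs.
const FORGED_URL = "http://hostname/path/to/page.ext/PathInfo?user=%3Cimg%20src%3Dx%3E&Query=String#Hash=value";
const NORMAL_URL = "http://hostname/page?user=alice_01";
const FORGED_COOKIE = "theme=dark; username=%3Cscript%3E; lang=en";
const NORMAL_COOKIE = "theme=dark; username=bob; lang=en";

console.log(urlParts(FORGED_URL));
console.log(greetingFromLocation(FORGED_URL), "|", greetingFromLocation(NORMAL_URL));
console.log(greetingFromCookie(FORGED_COOKIE), "|", greetingFromCookie(NORMAL_COOKIE));
```

Both forged inputs reach the filter as `<img src=x>` and `<script>` and are dropped, so the sink only ever sees `guest` or a value matching the allowlist. The contrast with the slide's snippets is the filter step: the original code has a source and a sink with nothing in between, which is precisely the pattern a taint analysis flags.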