Conference Venue: RAI Amsterdam, Europaplein 24, 1078 GZ Amsterdam, The Netherlands

Friday, September 27 • 11:05am - 11:50am
Don't Trust The Locals: Evaluating and Mitigating the Insecurity Caused by Trusting Your Client-Side Storage

The Web has become highly interactive and an important driver for modern life, enabling information retrieval, social exchange, and online shopping. From the security perspective, Cross-Site Scripting (XSS) is one of the most nefarious attacks against Web clients. Most informational resources (OWASP being one of the few positive counterexamples) name three categories of XSS: reflected, persistent, and DOM-based XSS. In this talk, we provide real-world insights that show that the categorization into client/server and reflected/persistent XSS, as done by OWASP, is much more sensible. To do so, we report on a real-world study which shows that of the Alexa Top 5,000 domains, around 2,000 make use of persisted data on the client. We conduct this study using a combination of taint tracking and a fully automated exploit generation pipeline. Doing so, we find that of these 2,000, over 20% make that use in an insecure way, which enables an attacker to execute a persisted payload on every page load, allowing for nefarious long-term attacks such as JavaScript-based keyloggers, credential extraction from password managers, or cryptojacking. In addition, we analyze the end-to-end exploitability of the flaws we discovered based on two attacker models, showing that at least 70% of the sites with an insecure data flow can successfully be infected with a malicious payload. Additionally, we analyze the vulnerable code pieces and classify them according to their intended use case. On the one hand, this lets us reason about the prevalent places in which developers put full trust into the integrity of these storages. On the other hand, it allows us to discuss how to achieve the same goal in a secure fashion, hence providing the audience with actionable insights for their own applications.
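The insecure flow the abstract describes, a page reading data it persisted in client-side storage straight into an HTML sink, next to a hardened version that treats the storage as untrusted input. This is an added illustration, not code from the talk or the study; the settings format, the field allowlists and the storage shim are assumptions.

```javascript
// Added example (not from the talk or its authors). A page reads settings it
// previously wrote to localStorage. Anything in that storage must be treated
// as attacker-controlled: a single injection on the origin (or a planted
// value) can overwrite it, and the page then re-executes the planted content
// on every load.

// Minimal stand-in for window.localStorage so the example runs under Node.
function makeStorage(entries) {
  const m = new Map(Object.entries(entries));
  return { getItem: (k) => (m.has(k) ? m.get(k) : null) };
}

// Vulnerable pattern: the persisted value flows unmodified into an HTML sink.
function renderGreetingUnsafe(storage) {
  const settings = JSON.parse(storage.getItem('settings')); // throws on garbage
  return '<h1>Welcome back, ' + settings.name + '</h1>';
}

// Hardened pattern: parse defensively, allowlist every field by type and
// shape, and encode for the HTML context before the value reaches the DOM.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);

const DEFAULTS = { name: 'guest', theme: 'light' };   // assumed schema
const THEMES = new Set(['light', 'dark']);

function loadSettingsSafe(storage) {
  let parsed;
  try { parsed = JSON.parse(storage.getItem('settings') ?? '{}'); } catch { parsed = {}; }
  if (parsed === null || typeof parsed !== 'object') parsed = {};
  const name = typeof parsed.name === 'string' && /^[\w .'-]{1,40}$/.test(parsed.name)
    ? parsed.name : DEFAULTS.name;
  const theme = THEMES.has(parsed.theme) ? parsed.theme : DEFAULTS.theme;
  return { name, theme };   // only allowlisted, typed values survive
}

function renderGreetingSafe(storage) {
  const s = loadSettingsSafe(storage);
  // Encoding at the sink: a name that passed validation is still never markup.
  return `<h1 class="${s.theme}">Welcome back, ${escapeHtml(s.name)}</h1>`;
}

// Constructed sample: a settings value left behind by an earlier compromise.
const tampered = makeStorage({
  settings: JSON.stringify({ name: '<script>/* persisted payload */</script>', theme: 'x' }),
});
```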


Marius Steffens

CISPA Helmholtz Center for Information Security
Marius Steffens is a first-year Ph.D. student at the Secure Web Applications Group at CISPA Helmholtz Center for Information Security, where Ben Stock supervises him. Marius is currently interested in the area of web security and is looking into the prevalence of vulnerabilities...

Friday September 27, 2019 11:05am - 11:50am CEST