Global AppSec Amsterdam

The Web has become highly interactive and an important driver for modern life, enabling information retrieval, social exchange, and online shopping. From the security perspective, Cross-Site Scripting (XSS) is one of the most nefarious attacks against Web clients. Most informational resources (OWASP one of the few positive counterexamples) name three categories of XSS: reflected, persistent, and DOM-based XSS. In this talk, we provide real-world insights that show that the categorization into client/server and reflected/persistent XSS as done by the OWASP is much more sensible. To do so, we report on a real-world study which shows that of the Alexa Top 5,000 domains, around 2,000 make use of persisted data on the client. We conduct this study using a combination of taint tracking and a fully automated exploit generation pipeline. Doing so, we find that of these 2,000, over 20% make that use in an insecure way which enables an attacker to execute a persisted payload on every page load, allowing for nefarious long-term attacks such as JavaScript-based keyloggers, credential extraction from password managers, or cryptojacking. In addition, we analyze the end-to-end exploitability of the flaws we discovered based on two attacker models, showing that at least 70% of the sites with an insecure data flow can successfully be infected with a malicious payload. Additionally, we also analyze the vulnerable code pieces and classify them according to their intended use case. On the one hand, we can reason about the prevalent places in which developers put full trust into the integrity of the storages. On the other hand, this allows us to discuss how to achieve the same goal in a secure fashion, hence providing the audience with actionable insights for their own applications.