Krzysztof Kotowicz
Adopting Trusted Types in Production Web Frameworks to Prevent DOM-Based Cross-Site Scripting: A Case Study
Bjarki Ágúst Guðmundsson
Proceedings of the 2021 IEEE European Symposium on Security and Privacy Workshops, IEEE (to appear)
Cross-site scripting (XSS) is a common security vulnerability found in web applications. DOM-based XSS, one of its variants, is becoming particularly prevalent with the boom of single-page applications, where most UI changes are achieved by modifying the DOM through in-browser scripting. It is very easy for developers to introduce XSS vulnerabilities into web applications, since there are many ways for user-controlled, unsanitized input to flow into a Web API and get interpreted as HTML markup and JavaScript code.
An emerging web security standard called Trusted Types aims to prevent DOM XSS by making Web APIs secure by default. Different from other XSS mitigations that mostly focus on post-development protection, Trusted Types direct developers to write XSS-free code in the first place.
One of the common concerns when adopting a new security mechanism is how much effort is required to refactor existing applications. In this paper, we report a case study on adopting Trusted Types in a well-established web framework. Our experience can help the web community better understand the benefits of making web applications compatible with Trusted Types, while also getting to know the related challenges and resolutions. We focused our work on Angular, which is one of the most popular web development frameworks available on the market.
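As an added illustration (not code from the paper, Angular, or any browser), the core of the Trusted Types model the abstract describes: string-to-HTML conversion is confined to one named policy, and a sink refuses plain strings. The escaper, the policy name `app-escape`, and the fallback object used where `trustedTypes` is absent (such as Node) are assumptions.

```javascript
// Added example: a Trusted Types policy with a fallback for environments
// that lack globalThis.trustedTypes. The escaper is a minimal assumption,
// not Angular's sanitizer.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape untrusted text so it cannot break out of its text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Stand-in for the platform API when it is missing. It mirrors the shape of
// the real trustedTypes.createPolicy(name, rules): createHTML runs the rule
// and wraps the result in a branded type that sinks can recognise.
class TrustedHTMLShim {
  constructor(value) { this._value = value; Object.freeze(this); }
  toString() { return this._value; }
}
const ttShim = {
  createPolicy(name, rules) {
    return { name, createHTML: (input) => new TrustedHTMLShim(rules.createHTML(input)) };
  },
};

// Prefer the browser implementation; fall back to the shim (assumption).
const tt = globalThis.trustedTypes || ttShim;

// The only place in the application where a string becomes HTML. The name
// would be listed in the CSP header: trusted-types app-escape (assumed name).
const policy = tt.createPolicy('app-escape', {
  createHTML: (input) => `<span>${escapeHtml(input)}</span>`,
});

// Wrapper enforcing what the browser enforces under
// require-trusted-types-for 'script': a plain string is a TypeError.
function setInnerHtml(el, value) {
  const isTrusted = (globalThis.TrustedHTML && value instanceof globalThis.TrustedHTML)
    || value instanceof TrustedHTMLShim;
  if (!isTrusted) {
    throw new TypeError('This document requires TrustedHTML assignment');
  }
  el.innerHTML = String(value);
  return el.innerHTML;
}

// Constructed target element and constructed attacker-controlled input.
const el = { innerHTML: '' };
const untrustedInput = '<img src=x onerror=alert(1)>';
```

With the policy in place the markup lands escaped inside the span, while a direct string assignment through the wrapper is rejected before it reaches the sink.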
The document summarises Trusted Types adoption inside and outside Google, and the overall status of the Trusted Types landscape.
Intelligent Tracking Prevention (ITP) is a privacy mechanism implemented by Apple’s Safari browser, released in October 2017. ITP aims to reduce the cross-site tracking of web users by limiting the capabilities of cookies and other website data.
As part of a routine security review, the Information Security Engineering team at Google has identified multiple security and privacy issues in Safari’s ITP design. These issues have a number of unexpected consequences, including the disclosure of the user’s web browsing habits, allowing persistent cross-site tracking, and enabling cross-site information leaks (including cross-site search).
This report is a modestly expanded version of our original vulnerability submission to Apple (WebKit bug #201319), providing additional context and edited for clarity. A number of the issues discussed here have been addressed in Safari 13.0.4 and iOS 13.3, released in December 2019.
Cross-Site Scripting (XSS) is a constant problem of the Web platform. Since its initial public documentation in the year 2000 until the present day, XSS has continuously been at the top of the vulnerability statistics. Even though a considerable amount of research and developer education has been conducted to address XSS at the source code level, the overall number of discovered XSS problems remains high. For this reason, various approaches to mitigate XSS have been proposed as a second line of defense, with HTML sanitizers, Web Application Firewalls, browser-based XSS filters, and the Content Security Policy being only some prominent examples. Most of these mechanisms focus on script tags and event handlers, either by removing them from user-provided content or by preventing their script code from executing.
In this paper, we demonstrate that this approach is no longer sufficient for modern applications: we describe a novel Web attack that is capable of circumventing all currently existing XSS mitigation techniques. In this attack, the attacker abuses so-called script gadgets to execute JavaScript. Script gadgets are legitimate JavaScript fragments within an application's legitimate code base. In most cases, these gadgets use DOM selectors to interact with elements in the Web document. Through an initial injection point, the attacker can inject benign-looking HTML elements, which are ignored by the mitigation techniques but match the selector of the gadget.
This way, the attacker can hijack the input of a gadget and thus cause processing of attacker-supplied input, which in turn leads to code execution of attacker-controlled values. We demonstrate that these gadgets are omnipresent in almost all modern JavaScript frameworks and present an empirical study showing the prevalence of script gadgets in production code. As a result, we assume most mitigation techniques in web applications written today can be bypassed.
MIME type sniffing, or content sniffing, has led to a new class of web security problems closely related to polyglots: if one partially controls the server response in, e.g., an API call response or a returned document, and convinces the browser to treat this response as HTML, then it is straightforward XSS. The attacker would be able to impersonate the user in the context of the given domain: if it is hosting a web application, an exploit would be able to read user data and perform arbitrary actions in the name of the user in the given web application. In other cases, user content might be interpreted as other (non-HTML) types, and then, instead of XSS, content-sniffing vulnerabilities would permit the exfiltration of cross-domain data, which is just as bad.
We focus on PDF-based content-sniffing attacks. Our goal is to construct a payload that turns a harmless content injection in passive file formats (e.g., JSON or CSV) into an XSS-equivalent content-sniffing vulnerability.