Sebastian Lekies
Research Areas
Authored Publications
Sort By
Preview abstract
Cross-Site Scripting (XSS) is a constant problem of the Web platform. Since its initial public documentation in the year 2000 until the present day, XSS is continuously on top of the vulnerability statistics. Even though a considerable amount of research and developer education has been conducted to address XSS on the source code level, the overall number of discovered XSS problems remains high. For this reason various approaches to mitigate XSS have been proposed as a second line of defense, with HTML sanitizers, Web Application Firewalls, browser-based XSS filters, and the Content Security Policy being only some prominent examples. Thereby, most of these mechanisms focus on
script tags and event handlers, by either removing them from user-provided content or by preventing their script code from executing.
In this paper, we demonstrate that this approach is no longer sufficient for modern applications: We describe a novel Web attack that is capable to circumvent all currently existing XSS mitigation
techniques. In this attack, the attacker abuses so called script gadgets to execute JavaScript. Script gadgets are legitimate JavaScript fragments within an application’s legitimate code base. In most cases, these gadgets utilize DOM selectors to interact with elements in the Web document. Through an initial injection point, the attacker can inject benign-looking HTML elements, which are ignored by potential mitigation technique but match the selector of the gadget.
This way, the attacker can hijack the input of a gadget and, thus, cause processing of his input, which in turn leads to code execution of attacker-controlled values. We demonstrate that these gadgets are omnipresent in almost all modern JavaScript frameworks and present an empirical study showing the prevalence of script gadgets in productive code. As a result, we assume most mitigation techniques in web applications written today can be bypassed.
View details
CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy
Artur Janc
Proceedings of the 23rd ACM Conference on Computer and Communications Security, ACM, Vienna, Austria (2016)
Preview abstract
Content Security Policy is a web platform mechanism designed to mitigate cross-site scripting (XSS), the top security vulnerability in modern web applications. In this paper, we take a closer look at the practical benefits of adopting CSP and identify significant flaws in real-world deployments that result in bypasses in 94.72% of all distinct policies.
We base our Internet-wide analysis on a search engine corpus of approximately 100 billion pages from over 1 billion hostnames; the result covers CSP deployments on 1,680,867 hosts with 26,011 unique CSP policies – the most comprehensive study to date. We introduce the security-relevant aspects of the CSP specification and provide an in-depth analysis of its threat model, focusing on XSS protections. We identify three common classes of CSP bypasses and explain how they subvert the security of a policy.
We then turn to a quantitative analysis of policies deployed on the Internet in order to understand their security benefits. We observe that 14 out of the 15 domains most commonly whitelisted for loading scripts contain unsafe endpoints; as a consequence, 75.81% of distinct policies use script whitelists that allow attackers to bypass CSP. In total, we find that 94.68% of policies that attempt to limit script execution are ineffective, and that 99.34% of hosts with CSP use policies that offer no benefit against XSS.
Finally, we propose the ’strict-dynamic’ keyword, an addition to the specification that facilitates the creation of policies based on cryptographic nonces, without relying on domain whitelists. We discuss our experience deploying such a nonce-based policy in a complex application and provide guidance to web authors for improving their policies.
View details