Jump to Content

Analysis of UXSS exploits and mitigations in Chromium

Max Moroz
Google (2019), pp. 20


UXSS (Universal Cross-Site Scripting) is an attack that exploits client-side vulnerabilities in the browser or browser extensions in order to execute malicious code (usually JavaScript) with an access to arbitrary resources (origins). To put it simply: A victim visits a malicious (or hacked / infected) website and an attacker becomes able to read victim’s GMail contents, private messages on Facebook, and so on, as well as to perform other actions on behalf of the victim: send emails, upload photos, etc. The goal of this research is to analyze vulnerabilities in Chromium leading to UXSS attacks that were reported over the 3 years (2014 - 2016), to evaluate potential mitigations that can be implemented in Chromium browser, and to explore the possibilities of new techniques to be used for prevention or detection of vulnerabilities leading to UXSS.