Google Research

Analysis of UXSS exploits and mitigations in Chromium

Google (2019), pp. 20

Abstract

UXSS (Universal Cross-Site Scripting) is an attack that exploits client-side vulnerabilities in the browser or in browser extensions in order to execute malicious code (usually JavaScript) with access to arbitrary resources (origins). To put it simply:

A victim visits a malicious (or hacked / infected) website, and the attacker becomes able to read the victim’s Gmail contents, private messages on Facebook, and so on, as well as to perform other actions on behalf of the victim: send emails, upload photos, etc.

The goal of this research is to analyze vulnerabilities in Chromium leading to UXSS attacks that were reported over 3 years (2014 - 2016), to evaluate potential mitigations that can be implemented in the Chromium browser, and to explore new techniques for preventing or detecting vulnerabilities that lead to UXSS.
