DOMPurify: Client-Side Protection Against XSS and Markup Injection

Mario Heiderich, Christopher Späth, Jörg Schwenk

(2017, September). DOMPurify: Client-Side Protection Against XSS and Markup Injection. In European Symposium on Research in Computer Security (ESORICS), Springer, Cham.


Abstract

To prevent Cross-Site Scripting (XSS) and related attacks, sanitation of untrusted content is usually performed either on the server side, or by client-side filters like XSS Auditor or NoScript. However, modern web applications (including mobile apps) may no longer be able to rely on these mechanisms, since untrusted content may pass these filters as ciphertext or may be processed entirely within the DOM of the browser/app.

To cope with this problem, XSS sanitation within the Document Object Model (DOM) is required. This poses a novel technical challenge: A DOM-based sanitizer must rely on native JavaScript functions. However, in the DOM, any function or property can be overwritten, through a class of attacks called DOM Clobbering.

We present a two-part solution: First, we show how to embed any server- or client-side filtering technology securely into the DOM. Second, we give an example instantiation of an XSS filter which is highly efficient when implemented in JavaScript. Both parts are combined into a working and battle-tested proof-of-concept implementation called DOMPurify.
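The DOM Clobbering problem the abstract describes, as an added illustration that is not DOMPurify's own code: a sanitizer checks that the native DOM functions it depends on are still functions and captures references to them before any untrusted markup enters the DOM. The `document`-like object, the list of required members and the `clobber` helper are constructed stand-ins so the logic runs outside a browser.

```javascript
// Added example (not DOMPurify's code): the defence a DOM-based sanitizer
// needs against DOM Clobbering, where a named element in injected markup
// shadows a native member such as document.createElement.
// `doc` stands in for `document`; a plain object with the same shape is
// used here so the logic can run in Node without a browser DOM.

// Native DOM members the sanitizer relies on (assumed, illustrative list).
const REQUIRED_NATIVES = ['createElement', 'createNodeIterator', 'getElementsByTagName'];

// Returns the names whose value is no longer callable, i.e. the members a
// clobbering payload has overwritten with an element.
function findClobbered(doc, names = REQUIRED_NATIVES) {
  return names.filter((n) => typeof doc[n] !== 'function');
}

// Take references to the native functions once, at load time, before any
// untrusted markup is parsed. Later clobbering of `doc` cannot change them.
function captureNatives(doc, names = REQUIRED_NATIVES) {
  const clobbered = findClobbered(doc, names);
  if (clobbered.length) {
    throw new Error('DOM already clobbered: ' + clobbered.join(', '));
  }
  const natives = {};
  for (const n of names) {
    // Bind `this` to doc so the captured function works when called bare.
    natives[n] = Function.prototype.call.bind(doc[n], doc);
  }
  return Object.freeze(natives);
}

// Constructed stand-in for a clean `document`.
function makeFakeDocument() {
  return {
    createElement: (tag) => ({ tagName: tag.toUpperCase() }),
    createNodeIterator: () => ({ nextNode: () => null }),
    getElementsByTagName: () => [],
  };
}

// Simulates the effect of a named element shadowing a native method.
function clobber(doc, name) {
  doc[name] = { tagName: 'FORM', name };
  return doc;
}

function demo() {
  const doc = makeFakeDocument();
  const natives = captureNatives(doc);    // taken before untrusted content
  clobber(doc, 'createElement');          // untrusted markup lands afterwards
  return {
    clobberedNow: findClobbered(doc),                   // ['createElement']
    viaDoc: typeof doc.createElement,                   // 'object'
    viaCaptured: natives.createElement('div').tagName,  // 'DIV'
  };
}
```

Calling `captureNatives` after the clobbering has already happened throws instead of silently using an element as a function, which is the failure mode a sanitizer must refuse to run in.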
