DexterJS: robust testing platform for DOM-based XSS vulnerabilities
- 30 August 2015
- conference paper
- Published by Association for Computing Machinery (ACM) in Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering
Abstract
DOM-based cross-site scripting (XSS) is a client-side vulnerability that pervades JavaScript applications on the web, and has few known practical defenses. In this paper, we introduce DEXTERJS, a testing platform for detecting and validating DOM-based XSS vulnerabilities on web applications. DEXTERJS leverages source-to-source rewriting to carry out character-precise taint tracking when executing in the browser context—thus being able to identify vulnerable information flows in a web page. By scanning a web page, DEXTERJS produces working exploits that validate DOM-based XSS vulnerability on the page. DEXTERJS is robust, has been tested on Alexa’s top 1000 sites, and has found a total of 820 distinct zero-day DOM-XSS confirmed exploits automatically.
Funding Information
- Intel Corporation
- National Research Foundation-Prime Minister's office, Republic of Singapore (NRF2014NCR-NCR001-21)
This publication has 3 references indexed in Scilit:
- Auto-patching DOM-based XSS at scale. Published by Association for Computing Machinery (ACM), 2015
- Jalangi: a selective record-replay and dynamic analysis framework for JavaScript. Published by Association for Computing Machinery (ACM), 2013
- 25 million flows later. Published by Association for Computing Machinery (ACM), 2013