DexterJS: Auto-Patching DOM-based XSS At Scale

HOME

Home

Publications

Demo

Resources

FAQ

Our scanning service is now online! Our DOM-based XSS scanning service is now up and running. If you are interested, please visit this website to test out our system. A short video clip demonstrating our DexterJS platform is available here.

Overview

JavaScript has become a scripting language that goes beyond client-side web. However, presently, applications built with JavaScript are fraught with DOM-based XSS vulnerability, which is known to be highly pervasive and an elusive category of vulnerabilities for many commercial scanners to find. We develop a complete system called DexterJS for automatically synthesizing patches for DOM-based XSS vulnerabilities in JavaScript applications. DexterJS performs dynamic analysis to detect and repair DOM-based XSS bugs in real web applications. Our automatically-synthesized patches are directly deployed on the website via a hot-patching mechanism, offering a quick defense that requires no developer effort. Our patches are browser agnostic, require no browser or server-side code modifications, and do not require users to install any plug-ins or add-ons.

The study was done by Inian Parameshwaran, Enrico Budianto, Shweta Shinde, Hung Dang, Atul Sadhu, and Prateek Saxena. Their peer-reviewed reports will be presented at the ESEC/ACM SIGSOFT Symposium of the Foundations of Software Engineering (FSE) in August 2015 (Links).

Quick Links!

[Expand]

Download our camera-ready version paper here
Try out our DexterJS scanning service here

News

June 30, 2015: We release a dataset consisting of web pages vulnerable to DOM-based XSS. Please see this page for details. Disclaimer: we have responsibly reported such vulnerabilities to the site's admin and hence the majority of reported websites are no longer vulnerable.

May 27, 2015: Our full research paper about DexterJS's auto-patching technique is accepted at FSE'15!

Research Contributions

We propose a backwards-compatible auto-patching defense for DOM-based XSS, which requires no modification on browsers or server-side code, and requires no developer effort. Our FSE paper describes the system in detail.
We build a robust browser-agnostic JavaScript rewriting engine to perform character precise fine-grained taint analysis . It is tested on over 228,541 URLS on several popular web browsers, including Chrome, Firefox, Safari and Opera. We have released it for public testing available here. A short video clip demonstrating our DexterJS platform is available here.
We carry out an extensive evaluation on Alexa Top 1000 sites. We crawl links from the top 1000 Alexa websites and analyzed JavaScript code from 228,541 URLs, resulting in over 777,082 distinct dynamic code evaluation instances constructed from untrusted data. A total of 820 distinct zero-day DOM-based XSS vulnerabilities across 89 different domains were confirmed exploitable. 583 of these exploits were from the Alexa top 1000 domains.

People

Inian Parameshwaran
Enrico Budianto
Shweta Shinde
Hung Dang
Atul Sadhu
Prateek Saxena

Contact

Questions: inian@nus.edu.sg, enricob@comp.nus.edu.sg

Acknowledgements and Sponsors

This research is supported in part by the National Research Foundation, Prime Minister's Office, Singapore under its National Cybersecurity R&D Program (Award No. NRF2014NCR-NCR001-21) and administered by the National Cybersecurity R&D Directorate. This work is also supported in part by a university research grant from Intel.