Detecting DOM-based XSS vulnerabilities using debug API of the modern web-browser

In recent years, a significant part of web application functionality moves to client side. Increasing complexity of client-side code leads to a considerable growth in the number of client-side vulnerabilities and even to an emergence of new types of vulnerabilities, among which DOM-based XSS is most well-known. In this paper, we present an approach to detect and validate DOM-based XSS vulnerabilities. Our approach leverages dynamic tracking of data flows on the client side of web application to identify insecure ones (those which lead to vulnerability). An insecure data flow is a flow, in which a critical operation is data-dependent on attacker-controlled data, which is not sanitised properly. Data flows are tracked and classified using taint propagation technique (also known as “taint checking”). Potentially insecure data flows are tested for the presence of exploitable vulnerability by means of fuzzing – enumeration of possible attack vectors, which are passed to a data flow source. Vulnerability is confirmed if an execution of any injected payload is observed. Our approach was implemented on top of Firefox browser, controlled via it's debugger API. The paper discusses and justifies advantages of such implementation. The paper also provides an analysis of related work in the subject field, and comparison with other approaches is made. The proposed approach and its implementation are maintainable and extensible, which is crucial for analyzing applications in constantly evolving environment such as client side web technologies.