Nuno Sabino (Carnegie Mellon University, Instituto Superior Técnico, Universidade de Lisboa, and Instituto de Telecomunicações), Darion Cassel (Carnegie Mellon University), Rui Abreu (Universidade do Porto, INESC-ID), Pedro Adão (Instituto Superior Técnico, Universidade de Lisboa, and Instituto de Telecomunicações), Lujo Bauer (Carnegie Mellon University), Limin Jia (Carnegie Mellon University)

DOM-based cross-site scripting (DOM-XSS) is a prevalent form of web vulnerability. Prior work on automated detection and confirmation of such vulnerabilities at scale has several limitations. First, prior work does not interact with the page and thus misses vulnerabilities in event handlers whose execution depends on user actions. Second, prior work does not find URL components, such as GET parameters and fragment values that, when instantiated with specific keys/values, execute more code paths. To address this, we introduce SWIPE, a DOM-XSS analysis infrastructure that uses fuzzing to generate user interactions to trigger event handlers and leverages dynamic symbolic execution (DSE) to automatically synthesize URL parameters and fragments. We run SWIPE on 44,480 URLs found in pages from the Tranco top 30,000 popular domains. Compared to prior work, SWIPE’s fuzzer finds 15% more vulnerabilities. Additionally, we find that a lack of parameters and fragments in URLs significantly hinders DOM-XSS detection, and show that SWIPE’s DSE engine can synthesize previously unseen URL parameters and fragments that trigger 20 new vulnerabilities.

View More Papers

Before the Vicious Cycle Starts: Preventing Burnout Across SOC...

Kashyap Thimmaraju (Technische Universitat Berlin), Duc Anh Hoang (Technische Universitat Berlin), Souradip Nath (Arizona State University), Jaron Mink (Arizona State University), Gail-Joon Ahn (Arizona State University)

Read More

Adaptive Quantum-Safe Cryptography for 6G Vehicular Networks via Context-Aware...

Poushali Sengupta (University of Oslo), Mayank Raikwar (University of Oslo), Sabita Maharjan (University of Oslo), Frank Eliassen (University of Oslo), Yan Zhang (University of Oslo)

Read More

Lessons Learned through Customer Discovery in a Provenance-based Security...

Akul Goyal (Provenance Security, Inc.), Adam Bates (Provenance Security, Inc.)

Read More