Code-reuse attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets


Cross-Site Scripting (XSS) is a constant problem of the Web platform. Since its initial public documentation in the year 2000 until the present day, XSS is continuously on top of the vulnerability statistics. Even though a considerable amount of research and developer education has been conducted to address XSS on the source code level, the overall number of discovered XSS problems remains high. For this reason various approaches to mitigate XSS have been proposed as a second line of defense, with HTML sanitizers, Web Application Firewalls, browser-based XSS filters, and the Content Security Policy being only some prominent examples. Thereby, most of these mechanisms focus on script tags and event handlers, by either removing them from user-provided content or by preventing their script code from executing.

In this paper, we demonstrate that this approach is no longer sufficient for modern applications: We describe a novel Web attack that is capable to circumvent all currently existing XSS mitigation techniques. In this attack, the attacker abuses so called script gadgets to execute JavaScript. Script gadgets are legitimate JavaScript fragments within an application’s legitimate code base. In most cases, these gadgets utilize DOM selectors to interact with elements in the Web document. Through an initial injection point, the attacker can inject benign-looking HTML elements, which are ignored by potential mitigation technique but match the selector of the gadget. This way, the attacker can hijack the input of a gadget and, thus, cause processing of his input, which in turn leads to code execution of attacker-controlled values. We demonstrate that these gadgets are omnipresent in almost all modern JavaScript frameworks and present an empirical study showing the prevalence of script gadgets in productive code. As a result, we assume most mitigation techniques in web applications written today can be bypassed.