Mime artist: Bypassing whitelisting for the Web with JavaScript mimicry attacks

Presenter: Stefanos Chaliasos
Date: 13 September 2019

Abstract

Despite numerous efforts to mitigate Cross-Site Scripting (XSS) attacks, XSS remains one of the most prevalent threats to modern web applications. Recently, a number of novel XSS patterns, based on code-reuse and obfuscated payloads, were introduced to bypass different protection mechanisms such as sanitization frameworks, web application firewalls, and the Content Security Policy (CSP). Nevertheless, a class of script-whitelisting defenses that perform their checks inside the JavaScript engine of the browser, remains effective against these new patterns. We have evaluated the effectiveness of whitelisting mechanisms for the web by introducing “JavaScript mimicry attacks”. The concept behind such attacks is to use slight transformations (i.e. changing the leaf values of the abstract syntax tree) of an application’s benign scripts as attack vectors, for malicious purposes. Our proof-of-concept exploitations indicate that JavaScript mimicry can bypass script-whitelisting mechanisms affecting either users (e.g. cookie stealing) or applications (e.g. cryptocurrency miner hijacking). Furthermore, we have examined the applicability of such attacks at scale by performing two studies: one based on popular application frameworks (e.g. WordPress) and the other focusing on scripts coming from Alexa’s top 20 websites. Finally, we have developed an automated method to help researchers and practitioners discover mimicry scripts in the wild. To do so, our method employs symbolic analysis based on a lightweight weakest precondition calculation.