Paper review - ScriptProtect: Mitigating Unsafe Third-Party JavaScript Practices
June 12, 2019
Summary
The goal is to stop vulnerable inclusion of third-party scripts from introducing client-side XSS; nothing else is in scope (neither server-side XSS nor deliberately malicious third-party code).
Server-side XSS vs client-side XSS: server-side XSS (reflected or stored) has the server in the loop, because the payload passes through it on its way into the page; client-side (DOM-based) XSS happens entirely in the browser, when script code copies attacker-controlled data such as location.hash into a sink like innerHTML or document.write.
Description
They create a script file called ScriptProtect.js which has to be included client-side ahead of the third-party code; it wraps the dangerous APIs and filters malicious calls. For example, if a third-party script passes a string containing a script tag to document.write, that is the vulnerable case, and the script tag is filtered out.
Third-party scripts are assumed to be non-malicious but possibly vulnerable. Why this assumption?
Raw DOM content at rendering time: APIs which add HTML to the document directly during its initial rendering (document.write is the typical one).
Runtime creation of DOM content: APIs and properties that allow the HTML content to be altered at runtime (e.g. innerHTML).
Direct code conversion: strings executed directly as JavaScript (eval).
All global methods and their arguments are wrapped and sanitized (Fig. 5). A trace determines whether a call comes from first-party or third-party code: first-party calls pass through unchanged, third-party calls are sanitized.
The trace works by throwing an Error and inspecting its stack trace (Fig. 10). Expensive? Trustworthy?
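To make the mechanism concrete, here is an added example of my own (not ScriptProtect's code): a DOM sink is wrapped, the wrapper throws an Error to capture the call stack, and the script URLs in the stack decide whether the caller is first or third party. It assumes V8-style stack trace lines, a first-party origin list, a fake document object in place of the real DOM, and constructed stack traces (Node has no script URLs). It also goes one step beyond the paper as read here: besides attributing by the outermost frame, a second mode checks every frame, which is what closes the middle-of-stack gap noted under weak points.

```javascript
// Added example, not ScriptProtect's own code. Everything below (origins, fake
// document, stack traces, toy sanitizer) is constructed for illustration.

const FIRST_PARTY_ORIGINS = new Set(['https://shop.example']); // assumption

// Script URL of one V8-style frame line, e.g.
//   "    at showAd (https://cdn.ads.example/widget.js:12:5)"
// Frames without a script URL (the "Error" header, native code, eval'd code)
// yield null and are ignored by the caller.
function frameUrl(line) {
  const m = line.match(/(https?:\/\/[^\s()]+?):\d+:\d+\)?\s*$/);
  return m ? m[1] : null;
}

function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

// mode 'bottom': only the outermost frame decides (the paper's approach as read
// in the notes). mode 'any': every attributable frame must be first party.
// A stack with no attributable frame is treated as third party (fail closed,
// my choice, not the paper's).
function isThirdPartyCall(stack, mode = 'bottom') {
  const origins = String(stack).split('\n').map(frameUrl).filter(Boolean).map(originOf);
  if (origins.length === 0) return true;
  if (mode === 'bottom') return !FIRST_PARTY_ORIGINS.has(origins[origins.length - 1]);
  return origins.some((o) => !FIRST_PARTY_ORIGINS.has(o));
}

// Toy sanitizer: strips <script> elements, inline event handlers and
// javascript: URLs. Enough for the example; a real deployment would use a
// proper HTML sanitizer such as DOMPurify.
function sanitizeHtml(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/<\/?script\b[^>]*>/gi, '')
    .replace(/\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, '')
    .replace(/(href|src)\s*=\s*(["']?)\s*javascript:[^"'>\s]*\2/gi, '$1=$2#$2');
}

// Wrap a sink so that third-party callers get sanitized string arguments.
// captureStack is injectable only so the example can run on constructed stacks;
// in a browser the default (a freshly thrown Error) is what ScriptProtect.js uses.
function makeGuardedSink(original, { mode = 'bottom', captureStack = () => new Error().stack } = {}) {
  return function guarded(...args) {
    const thirdParty = isThirdPartyCall(captureStack(), mode);
    const safeArgs = thirdParty
      ? args.map((a) => (typeof a === 'string' ? sanitizeHtml(a) : a))
      : args;
    return original.apply(this, safeArgs);
  };
}

// Stand-in for document.write: appends to a buffer instead of rendering.
function makeFakeDocument() {
  return { html: '', write(s) { this.html += s; } };
}

// Constructed stack traces (not captured from a real page). The wrapper's own
// frame (ScriptProtect.js, first party) is always on top.
const STACK_FIRST_PARTY = [
  'Error',
  '    at guarded (https://shop.example/ScriptProtect.js:40:19)',
  '    at renderCart (https://shop.example/app.js:88:12)',
  '    at https://shop.example/app.js:120:3',
].join('\n');
const STACK_THIRD_PARTY = [
  'Error',
  '    at guarded (https://shop.example/ScriptProtect.js:40:19)',
  '    at showAd (https://cdn.ads.example/widget.js:12:5)',
  '    at https://cdn.ads.example/widget.js:57:1',
].join('\n');
// First-party code calling a helper supplied by a third-party script: the
// outermost frame is first party, so bottom-of-stack attribution misses it.
const STACK_MIXED = [
  'Error',
  '    at guarded (https://shop.example/ScriptProtect.js:40:19)',
  '    at inject (https://cdn.ads.example/widget.js:30:7)',
  '    at onLoad (https://shop.example/app.js:200:9)',
].join('\n');

// Push one document.write through the guarded sink; returns what reached the page.
function demo(stack, mode = 'bottom') {
  const doc = makeFakeDocument();
  doc.write = makeGuardedSink(doc.write, { mode, captureStack: () => stack });
  doc.write('<div>promo</div><script>steal(document.cookie)</script>');
  return doc.html;
}

for (const [name, stack] of Object.entries({ first: STACK_FIRST_PARTY, third: STACK_THIRD_PARTY, mixed: STACK_MIXED })) {
  console.log(name, 'bottom ->', demo(stack, 'bottom'));
  console.log(name, 'any    ->', demo(stack, 'any'));
}
```

The mixed stack is the interesting case: with the outermost frame deciding, the third-party helper in the middle of the stack writes its script tag unsanitized; checking every frame stops it, at the price of also sanitizing first-party calls that merely pass through third-party code.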
Strong Points
Good analysis of the failed results (they revised their initial hypothesis and changed the approach as the data came in).
Easy to read.
Found that 99% of the top 5k websites rely on third-party code.
Weak Points
The approach leaves many ways to evade it (only vulnerable libraries are considered, not malicious ones). If a third-party library legitimately introduces any new script, that gets blocked as well (Table 3), so ScriptProtect as such offers no backward compatibility with existing third-party code.
Evaluating only the bottom stack frame to decide whether a call came from first-party or third-party code ignores the calls in the middle of the stack (a middle frame could be the malicious one).
eval cannot be wrapped (unlike a DOM sink such as innerHTML): replacing it with a wrapper function turns direct eval into indirect eval, which loses the caller's local scope.
Alexa top 5k was the starting point, but they applied their own filtering criteria to arrive at the 5000 candidate websites (a more robust dataset, but harder to reproduce).
Even though 99% of websites use third-party code, only 129 of the 5k had third-party client-side XSS issues, which looks like few true positives caught.
Improvement
The results are not very strong, and top-tier venues expect strong results.