Dancer in the Dark: Synthesizing and Evaluating Polyglots for Blind Cross-Site Scripting
Robin Kirchner, Jonas Möller, Marius Musch, David Klein, Konrad Rieck, Martin Johns

TL;DR
This paper introduces a novel method for detecting blind XSS vulnerabilities by synthesizing polyglot payloads that can execute across multiple contexts, enabling effective vulnerability verification without feedback channels.
Contribution
It presents the first comprehensive approach to blind XSS detection using polyglot payloads, covering all common injection contexts and validating effectiveness on real-world websites.
Findings
Discovered 20 blind XSS vulnerabilities in popular websites.
Polyglot payloads achieve detection rates comparable to existing taint tracking methods.
Seven polyglots cover a state-of-the-art XSS testbed.
Abstract
Cross-Site Scripting (XSS) is a prevalent and well-known security problem in web applications. Numerous methods to automatically analyze and detect these vulnerabilities exist. However, all of these methods require that either code or feedback from the application is available to guide the detection process. In larger web applications, inputs can propagate from a frontend to an internal backend that provides no feedback to the outside. None of the previous approaches are applicable in this scenario, known as blind XSS (BXSS). In this paper, we address this problem and present the first comprehensive study on BXSS. As no feedback channel exists, we verify the presence of vulnerabilities through blind code execution. For this purpose, we develop a method for synthesizing polyglots, small XSS payloads that execute in all common injection contexts. Seven of these polyglots are already…
Taxonomy
Topics: Manufacturing Process and Optimization · Software Testing and Debugging Techniques · Digital and Cyber Forensics
