1. Web
• Cross Site Scripting (XSS)
• Client-Side XSS
2. XSS Client-Side XSS
• Client-Side XSS (DOM Based XSS) [1]
[1]. IPA, “IPA DOM Based XSS”, https://www.ipa.go.jp/files/000024729.pdf, 2013.
3. XSS
Client-Side XSS [2]
HTML XSS
Content Security Policy / Web Application Firewall
[2]. Sebastian Lekies, Krzysztof Kotowicz, Samuel Groß, Eduardo A. Vela Nava, Martin Johns, “Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets”, ACM CCS, 2017.
XSS
JavaScript
4. Client-Side XSS
• Client-Side XSS
► [3]
► [4]
► [5]
► … etc
JavaScript Web
[3]. Ben Stock, Sebastian Lekies, Tobias Mueller, Patrick Spiegel, Martin Johns, “Precise Client-side Protection against DOM-based Cross-Site Scripting”, 23rd USENIX Security Symposium, 2014.
[4]. Inian Parameshwaran, Enrico Budianto, Shweta Shinde, “Auto-Patching DOM-based XSS At Scale”, Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering, pp. 272-283, 2015.
[5]. Marius Musch, Marius Steffens, Sebastian Roth, Ben Stock, Martin Johns, “ScriptProtect: Mitigating Unsafe Third-Party JavaScript Practices”, AsiaCCS, 2019.