Mime Artist: Bypassing Whitelisting for the Web with JavaScript Mimicry Attacks

  • Stefanos Chaliasos
  • George Metaxopoulos
  • George Argyros
  • Dimitris MitropoulosEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11736)


Despite numerous efforts to mitigate Cross-Site Scripting (xss) attacks, xss remains one of the most prevalent threats to modern web applications. Recently, a number of novel xss patterns, based on code-reuse and obfuscated payloads, were introduced to bypass different protection mechanisms such as sanitization frameworks, web application firewalls, and the Content Security Policy (csp). Nevertheless, a class of script-whitelisting defenses that perform their checks inside the JavaScript engine of the browser, remains effective against these new patterns. We have evaluated the effectiveness of whitelisting mechanisms for the web by introducing “JavaScript mimicry attacks”. The concept behind such attacks is to use slight transformations (i.e. changing the leaf values of the abstract syntax tree) of an application’s benign scripts as attack vectors, for malicious purposes. Our proof-of-concept exploitations indicate that JavaScript mimicry can bypass script-whitelisting mechanisms affecting either users (e.g. cookie stealing) or applications (e.g. cryptocurrency miner hijacking). Furthermore, we have examined the applicability of such attacks at scale by performing two studies: one based on popular application frameworks (e.g. WordPress) and the other focusing on scripts coming from Alexa’s top 20 websites. Finally, we have developed an automated method to help researchers and practitioners discover mimicry scripts in the wild. To do so, our method employs symbolic analysis based on a lightweight weakest precondition calculation.


Cross-site Scripting JavaScript Whitelisting Mimicry attacks 



We would like to thank the reviewers for their insightful comments and constructive suggestions. This work has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 825328.


  1. 1.
    Lekies, S., Kotowicz, K., Groß, S., Vela Nava, E.A., Johns, M.: Code-reuse attacks for the web: breaking cross-site scripting mitigations via script gadgets. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1709–1723. ACM (2017)Google Scholar
  2. 2.
    Oren, Y., Kemerlis, V.P., Sethumadhavan, S., Keromytis, A.D.: The spy in the sandbox: practical cache attacks in JavaScript and their implications. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, New York, NY, USA, pp. 1406–1418. ACM (2015)Google Scholar
  3. 3.
    Stock, B., Lekies, S., Mueller, T., Spiegel, P., Johns, M.: Precise client-side protection against DOM-based cross-site scripting. In: 23rd USENIX Security Symposium, San Diego, CA, pp. 655–670 (2014)Google Scholar
  4. 4.
    Heiderich, M., Niemietz, M., Schuster, F., Holz, T., Schwenk, J.: Scriptless attacks: stealing the pie without touching the sill. In: Proceedings of the 19th Conference on Computer and Communications Security, pp. 760–771 (2012)Google Scholar
  5. 5.
    Bojinov, H., Bursztein, E., Boneh, D.: XCS: cross channel scripting and its impact on web applications. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 420–431. ACM (2009)Google Scholar
  6. 6.
    Elias, A., Vasilis, P., Evangelos, M.: Code-injection attacks in browsers supporting policies. In: Proceedings of the 2nd Workshop on Web 2.0 Security and Privacy, Washington, DC, USA. IEEE (2009)Google Scholar
  7. 7.
    Marius, S., Rossow, C., Johns, M., Stock, B.: Don’t trust the locals: investigating the prevalence of persistent client-side cross-site scripting in the wild. In: Proceedings of the 2019 Network and Distributed System Security Symposium (NDSS) (2019)Google Scholar
  8. 8.
    Yu, D., Chander, A., Islam, N., Serikov, I.: JavaScript instrumentation for browser security. In: Proceedings of the 34th Annual ACM Symposium on Principles of Programming Languages, pp. 237–249. ACM (2007)Google Scholar
  9. 9.
    Ter Louw, M., Venkatakrishnan, V.N.: Blueprint: robust prevention of cross-site scripting attacks for existing browsers. In: Proceedings of the 2009 30th IEEE Symposium on Security and Privacy, SP 2009, Washington, DC, USA, pp. 331–346. IEEE Computer Society (2009)Google Scholar
  10. 10.
    Saxena, P., Akhawe, D., Hanna, S., Mao, F., McCamant, S., Song, D.: A symbolic execution framework for JavaScript. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy, SP 2010, Washington, DC, USA, pp. 513–528. IEEE Computer Society (2010)Google Scholar
  11. 11.
    Giffin, D.B., Levy, A., Stefan, D., Terei, D., Mazières, D., Mitchell, J.C., Russo, A.: Hails: protecting data privacy in untrusted web applications. In: Proceedings of the 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2012), Hollywood, CA, USA, pp. 47–60 (2012)Google Scholar
  12. 12.
    Hedin, D., Birgisson, A., Bello, L., Sabelfeld, A.: JSFlow: tracking information flow in JavaScript and its APIs. In: Proceedings of the 29th Annual ACM Symposium on Applied Computing, pp. 1663–1671 (2014)Google Scholar
  13. 13.
    Soni, P., Budianto, E., Saxena, P.: The SICILIAN defense: signature-based whitelisting of Web JavaScript. In: Proceedings of the 22nd Conference on Computer and Communications Security, pp. 1542–1557. ACM (2015)Google Scholar
  14. 14.
    Sharath, C.V., Selvakumar, S.: BIXSAN: browser independent XSS sanitizer for prevention of XSS attacks. SIGSOFT Softw. Eng. Notes 36(5), 1–7 (2011)Google Scholar
  15. 15.
    Saoji, T., Austin, T.H., Flanagan, C.: Using precise taint tracking for auto-sanitization. In: Proceedings of the 2017 Workshop on Programming Languages and Analysis for Security, New York, NY, USA, PLAS 2017, pp. 15–24. ACM (2017)Google Scholar
  16. 16.
    Argyros, G., Stais, I., Jana, S., Keromytis, A.D., Kiayias, A.: SFADiff: automated evasion attacks and fingerprinting using black-box differential automata learning. In: Proceedings of the 2016 ACM Conference on Computer and Communications Security, pp. 1690–1701. ACM (2016)Google Scholar
  17. 17.
    Stamm, S., Sterne, B., Markham, G.: Reining in the web with content security policy. In: Proceedings of the 19th International Conference on World Wide Web, WWW 2010, New York, NY, USA, pp. 921–930. ACM (2010)Google Scholar
  18. 18.
    Heiderich, M., Späth, C., Schwenk, J.: DOMPurify: client-side protection against XSS and markup injection. In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) ESORICS 2017. LNCS, vol. 10493, pp. 116–134. Springer, Cham (2017). Scholar
  19. 19.
    Mitropoulos, D., Stroggylos, K., Spinellis, D., Keromytis, A.D.: How to train your browser: preventing XSS attacks using contextual script fingerprints. ACM Trans. Priv. Secur. 19(1), 2:1–2:31 (2016)CrossRefGoogle Scholar
  20. 20.
    Wurzinger, P., Platzer, C., Ludl, C., Kirda, E., Kruegel, C.: SWAP: mitigating XSS attacks using a reverse proxy. In: Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems, Washington, DC, USA, pp. 33–39. IEEE Computer Society (2009)Google Scholar
  21. 21.
    Johns, M., Engelmann, B., Posegga, J.: XSSDS: server-side detection of cross-site scripting attacks. In: Proceedings of the 2008 Annual Computer Security Applications Conference, pp. 335–344. IEEE (2008)Google Scholar
  22. 22.
    Bisht, P., Venkatakrishnan, V.N.: XSS-GUARD: precise dynamic prevention of cross-site scripting attacks. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 23–43. Springer, Heidelberg (2008). Scholar
  23. 23.
    Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 255–264. ACM (2002)Google Scholar
  24. 24.
    Kayacik, H.G., Zincir-Heywood, A.N.: Mimicry attacks demystified: what can attackers do to evade detection? In: Proceedings of the Sixth Annual Conference on Privacy, Security and Trust, Washington, USA, pp. 213–223. IEEE (2008)Google Scholar
  25. 25.
    Dijkstra, E.W.: Guarded commands, nondeterminacy and formal derivation of programs. Commun. ACM 18(8), 453–457 (1975)MathSciNetCrossRefGoogle Scholar
  26. 26.
    Denning, D.E.R.: An intrusion detection model. IEEE Trans. Soft. Eng. 13(2), 222–232 (1987)CrossRefGoogle Scholar
  27. 27.
    Mitropoulos, D., Louridas, P., Polychronakis, M., Keromytis, A.D.: Defending against web application attacks: approaches, challenges and implications. IEEE Trans. Depend. Secure Comput. 16(2), 188–203 (2019)CrossRefGoogle Scholar
  28. 28.
    nsign’s source code repository on Github (2016). Accessed 06 July 2018
  29. 29.
    W3Techs - World Wide Web Technology Surveys. Accessed 28 Apr 2019
  30. 30.
    CVE Details: The Ultimate Vulnerability Data Source. Accessed 10 Sept 2018
  31. 31.
    Vulnerability Details: CVE-2016-14126 - XSS in the Participants Database Wordpress Plugin. Accessed 10 Sept 2018
  32. 32.
    Coinhive: A crypto miner for your website (2018). Accessed 10 Sept 2018
  33. 33.
    Vulnerability Details: CVE-2016-2153 - XSS Vulnerability in Moodle. Accessed 10 Sept 2018
  34. 34.
    Mitropoulos, D., Louridas, P., Salis, V., Spinellis, D.: All Your Script Are Belong to Us: Collecting and Analyzing JavaScript Code from 10K Sites for 9 Months, March 2019Google Scholar
  35. 35.
    Mitropoulos, D., Louridas, P., Salis, V., Spinellis, D.: Time present and time past: analyzing the evolution of JavaScript code in the wild. In: 16th International Conference on Mining Software Repositories: Technical Track, MSR 2019. IEEE Computer Society, May 2019Google Scholar
  36. 36.
    Code share. Nature 514, 536–537 (2014)Google Scholar
  37. 37.
    nightcrawler: Collecting JavaScript on a daily basis (2019). Accessed 26 Apr 2019
  38. 38.
    Haverbeke, M.: acornjs/acorn: a small, fast, JavaScript-based JavaScript parser. Accessed 10 June 2018
  39. 39.
    Rustan, K., Leino, M.: Efficient weakest preconditions. Inf. Process. Lett. 93(6), 281–288 (2005)MathSciNetCrossRefGoogle Scholar
  40. 40.
    de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). Scholar
  41. 41.
    Zheng, Y., Zhang, X., Ganesh, V.: Z3-str: a Z3-based string solver for web application analysis. In: Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering, pp. 114–124. ACM (2013)Google Scholar
  42. 42.
    Roemer, R., Buchanan, E., Shacham, H., Savage, S.: Return-oriented programming: systems, languages, and applications. ACM Trans. Inf. Syst. Secur. 15(1), 2:1–2:34 (2012)CrossRefGoogle Scholar
  43. 43.
    Ray, D., Ligatti, J.: Defining code-injection attacks. In: Proceedings of the 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2012, New York, NY, USA, pp. 179–190. ACM (2012)Google Scholar
  44. 44.
    Bojinov, H., Bursztein, E., Boneh, D.: The emergence of cross channel scripting. Commun. ACM 53(8), 105–113 (2010)CrossRefGoogle Scholar
  45. 45.
    Dahse, J., Holz, T.: Static detection of second-order vulnerabilities in web applications. In: Proceedings of the 23rd USENIX Conference on Security Symposium, Berkeley, CA, USA, pp. 989–1003. USENIX Association (2014)Google Scholar
  46. 46.
    Jim, T., Swamy, N., Hicks, M.: Defeating script injection attacks with browser-enforced embedded policies. In: Proceedings of the 16th International Conference on World Wide Web, WWW 2007, New York, NY, USA, pp. 601–610. ACM (2007)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Stefanos Chaliasos
    • 1
  • George Metaxopoulos
    • 1
  • George Argyros
    • 2
  • Dimitris Mitropoulos
    • 1
    Email author
  1. 1.Department of Management Science and TechnologyAthens University of Economics and BusinessAthensGreece
  2. 2.Department of Computer ScienceColumbia UniversityNew YorkUSA

Personalised recommendations