
We Built a Protection Against DOM-Based Cross-Site Scripting into Chromium - cujanovic
https://blogs.gnome.org/muelli/2016/03/taint-tracking-for-chromium/
======
ubernostrum
I'd be interested to see a comparison between this and the measures Microsoft
has been building in since IE8. IIRC Microsoft avoided full taint checking of
strings and went with an approach of just looking for reflected content.

~~~
ghusbands
The Microsoft/IE8 approach was fundamentally flawed and led to XSS attacks in
otherwise-safe sites [1]. The approach in this article only ever prevents
execution without otherwise changing behaviour (modulo noted bugs and
slowdown), improving security.

However, developers may start accidentally depending on this security feature
and hence make sites less secure in browsers lacking the feature. If the taint
is hit, there should instead be a big red warning, akin to safe browsing or
https warnings.

[1] http://www.zdnet.com/article/security-gone-awry-ie-8-xss-filter-exposes-sites-to-xss-attacks/
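
A toy model of the taint-tracking behaviour described above (tainted data refused at an execution sink, untainted data left alone), added here as an example that is not code from the article, from Chromium, or from anyone in this thread; the `TaintedString` class, the `guardedInnerHTML` sink guard and the sample URL fragments are all constructed for illustration:

```javascript
// Toy taint tracking: strings that originate from an attacker-controlled
// source (here a URL fragment) carry a taint flag that survives
// concatenation. A guarded DOM sink refuses tainted executable markup but
// passes everything else through unchanged, which is the property the
// comment above contrasts with IE8's content-rewriting filter.

class TaintedString {
  constructor(value, tainted) {
    this.value = value;
    this.tainted = tainted;
  }
  // Concatenation propagates taint: if any part is tainted, the result is.
  concat(other) {
    const o = other instanceof TaintedString
      ? other : new TaintedString(String(other), false);
    return new TaintedString(this.value + o.value, this.tainted || o.tainted);
  }
  toString() { return this.value; }
}

// Source: anything read from location.hash is tainted (hash is passed in
// explicitly so the example runs outside a browser).
function readFragment(hash) {
  return new TaintedString(decodeURIComponent(hash.slice(1)), true);
}

// Markup that would execute script if it reached innerHTML.
const EXEC_MARKUP = /<\s*script\b|\bon[a-z]+\s*=|javascript:/i;

// Sink guard: the decision depends on taint, not on content alone.
// Developer-written markup (untainted) is never touched.
function guardedInnerHTML(input) {
  const s = input instanceof TaintedString
    ? input : new TaintedString(String(input), false);
  if (s.tainted && EXEC_MARKUP.test(s.value)) {
    return { blocked: true, html: "" };
  }
  return { blocked: false, html: s.value };
}

// Constructed sample inputs (not taken from the page).
function demo() {
  const greeting = new TaintedString("Hello, ", false);
  return {
    benign: guardedInnerHTML(greeting.concat(readFragment("#alice"))),
    tainted: guardedInnerHTML(greeting.concat(
      readFragment("#%3Cscript%3Euntrusted()%3C/script%3E"))),
    trusted: guardedInnerHTML("<script>trusted()</script>"),
  };
}
```

The `trusted` case shows the distinguishing property: identical markup written by the page author is left alone, because the block is keyed on provenance rather than on pattern matching of the rendered content.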

~~~
ubernostrum
If I'm remembering correctly, Microsoft later changed it from trying to
"sanitize" the suspicious content to just flat refusing to render the page
when it detects reflected content. I'm interested in pros/cons of the
reflection-detecting vs. taint-tracking approaches, not about different
approaches to actions taken post-detection (which is where the initial IE8
approach fell over).

------
xyzzy123
So, an up-to-date DOMinator for Chrome but with no source code available?

I quite liked the discussion of issues with current XSS auditor in Chrome
although I felt it was pressing the point a bit to call it "state of the art".

~~~
chipperyman573
What is DOMinator? Google seems to get confused by it being a real word and
other searches (DOMinator XSS, DOMinator chrome, etc) didn't turn anything up.

~~~
xyzzy123
Sorry, I meant this: http://blog.mindedsecurity.com/2011/05/dominator-project.html
(pro version now at: dominator.mindedsecurity.com). This project also
implemented JS taint tracking, but for FF.

They released 2 versions, an open source version and a pro version, both of
these have lagged far behind current FF versions, presumably because it's not
easy to maintain these patches. That said, DOMinator pro is still used by some
pentesters (makes the browser run really slow though).

At a 20% or so performance hit, it sounds like this code is faster. The one
thing which would be even better would be if I could use it :p

