Full Report
XSS is cool and all but there's more to it. This wiki goes into other frontend security issues like CSRF, prototype pollution, CSS injection and many other things. Just a good reference overall.
Analysis Summary
# Vulnerability: Overview of Modern Front-end Security Vectors
## CVE Details
- **CVE ID:** N/A (General Class of Vulnerabilities)
- **CVSS Score:** Variable (ranges from 4.3 Medium to 9.8 Critical depending on specific implementation)
- **CWE:**
  - CWE-79 (XSS)
  - CWE-1321 (Prototype Pollution)
  - CWE-352 (CSRF)
  - CWE-1021 (Clickjacking)
  - CWE-942 (CORS Misconfiguration)
## Affected Systems
- **Products:** Modern Web Applications, Client-side Frameworks (React, Vue, Angular), and Browsers.
- **Versions:** Language-agnostic; affects applications using insecure JavaScript coding patterns or improper security headers.
- **Configurations:** Systems lacking Content Security Policy (CSP), applications handling sensitive data via Cookies without `SameSite` attributes, and apps reflecting user input into the DOM.
## Vulnerability Description
This summary addresses a broad spectrum of front-end security flaws beyond traditional Cross-Site Scripting (XSS). These vulnerabilities exploit the way modern browsers interpret HTML, CSS, and JavaScript:
- **Prototype Pollution:** Abusing JavaScript's inheritance model to inject properties into `Object.prototype` (typically through a recursive merge or path-set that walks a `__proto__` key), so every object inherits them; this can lead to RCE in server-side JavaScript or to logic bypasses.
- **DOM Clobbering:** Using HTML elements (like `<img>` or `<form>`) with specific `id` or `name` attributes to shadow global JavaScript variables (properties of `window` or `document`) that code reads without declaring.
- **XSLeaks (Cross-site Leaks):** Using browser side-channels (like execution time or frame counting) to infer a user's state on another website.
- **CSS Injection:** Using attribute selectors together with features like `background-image: url()` to exfiltrate data (e.g., CSRF tokens) without requiring JavaScript execution.
## Exploitation
- **Status:** PoC available (Techniques are well-documented and actively seen in CTF challenges and real-world bug bounties).
- **Complexity:** Medium to High (requires deep understanding of browser internals and JS engine behavior).
- **Attack Vector:** Network (Web-based).
## Impact
- **Confidentiality:** High (Data exfiltration via CSS/XSLeaks, unauthorized access to sensitive tokens).
- **Integrity:** High (Modification of application logic via Prototype Pollution or DOM Clobbering).
- **Availability:** Low to Medium (Exceptions include "Cookie Bombs" which can deny service to a specific user).
## Remediation
### Patches
- **Framework Updates:** Keep front-end libraries (e.g., jQuery, Lodash) updated to versions that sanitize against Prototype Pollution.
- **Library Usage:** Use updated sanitization libraries like `DOMPurify` to handle HTML input.
### Workarounds
- **Security Headers:** Implement a strict Content Security Policy (CSP), `X-Content-Type-Options: nosniff`, and `X-Frame-Options` (or the CSP `frame-ancestors` directive, which supersedes it).
- **Cookie Security:** Set the `SameSite=Lax` or `SameSite=Strict` attribute on all sensitive cookies to mitigate CSRF and XSLeaks.
- **Object Freezing:** Use `Object.freeze(Object.prototype)` to prevent basic Prototype Pollution; note that this can break libraries that legitimately extend built-in prototypes, so test before deploying it.
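To make the Prototype Pollution sink and its fix concrete, here is an added example (not code from the Beyond XSS wiki) showing a naive recursive merge beside a hardened one; the function names and the JSON payload are constructed for this illustration.

```javascript
// Constructed input of the shape an attacker-controlled JSON body would have.
// JSON.parse creates an *own* property literally named "__proto__".
const PAYLOAD_JSON = '{"__proto__": {"isAdmin": true}, "name": "alice"}';

// Vulnerable: treats "__proto__" like any other key. target["__proto__"] is
// Object.prototype, so the recursion writes isAdmin onto every object.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key]) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip keys that reach the prototype chain, copy only own
// properties, and create nested containers with no prototype to pollute.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : null;
      if (!existing || typeof existing !== 'object') target[key] = Object.create(null);
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Check whether a merge implementation lets the payload leak into a fresh
// object, then undo the pollution so later checks start from a clean prototype.
function pollutesPrototype(mergeFn) {
  mergeFn({}, JSON.parse(PAYLOAD_JSON));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}
```

`pollutesPrototype(unsafeMerge)` returns `true` while `pollutesPrototype(safeMerge)` returns `false`, and `safeMerge` still copies the ordinary `name` field.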
## Detection
- **Indicators of Compromise:** Unusual DOM structures, unauthorized state changes in user accounts, or high volumes of cross-origin requests.
- **Detection methods and tools:**
  - **Static Analysis:** Tools like Semgrep or ESLint (with security plugins) to find dangerous sinks like `innerHTML` or `eval()`.
  - **Dynamic Analysis:** DAST scanners capable of identifying Prototype Pollution and missing security headers.
## References
- **Author's Wiki:** hxxps[://]aszx87410[.]github[.]io/beyond-xss/en/
- **OWASP Top 10:** hxxps[://]owasp[.]org/www-project-top-ten/
- **PortSwigger Web Security Academy:** hxxps[://]portswigger[.]net/web-security/