logo

Hand Sanitizers in the Wild: A Large-scale Study of Custom JavaScript Sanitizer Functions

2022-11-17

Authors:   David Klein


Abstract

Hand sanitizers have been an important tool to prevent the Covid pandemic from spreading even further. However, not everything related to hand sanitization is as positive. Hand written sanitizing functions, frequently found on the web, are a grave security risk. Input sanitization is the main technique to defend against injection attacks such as Cross-Site Scripting (XSS). With more and more functionality being offered in the form of web applications, the importance of correct sanitizing functions increases.While evidence of broken sanitizers exist, no comprehensive study about real world JavaScript sanitizing functions existed. To close this gap we leveraged a taint-tracking enabled Web browser to detect JavaScript code performing input sanitization. We built an analysis framework to evaluate the collected functions for both generality and security. We found 10% of the analyzed sanitizers to be blatantly insecure with our framework being able to automatically generate a modified payload passing through the sanitizer. However, most of the remaining sanitizers were only secure for the exact piece of code surrounding them, running danger that a simple modification, such as changing from single to double quotes, opens the door to injection vulnerabilities.By attending this session you will learn about the intricacies of input sanitization on the web, how to protect your website and what to avoid when doing so. You will also get a glimpse towards upcoming mitigations against Client-Side XSS, which might aid to finally ridden the web of this vulnerability class.

Materials: