Dancer in the Dark: Synthesizing and Evaluating Polyglots for Blind Cross-Site Scripting

Robin Kirchner, Jonas Möller, Marius Musch, David Klein, Konrad Rieck, Martin Johns

TL;DR

This work addresses blind cross-site scripting (BXSS), where an injected input propagates to an internal backend that returns no feedback, so the tester cannot inspect the injection context to guide exploitation. It introduces an automatic polyglot synthesis pipeline based on Monte Carlo Tree Search (MCTS) that generates small payload sets which execute across multiple injection contexts; seven polyglots suffice to cover the XSS testbed used for evaluation. The authors validate the polyglots on real client-side XSS vulnerabilities and show a detection rate on par with precise taint-tracking exploit generation, and they conduct the first large-scale BXSS study in the wild across the Tranco Top 100k domains, uncovering 20 BXSS vulnerabilities in 18 backend systems. The results reveal a significant, previously underexplored attack surface, and the tooling is publicly available to assist researchers and defenders in automatic BXSS detection and disclosure.

Abstract

Cross-Site Scripting (XSS) is a prevalent and well-known security problem in web applications. Numerous methods to automatically analyze and detect these vulnerabilities exist. However, all of these methods require that either code or feedback from the application is available to guide the detection process. In larger web applications, inputs can propagate from a frontend to an internal backend that provides no feedback to the outside. None of the previous approaches are applicable in this scenario, known as blind XSS (BXSS). In this paper, we address this problem and present the first comprehensive study on BXSS. As no feedback channel exists, we verify the presence of vulnerabilities through blind code execution. For this purpose, we develop a method for synthesizing polyglots, small XSS payloads that execute in all common injection contexts. Seven of these polyglots are already sufficient to cover a state-of-the-art XSS testbed. In a validation on real-world client-side vulnerabilities, we show that their XSS detection rate is on par with existing taint tracking approaches. Based on these polyglots, we conduct a study of BXSS vulnerabilities on the Tranco Top 100,000 websites. We discover 20 vulnerabilities in 18 web-based backend systems. These findings demonstrate the efficacy of our detection approach and point at a largely unexplored attack surface in web security.

Paper Structure

This paper contains 45 sections, 11 figures, 3 tables, 2 algorithms.

Figures (11)

  • Figure 1: Code segments depicting injections in three different contexts: in HTML, in a URI, and in JavaScript code.
  • Figure 2: Attack flows of stored XSS (a) and blind XSS (b) vulnerabilities. Only the stored XSS scenario allows the attacker to inspect the injection context to adapt their exploit.
  • Figure 3: Two injection contexts that are mutually exclusive, i.e., can not be solved by the same XSS polyglot.
  • Figure 4: Composition of our minimal polyglot set solving all 111 test cases of our testbed. Squares ($\blacksquare$) indicate solved tests. The top row (D) visualizes the overall difficulty of each test case, calculated as the fraction of all polyglots we generated that solve this test, i.e., difficult tests with fewer solutions are red ($\blacksquare$), while the color of more frequently solved tests gradually shifts to yellow ($\blacksquare$). The numbered rows show the performance of our polyglot set. Diamonds ($\blacklozenge$) are placed instead of squares where only one polyglot in the set solves a test. For comparison, the bottom row (*) shows the performance of the Ultimate polyglot.
  • Figure 5: A typical Client-Side XSS vulnerability.
  • ...and 6 more figures
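Figure 4's caption describes two pieces of bookkeeping over a solve matrix (which generated polyglot solves which test): a per-test difficulty score, and a minimal set of polyglots that together cover every test, with the tests that only one member of that set solves marked separately. Below is an added example of that computation, written for this page and not taken from the paper; the solve matrix is constructed and far smaller than the paper's testbed, and the cover is found by exhaustive search, which is only practical for small candidate pools.

```javascript
'use strict';
// Added example (not from the paper): the bookkeeping behind a figure like
// Figure 4. Given which candidate polyglots solve which testbed cases, compute
// per-test difficulty, pick a minimal covering set, and flag the tests that
// only one member of the chosen set solves.

// Constructed data for illustration: candidate name -> test IDs it solves.
const SOLVES = {
  p1: ['t1', 't2', 't3', 't4'],
  p2: ['t3', 't4', 't5'],
  p3: ['t5', 't6'],
  p4: ['t1', 't3', 't6', 't7'],
  p5: ['t2', 't7'],
  p6: ['t3', 't4'],
};

// All distinct test IDs mentioned anywhere in the matrix, sorted.
function allTests(solves) {
  return [...new Set(Object.values(solves).flat())].sort();
}

// Difficulty as in the caption: the fraction of all generated polyglots that
// solve a test. Lower means harder (the solution is rarer).
function difficulty(solves, tests) {
  const names = Object.keys(solves);
  const out = {};
  for (const t of tests) {
    const n = names.filter((p) => solves[p].includes(t)).length;
    out[t] = n / names.length;
  }
  return out;
}

// Enumerate k-element subsets of items in lexicographic order.
function* combinations(items, k, start = 0, prefix = []) {
  if (prefix.length === k) { yield prefix; return; }
  for (let i = start; i <= items.length - (k - prefix.length); i++) {
    yield* combinations(items, k, i + 1, [...prefix, items[i]]);
  }
}

// Exact minimum set cover by increasing subset size. Fine for a few dozen
// candidates; for hundreds, switch to a greedy heuristic or an ILP solver.
// Returns null when the candidates cannot cover the testbed at all.
function minimalCover(solves, tests) {
  const names = Object.keys(solves);
  const covers = (subset) => {
    const got = new Set(subset.flatMap((p) => solves[p]));
    return tests.every((t) => got.has(t));
  };
  for (let k = 1; k <= names.length; k++) {
    for (const subset of combinations(names, k)) {
      if (covers(subset)) return subset;
    }
  }
  return null;
}

// Tests solved by exactly one member of the chosen set (the caption's
// diamonds): dropping that polyglot would lose coverage of these tests.
function uniquelySolved(solves, chosen, tests) {
  return tests.filter(
    (t) => chosen.filter((p) => solves[p].includes(t)).length === 1,
  );
}
```

With the constructed matrix, no pair of candidates covers all seven tests, so the search returns the first covering triple; the four diamond tests it reports are exactly the ones that pin each member of that triple in place.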