Appendix L — Exploits
We present exploits for leaking information via the DOM tree. These exploits have been tested against NoMoXSS — the latest practical implementation of JavaScript information flow control in a browser. Both exploits launder data in two phases: first they encode a portion of tainted data in the DOM tree, then they decode this data from the DOM tree and obtain the same data, but untainted. The core of both algorithms is the encoding and decoding of one bit. Knowing how to perform these two operations, constructing an algorithm that would launder data of arbitrary length is straightforward.
- the conditional navigation exploit (JavaScript source, pretty printed) uses the position of the pointer to the DOM tree to communicate the value of one bit. The encoding procedure assumes that there exists a div(*) node with one child. To encode a "1" bit a designated pointer should be set to the div node, setting the pointer to its child represents a "0" bit. This exploit leaks a string bit-by-bit: it encodes each bit of the source string, launders immediately and writes it to the resulting (laundered) string.
- the conditional deletion exploit (JavaScript source, pretty printed) uses the fact of existence of a node to communicate the value of one bit. Each "1" bit would be represented as a div element that has another div element as a child. A div element without children would represent a "0" bit. In this exploit we've chosen another magnification method (**): instead of bit-by-bit encoding and decoding, we encode and decode the whole string. In this approach a byte could be represented as a div which has 8 div descendants, each of them, in turn, representing a corresponding bit in a byte (little-endian encoding). A string is just a sequence of bytes and could be represented as another div element whose children are the subtrees that represent the bytes, in the same order.
tainted string using the deletion attack. It returns the string which is no longer tainted and could be sent to a third party,
even if monitored by the NoMoXSS tool [34]. Function leakConditionalNavigation has similar functionality,
but it utilizes the navigation attack. Both functions use a well-known magnification technique to lift a one-bit leaking
vulnerability to an n-bit leaking vulnerability.
(*) In fact, any other valid (X)HTML element could be chosen.
(**) Just for the sake of variety.