隨著網路科技越來越進步，網頁開始擁有比以前更多的功能，使用者現在甚 至可以利用手機網頁去做很多事情，例如:利用電子商務網站購買商品、訂車 票、查詢所要的地點等等。因此，使用者的隱私安全會更顯重要，使用者無法偵 測應用程式何時搜集他們的個人資料，在瀏覽網頁途中就可能被攻擊者竊取敏感 的資料，例如帳號密碼、地理位置等等。 在本篇論文中，我們介紹了新的網 頁技術–HTML5，HTML5 是現代網頁中常常會用到的技術，它將許多以往需要 在伺服器實作的技術移轉到使用者端，這會讓開發者更方便開發網頁，但也可能 造成致命的 DOM-Based XSS 攻擊，我們在這篇論文列出了許多 HTML5 可能造 成的 DOM-Based XSS 攻擊方式，並且提出一套用於偵測 HTML5 網頁是否暴露 於 DOM-Based XSS 威脅的檢測系統，以期能夠降低 DOM-Based XSS 攻擊的影 響。

With the evolution of the Internet technology, there are more and more functions in web applications. Even users can do lots of things via web applications on the smart phones. For example, buying some stu s on the e-commerce websites, booking train tickets, search the locations, and so on. As a result, user’s privacy is getting more and more important, the attackers may steal the sensitive data when the users type their information. For instance, stealing the user’s account number and password, watching the user’s location.
In this paper, we introduce a new web technology called HTML5. HTML5 is a common used technology in the modern web applications. It moves a large number of functions which used to implement on the server side to the client side. That makes developers can develop web applications easily. However, it may also su er from new methods of DOM-Based XSS attacks. We list a lot of HTML5 DOM- Based XSS vectors in this paper. In addition, we propose a System for Detecting DOM-Based XSS Posed on HTML5 web applications.

Table of Contents .......................................................................................... i List of Figures ................................................................................................ iii List of Tables .................................................................................................. v
Chapter 1 Introduction .............................................................................. 1
1.1 Motivation........................................................................................... 1
1.2 Our Contribution ................................................................................ 2
1.3 Organization ....................................................................................... 2
Chapter 2 Background ............................................................................... 3
2.1 Cross-site Scripting Methods .............................................................. 3
2.1.1 Re ected XSS ....................................................................... 3
2.1.2 Stored XSS ........................................................................... 4
2.1.3 DOM-Based XSS .................................................................. 5
2.2 DOM (Document Object Model) ........................................................ 5
2.3 HTML5 Techniques............................................................................. 6
2.3.1 HTML5 Improvement........................................................... 6
2.3.2 HTML5 API ......................................................................... 7
Chapter 3 HTML5 DOM-Based XSS Vulnerabilities.......................... 9
3.1 Event Attributes ................................................................................. 9
3.1.1 Window Events .................................................................... 9
3.1.2 Form Events ......................................................................... 11
3.1.3 Drag Events.......................................................................... 12
3.1.4 Media Events........................................................................ 13
3.1.5 Misc Events .......................................................................... 13
3.2 HTML5 APIs ...................................................................................... 14
3.2.1 Geolocation .......................................................................... 15
3.2.2 Webstorage ........................................................................... 16
3.2.3 Postmessage ......................................................................... 17
3.2.4 Web SQL.............................................................................. 18
3.2.5 SVG (Scalable Vector Graphics) .......................................... 19
3.3 DOM Manipulation Methods .............................................................. 20
3.3.1 Write raw HTML ................................................................. 21
3.3.2 Directly modifying the DOM ............................................... 21
3.3.3 Redirect the document URL ................................................ 22
3.3.4 Opening and modifying a window ........................................ 23
3.3.5 Directly executing script ...................................................... 24
3.4 HTML5 XSS Attack Vectors............................................................... 26
Chapter 4 Implementation ........................................................................ 28
4.1 Goal .................................................................................................... 28
4.2 System Requirement ........................................................................... 29
4.3 Tools ................................................................................................... 29
4.4 System Architecture............................................................................ 30
4.5 Results ................................................................................................ 32
Chapter 5 Mitigation.................................................................................. 37
5.1 X-XSS-Protection................................................................................ 37
5.2 HSTS (HTTP Strict Transport Security) ........................................... 38
5.3 CSP (Content-Security-Policy) ........................................................... 39
Chapter 6 Conclusions ............................................................................... 41 6.1 Conclusion........................................................................................... 41

[1] Owasp: Cross site scripting. https://www.slideshare.net/m1ke/ owasp-a3-xss.
[2] Soojin Yoon, JongHun Jung, and HwanKuk Kim. Attacks on web browsers with html5. In Internet Technology and Secured Transactions (ICITST), 2015 10th International Conference for, pages 193–197. IEEE, 2015.
[3] The html dom. https://www.w3schools.com/js/js_htmldom.asp.
[4] Html event attributes. https://www.w3schools.com/tags/ref_
eventattributes.asp.
[5] Html5onresizeevent.https://www.w3schools.com/jsref/event_onresize.
asp.
[6] Html5 oninput event. https://www.w3schools.com/jsref/event_oninput.
asp.
[7] Html5 drag and drop api. https://www.w3schools.com/html/html5_
draganddrop.asp.
[8] Html5 oncanplay event. https://www.w3schools.com/jsref/event_
oncanplay.asp.
[9] Html5 ontoggle event. https://www.w3schools.com/jsref/event_ ontoggle.asp.
[10] Html5 geolocation api. https://www.w3schools.com/html/html5_geolocation.asp.
[11] Html5 webstorage api. https://www.w3schools.com/html/html5_webstorage.asp.
[12] Html5 postmessage api. http://xyz.cinc.biz/2014/05/html5-postmessage-text.html.
[13] Html5 websql xss attack. http://www.andlabs.org/html5/csXSS1.html.
[14] Svg (scalable vector graphics). https://www.w3schools.com/graphics/svg_
intro.asp.
[15] Amit Klein. Dom based cross site scripting or xss of the third kind. http://
www. webappsec. org/projects/articles/071105. shtml, 2005.
[16] Prabhu Seshagiri, Anu Vazhayil, and Padmamala Sriram. Ama: Static code analysis of web page for the detection of malicious scripts. Procedia Computer Science, 93:768–773, 2016.
[17] Shukai Liu, Xuexiong Yan, Qingxian Wang, Xu Zhao, Chuansen Chai, and Yajing Sun. A protection mechanism against malicious html and javascript code in vulnerable web applications. Mathematical Problems in Engineering, 2016, 2016.
[18] Npm (node package manager). https://www.npmjs.com.
[19] The crawler module. https://www.npmjs.com/package/crawler.
[20] The yargs module. http://yargs.js.org.
[21] The express module. https://expressjs.com.
[22] Daniel Hedin and Andrei Sabelfeld. Web application security using js ow. In
Symbolic and Numeric Algorithms for Scienti c Computing (SYNASC), 2015 17th International Symposium on, pages 16–19. IEEE, 2015.
[23] W3school.com. https://www.w3schools.com.
[24] The x-xss-protection header. https://developer.mozilla.org/en-US/docs/
Web/HTTP/Headers/X-XSS-Protection.
[25] Hsts (http strict-transport-security). https://developer.mozilla.org/
en-US/docs/Web/HTTP/Headers/Strict-Transport-Security.
[26] Csp (content security policy). https://developer.mozilla.org/en-US/ docs/Web/HTTP/CSP.