This directory hosts proof-of-concept code accompanying the script gadgets research.
- Sebastian Lekies email@example.com
- Eduardo Vela Nava firstname.lastname@example.org
- Krzysztof Kotowicz email@example.com
Presentations / papers:
- "Don’t trust the DOM: Bypassing XSS mitigations via Script gadgets" (AppSec EU 2017 slides)
- (Black Hat USA 2017 slides).
- ACM CCS'17 paper - with Samuel Groß and Martin Johns.
To use the code, you'll need an HTTP(S) server with PHP support. We used Apache2 + mod_php. Respective virtual hosts used in the PoCs are:
Feel free to replace those hostnames to match your setup using grep. Please set up both virtual hosts to serve the same directory, with the root of the site pointing to
The proofs of concept are organized by the XSS mitigation bypassed, so e.g. /repo/csp/sd will host all Content Security Policy (CSP) strict-dynamic bypasses. In each directory each of the *-exploit.* files contains a bypass using a given framework or library, so /repo/csp/ue/aurelia_exploit.php demonstrates how the Aurelia framework may bypass the
The full list of bypasses is in bypasses.md.