XSS vulnerabilities have existed almost since dynamic websites were born, and security research on them keeps being published. Yet XSS is still far from solved.
Searching the [[安全四大会]] (the four top security conferences) and the top software-engineering venues FSE, ASE and ICSE for keywords such as "Cross-site" over 2020-2025 still turns up roughly 10 papers per year (counted in May 2025), as the figure below shows.
![[Pasted image 20250604190046.png]]
Tellingly, Prof. [Martin Johns](https://www.martinjohns.com/) has been working on XSS since his PhD in 2009, and 15 years later, in 2024, he is still publishing XSS papers.
The reason is that XSS carries two layers of complexity, one intrinsic and one external:
1. Browser technology is used in ever more software ecosystems and scenarios, so the security impact of XSS keeps expanding. Examples include UXSS[^1], XRCE[^2] and BXSS[^3]…
2. XSS detection has long-standing hard problems: stored XSS is difficult to detect efficiently[^3][^4][^5][^6][^7], and exploitation has to handle complex injection contexts[^3][^8][^9][^10].
3. Beyond those long-standing problems, XSS detection faces new ones. As front-end technology evolves and the front end becomes more dynamic, the number of exploitation techniques grows: finding prototype pollution and detecting its gadget chains[^9][^10], vulnerability detection in the Vue framework[^10], and deep, complex interaction flows that scanners must drive[^6][^11][^12][^13].
4. Defending against XSS is hard. Server-side XSS filtering is unsound in principle, because the sanitizer's parser and the browser's parser can disagree on the same markup (parsing differentials)[^14]; client-side (DOM-based) XSS prevention requires redesigning the existing JS API surface so that unsafe sinks do not compile[^15]; and Content Security Policy (CSP) is hard to deploy securely, for instance because third parties strip or block it[^16].
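As an added example (not code from this note or from any of the cited papers), the Node.js script below walks through the client-side chain item 3 refers to: a prototype-pollution source, here a naive deep merge of attacker-controlled JSON, pollutes `Object.prototype`; a hypothetical widget library's option read acts as the gadget that turns the pollution into an unescaped HTML sink; and a hardened merge plus a hardened gadget close the chain. Every identifier (`deepMergeVulnerable`, `renderWidget`, the `rawHtml` option, the attacker JSON) is invented for the demonstration.

```javascript
// Added example, not code from this note or from the cited papers. It shows the
// client-side prototype pollution chain mentioned in item 3: a source (naive deep
// merge of attacker JSON) pollutes Object.prototype, a hypothetical widget
// library gadget turns that into an HTML sink, and hardened versions close it.
// Every identifier here is invented for the demonstration.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// SOURCE (vulnerable): merges e.g. JSON.parse(location.hash.slice(1)) into a config.
// JSON.parse yields an own "__proto__" key, for...in enumerates it, and because
// target["__proto__"] is Object.prototype (an object) the recursion writes into it.
function deepMergeVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object' && typeof target[key] === 'object') {
      deepMergeVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// GADGET (hypothetical widget library): escapes `text` but honours an optional
// `rawHtml` override. The plain property read walks the prototype chain, so a
// polluted Object.prototype.rawHtml makes every widget an unescaped HTML sink.
function renderWidget(opts) {
  if (opts.rawHtml !== undefined) return `<div>${opts.rawHtml}</div>`;
  return `<div>${escapeHtml(opts.text)}</div>`;
}

// Constructed attacker input, e.g. the URL fragment the victim is lured to open.
const ATTACKER_JSON = '{"__proto__":{"rawHtml":"<img src=x onerror=alert(1)>"}}';

function exploitDemo() {
  deepMergeVulnerable({}, JSON.parse(ATTACKER_JSON));
  const html = renderWidget({ text: '<b>hello</b>' }); // caller never set rawHtml
  delete Object.prototype.rawHtml; // undo the pollution so later code is unaffected
  return html;
}

// HARDENED SOURCE: own keys only, skip the keys that reach a prototype, and never
// recurse into an inherited target[key].
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function deepMergeHardened(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      deepMergeHardened(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED GADGET: treat overrides as own properties only, so inherited
// (polluted) values are ignored even if some other source was vulnerable.
function renderWidgetHardened(opts) {
  if (Object.prototype.hasOwnProperty.call(opts, 'rawHtml')) return `<div>${opts.rawHtml}</div>`;
  return `<div>${escapeHtml(opts.text)}</div>`;
}

function hardenedDemo() {
  const cfg = deepMergeHardened({}, JSON.parse(ATTACKER_JSON));
  return {
    polluted: ({}).rawHtml !== undefined,   // false: prototype untouched
    cfgKeys: Object.keys(cfg).length,        // 0: the "__proto__" entry was dropped
    html: renderWidgetHardened({ text: '<b>hello</b>' }),
  };
}

// Even with the vulnerable merge, an own-property gadget read is not exploitable.
function gadgetOnlyDemo() {
  deepMergeVulnerable({}, JSON.parse(ATTACKER_JSON));
  const html = renderWidgetHardened({ text: 'hi' });
  delete Object.prototype.rawHtml;
  return html; // '<div>hi</div>'
}

console.log(exploitDemo());
console.log(hardenedDemo());
console.log(gadgetOnlyDemo());
```

Run it with `node`. The two fixes are independent: closing the source stops the pollution, closing the gadget makes existing pollution harmless. In real sites the source and the gadget usually live in different third-party scripts, which is why the measurement papers cited in item 3 treat finding the gadget reads (the `renderWidget`-style lookups) as a problem separate from finding the polluting merge.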
[^1]: Extending a hand to attackers: browser privilege escalation attacks via extensions, Security 2023
[^2]: Understanding and Mitigating Remote Code Execution Vulnerabilities in Cross-platform Ecosystem, CCS 2022
[^3]: Dancer in the Dark: Synthesizing and Evaluating Polyglots for Blind Cross-Site Scripting, Security 2024
[^4]: Spider-Scents: Grey-box Database-aware Web Scanning for Stored XSS, Security 2024
[^5]: Black Widow: Blackbox Data-driven Web Scanning, SP 2021
[^6]: Black Ostrich: Web Application Scanning with String Solvers, CCS 2023
[^7]: Argus: All your (PHP) Injection-sinks are belong to us, Security 2024
[^8]: Link: Black-Box Detection of Cross-Site Scripting Vulnerabilities Using Reinforcement Learning, WWW 2022
[^9]: Probe the Proto: Measuring Client-Side Prototype Pollution Vulnerabilities of One Million Real-world Websites, NDSS 2022
[^10]: Follow My Flow: Unveiling Client-Side Prototype Pollution Gadgets from One Million Real-World Websites, SP 2025
[^11]: ReScan: A Middleware Framework for Realistic and Robust Black-box Web Application Scanning, NDSS 2023
[^12]: EvoCrawl: Exploring Web Application Code and State using Evolutionary Search, NDSS 2025
[^13]: YuraScanner: Leveraging LLMs for Task-driven Web App Scanning, NDSS 2025
[^14]: Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials, SP 2024
[^15]: If It’s Not Secure, It Should Not Compile: Preventing DOM-Based XSS in Large-Scale Web Development with API Hardening, ICSE 2021
[^16]: Who’s Hosting the Block Party? Studying Third-Party Blockage of CSP and SRI, NDSS 2021