DexterJS: Auto-Patching DOM-based XSS At Scale

Home Publications Demo Resources FAQ
Our scanning service is now online! Our DOM-based XSS scanning service is now up and running. If you are interested, please visit this website to test out our system. A short video clip demonstrating our DexterJS platform is available here.


JavaScript has become a scripting language that goes beyond client-side web. However, presently, applications built with JavaScript are fraught with DOM-based XSS vulnerability, which is known to be highly pervasive and an elusive category of vulnerabilities for many commercial scanners to find. We develop a complete system called DexterJS for automatically synthesizing patches for DOM-based XSS vulnerabilities in JavaScript applications. DexterJS performs dynamic analysis to detect and repair DOM-based XSS bugs in real web applications. Our automatically-synthesized patches are directly deployed on the website via a hot-patching mechanism, offering a quick defense that requires no developer effort. Our patches are browser agnostic, require no browser or server-side code modifications, and do not require users to install any plug-ins or add-ons.

The study was done by Inian Parameshwaran, Enrico Budianto, Shweta Shinde, Hung Dang, Atul Sadhu, and Prateek Saxena. Their peer-reviewed reports will be presented at the ESEC/ACM SIGSOFT Symposium of the Foundations of Software Engineering (FSE) in August 2015 (Links).

  • Download our camera-ready version paper here
  • Try out our DexterJS scanning service here
June 30, 2015: We release a dataset consisting of web pages vulnerable to DOM-based XSS. Please see this page for details. Disclaimer: we have responsibly reported such vulnerabilities to the site's admin and hence the majority of reported websites are no longer vulnerable.
May 27, 2015: Our full research paper about DexterJS's auto-patching technique is accepted at FSE'15!

Research Contributions




Acknowledgements and Sponsors

This research is supported in part by the National Research Foundation, Prime Minister's Office, Singapore under its National Cybersecurity R&D Program (Award No. NRF2014NCR-NCR001-21) and administered by the National Cybersecurity R&D Directorate. This work is also supported in part by a university research grant from Intel.