Taintaru: DOM-based XSS Detection using Taint Tracking

Abstract

A DOM-based Cross-Site Scripting (DOM-XSS) attack is one of the most dangerous and common client-side security problems in today\'s web applications. DOM-based XSS attacks are a serious risk to single-page applications, particularly those using React, Vue.js, Angular, and Svelte. Current detection methods fall short in three key ways: they consume too many system resources, need direct access to application source code, and can\'t handle obfuscated attack payloads effectively. Even worse, they miss the unique rendering behaviors of different JavaScript frameworks. This paper reviews the existing solutions, approximately thirty publications spanning 2005 to 2025, and introduces a Chrome Manifest V3 browser extension that tackles the gaps in the existing solutions. The approach will use service worker-based taint tracking to catch DOM-XSS vulnerabilities without slowing down applications. The system will include a unified taint abstraction layer that works across multiple frameworks and employs machine learning to decode obfuscated payloads. Taking hints from React Fiber\'s reconciliation process, we\'ve framed a conceptual idea of a delta re-analysis mechanism that will track taint propagation from network requests all the way to DOM manipulation—without touching the application code itself.

Introduction

Cross-Site Scripting (XSS) remains one of the most common web security vulnerabilities, with DOM-based XSS (DOM-XSS) being the most difficult to detect because malicious code executes entirely within the browser. Unlike reflected or stored XSS, DOM-XSS exploits client-side JavaScript by transferring attacker-controlled input from sources such as location.hash or window.name to dangerous sinks like innerHTML, eval(), or document.write(). Since the attack occurs on the client side, it often bypasses server-side defenses and web application firewalls. Large-scale studies have demonstrated the prevalence of DOM-XSS, identifying thousands of vulnerabilities across popular websites.

Background

XSS attacks are categorized into three types:

1. Reflected XSS – Malicious scripts are injected through requests and reflected by the server in responses.
2. Stored XSS – Malicious scripts are permanently stored in databases or other backend systems and served to users.
3. DOM-Based XSS – Vulnerabilities arise from unsafe client-side manipulation of the Document Object Model (DOM), with no server involvement.

DOM-XSS is particularly challenging to detect because:

• Execution occurs entirely in the browser.
• The server may never see the malicious payload.
• Detection requires monitoring JavaScript execution and data flow.

Taint Tracking Concept

DOM-XSS detection commonly relies on taint tracking, which monitors how potentially malicious data moves through an application.

The process involves:

• Introduction: Marking attacker-controlled input as tainted.
• Propagation: Tracking tainted data through program operations.
• Checking: Detecting when tainted data reaches dangerous sinks.
• Sanitization: Removing taint after proper validation or encoding.

Common attack sources include:

• document.URL
• location.hash
• postMessage()
• localStorage

Common dangerous sinks include:

• eval()
• Function()
• innerHTML
• outerHTML
• document.write()
• setTimeout() and setInterval()

Detection Approaches

Several methods have been developed to identify XSS vulnerabilities:

• Static Analysis: Examines source code without execution; fast but prone to false positives.
• Dynamic Taint Analysis: Tracks data flow during execution; more accurate but incurs runtime overhead.
• Policy-Based Prevention: Enforces security policies at browser or compiler levels.
• Database-Layer Analysis: Detects context-dependent XSS vulnerabilities through database interactions.
• Machine Learning Approaches: Use classifiers to identify malicious patterns, often combined with taint tracking for better accuracy.

Key Research Contributions

Foundational Taint-Tracking Research

• TaintCheck (2005): Introduced dynamic taint analysis concepts that became the foundation for later browser-based XSS detection tools.
• Firefox Taint Tracking: Demonstrated browser-level taint tracking and identified potentially dangerous information flows across millions of webpages.
• Large-Scale DOM-XSS Study: Found over 6,000 DOM-XSS vulnerabilities across 9.6% of the top 5,000 websites, proving the scalability of taint-based detection.

Dynamic Taint Tracking Systems

• TT-XSS: One of the first DOM-XSS detection frameworks using taint tracking, sources, sinks, and exploit verification.
• DOMsday: Used a modified Chromium browser to analyze millions of data flows and discovered thousands of confirmed vulnerabilities, detecting far more issues than static tools.
• Targeted Exploit Generation: Improved vulnerability validation rates by modifying only tainted portions of inputs.
• PanoptiChrome: Extended taint analysis across 675 browser APIs, reducing false positives while identifying previously unknown vulnerabilities.
• Augur: Enhanced taint tracking for asynchronous JavaScript operations such as Promises and async/await functions with lower performance overhead.

Static and Hybrid Analysis Systems

• Splendor: Focused on stored XSS detection in PHP applications and discovered multiple previously unknown vulnerabilities.
• Fluffy: Combined static taint analysis with machine learning, achieving high accuracy and identifying numerous known security vulnerabilities missed by traditional tools.

Conclusion

In addition, this review has sought to synthesize over thirty publications, from binary-level dynamic taint analysis to neural and machine learning-based approaches, in order to achieve a comparative evaluation of fifteen tools against the proposed Taintaru system. The major conclusion drawn is that none of the paradigms is individually effective; dynamic engine-level tracking is high-recall, high-overhead, policy-based approaches are low-cost but need universal acceptance; static approaches are scalable but circumvented by dynamic JavaScript; and the gray box database-based approach is effective against stored and context-dependent XSS. The combination of ML and taint is the best current balance for operation. Seven major gaps in the current state of the art are identified in terms of performance, framework coverage, adversarial tolerance, asynchronous propagation, integration of stored XSS, standardization of benchmarks, and context sensitivity. The proposed Taintaru system addresses some of these gaps through framework-aware instrumentation of browser extensions, and empirical evaluation is the first priority.

References

[1] J. Newsome and D. Song, \"Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software,\" in Proc. 12th Annu. Network and Distributed System Security Symp. (NDSS), San Diego, CA, USA, Feb. 2005. [2] P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna, \"Cross site scripting prevention with dynamic data tainting and static analysis,\" in Proc. 14th Annu. Network and Distributed System Security Symp. (NDSS), San Diego, CA, USA, Feb. 2007. [3] N. Jovanovic, C. Kruegel, and E. Kirda, \"Pixy: A static analysis tool for detecting web application vulnerabilities,\" in Proc. IEEE Symp. Security and Privacy (S&P), Oakland, CA, USA, May 2006. [4] P. Saxena, S. Hanna, P. Poosankam, and D. Song, \"FLAX: Systematic discovery of client-side validation vulnerabilities in rich web applications,\" in Proc. 17th Annu. Network and Distributed System Security Symp. (NDSS), San Diego, CA, USA, Mar. 2010. [5] S. Lekies, B. Stock, and M. Johns, \"25 million flows later: Large-scale detection of DOM-based XSS,\" in Proc. ACM SIGSAC Conf. Computer and Communications Security (CCS), Berlin, Germany, Nov. 2013, pp. 1193–1204. [6] I. Parameshwaran et al., \"DexterJS: Robust testing platform for DOM-based XSS vulnerabilities,\" in Proc. 10th Joint Meeting on Foundations of Software Engineering (FSE), Bergamo, Italy, Sep. 2015. [7] R. Wang, G. Xu, X. Zeng, X. Li, and Z. Feng, \"TT-XSS: A novel taint tracking based dynamic detection framework for DOM cross-site scripting,\" J. Parallel Distrib. Comput., 2017, doi: 10.1016/j.jpdc.2017.07.006. [8] J. Weinberger, P. Saxena et al., \"A systematic analysis of XSS sanitization in web application frameworks,\" in Proc. 16th European Symp. Research in Computer Security (ESORICS), Leuven, Belgium, Sep. 2011, pp. 150–171, doi: 10.1007/978-3-642-23822-2_9. [9] W. Melicher, A. Das, M. Sharif, L. Bauer, and L. Jia, \"Riding out DOMsday: Toward detecting and preventing DOM cross-site scripting,\" in Proc. 25th Annu. Network and Distributed System Security Symp. (NDSS), San Diego, CA, USA, Feb. 2018. [10] J. Iqbal, R. Kaur, and N. Stakhanova, \"PoliDOM: Mitigation of DOM-XSS by detection and prevention of unauthorized DOM tampering,\" in Proc. 14th Int. Conf. Availability, Reliability and Security (ARES), Canterbury, UK, Aug. 2019. [11] P. Wang, J. Bangert, and C. Kern, \"If it\'s not secure, it should not compile: Preventing DOM-based XSS in large-scale web development with API hardening,\" in Proc. IEEE Symp. Security and Privacy (S&P), San Francisco, CA, USA, May 2020. [12] J. C. Pazos, J.-S. Légaré, I. Beschastnikh, and W. Aiello, \"Precise XSS detection and mitigation with client-side templates (XSnare),\" in Proc. 9th ACM Conf. Data and Application Security and Privacy (CODASPY), Dallas, TX, USA, Mar. 2019. [13] S. Bensalim, D. Klein, T. Barber, and M. Johns, \"Talking about my generation: Targeted DOM-based XSS exploit generation using dynamic data flow analysis,\" in Proc. 14th European Workshop on Systems Security (EuroSec), Online, Apr. 2021. [14] W. Melicher, C. Fung, L. Bauer, and L. Jia, \"Towards a lightweight, hybrid approach for detecting DOM XSS vulnerabilities with machine learning,\" in Proc. Web Conf. (WWW), Ljubljana, Slovenia, Apr. 2021. [15] M. W. Aldrich, A. Turcotte, M. Blanco, and F. Tip, \"Augur: Dynamic taint analysis for asynchronous JavaScript,\" in Proc. 37th IEEE/ACM Int. Conf. Automated Software Engineering (ASE), Michigan, USA, Oct. 2022. [16] Y. W. Chow, M. Schäfer, and M. Pradel, \"Beware of the unexpected: Bimodal taint analysis,\" in Proc. 32nd ACM SIGSOFT Int. Symp. Software Testing and Analysis (ISSTA), Seattle, WA, USA, Jul. 2023. [17] H. Su, F. Li, L. Xu et al., \"Splendor: Static detection of stored XSS in modern web applications,\" in Proc. 32nd ACM SIGSOFT Int. Symp. Software Testing and Analysis (ISSTA), Seattle, WA, USA, Jul. 2023. [18] R. Kanyal and S. R. Sarangi, \"PanoptiChrome: A modern in-browser taint analysis framework,\" in Proc. ACM Web Conf. (WWW), Singapore, May 2024. [19] S. Park, J. Kim, S. Keum, H. Lee, and S. Son, \"TrustyMon: Practical detection of DOM-based XSS attacks using trusted types,\" in Proc. ACM Asia Conf. Computer and Communications Security (ASIA CCS), Taipei, Taiwan, Apr. 2025. [20] S. D. B. Effendi, X. Pinho, A. M. Dreyer, and F. Yamaguchi, \"Scalable language agnostic taint tracking using explicit data dependencies,\" in Proc. 14th ACM SIGPLAN Int. Workshop on the State Of the Art in Program Analysis (SOAP), 2025. [21] D. She, Y. Chen, A. Shah, B. Ray, and S. Jana, \"NEUTAINT: Efficient dynamic taint analysis with neural networks,\" in Proc. IEEE Symp. Security and Privacy (S&P), San Francisco, CA, USA, May 2020. [22] Q. Sang, Y. Wang, Y. Liu, X. Jia, T. Bao, and P. Su, \"AirTaint: Making dynamic taint analysis faster and easier,\" in Proc. IEEE Symp. Security and Privacy (S&P), San Francisco, CA, USA, May 2024. [23] K. Hough and J. Bell, \"A practical approach for dynamic taint tracking with control-flow relationships,\" ACM Trans. Softw. Eng. Methodol. (TOSEM), vol. 31, no. 2, 2021. [24] J. Kreindl, D. Bonetta, and H. Mössenböck, \"Towards efficient, multi-language dynamic taint analysis,\" in Proc. 16th ACM SIGPLAN Int. Conf. Managed Programming Languages and Runtimes (MPLR), Athens, Greece, Oct. 2019. [25] K. Hough and J. Bell, \"Dynamic taint tracking for modern Java virtual machines,\" Proc. ACM Softw. Eng., vol. 2, 2025. [26] A. Steinhauser and P. T?ma, \"Database traffic interception for graybox detection of stored and context-sensitive XSS,\" Charles University, Prague, Tech. Rep, 2020. [27] D. T. Noß, L. Knittel, C. Mainka, M. Niemietz, and J. Schwenk, \"Finding all cross-site needles in the DOM stack: A comprehensive methodology for the automatic XSS detection in complex web applications,\" in Proc. ACM SIGSAC Conf. Computer and Communications Security (CCS), Copenhagen, Denmark, Nov. 2023. [28] J. Kaur, U. Garg, and G. Bathla, \"Detection of cross-site scripting (XSS) attacks using machine learning techniques: A review,\" Artif. Intell. Rev., 2023, doi: 10.1007/s10462-023-10433-3. [29] I. K. Thajeel et al., \"Machine and deep learning-based XSS detection approaches: A systematic literature review,\" J. King Saud Univ. – Comput. Inf. Sci., 2023, doi: 10.1016/j.jksuci.2023.101628. [30] Z. Liu et al., \"MFXSS: An effective XSS vulnerability detection method based on multi-features of JavaScript programs,\" Comput. Secur., 2023, doi: 10.1016/j.cose.2022.102890. [31] M. Al-Kasassbeh et al., \"An efficient artificial intelligence approach for early detection of cross-site scripting attacks,\" Results Eng., 2024, doi: 10.1016/j.rineng.2024.102134. [32] A. R. Ibrahimzada et al., \"Leveraging large language models to strengthen machine learning-based cross-site scripting detection,\" arXiv:2504.21045, Apr. 2025. [33] P. M. D. Nagarjun and S. S. Ahamad, \"Ensemble methods to detect XSS attacks,\" Int. J. Adv. Comput. Sci. Appl. (IJACSA), vol. 11, no. 5, 2020. [34] G. Harshavardhan et al., \"XSS attack detection using machine learning algorithms,\" Int. J. Sci. Res. Eng. Manage. (IJSREM), vol. 7, no. 12, Dec. 2023, doi: 10.55041/IJSREM27487. [35] OWASP Foundation, \"OWASP Top 10 Web Application Security Risks,\" 2021. [Online]. Available: https://owasp.org/Top10/

Copyright

Copyright © 2026 Shriya Bhatia, Pooja Tupe. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.