Unmasking Web Vulnerabilities: Philip Okhonko on Combatting XSS and CSP Vulnerabilities

0 6 8 minutes read

unmasking-web-vulnerabilities:-philip-okhonko-on-combatting-xss-and-csp-vulnerabilities

An inside look at CSPStealer and why browser security is essential for protecting businesses and users alike

The number of attacks on web applications is increasing every year. According to a report by Akamai Technologies, the number of attacks will increase by 112% in 2023. Attackers are constantly looking for vulnerabilities to bypass defenses and harm corporate systems and users. Therefore, as threats increase, so does the demand for advanced defense methods. Such as the development of Philip Ochonko, a leading IT specialist at a key organization in the U.S. financial industry. He created CSPStealer, a tool that can detect dangerous blind XSS vulnerabilities that are invisible to most traditional defenses, even under strict Content Security Policy (CSP) conditions. This is especially important when it comes to online financial transactions. Hear from an expert on how machine learning can help secure transactions and how cyberattacks will be protected in the near future.

Philipp, you are involved in vulnerability research and data protection in browsers. Why does browser security today play a key role in protecting both companies and private users?

Browser security is crucial today because browsers serve as the gateway between users and the internet. Whether it’s individuals or large corporations, nearly all sensitive activities—like online banking, communication, and data exchange—are conducted through browsers. This makes them an attractive target for cybercriminals.

For companies, a security breach in a browser can lead to massive data leaks, financial loss, and damage to their reputation. For individual users, it can result in identity theft, financial fraud, or even having their devices compromised. The complexity and widespread use of modern browsers create many entry points for attacks, including vulnerabilities like use-after-free, heap overflow, and other high-risk vulnerabilities. These issues can be exploited by attackers to compromise both individual devices and entire corporate networks.

As a researcher, my focus is on identifying and mitigating these risks to protect users at every level. By finding and reporting vulnerabilities, particularly high-risk ones, we can ensure that companies like Mozilla, for example, are able to patch these issues before they can be exploited on a large scale. In a world that is becoming increasingly dependent on the web for both personal and professional activities, ensuring browser security has become one of the cornerstones of modern cybersecurity.

You were inducted into Mozilla’s Hall of Fame for discovering a high-risk vulnerability in the Firefox browser. Can you tell us more about this process?

Being included in Mozilla’s Hall of Fame for discovering a high-risk vulnerability in Firefox was a significant milestone in my career. The process itself was both challenging and rewarding. It started with deep analysis of the browser’s architecture, looking for potential weak points that could be exploited by attackers. Specifically, I was focused on how certain inputs could lead to unintended behavior in the browser without requiring user interaction—something that can be highly dangerous.

In this case, the vulnerability I discovered had the potential to allow a hacker to compromise a user’s system simply by getting them to visit a malicious link. What made it particularly dangerous was the fact that no additional actions were needed from the user—just visiting the link would trigger the exploit. This kind of attack vector is especially alarming because it bypasses traditional security measures that rely on user awareness or interaction.

Once I identified the vulnerability, I documented it thoroughly and reported it to Mozilla through their Bug Bounty program. The security team at Mozilla responded quickly, confirming the issue and working on a patch to address it before it could be exploited in the wild.

The inclusion in Mozilla’s Hall of Fame is not only an honor but also a testament to the importance of community-driven efforts in making widely-used software like Firefox more secure. It demonstrates how crucial it is to have researchers constantly probing for weaknesses, as even well-maintained systems can have vulnerabilities that go unnoticed. My role in this process was to ensure that users around the world remain safe while using one of the most popular browsers.

Which browser vulnerabilities are most often exploited by attackers to attack companies and individuals?

The most commonly exploited vulnerabilities in browsers include cross-site scripting (XSS), cross-site request forgery (CSRF), and insecure browser extensions. XSS allows attackers to inject malicious scripts into web pages, which can steal sensitive data like login credentials or session tokens. CSRF tricks users into executing unauthorized actions, such as transferring funds or changing account details, without their knowledge. Additionally, vulnerabilities in browser extensions are often used to compromise systems, as they can provide attackers with a backdoor to access sensitive information or run malicious code. Keeping browsers and extensions updated, alongside implementing security best practices, is key to defending against these types of attacks

Do you think machine learning can play a key role in protecting online transactions, especially in the financial sector? What prospects do you see for the use of this technology in cybersecurity?

There is no doubt that machine learning can play a key role in protecting online transactions, especially in the financial sector. One of its advantages is its ability to detect anomalies in real-time – for example, suspicious transaction patterns or user behavior that may indicate fraud. Unlike traditional methods based on static rules, machine learning algorithms can adapt and learn from new threats, which is especially important in a rapidly changing cyber threat landscape.

Financial services companies are already actively using such technologies to prevent fraudulent transactions and data theft. For example, machine learning models can analyze multidimensional data including geolocation, transaction time, and device and user behavior to block suspicious activity in time. This is especially important for preventing attacks using compromised credentials or phishing.

However, machine learning does not solve all problems. Algorithms are susceptible to attacks, such as data poisoning, when attackers modify training data. Therefore, it is important to use machine learning in conjunction with other security measures such as multi-factor authentication and data encryption.

Your research related to the Content Security Policy (CSP) bypass was presented at the VolgaCTF international conference. What was the essence of this research and how does it help to detect vulnerabilities?

My research on bypassing Content Security Policy (CSP), which I presented at the VolgaCTF conference, focused on exposing a method that attackers can use to bypass one of the web’s key security mechanisms. CSP is designed to prevent the execution of malicious scripts on websites by controlling which sources are allowed to load content. However, my research identified a specific vulnerability where this protection could be circumvented.

I developed a tool called CSPStealer, which leverages this bypass technique to detect Blind Stored XSS vulnerabilities—ones that traditional security scanners often miss. The tool exploits a flaw in how browsers handle redirects and interactions with external hosts allowed by the CSP. This bypass allows an attacker to execute scripts that are normally blocked by the policy, leading to data theft or manipulation.

This research is valuable because it provides both offensive and defensive cybersecurity teams with a way to identify vulnerabilities that could otherwise go undetected. Penetration testers can use it to simulate real-world attacks, while security teams can apply it to better protect their systems by adjusting their CSP configurations. The technique demonstrates that even well-established security policies like CSP can have gaps, and my work helps fill those gaps by offering a deeper understanding of how to strengthen web application security.

Your research into a vulnerability in the Plesk control panel, which is used by major hosting providers around the world, has also generated a lot of interest. Can you tell us about this vulnerability and how it may have compromised millions of websites?

The vulnerability I discovered in the Plesk control panel was severe because of the widespread use of Plesk by major hosting providers globally, including companies like GoDaddy. The core issue was a local privilege escalation vulnerability that allowed an attacker to elevate their access on a shared hosting server. In simpler terms, this meant that by exploiting the flaw, an attacker with limited permissions could gain full control over the entire server.

The attack was executed through a technique involving a rogue MySQL server. By exploiting the way Plesk handled database connections, I was able to read sensitive files and escalate privileges. This opened the door for attackers to access all websites hosted on the same server, regardless of the security measures in place for individual sites. In essence, even if a specific website was secure, this vulnerability would still allow an attacker to compromise it because they could take control of the entire server.

The potential scale of the impact was enormous, as millions of websites are hosted on shared servers managed via Plesk. A successful attack could lead to data breaches, site defacement, or even full shutdowns of critical websites. After identifying this issue, I reported it to Plesk, and they quickly released patches to address the vulnerability. My research underscored how a single vulnerability in a widely-used platform can have far-reaching consequences, affecting both small businesses and large enterprises alike.

What are the main challenges you face in finding and fixing software vulnerabilities, and what technologies or processes help you do so?

One of the main challenges in finding and fixing vulnerabilities is the ever-increasing complexity of modern software systems. Applications today are built on multiple layers of technology—different programming languages, frameworks, third-party libraries, and cloud environments. Each of these layers can introduce its own set of potential vulnerabilities, making the task of securing an application much more difficult.

Another challenge is keeping up with the evolving tactics of attackers. Cyber threats are constantly changing, and attackers often find creative ways to exploit even minor flaws. This means that security researchers must stay ahead by continuously learning and adapting their methods.

To overcome these challenges, I rely on a combination of automated tools and manual testing. For example, static application security testing (SAST) and dynamic application security testing (DAST) tools help identify common vulnerabilities early in the development process. Additionally, I use tools like Burp Suite, OWASP ZAP, and custom scripts for more targeted testing, such as finding business logic flaws or bypassing security mechanisms like CSP, as I demonstrated with my CSPStealer tool.

At the process level, integrating security into the software development lifecycle (SDLC) is essential. Implementing secure coding standards, performing regular code reviews, and conducting thorough penetration testing before release all play a significant role in preventing vulnerabilities. Additionally, having a strong CI/CD pipeline with security tools integrated allows teams to catch issues early and fix them before they reach production.

Ultimately, it’s a combination of the right technologies, a proactive approach to learning, and close collaboration with development teams that helps me successfully identify and mitigate security vulnerabilities in software.

You are also actively involved in bug bounty programs. How has participation in these programs influenced your career and what results have you achieved thanks to them?

These programs offer a unique opportunity to work with real-world systems and identify vulnerabilities that could affect millions of users. Through my involvement, I’ve developed a deeper understanding of security beyond theoretical knowledge and gained practical experience in finding and exploiting complex vulnerabilities.

Bug bounty programs have also helped me stay sharp and up-to-date with the latest attack techniques. By participating in these programs, I’ve learned to think like an attacker and anticipate how vulnerabilities might be exploited. This mindset is invaluable in my day-to-day work as a security engineer, where I apply the same skills to secure enterprise systems.

In terms of results, aside from recognition, I’ve been able to contribute to improving the security of numerous platforms by identifying critical vulnerabilities. These efforts have led to real-world fixes that protect both individual users and large organizations. Financial rewards are part of the process, but the main benefit for me has been the experience and exposure gained through tackling challenging security issues in bug bounty programs.