Daniel Bates
ABSTRACT
Cross-site scripting flaws have now surpassed buffer overflows as the world's most common publicly-reported security vulnerability. In recent years, browser vendors and researchers have tried to develop client-side filters to mitigate these attacks. We analyze the best existing filters and find them to be either unacceptably slow or easily circumvented. Worse, some of these filters could introduce vulnerabilities into sites that were previously bug-free. We propose a new filter design that achieves both high performance and high precision by blocking scripts after HTML parsing but before execution. Compared to previous approaches, our approach is faster, protects against more vulnerabilities, and is harder for attackers to abuse. We have contributed an implementation of our filter design to the WebKit open source rendering engine, and the filter is now enabled by default in the Google Chrome browser.
- Tim Berners-Lee and Dan Connolly. Hypertext Markup Language - 2.0. IETF RFC 1866, November 1995. Google Scholar
Digital Library
- Steve Christey and Robert A. Martin. Vulnerability type distributions in cve, 2007. http://cwe.mitre.org/documents/vuln-trends/.Google Scholar
- Douglas Crockford. ADsafe.Google Scholar
- Facebook. Fbjs. http: //wiki.developers.facebook.com/index.php/FBJS.Google Scholar
- David Flanagan. JavaScript: The Definitive Guide, chapter 20.4 The Data-Tainting Security Model. O'Reilly & Associates, Inc., second edition, January 1997.Google Scholar
- Google. Caja: A source-to-source translator for securing JavaScript-based web content. http://code.google.com/p/google-caja/.Google Scholar
- Google. V8 benchmark suite. http://v8.googlecode. com/svn/data/benchmarks/v5/run.html.Google Scholar
- Robert Hansen. XSS (cross site scripting) cheat sheet. http://ha.ckers.org/xss.html.Google Scholar
- Apple Inc. Sunspider. http://www2.webkit.org/perf/sunspider-0.9/sunspider.html.Google Scholar
- Inferno. Exploiting IE8 UTF-7 XSS vulnerability using local redirection, May 2009. http://securethoughts.com/2009/05/ exploiting-ie8-utf-7-xss-vulnerability-using-local-redirection/.Google Scholar
- Engin Kirda, Christopher Kruegel, Giovanni Vigna, and Nenad Jovanovic. Noxes: A client-side solution for mitigating cross site scripting attacks. In Proceedings of the 21st ACM Symposium on Applied Computing (SAC), 2006. Google ScholarDigital Library
- Eric Lawrence. IE8 security part VII: Clickjacking defenses. http://blogs.msdn.com/ie/archive/2009/01/27/ ie8-security-part-vii-clickjacking-defenses. aspx.Google Scholar
- David Lindsay et al. Chrome gets XSS filters, September 2009. http://sla.ckers.org/forum/read.php?13,31377.Google Scholar
- Giorgio Maone. NoScript. http://www.noscript.net.Google Scholar
- Larry Masinter. The "data" URL scheme. IETF RFC 2397, August 1998. Google ScholarDigital Library
- Microsoft. About dynamic properties. http://msdn.microsoft.com/en-us/library/ms537634(VS.85).aspx.Google Scholar
- Mitre. CVE-2009-4074.Google Scholar
- Eduardo Vela Nava and David Lindsay. Our favorite XSS filters/IDS and how to attack them, 2009. Black Hat USA presentation.Google Scholar
- Jeremias Reith. Internals of noXSS, October 2008. http://www.noxss.org/wiki/Internals.Google Scholar
- David Ross. IE 8 XSS filter architecture/implementation, August 2008. http: //blogs.technet.com/srd/archive/2008/08/18/ ie-8-xss-filter-architecture-implementation. aspx.Google Scholar
- Steve. Preventing frame busting and click jacking, Februrary 2009. http://coderrr.wordpress.com/2009/02/13/ preventing-frame-busting-and-click-jacking-ui-redressing/.Google Scholar
- Andrew van der Stock, Jeff Williams, and Dave Wichers. OWASP top 10, 2007. http://www.owasp.org/index.php/Top_10_2007.Google Scholar
- Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. In Proceedings of the Network and Distributed System Security Symposium (NDSS), 2007.Google Scholar
- Michal Zalewski. Browser Security Handbook, volume 2.Google Scholar
- http://code.google.com/p/browsersec/wiki/ Part2#Arbitrary_page_mashups_(UI_redressing).Google Scholar
Index Terms
- Regular expressions considered harmful in client-side XSS filters
Recommendations
A Survey on XSS Attack Detection and Prevention in Web Applications
ICMLC '20: Proceedings of the 2020 12th International Conference on Machine Learning and ComputingWith the popularity of web technology, web applications become more increasingly vulnerable and are exposed to malicious attacks. Cross Site Scripting(XSS) is a typical attack in web applications. When a vulnerability is exploited, an attacker may ...
XSnare: application-specific client-side cross-site scripting protection
AbstractWe present XSnare, a client-side Cross-Site Scripting (XSS) solution implemented as a Firefox extension. The client-side design of XSnare can protect users before application developers release patches and before server operators apply them. ...
SecuBat: a web vulnerability scanner
WWW '06: Proceedings of the 15th international conference on World Wide WebAs the popularity of the web increases and web applications become tools of everyday use, the role of web security has been gaining importance as well. The last years have shown a significant increase in the number of web-based attacks. For example, ...
Comments