
Client-side cross-site scripting protection

Published: 01 October 2009 Publication History

Abstract

Web applications are becoming the dominant way to provide access to online services. At the same time, web application vulnerabilities are being discovered and disclosed at an alarming rate. Web applications often make use of JavaScript code that is embedded into web pages to support dynamic client-side behavior. This script code is executed in the context of the user's web browser. To protect the user's environment from malicious JavaScript code, browsers use a sand-boxing mechanism that limits a script to access only resources associated with its origin site. Unfortunately, these security mechanisms fail if a user can be lured into downloading malicious JavaScript code from an intermediate, trusted site. In this case, the malicious script is granted full access to all resources (e.g., authentication tokens and cookies) that belong to the trusted site. Such attacks are called cross-site scripting (XSS) attacks. In general, XSS attacks are easy to execute, but difficult to detect and prevent. One reason is the high flexibility of HTML encoding schemes, offering the attacker many possibilities for circumventing server-side input filters that should prevent malicious scripts from being injected into trusted sites. Also, devising a client-side solution is not easy because of the difficulty of identifying JavaScript code as being malicious. This paper presents Noxes, which is, to the best of our knowledge, the first client-side solution to mitigate cross-site scripting attacks. Noxes acts as a web proxy and uses both manual and automatically generated rules to mitigate possible cross-site scripting attempts. Noxes effectively protects against information leakage from the user's environment while requiring minimal user interaction and customization effort.
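The abstract describes Noxes as a client-side web proxy that applies manual rules and automatically generated rules to decide whether a request leaving the browser may be an XSS-driven leak. The following Python sketch is an added illustration of that idea and is not Noxes's own code; the specific policy it encodes (requests to the page's own origin pass, manual rules are consulted first, hosts that appear as static links in the page being viewed are auto-permitted, and any other cross-origin request is denied as a possible information leak) is an assumption chosen to make the mechanism concrete, as are all hostnames and the sample HTML, which are constructed for the example.

```python
"""Added illustration of a Noxes-style client-side XSS proxy filter.

This is NOT the Noxes implementation.  It models the idea from the abstract:
a web proxy sitting between browser and network decides, per outgoing request,
whether a script running in the current page may contact some host, using
(a) manual rules and (b) rules generated automatically from the page itself.
The concrete policy (static links in the page are auto-allowed, everything
else cross-origin is denied) is an assumption made for this example.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


@dataclass
class Rule:
    host: str
    allow: bool
    source: str  # "manual" (user-configured) or "auto" (derived from the page)


class LinkExtractor(HTMLParser):
    """Collects absolute URLs referenced statically by the page markup."""

    def __init__(self, base_url: str) -> None:
        super().__init__()
        self.base_url = base_url
        self.links: set[str] = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.add(urljoin(self.base_url, value))


def host_of(url: str) -> str:
    return urlparse(url).hostname or ""


def auto_rules(page_url: str, html: str) -> list[Rule]:
    """Allow-rules for every foreign host the page links to statically.

    The reasoning (an assumption of this example): a host the trusted site
    itself references in its markup is one the site intended to talk to,
    whereas a request fabricated at run time by injected script is not.
    """
    extractor = LinkExtractor(page_url)
    extractor.feed(html)
    page_host = host_of(page_url)
    return [
        Rule(host_of(u), True, "auto")
        for u in extractor.links
        if host_of(u) and host_of(u) != page_host
    ]


class ProxyPolicy:
    def __init__(self, manual_rules=()) -> None:
        self.manual = list(manual_rules)

    def decide(self, page_url: str, html: str, request_url: str):
        """Return (allowed, reason) for a request issued from page_url."""
        page_host = host_of(page_url)
        target = host_of(request_url)
        if target == page_host:
            return True, "same-origin"
        # Manual rules win over auto-generated ones, so a user can deny a host
        # even if the page links to it.
        for r in self.manual:
            if r.host == target:
                return r.allow, f"manual {'allow' if r.allow else 'deny'}"
        for r in auto_rules(page_url, html):
            if r.host == target:
                return True, "static link in page"
        # A real tool might prompt the user here; this sketch simply denies.
        return False, "cross-origin request not linked from page (possible leak)"


# Constructed sample data (not from the paper).
PAGE_URL = "https://trusted.example/account"
PAGE_HTML = (
    '<html><body>'
    '<script src="https://cdn.example/lib.js"></script>'
    '<img src="https://tracker.example/px.gif">'
    '<a href="/help">help</a>'
    '</body></html>'
)


def demo() -> dict:
    """Run the policy over four representative requests and return the verdicts."""
    policy = ProxyPolicy([Rule("tracker.example", False, "manual")])
    requests = {
        "same_origin": "https://trusted.example/api/profile",
        "static_cdn": "https://cdn.example/lib.js",
        "manually_denied": "https://tracker.example/px.gif",
        "unlisted_host": "https://unlisted.example/log?s=abc",
    }
    return {k: policy.decide(PAGE_URL, PAGE_HTML, v) for k, v in requests.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:16} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The decision is made per host only; a production proxy would also need to reason about request bodies and query strings, since a leak can be encoded in either, and about how much to ask of the user when no rule matches.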



Published In

Computers and Security, Volume 28, Issue 7, October 2009, 240 pages

Publisher

Elsevier Advanced Technology Publications, United Kingdom

Author Tags

1. Client-side defense
2. Client-side protection
3. Cross-site scripting (XSS)
4. Firewall
5. Intrusion detection
6. Proxy
7. Web security


Cited By

• (2024) Twenty-two years since revealing cross-site scripting attacks. Computer Science Review, 52:C. doi:10.1016/j.cosrev.2024.100634. Online publication date: 18-Jul-2024.
• (2023) XSnare: application-specific client-side cross-site scripting protection. Empirical Software Engineering, 28:5. doi:10.1007/s10664-023-10323-w. Online publication date: 17-Aug-2023.
• (2019) A Literature Survey on Risk Assessment for Unix Operating System. International Journal of Advanced Pervasive and Ubiquitous Computing, 11:3, pp. 13-32. doi:10.4018/IJAPUC.2019070102. Online publication date: 1-Jul-2019.
• (2017) Framework to Secure Browser Using Configuration Analysis. International Journal of Information Security and Privacy, 11:2, pp. 49-63. doi:10.4018/IJISP.2017040105. Online publication date: 1-Apr-2017.
• (2016) Neutralizing Cross-Site Scripting Attacks Using Open Source Technologies. Proceedings of the Second International Conference on Information and Communication Technology for Competitive Strategies, pp. 1-6. doi:10.1145/2905055.2905230. Online publication date: 4-Mar-2016.
• (2016) Measurement of IP and network tracking behaviour of malicious websites. Proceedings of the Australasian Computer Science Week Multiconference, pp. 1-8. doi:10.1145/2843043.2843358. Online publication date: 1-Feb-2016.
• (2016) Securing web applications from injection and logic vulnerabilities. Information and Software Technology, 74:C, pp. 160-180. doi:10.1016/j.infsof.2016.02.005. Online publication date: 1-Jun-2016.
• (2013) A measurement study of insecure javascript practices on the web. ACM Transactions on the Web, 7:2, pp. 1-39. doi:10.1145/2460383.2460386. Online publication date: 29-May-2013.
• (2012) Developing secure web applications. International Journal of Internet Technology and Secured Transactions, 4:2/3, pp. 221-236. doi:10.1504/IJITST.2012.047969. Online publication date: 1-Jul-2012.
