Xilara: An XSS filter based on HTML template restoration

Abstract

Cross Site Scripting (XSS) is one of the most fearful attacks against web applications because of its potential damage to users. XSS filter is one of existing mitigation technologies against XSS by monitoring communication between servers and clients to find attack codes in HTTP requests. However, some complicated attacks can bypass such XSS filters, e.g., attack codes are encoded with base64 or others, and attacks may not include attack codes in HTTP requests, such as Stored XSS. This paper proposes a new XSS filter, Xilara, to detect XSS attacks including such complicated ones by a new approach: monitoring HTML document structures in HTTP responses instead of the requests. A key idea is that normal responses have very similar HTML document structures because they are usually generated by the same program (HTML template) and some parameters (untrusted data), but once an XSS attack succeeds, the structure of an HTML document changes due to the attack codes in the untrusted data. As a preparation, Xilara collects normal HTTP responses, and restores HTML templates. To detect XSS attacks, Xilara regards the response is harmful if an HTML document in the response is not an instance of the restored template. Our evaluation using XSS vulnerabilities reported in the real world shows that Xilara can detect XSS attacks whose attack codes are difficult to be detected by existing XSS filters, as well as performance comparison between Xilara and existing XSS filters.