SIACHEN: A fine-grained policy language for the mitigation of cross-site scripting attacks


Abstract

Cross-Site Scripting (XSS) attacks rank third in the OWASP Top 10 2013 list [1], and according to a recent report by WhiteHat, 53% of web applications are vulnerable to XSS [2]. In this paper, we propose SIACHEN, a fine-grained, white-list-based, browser-enforced security policy language for the mitigation of XSS attacks. SIACHEN's syntax is similar to Cascading Style Sheets (CSS) and its semantics are based on Content Security Policy (CSP) directives. CSP is a coarse-grained policy language that gives web site administrators page-level control; our policy language instead operates per id or per class of a web page's HTML elements. SIACHEN also supports input validation and output encoding, which CSP lacks. At the same time, SIACHEN leverages ECMAScript's object-freezing feature from the earlier work by Heiderich et al. [3]. SIACHEN glues together a number of disparate technologies into a single framework. We implemented our proposal as a client-side JavaScript library. Web site administrators deliver the SIACHEN policy to the browser via a new header named "X-Siachen-Policy". To show the applicability of our solution, we added support for the SIACHEN policy language to three open source web applications (PHPBB, PHPList and Damn Vulnerable Web App). Our evaluation shows that web applications incur reasonably low overhead and that developers need comparatively little effort to adopt the language. We tested our prototype against a large number of state-of-the-art, obfuscated and unobfuscated XSS attack vectors and found no bypass. To assist web site administrators, we present SIACHEN AiDer, an online service for the automated recommendation of policies. Further, this paper also presents the results of a short survey of fifty popular desktop web applications and their mobile versions (100 in total). We found an XSS in all surveyed sites, but the main purpose of the survey is to find suitable venues for our prototype.

Citation (APA)

Javed, A., Riemer, J., & Schwenk, J. (2014). SIACHEN: A fine-grained policy language for the mitigation of cross-site scripting attacks. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 8783, 515–528. https://doi.org/10.1007/978-3-319-13257-0_33
