Document structure integrity: A robust basis for cross-site scripting defense

  • Yacin Nadji
  • Prateek Saxena
  • Dawn Song

Abstract

Cross-site scripting (or XSS) has been the most dominant class of web vulnerabilities in 2007. The main underlying reason for XSS vulnerabilities is that web markup and client-side languages do not provide principled mechanisms to ensure secure, ground-up isolation of user-generated data in web application code. In this paper, we develop a new approach that combines randomization of web application code and runtime tracking of untrusted data both on the server and the browser to combat XSS attacks. Our technique ensures a fundamental integrity property that prevents untrusted data from altering the structure of trusted code throughout the execution lifetime of the web application. We call this property document structure integrity (or DSI). Similar to prepared statements in SQL, DSI enforcement ensures automatic syntactic isolation of inline user-generated data at the parser level. This forms the basis for confinement of untrusted data in the web browser based on a server-specified policy. We propose a client-server architecture that enforces document structure integrity in a way that can be implemented in current browsers with a minimal impact to compatibility and that requires minimal effort from the web developer. We implemented a proof-of-concept and demonstrated that such DSI enforcement with a simple default policy is sufficient to defeat over 98% of 5,328 real-world reflected XSS vulnerabilities documented in 2007, with very low performance overhead both on the client and server.
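The abstract's central idea is the "prepared statement for markup" analogy: untrusted data is bound to the trusted template separately and the parser is told where that data begins and ends, so it can never be read as tags or script. The following Python is an added, constructed illustration of that principle and is not the paper's implementation (the paper's real mechanism, its delimiters, and its browser-side tracking are not reproduced here). It assumes a toy template language with `{{name}}` placeholders, a per-response random nonce that untrusted input cannot guess, and a deliberately minimal HTML tokenizer standing in for the browser; the vulnerable string-splicing pattern is shown beside the hardened one so the difference in the parsed structure is visible.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed illustration of parser-level isolation of untrusted data.
# The server keeps trusted template markup and untrusted values separate and
# wraps each value in nonce-carrying delimiters; the simulated client parser
# turns every delimited region into a single text node, whatever it contains.


@dataclass(frozen=True)
class Node:
    kind: str    # "element" for a tag, "text" for character data
    value: str   # tag name (e.g. "script", "/div") or the literal text


PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")
TAG = re.compile(r"<(/?[A-Za-z][A-Za-z0-9]*)[^>]*>")


def naive_render(template: str, data: Dict[str, str]) -> str:
    """The vulnerable pattern: untrusted data is spliced straight into markup."""
    return PLACEHOLDER.sub(lambda m: data[m.group(1)], template)


def dsi_render(template: str, data: Dict[str, str], nonce: str) -> str:
    """Server side of the hardened scheme (hypothetical delimiter syntax).
    Each placeholder becomes the untrusted value wrapped in [[nonce| ... |nonce]].
    Assumption: the nonce is fresh per response and unguessable, so untrusted
    input cannot forge a closing delimiter; a value that does contain one is
    rejected rather than rendered."""
    close_d = f"|{nonce}]]"

    def wrap(m: "re.Match[str]") -> str:
        value = data[m.group(1)]
        if close_d in value:
            raise ValueError("untrusted value contains the closing delimiter")
        return f"[[{nonce}|{value}{close_d}"

    return PLACEHOLDER.sub(wrap, template)


def parse_trusted(markup: str) -> List[Node]:
    """Toy HTML tokenizer: splits trusted markup into element and text nodes."""
    nodes: List[Node] = []
    pos = 0
    for m in TAG.finditer(markup):
        if m.start() > pos:
            nodes.append(Node("text", markup[pos:m.start()]))
        nodes.append(Node("element", m.group(1).lower()))
        pos = m.end()
    if pos < len(markup):
        nodes.append(Node("text", markup[pos:]))
    return nodes


def client_parse(document: str, nonce: Optional[str] = None) -> List[Node]:
    """Simulated browser. Without a nonce the document is parsed as plain markup.
    With a nonce, every delimited region becomes exactly one text node, so tags
    inside untrusted data are never interpreted as structure."""
    if nonce is None:
        return parse_trusted(document)
    region = re.compile(
        re.escape(f"[[{nonce}|") + r"(.*?)" + re.escape(f"|{nonce}]]"), re.S
    )
    nodes: List[Node] = []
    pos = 0
    for m in region.finditer(document):
        nodes.extend(parse_trusted(document[pos:m.start()]))
        nodes.append(Node("text", m.group(1)))
        pos = m.end()
    nodes.extend(parse_trusted(document[pos:]))
    return nodes


def script_elements(nodes: List[Node]) -> List[Node]:
    """Detection helper: element nodes that would start script execution."""
    return [n for n in nodes if n.kind == "element" and n.value == "script"]


TEMPLATE = '<div class="greeting">Hello, {{name}}</div>'
# Constructed sample of a reflected parameter carrying markup
PAYLOAD = {"name": "<script>alert(1)</script>"}


def demo() -> tuple:
    """Returns (script elements with naive splicing, script elements with DSI)."""
    nonce = secrets.token_hex(8)
    naive_nodes = client_parse(naive_render(TEMPLATE, PAYLOAD))
    dsi_nodes = client_parse(dsi_render(TEMPLATE, PAYLOAD, nonce), nonce)
    return len(script_elements(naive_nodes)), len(script_elements(dsi_nodes))


if __name__ == "__main__":
    print(demo())  # (1, 0)
```

With naive splicing the tokenizer sees a `script` element, because the parser has no way to know the value was data; with the delimited rendering the same bytes arrive as one text node and the document's element structure is exactly that of the template. The check in `dsi_render` matters even with an unguessable nonce: it closes the case where a value is echoed back from an earlier response that already carried the delimiters.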


