Cross-site scripting (or XSS) has been the most dominant class of web vulnerabilities in 2007. The main underlying reason for XSS vulnerabilities is that web markup and client-side languages do not provide principled mechanisms to ensure secure, ground-up isolation of user-generated data in web application code. In this paper, we develop a new approach that combines randomization of web application code and runtime tracking of untrusted data both on the server and the browser to combat XSS attacks. Our technique ensures a fundamental integrity property that prevents untrusted data from altering the structure of trusted code throughout the execution lifetime of the web application. We call this property document structure integrity (or DSI). Similar to prepared statements in SQL, DSI enforcement ensures automatic syntactic isolation of inline user-generated data at the parser level. This forms the basis for confinement of untrusted data in the web browser based on a server-specified policy.

We propose a client-server architecture that enforces document structure integrity in a way that can be implemented in current browsers with minimal impact on compatibility and that requires minimal effort from the web developer. We implemented a proof-of-concept and demonstrated that such DSI enforcement with a simple default policy is sufficient to defeat over 98% of 5,328 real-world reflected XSS vulnerabilities documented in 2007, with very low performance overhead both on the client and server.
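The following is an added illustration of the integrity property the abstract describes, not the paper's implementation or code. It models the prepared-statement analogy in the smallest possible form: the server wraps each piece of untrusted data in delimiters carrying a per-response random nonce, and a client-side tokenizer that knows the nonce consumes everything between the delimiters as a single text leaf, so the tag skeleton of the trusted markup cannot change regardless of the data's content. The delimiter format (HTML comments carrying the nonce), the {{key}} placeholder syntax, the "untrusted data may only be a text leaf" default policy, and the restriction to element-content context (attribute and script contexts are not modelled) are all assumptions made for this example; the attacker inputs are constructed.

```python
"""Toy model of document structure integrity (DSI).

Added illustration, not the paper's code.  Assumptions: untrusted data is
delimited by HTML comments carrying a per-response nonce; placeholders in
trusted markup are written {{key}}; the default policy is that untrusted
data may only appear as a text leaf; only element-content context is modelled.
"""
import secrets

OPEN = "<!--dsi:{nonce}-->"
CLOSE = "<!--/dsi:{nonce}-->"


def new_nonce():
    """Per-response secret: an attacker who cannot guess it cannot forge a delimiter."""
    return secrets.token_hex(16)


def render(template, untrusted, nonce=None):
    """Server side: substitute {{key}} placeholders in the trusted markup.

    With a nonce, each untrusted value is wrapped in nonce-keyed delimiters.
    With nonce=None the value is concatenated verbatim (the vulnerable baseline).
    """
    out = template
    for key, value in untrusted.items():
        if nonce is None:
            rendered = value
        else:
            rendered = OPEN.format(nonce=nonce) + value + CLOSE.format(nonce=nonce)
        out = out.replace("{{" + key + "}}", rendered)
    return out


def tokenize(doc, nonce=None):
    """Client side: tokenize markup into (kind, value, untrusted) triples.

    A delimited region becomes exactly one 'text' token whatever it contains,
    so '<script>' inside untrusted data never opens an element.  A region whose
    closing delimiter is missing is consumed to end of document, still as text
    (fail closed rather than fall back to normal parsing).
    """
    open_d = OPEN.format(nonce=nonce) if nonce is not None else None
    close_d = CLOSE.format(nonce=nonce) if nonce is not None else None
    tokens, i, n = [], 0, len(doc)
    while i < n:
        if open_d and doc.startswith(open_d, i):
            start = i + len(open_d)
            end = doc.find(close_d, start)
            if end == -1:
                tokens.append(("text", doc[start:], True))
                break
            tokens.append(("text", doc[start:end], True))
            i = end + len(close_d)
        elif doc[i] == "<":
            j = doc.find(">", i)
            if j == -1:  # unterminated tag: remainder is text
                tokens.append(("text", doc[i:], False))
                break
            body = doc[i + 1:j].strip()
            closing = body.startswith("/")
            stripped = body.lstrip("/")
            name = stripped.split()[0].lower() if stripped else ""
            tokens.append(("endtag" if closing else "starttag", name, False))
            i = j + 1
        else:
            j = doc.find("<", i)
            if j == -1:
                j = n
            tokens.append(("text", doc[i:j], False))
            i = j
    return tokens


def skeleton(tokens):
    """The document's structure: the ordered tag sequence with all text dropped."""
    return [(kind, name) for kind, name, _ in tokens if kind != "text"]


def dsi_holds(template, untrusted, nonce):
    """DSI check: the rendered page has exactly the skeleton of the trusted
    template, and every untrusted token is a text leaf (the default policy)."""
    expected = skeleton(tokenize(template))
    toks = tokenize(render(template, untrusted, nonce), nonce)
    leaf_only = all(kind == "text" for kind, _, is_untrusted in toks if is_untrusted)
    return skeleton(toks) == expected and leaf_only


# Constructed trusted page and attacker inputs for a reflected XSS attempt.
TEMPLATE = "<html><body><h1>Search</h1><p>Results for: {{query}}</p></body></html>"
BENIGN = {"query": "document structure"}
ATTACK = {"query": "<script>alert(document.cookie)</script>"}
FORGED = {"query": "<!--/dsi:0000--><script>alert(1)</script>"}  # guesses a wrong nonce


def demo():
    """Return (naive skeleton, isolated skeleton) for the attack input."""
    nonce = new_nonce()
    naive = skeleton(tokenize(render(TEMPLATE, ATTACK)))
    isolated = skeleton(tokenize(render(TEMPLATE, ATTACK, nonce), nonce))
    return naive, isolated


if __name__ == "__main__":
    naive, isolated = demo()
    print("naive concatenation:", naive)
    print("nonce-delimited    :", isolated)
```

The contrast is the whole point: with plain concatenation the skeleton of the rendered page gains a script element that the developer never wrote, while with nonce-keyed delimiters the attacker's string reaches the page only as a text leaf, and a forged closing delimiter with the wrong nonce is just more text. What the model leaves out is everything that makes the real problem hard (attribute, URL and script contexts, browser parsing quirks, and keeping the untrusted mark through DOM mutation and later script execution), which is what the paper's client-side tracking and server-specified policy address.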