Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense

93 citations; 113 Mendeley readers have this article in their library.

Abstract

Cross-site scripting (or XSS) was the most dominant class of web vulnerabilities in 2007. The main underlying reason for XSS vulnerabilities is that web markup and client-side languages do not provide principled mechanisms to ensure secure, ground-up isolation of user-generated data in web application code. In this paper, we develop a new approach that combines randomization of web application code and runtime tracking of untrusted data, both on the server and in the browser, to combat XSS attacks. Our technique ensures a fundamental integrity property that prevents untrusted data from altering the structure of trusted code throughout the execution lifetime of the web application. We call this property document structure integrity (or DSI). Similar to prepared statements in SQL, DSI enforcement ensures automatic syntactic isolation of inline user-generated data at the parser level. This forms the basis for confinement of untrusted data in the web browser based on a server-specified policy. We propose a client-server architecture that enforces document structure integrity in a way that can be implemented in current browsers with minimal impact on compatibility and that requires minimal effort from the web developer. We implemented a proof-of-concept and demonstrated that such DSI enforcement with a simple default policy is sufficient to defeat over 98% of the 5,328 real-world reflected XSS vulnerabilities documented in 2007, with very low performance overhead on both the client and the server.

Citation (APA)

Nadji, Y., Saxena, P., & Song, D. (2009). Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense. In Proceedings of the Symposium on Network and Distributed System Security, NDSS 2009. The Internet Society.
