xJS: practical XSS prevention for web application development

Authors: Antonis Krithinakis, Spyros Ligouras, Evangelos P. Markatos, Thomas Karagiannis, Vasilis Pappas

Abstract: We present xJS, a practical framework for preventing code injection in the web environment and thus assisting the development of XSS-free applications. xJS aims to be fast and developer-friendly while providing backwards compatibility. We implement and evaluate our solution in three leading browsers and the Apache web server. We show that xJS can successfully prevent all 1,380 real-world attacks that we collected from a well-known XSS attack repository. Furthermore, xJS imposes negligible computational overhead on both the server and the client side, and has no negative side effects on the user's overall browsing experience.
