Client-side cross-site scripting protection

Authors: Engin Kirda, Nenad Jovanovic, Christopher Kruegel, Giovanni Vigna

DOI: 10.1016/J.COSE.2009.04.008

Keywords:

Abstract: Web applications are becoming the dominant way to provide access to online services. At the same time, web application vulnerabilities are being discovered and disclosed at an alarming rate. Web applications often make use of JavaScript code that is embedded into web pages to support dynamic client-side behavior. This script code is executed in the context of the user's web browser. To protect the user's environment from malicious JavaScript code, browsers use a sand-boxing mechanism that limits a script to access only resources associated with its origin site. Unfortunately, these security mechanisms fail if a user can be lured into downloading malicious JavaScript code from an intermediate, trusted site. In this case, the malicious script is granted full access to all resources (e.g., authentication tokens and cookies) that belong to the trusted site. Such attacks are called cross-site scripting (XSS) attacks. In general, XSS attacks are easy to execute, but difficult to detect and prevent. One reason is the high flexibility of HTML encoding schemes, offering the attacker many possibilities for circumventing server-side input filters that should prevent malicious scripts from being injected into trusted sites. Also, devising a client-side solution is not easy because of the difficulty of identifying JavaScript code as malicious. This paper presents Noxes, which is, to the best of our knowledge, the first client-side solution to mitigate cross-site scripting attacks. Noxes acts as a web proxy and uses both manual and automatically generated rules to mitigate possible cross-site scripting attempts. Noxes effectively protects against information leakage from the user's environment while requiring minimal user interaction and customization effort.

References (8)
Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, Sy-Yen Kuo, Securing web application code by static analysis and runtime protection. Proceedings of the 13th International Conference on World Wide Web (WWW '04), pp. 40-52 (2004). DOI: 10.1145/988672.988679
Yao-Wen Huang, Shih-Kun Huang, Tsung-Po Lin, Chung-Hung Tsai, Web application security assessment by fault injection and behavior monitoring. Proceedings of the 12th International Conference on World Wide Web (WWW '03), pp. 148-159 (2003). DOI: 10.1145/775152.775174
David Scott, Richard Sharp, Abstracting application-level web security. Proceedings of the International Conference on World Wide Web (WWW '02), pp. 396-407 (2002). DOI: 10.1145/511446.511498
N. Jovanovic, C. Kruegel, E. Kirda, Pixy: a static analysis tool for detecting web application vulnerabilities. IEEE Symposium on Security and Privacy, pp. 258-263 (2006). DOI: 10.1109/SP.2006.29
Nenad Jovanovic, Christopher Kruegel, Engin Kirda, Precise alias analysis for static detection of web application vulnerabilities. Proceedings of the 2006 Workshop on Programming Languages and Analysis for Security (PLAS '06), pp. 27-36 (2006). DOI: 10.1145/1134744.1134751
David Flanagan, Paula Ferguson, JavaScript: The Definitive Guide (1996)
Engin Kirda, Christopher Kruegel, Giovanni Vigna, Nenad Jovanovic, Noxes: a client-side solution for mitigating cross-site scripting attacks. ACM Symposium on Applied Computing (SAC '06), pp. 330-337 (2006). DOI: 10.1145/1141277.1141357