Alhambra: a system for creating, enforcing, and testing browser security policies
Proceedings of the 19th international conference on World wide web
Client-side detection of XSS worms by monitoring payload propagation
ESORICS'09 Proceedings of the 14th European conference on Research in computer security
xJS: practical XSS prevention for web application development
WebApps'10 Proceedings of the 2010 USENIX conference on Web application development
NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications
Proceedings of the 17th ACM conference on Computer and communications security
AdJail: practical enforcement of confidentiality and integrity policies on web advertisements
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Towards revealing JavaScript program intents using abstract interpretation
Proceedings of the Sixth Asian Internet Engineering Conference
WebAppArmor: a framework for robust prevention of attacks on web applications
ICISS'10 Proceedings of the 6th international conference on Information systems security
SessionShield: lightweight protection against session hijacking
ESSoS'11 Proceedings of the Third international conference on Engineering secure software and systems
Towards client-side HTML security policies
HotSec'11 Proceedings of the 6th USENIX conference on Hot topics in security
Preventing web application injections with complementary character coding
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
A systematic analysis of XSS sanitization in web application frameworks
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
ZDVUE: prioritization of javascript attacks to discover new vulnerabilities
Proceedings of the 4th ACM workshop on Security and artificial intelligence
Context-sensitive auto-sanitization in web templating languages using type qualifiers
Proceedings of the 18th ACM conference on Computer and communications security
SCRIPTGARD: automatic context-sensitive sanitization for large-scale legacy web applications
Proceedings of the 18th ACM conference on Computer and communications security
Fortifying web-based applications automatically
Proceedings of the 18th ACM conference on Computer and communications security
AdSentry: comprehensive and flexible confinement of JavaScript-based advertisements
Proceedings of the 27th Annual Computer Security Applications Conference
Automated code injection prevention for web applications
TOSCA'11 Proceedings of the 2011 international conference on Theory of Security and Applications
ARC: protecting against HTTP parameter pollution attacks using application request caches
ACNS'12 Proceedings of the 10th international conference on Applied Cryptography and Network Security
Tracking the trackers: fast and scalable dynamic analysis of web content for privacy violations
ACNS'12 Proceedings of the 10th international conference on Applied Cryptography and Network Security
Enhancing javascript with transactions
ECOOP'12 Proceedings of the 26th European conference on Object-Oriented Programming
Exploiting split browsers for efficiently protecting user data
Proceedings of the 2012 ACM Workshop on Cloud computing security workshop
The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems
Proceedings of the 2012 ACM conference on Computer and communications security
Scriptless attacks: stealing the pie without touching the sill
Proceedings of the 2012 ACM conference on Computer and communications security
BetterAuth: web authentication revisited
Proceedings of the 28th Annual Computer Security Applications Conference
Path sensitive static analysis of web applications for remote code execution vulnerability detection
Proceedings of the 2013 International Conference on Software Engineering
deDacota: toward preventing server-side XSS via automatic code and data separation
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
mXSS attacks: attacking well-secured web-applications by using innerHTML mutations
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
PreparedJS: secure script-templates for javascript
DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
| Hi-index | 0.00 |
As social networking sites proliferate across the World Wide Web, complex user-created HTML content is rapidly becoming the norm rather than the exception.User-created web content is a notorious vector for cross-site scripting (XSS) attacks that target websites and confidential user data.In this threat climate, mechanisms that render web applications immune to XSS attacks have been of recent research interest.A challenge for these security mechanisms is enabling web applications to accept complex HTML input from users, while disallowing malicious script content.This challenge is made difficult by anomalous web browser behaviors, which are often used as vectors for successful XSS attacks.Motivated by this problem, we present a new XSS defense strategy designed to be effective in widely deployed existing web browsers, despite anomalous browser behavior.Our approach seeks to minimize trust placed on browsers for interpreting untrusted content.We implemented this approach in a tool called Blueprint that was integrated with several popular web applications.We evaluated Blueprint against a barrage of stress tests that demonstrate strong resistance to attacks, excellent compatibility with web browsers and reasonable performance overheads.