Proceedings of the 2009 workshop on Re-architecting the internet
Dartmouth internet security testbed (DIST: building a campus-wide wireless testbed
CSET'09 Proceedings of the 2nd conference on Cyber security experimentation and test
xJS: practical XSS prevention for web application development
WebApps'10 Proceedings of the 2010 USENIX conference on Web application development
Protecting browsers from cross-origin CSS attacks
Proceedings of the 17th ACM conference on Computer and communications security
Trust and protection in the Illinois browser operating system
OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
Designing and Implementing the OP and OP2 Web Browsers
ACM Transactions on the Web (TWEB)
A systematic analysis of XSS sanitization in web application frameworks
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Crouching tiger - hidden payload: security risks of scalable vectors graphics
Proceedings of the 18th ACM conference on Computer and communications security
ARC: protecting against HTTP parameter pollution attacks using application request caches
ACNS'12 Proceedings of the 10th international conference on Applied Cryptography and Network Security
The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems
Proceedings of the 2012 ACM conference on Computer and communications security
Detecting and analyzing insecure component usage
Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering
The bug that made me president a browser- and web-security case study on helios voting
VoteID'11 Proceedings of the Third international conference on E-Voting and Identity
AUTOCRYPT: enabling homomorphic computation on servers to protect sensitive web content
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Polyglots: crossing origins by crossing formats
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
mXSS attacks: attacking well-secured web-applications by using innerHTML mutations
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
A survey on server-side approaches to securing web applications
ACM Computing Surveys (CSUR)
Building web applications on top of encrypted data using Mylar
NSDI'14 Proceedings of the 11th USENIX Conference on Networked Systems Design and Implementation
Hi-index | 0.00 |
Cross-site scripting defenses often focus on HTML documents, neglecting attacks involving the browser's content-sniffing algorithm, which can treat non-HTML content as HTML.Web applications, such as the one that manages this conference, must defend themselves against these attacks or risk authors uploading malicious papers that automatically submit stellar self-reviews.In this paper, we formulate content-sniffing XSS attacks and defenses.We study content-sniffing XSS attacks systematically by constructing high-fidelity models of the content-sniffing algorithms used by four major browsers.We compare these models with Web site content filtering policies to construct attacks.To defend against these attacks, we propose and implement a principled content-sniffing algorithm that provides security while maintaining compatibility.Our principles have been adopted, in part, by Internet Explorer 8 and, in full, by Google Chrome and the HTML 5 working group.