Prevention of cross-site scripting attacks on current web applications

Authors:
Joaquin Garcia-Alfaro;Guillermo Navarro-Arribas
Affiliations:
Universitat Oberta de Catalunya, Barcelona, Spain;Universitat Autònoma de Barcelona, Bellaterra, Spain
Venue:
OTM'07 Proceedings of the 2007 OTM confederated international conference on On the move to meaningful internet systems: CoopIS, DOA, ODBASE, GADA, and IS - Volume Part II
Year:
2007

Citing 19
Cited 0

Abstracting application-level web security

Proceedings of the 11th international conference on World Wide Web
Writing Secure Code

Writing Secure Code
Secure Web Scripting

IEEE Internet Computing
Using Programmer-Written Compiler Extensions to Catch Security Holes

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
A Sense of Self for Unix Processes

SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
A Proposal and Implementation of Automatic Detection/Collection System for Cross-Site Scripting Vulnerability

AINA '04 Proceedings of the 18th International Conference on Advanced Information Networking and Applications - Volume 2
Detecting Malicious JavaScript Code in Mozilla

ICECCS '05 Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems
Ajax in Action

Ajax in Action
The essence of command injection attacks in web applications

Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Precise alias analysis for static detection of web application vulnerabilities

Proceedings of the 2006 workshop on Programming languages and analysis for security
Noxes: a client-side solution for mitigating cross-site scripting attacks

Proceedings of the 2006 ACM symposium on Applied computing
Rapid Application Development with Mozilla

Rapid Application Development with Mozilla
Defeating script injection attacks with browser-enforced embedded policies

Proceedings of the 16th international conference on World Wide Web
High coverage detection of input-related security facults

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Using web application construction frameworks to protect against code injection attacks

Proceedings of the 2007 workshop on Programming languages and analysis for security
Static detection of security vulnerabilities in scripting languages

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Social phishing

Communications of the ACM
Defending against injection attacks through context-sensitive string evaluation

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
XSS Viruses: Cross-site scripting viruses and worms - a new attack vector

Network Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Security is becoming one of the major concerns for web applications and other Internet based services, which are becoming pervasive in all kinds of business models and organizations. Web applications must therefore include, in addition to the expected value offered to their users, reliable mechanisms to ensure their security. In this paper, we focus on the specific problem of preventing cross-site scripting attacks against web applications. We present a study of this kind of attacks, and survey current approaches for their prevention. The advantages and limitations of each proposal are discussed, and an alternative solution is introduced. Our proposition is based on the use of X.509 certificates, and XACML for the expression of authorization policies. By using our solution, developers and/or administrators of a given web application can specifically express its security requirements from the server side, and require the proper enforcement of such requirements on a compliant client. This strategy is seamlessly integrated in generic web applications by relaying in the SSL and secure redirect calls.