xJS: practical XSS prevention for web application development

  • Authors:
  • Elias Athanasopoulos, Vasilis Pappas, Antonis Krithinakis, Spyros Ligouras, Evangelos P. Markatos, Thomas Karagiannis

  • Affiliations:
  • Institute of Computer Science, Foundation for Research and Technology - Hellas (Athanasopoulos, Pappas, Krithinakis, Ligouras, Markatos); Microsoft Research, Cambridge, United Kingdom (Karagiannis)

  • Venue:
  • WebApps'10 Proceedings of the 2010 USENIX conference on Web application development
  • Year:
  • 2010


Abstract

We present xJS, a practical framework for preventing code injection in the web environment and thus assisting the development of XSS-free web applications. xJS aims at being fast, developer-friendly, and backwards compatible. We implement and evaluate our solution in three leading web browsers and in the Apache web server. We show that our framework successfully prevents all 1,380 real-world attacks collected from a well-known XSS attack repository. Furthermore, our framework imposes negligible computational overhead on both the server and the client side, and has no negative side effects on the user's overall browsing experience.