XSS-Dec: a hybrid solution to mitigate cross-site scripting attacks

Authors:
Smitha Sundareswaran;Anna Cinzia Squicciarini
Affiliations:
College of Information Sciences and Technology, The Pennsylvania State University;College of Information Sciences and Technology, The Pennsylvania State University
Venue:
DBSec'12 Proceedings of the 26th Annual IFIP WG 11.3 conference on Data and Applications Security and Privacy
Year:
2012

Citing 11
Cited 0

Abstracting application-level web security

Proceedings of the 11th international conference on World Wide Web
Steering Clear of Triples: Deriving the Control Flow Graph Directly from the Abstract Syntax Tree in C Programs

Steering Clear of Triples: Deriving the Control Flow Graph Directly from the Abstract Syntax Tree in C Programs
Certificate revocation system implementation based on the Merkle hash tree

International Journal of Information Security
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Noxes: a client-side solution for mitigating cross-site scripting attacks

Proceedings of the 2006 ACM symposium on Applied computing
A Systematic Approach to Uncover Security Flaws in GUI Logic

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Static detection of cross-site scripting vulnerabilities

Proceedings of the 30th international conference on Software engineering
XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks

DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
SWAP: Mitigating XSS attacks using a reverse proxy

IWSESS '09 Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems
Regular expressions considered harmful in client-side XSS filters

Proceedings of the 19th international conference on World wide web
Swaddler: an approach for the anomaly-based detection of state violations in web applications

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection

Quantified Score

Hi-index	0.00

Visualization

Abstract

Cross-site scripting attacks represent one of the major security threats in today's Web applications. Current approaches to mitigate cross-site scripting vulnerabilities rely on either server-based or client-based defense mechanisms. Although effective for many attacks, server-side protection mechanisms may leave the client vulnerable if the server is not well patched. On the other hand, client-based mechanisms may incur a significant overhead on the client system. In this work, we present a hybrid client-server solution that combines the benefits of both architectures. Our Proxy-based solution leverages the strengths of both anomaly detection and control flow analysis to provide accurate detection. We demonstrate the feasibility and accuracy of our approach through extended testing using real-world cross-site scripting exploits.