Abstracting application-level web security
Proceedings of the 11th international conference on World Wide Web
JavaScript: The Definitive Guide
JavaScript: The Definitive Guide
Web application security assessment by fault injection and behavior monitoring
WWW '03 Proceedings of the 12th international conference on World Wide Web
Securing web application code by static analysis and runtime protection
Proceedings of the 13th international conference on World Wide Web
Precise alias analysis for static detection of web application vulnerabilities
Proceedings of the 2006 workshop on Programming languages and analysis for security
Defeating script injection attacks with browser-enforced embedded policies
Proceedings of the 16th international conference on World Wide Web
Using web application construction frameworks to protect against code injection attacks
Proceedings of the 2007 workshop on Programming languages and analysis for security
Multi-module vulnerability analysis of web-based applications
Proceedings of the 14th ACM conference on Computer and communications security
End-to-end web application security
HOTOS'07 Proceedings of the 11th USENIX workshop on Hot topics in operating systems
SQL-IDS: a specification-based approach for SQL-injection detection
Proceedings of the 2008 ACM symposium on Applied computing
Forcehttps: protecting high-security web sites from network attacks
Proceedings of the 17th international conference on World Wide Web
Static detection of cross-site scripting vulnerabilities
Proceedings of the 30th international conference on Software engineering
Detecting in-flight page changes with web tripwires
NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
Spectator: detection and containment of JavaScript worms
ATC'08 USENIX 2008 Annual Technical Conference on Annual Technical Conference
Protecting the Intranet Against "JavaScript Malware" and Related Attacks
DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
SOMA: mutual approval for included content in web pages
Proceedings of the 15th ACM conference on Computer and communications security
A Browser-Based Kerberos Authentication Scheme
ESORICS '08 Proceedings of the 13th European Symposium on Research in Computer Security: Computer Security
JavaScript Instrumentation in Practice
APLAS '08 Proceedings of the 6th Asian Symposium on Programming Languages and Systems
Automated security testing of web widget interactions
Proceedings of the the 7th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
Risks of the CardSpace Protocol
ISC '09 Proceedings of the 12th International Conference on Information Security
A speech mashup framework for multimodal mobile services
Proceedings of the 2009 international conference on Multimodal interfaces
XCS: cross channel scripting and its impact on web applications
Proceedings of the 16th ACM conference on Computer and communications security
TruWallet: trustworthy and migratable wallet-based web authentication
Proceedings of the 2009 ACM workshop on Scalable trusted computing
MUTEC: Mutation-based testing of Cross Site Scripting
IWSESS '09 Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems
SWAP: Mitigating XSS attacks using a reverse proxy
IWSESS '09 Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems
Using an Evolutionary Neural Network for web intrusion detection
AIA '08 Proceedings of the 26th IASTED International Conference on Artificial Intelligence and Applications
Regular expressions considered harmful in client-side XSS filters
Proceedings of the 19th international conference on World wide web
Alhambra: a system for creating, enforcing, and testing browser security policies
Proceedings of the 19th international conference on World wide web
Prevention of cross-site scripting attacks on current web applications
OTM'07 Proceedings of the 2007 OTM confederated international conference on On the move to meaningful internet systems: CoopIS, DOA, ODBASE, GADA, and IS - Volume Part II
Client-side detection of XSS worms by monitoring payload propagation
ESORICS'09 Proceedings of the 14th European conference on Research in computer security
An automatic HTTP cookie management system
Computer Networks: The International Journal of Computer and Telecommunications Networking
Static analysis for detecting taint-style vulnerabilities in web applications
Journal of Computer Security
Dartmouth internet security testbed (DIST: building a campus-wide wireless testbed
CSET'09 Proceedings of the 2nd conference on Cyber security experimentation and test
Cujo: efficient detection and prevention of drive-by-download attacks
Proceedings of the 26th Annual Computer Security Applications Conference
FIRM: capability-based inline mediation of Flash behaviors
Proceedings of the 26th Annual Computer Security Applications Conference
Taxonomy and classification of automatic monitoring of program security vulnerability exploitations
Journal of Systems and Software
WebAppArmor: a framework for robust prevention of attacks on web applications
ICISS'10 Proceedings of the 6th international conference on Information systems security
SessionShield: lightweight protection against session hijacking
ESSoS'11 Proceedings of the Third international conference on Engineering secure software and systems
Reliable protection against session fixation attacks
Proceedings of the 2011 ACM Symposium on Applied Computing
BIXSAN: browser independent XSS sanitizer for prevention of XSS attacks
ACM SIGSOFT Software Engineering Notes
Toward secure embedded web interfaces
SEC'11 Proceedings of the 20th USENIX conference on Security
Preventing web application injections with complementary character coding
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
A systematic analysis of XSS sanitization in web application frameworks
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Crouching tiger - hidden payload: security risks of scalable vectors graphics
Proceedings of the 18th ACM conference on Computer and communications security
On automatic detection of SQL injection attacks by the feature extraction of the single character
Proceedings of the 4th international conference on Security of information and networks
Position paper: why are there so many vulnerabilities in web applications?
Proceedings of the 2011 workshop on New security paradigms workshop
SessionSafe: implementing XSS immune session handling
ESORICS'06 Proceedings of the 11th European conference on Research in Computer Security
A survey on detection techniques to prevent cross-site scripting attacks on current web applications
CRITIS'07 Proceedings of the Second international conference on Critical Information Infrastructures Security
IceShield: detection and mitigation of malicious websites with a frozen DOM
RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
Quo vadis? a study of the evolution of input validation vulnerabilities in web applications
FC'11 Proceedings of the 15th international conference on Financial Cryptography and Data Security
Automated code injection prevention for web applications
TOSCA'11 Proceedings of the 2011 international conference on Theory of Security and Applications
An empirical analysis of input validation mechanisms in web applications and languages
Proceedings of the 27th Annual ACM Symposium on Applied Computing
XSS-Dec: a hybrid solution to mitigate cross-site scripting attacks
DBSec'12 Proceedings of the 26th Annual IFIP WG 11.3 conference on Data and Applications Security and Privacy
Serene: self-reliant client-side protection against session fixation
DAIS'12 Proceedings of the 12th IFIP WG 6.1 international conference on Distributed Applications and Interoperable Systems
Scriptless attacks: stealing the pie without touching the sill
Proceedings of the 2012 ACM conference on Computer and communications security
Variability in software architecture: views and beyond
ACM SIGSOFT Software Engineering Notes
DEMACRO: defense against malicious cross-domain requests
RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
Analyzing and defending against web-based malware
ACM Computing Surveys (CSUR)
deDacota: toward preventing server-side XSS via automatic code and data separation
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
A survey on server-side approaches to securing web applications
ACM Computing Surveys (CSUR)
Hi-index | 0.00 |
Web applications are becoming the dominant way to provide access to on-line services. At the same time, web application vulnerabilities are being discovered and disclosed at an alarming rate. Web applications often make use of JavaScript code that is embedded into web pages to support dynamic client-side behavior. This script code is executed in the context of the user's web browser. To protect the user's environment from malicious JavaScript code, a sand-boxing mechanism is used that limits a program to access only resources associated with its origin site. Unfortunately, these security mechanisms fail if a user can be lured into downloading malicious JavaScript code from an intermediate, trusted site. In this case, the malicious script is granted full access to all resources (e.g., authentication tokens and cookies) that belong to the trusted site. Such attacks are called cross-site scripting (XSS) attacks.In general, XSS attacks are easy to execute, but difficult to detect and prevent. One reason is the high flexibility of HTML encoding schemes, offering the attacker many possibilities for circumventing server-side input filters that should prevent malicious scripts from being injected into trusted sites. Also, devising a client-side solution is not easy because of the difficulty of identifying JavaScript code as being malicious. This paper presents Noxes, which is, to the best of our knowledge, the first client-side solution to mitigate cross-site scripting attacks. Noxes acts as a web proxy and uses both manual and automatically generated rules to mitigate possible cross-site scripting attempts. Noxes effectively protects against information leakage from the user's environment while requiring minimal user interaction and customization effort.