An Execution-flow Based Method for Detecting Cross-Site Scripting of Ajax Applications
Authors
Abstract
We present an execution-flow analysis for JavaScript programs running in a web browser to prevent Cross-site Scripting (XSS) attacks. We construct finite-state automata (FSA) to model the client-side behavior of Ajax applications under normal execution. Our system is deployed in proxy mode. The proxy analyzes the execution flow of client-side JavaScript before the requested web pages arrive at the browser, blocking potentially malicious scripts, namely those that do not conform to the FSA. We evaluate our technique against several real-world applications, and the results show that it protects against a variety of XSS attacks with an acceptable performance overhead.
Similar sources
Subverting Ajax for Fun and Profit
The ability of modern browsers to use asynchronous requests introduces a new type of attack vector. In particular, an attacker can inject client-side code to totally subvert the communication flow between client and server. In fact, advanced features of Ajax frameworks build up a new transparent layer not controlled by the user. This paper will focus on security aspects of Ajax technology and o...
Web 2.0 Security Position Paper: “JavaScript Breaks Free”
The web has become richer with content, and a host of technologies are in place to improve interactivity – whether between the web browser and web server or between the browser and other desktop applications and network devices. Consequently, there is a greater burden on Web scripting languages to not only support this flexibility, but to do so in a way that does not increase new security risks...
Submitted to the
During the last years, the web has evolved into an integral part of our daily lives. Unfortunately, as our dependency on the web increases, so does the interest of attackers in exploiting security vulnerabilities in web applications. This thesis presents novel approaches aimed at the detection of such vulnerabilities, and at the protection of clients against web-based attacks. Vulnerability Det...
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Technical Report)
The number and the importance of Web applications have increased rapidly over the last years. At the same time, the quantity and impact of security vulnerabilities in such applications have grown as well. Since manual code reviews are time-consuming, error-prone and costly, the need for automated solutions has become evident. In this paper, we address the problem of vulnerable Web applications ...
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)
The number and the importance of Web applications have increased rapidly over the last years. At the same time, the quantity and impact of security vulnerabilities in such applications have grown as well. Since manual code reviews are time-consuming, error-prone and costly, the need for automated solutions has become evident. In this paper, we address the problem of vulnerable Web applications ...
Journal title:
- Int. J. Adv. Comp. Techn.
Volume 2, Issue
Pages -
Publication date: 2010