A New Practical and Collaborative Defense Against XSS Attacks
نویسندگان
چکیده
Several remote attacks on the web today exploit the insecurity that comes with embedding untrusted data in trusted content. A specific type of cross site scripting (XSS) attack – reflected XSS attacks – are the most common of these, and plague even the most popular web sites today. Traditional defenses against these attacks rely on filtering user input, which was been shown to be quite difficult in practice. Filtering is entirely reactive to security threats, and more often than not, reacting to new exploits doesn’t happen. Current approaches are effective, but are often difficult to perform widespread implementation. We propose the concept of client-side tainting of user generated information. Tainted data is quarantined by a novel delimiter scheme which allows for flexible policy enforcement. We confirm that our approach, in addition to being simple to implement, requires only changes to the client browser and defends against over 2000 XSS attacks. We also analyze stored XSS attacks, and what we would need to alter in our approach to combat them as well.
منابع مشابه
XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks
This paper focuses on defense mechanisms for cross-site scripting attacks, the top threat on web applications today. It is believed that input validation (or filtering) can effectively prevent XSS attacks on the server side. In this paper, we discuss several recent real-world XSS attacks and analyze the reasons for the failure of filtering mechanisms in defending these attacks. We conclude that...
متن کاملA Pragmatic Policy-driven Xss Protection Framework
2011 ii Specially dedicated to my beloved family and to information security researchers and practitioners iii Acknowledgments I would like to heartily thank Dr. Geraint Price, my research supervisor, for his invaluable advice, guidance and understanding throughout the development of the research. In addition, I would love to convey my special thanks to my company, RS2, for sponsoring part of m...
متن کاملAuror: defending against poisoning attacks in collaborative deep learning systems
Deep learning in a collaborative setting is emerging as a cornerstone of many upcoming applications, wherein untrusted users collaborate to generate more accurate models. From the security perspective, this opens collaborative deep learning to poisoning attacks, wherein adversarial users deliberately alter their inputs to mis-train the model. These attacks are known for machine learning systems...
متن کامل⊕JS: Lightweight Cross-Site Scripting Prevention Using Isolation Operators
Cross-site scripting (XSS) attacks constitute one of the major threats for today’s web sites. Recently reported numbers on XSS vulnerabilities, coupled with the increasing complexity of modern web browsers, clearly highlight the need for effective mitigation mechanisms. However, despite the significance of these attacks, a definitive approach against any type of XSS vulnerability sill remains e...
متن کاملCode Injection Vulnerabilities in Web Applications: Exemplified at Cross-site Scripting
The majority of all security problems in today’s Web applications is caused by stringbased code injection, with Cross-site Scripting (XSS) being the dominant representative of this vulnerability class. This thesis discusses XSS and suggests defense mechanisms. We do so in three stages: First, we conduct a thorough analysis of JavaScript’s capabilities and explain how these capabilities are util...
متن کامل