(2014) Precise Client-side Protection against DOM-based Cross-Site Scripting.
|
Text
usenix2014-xssfilter.pdf - Published Version Download (178kB) | Preview |
Abstract
The current generation of client-side Cross-Site Scripting filters rely on string comparison to detect request values that are reflected in the corresponding response’s HTML. This coarse approximation of occurring data flows is incapable of reliably stopping attacks which leverage nontrivial injection contexts. To demonstrate this, we conduct a thorough analysis of the current state-of-the-art in browser-based XSS filtering and uncover a set of conceptual shortcomings, that allow efficient creation of filter evasions, especially in the case of DOM-based XSS. To validate our findings, we report on practical experiments using a set of 1,602 real-world vulnerabilities, achieving a rate of 73% successful filter bypasses. Motivated by our findings, we propose an alternative filter design for DOM-based XSS, that utilizes runtime taint tracking and taint-aware parsers to stop the parsing of attacker-controlled syntactic content. To examine the efficiency and feasibility of our approach, we present a practical implementation based on the open source browser Chromium. Our proposed approach has a low false positive rate and robustly protects against DOM-based XSS exploits.
| Item Type: | Conference or Workshop Item (A Paper) (Paper) |
|---|---|
| Additional Information: | pub_id: 1052 Bibtex: stock2014precise URL date: None |
| Divisions: | Ben Stock (Secure Web Applications Group, SWAG) |
| Conference: | USENIX-Security Usenix Security Symposium |
| Depositing User: | Sebastian Weisgerber |
| Date Deposited: | 26 Jul 2017 10:31 |
| Last Modified: | 18 Jul 2019 12:12 |
| Primary Research Area: | NRA5: Empirical & Behavioral Security |
| URI: | https://publications.cispa.saarland/id/eprint/729 |
Actions
Actions (login required)
 |
View Item |