Keywords: web security, XSS

Abstract

This paper focuses on defense mechanisms for cross-site scripting attacks, the top threat on web applications today. It is believed that input validation (or filtering) can effectively prevent XSS attacks on the server side. In this paper, we discuss several recent real-world XSS attacks and analyze the reasons for the failure of filtering mechanisms in defending against these attacks. We conclude that while filtering is useful as a first level of defense against XSS attacks, it is ineffective in preventing several instances of attack, especially when user input includes content-rich HTML. We then propose XSS-GUARD, a new framework that is designed to be a prevention mechanism against XSS attacks on the server side. XSS-GUARD works by dynamically learning the set of scripts that a web application intends to create for any HTML request. Our approach also includes a robust mechanism for identifying scripts at the server side and removes any script in the output that is not intended by the web application. We discuss extensive experimental results that demonstrate the resilience of XSS-GUARD in preventing a number of real-world XSS exploits.
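To make the abstract's core idea concrete, here is an added toy illustration (not the paper's implementation, and far less precise than it): the "intended" script set for a request is learned by rendering the same page with a constructed benign input, and every script the real response contains beyond that set is stripped. The template, the `{{input}}` placeholder, the benign string and the regex-based script extraction are all assumptions made for this example.

```python
import re

# Constructed, simplified stand-in for the XSS-GUARD check described in the abstract.
# Assumption: the page comes from one template with a single user-controlled slot,
# and the script set learned from a benign render is what the application "intends".
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
HANDLER_RE = re.compile(r'\s(on\w+)\s*=\s*"([^"]*)"', re.I)  # quoted inline handlers only


def extract_scripts(html):
    """Return the set of <script> bodies and inline event-handler bodies in html."""
    found = {m.group(1).strip() for m in SCRIPT_RE.finditer(html)}
    found |= {m.group(2).strip() for m in HANDLER_RE.finditer(html)}
    return found


def render(template, user_input):
    """Deliberately unescaped interpolation: the vulnerable server-side behaviour."""
    return template.replace("{{input}}", user_input)


def guard(template, user_input, benign_input="benign"):
    """Render the real response, learn the intended scripts from a shadow render
    with benign input, and remove every script that is not in that set.
    Returns (cleaned_html, sorted list of removed script bodies)."""
    real = render(template, user_input)
    intended = extract_scripts(render(template, benign_input))

    def keep_block(m):
        return m.group(0) if m.group(1).strip() in intended else ""

    def keep_handler(m):
        return m.group(0) if m.group(2).strip() in intended else ""

    cleaned = SCRIPT_RE.sub(keep_block, real)
    cleaned = HANDLER_RE.sub(keep_handler, cleaned)
    return cleaned, sorted(extract_scripts(real) - intended)


if __name__ == "__main__":
    # Constructed template: one legitimate script plus a user-controlled greeting.
    page = '<html><body><script>init();</script><p>Hello {{input}}</p></body></html>'
    for payload in ["<b>alice</b>", "<script>alert(1)</script>", '<img src=x onerror="alert(1)">']:
        out, removed = guard(page, payload)
        print(repr(payload), "->", removed, out)
```

Note that content-rich HTML such as `<b>alice</b>` passes through untouched, while only script content absent from the learned set is removed; a real implementation needs a proper script identifier rather than these regexes.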

Publication

In 5th GI International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment, Paris, France, July, 2008

The acceptance rate was 31.1% (14/45).

BibTeX

@inproceedings{
  DIMVA08:Injection,
  author        = {Prithvi Bisht and V. N. Venkatakrishnan},
  crossref      = {DIMVA08},
  title         = {{XSS-GUARD}: Precise Dynamic Detection of Cross-Site Scripting Attacks}
}
@proceedings{
  DIMVA08,
  booktitle     = {5th GI International Conference on Detection of Intrusions \&
  Malware, and Vulnerability Assessment},
  location      = {Paris, France},
  month         = Jul,
  year          = {2008}
}

Project website

Further information about this publication is available at this website.


r8 - 21 Sep 2008 - 11:42:29 - MikeTerLouw
Copyright © 2002-2009 by the contributing authors. All material on this website is the property of the contributing authors.