Keywords: XSS, Web Security, Hypertext Isolation, Document Integrity, Trust, User-created Content

Abstract

As social networking sites proliferate across the World Wide Web, complex user-created HTML content is rapidly becoming the norm rather than the exception. User-created web content is a notorious vector for cross-site scripting (XSS) attacks that target websites and confidential user data. In this threat climate, mechanisms that render web applications immune to XSS attacks have been of recent research interest.

A challenge for these security mechanisms is enabling web applications to accept complex HTML input from users, while disallowing malicious script content. This challenge is made difficult by anomalous web browser behaviors, which are often used as vectors for successful XSS attacks.

Motivated by this problem, we present a new XSS defense strategy designed to be effective in widely deployed existing web browsers, despite anomalous browser behavior. Our approach seeks to minimize trust placed on browsers for interpreting untrusted content. We implemented this approach in a tool called Blueprint that was integrated with several popular web applications. We evaluated Blueprint against a barrage of stress tests that demonstrate strong resistance to attacks, excellent compatibility with web browsers and reasonable performance overheads.
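The abstract's central idea is to reduce how much the web application must trust the browser's own interpretation of untrusted markup. As an added illustration of that principle, the following JavaScript renders user-created rich content by building DOM nodes from a whitelisted structured model rather than handing a raw HTML string to the browser's parser. This is example code written for this page; it is not Blueprint's code or the authors' mechanism. The whitelist, the model format (`{tag, attrs, children}` with plain strings for text), the `mockDocument` stand-in and the sample post are all constructed assumptions for the example.

```javascript
// Added illustration (not Blueprint's code): render user-supplied rich content by
// constructing DOM nodes from a whitelisted structured model, so the untrusted
// content is never fed to the browser's HTML parser as a string. `doc` is any
// object providing createElement/createTextNode; a mock works in Node and
// window.document works in a browser.

// Whitelist of allowed tags and, per tag, allowed attributes (constructed policy).
const ALLOWED = {
  p: new Set(), b: new Set(), i: new Set(), br: new Set(),
  a: new Set(['href', 'title']),
  img: new Set(['src', 'alt']),
};

// URL-valued attributes must use one of these schemes; javascript: and data: are refused.
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_SCHEMES = ['http:', 'https:', 'mailto:'];

function safeUrl(value) {
  let url;
  try { url = new URL(value, 'https://example.invalid/'); } catch { return null; }
  return SAFE_SCHEMES.includes(url.protocol) ? url.href : null;
}

// Validate one model node against the whitelist. Returns a cleaned node, a text
// string, or null for anything not explicitly allowed (dropped, never passed on).
// Text is kept verbatim because it becomes a text node, not markup.
function sanitizeModel(node) {
  if (typeof node === 'string') return node;
  const tag = String(node.tag || '').toLowerCase();
  if (!Object.prototype.hasOwnProperty.call(ALLOWED, tag)) return null;
  const attrs = {};
  for (const [name, raw] of Object.entries(node.attrs || {})) {
    const lname = name.toLowerCase();
    if (!ALLOWED[tag].has(lname)) continue;              // drops onclick, style, ...
    const value = URL_ATTRS.has(lname) ? safeUrl(String(raw)) : String(raw);
    if (value !== null) attrs[lname] = value;
  }
  const children = (node.children || []).map(sanitizeModel).filter((c) => c !== null);
  return { tag, attrs, children };
}

// Build real DOM nodes from the sanitized model using DOM APIs only.
function renderModel(doc, model) {
  if (typeof model === 'string') return doc.createTextNode(model);
  const el = doc.createElement(model.tag);
  for (const [name, value] of Object.entries(model.attrs)) el.setAttribute(name, value);
  for (const child of model.children) el.appendChild(renderModel(doc, child));
  return el;
}

function renderUntrusted(doc, untrustedModel) {
  const clean = sanitizeModel(untrustedModel);
  return clean === null ? doc.createTextNode('') : renderModel(doc, clean);
}

// Minimal mock of the DOM factory methods so the example runs outside a browser.
function mockDocument() {
  const mk = (tag) => ({
    tag, attrs: {}, children: [],
    setAttribute(n, v) { this.attrs[n] = v; },
    appendChild(c) { this.children.push(c); return c; },
  });
  return { createElement: mk, createTextNode: (text) => ({ text }) };
}

// Constructed sample: a user post carrying several hostile pieces.
const SAMPLE_POST = {
  tag: 'p', attrs: { onmouseover: 'alert(1)' },
  children: [
    'Hello <script>alert(1)</script> world ',
    { tag: 'a', attrs: { href: 'javascript:alert(1)', title: 'x' }, children: ['link'] },
    { tag: 'script', attrs: {}, children: ['alert(1)'] },
    { tag: 'img', attrs: { src: 'https://img.example/a.png', onerror: 'alert(1)' } },
  ],
};

if (typeof window === 'undefined') {
  console.log(JSON.stringify(renderUntrusted(mockDocument(), SAMPLE_POST), null, 1));
}
```

The point of the design is that the text `<script>alert(1)</script>` survives only as a text node, the `script` element and every event-handler attribute are dropped before any DOM call, and the `javascript:` URL is refused by scheme, all without relying on how a given browser's parser would have read the same bytes. In a browser the result of `renderUntrusted(document, model)` is appended to the page with `appendChild`.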

Publication

In 30th IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 2009

The acceptance rate was 10.2% (26/254).

BibTeX

@inproceedings{TerLouw:09a,
  author        = {Ter~Louw, Mike and V.N. Venkatakrishnan},
  crossref      = {SP:2009},
  title         = {Blueprint: Precise Browser-neutral Prevention of Cross-site Scripting Attacks}
}

@proceedings{SP:2009,
  location      = {Oakland, CA, USA},
  booktitle     = {30th IEEE Symposium on Security and Privacy},
  month         = may,
  year          = {2009}
}

Project website

Further information about this publication is available at this website.


r8 - 26 May 2009 - 18:15:31 - MikeTerLouw
Copyright © 2002-2009 by the contributing authors. All material on this website is the property of the contributing authors.