Affiliation:
1. National Institute of Technology, Tiruchirappalli - 620015, Tamil Nadu, India
Abstract
Proliferation of social networking sites, and web applications which deliver dynamic content to the clients have increased the user created HTML content in the World Wide Web. This user-created HTML content can be a notorious vector for Cross-Site Scripting,(XSS) attacks. XSS attacks have the ability to target websites, steal confidential information of the users, and hijack their accounts, etc. XSS attacks are launched to exploit the vulnerabilities of the poorly developed application code and data processing systems. In particular, improper validation of user created content and un-sanitized custom error messages introduce vulnerability for XSS attacks. It is a challenging task for any security mechanism to filter out only the harmful HTML content and retain safe content with high fidelity and robustness. This has motivated us to develop a mechanism that filters out the harmful HTML content, and allows safe HTML. The existing solutions to XSS attack include use of regular expressions to detect the presence of dynamic content and client side filtering mechanisms such as Noscript and Noxes tool. The drawbacks of these solutions are low fidelity and disallowing of benign HTML. In order to overcome these drawbacks BIXSAN, a Browser Independent XSS SANitizer for prevention of XSS attacks is proposed in this paper. BIXSAN includes the proposition of three pronged strategy. These strategies are as follows: Firstly the use of complete HTML parser is proposed rather than approximating the behavior of parser. The advantage of using complete HTML parser is that it offers high fidelity. Secondly the use of modified browser, viz., JavaScript Tester is proposed to detect the presence of JavaScript for filtering it out. Thirdly, identification of static tags is proposed for allowing the benign HTML. Further, BIXSAN includes the proposition of a parse tree generator at client side browser to reduce the anomalous behavior of browsers. BIXSAN was experimented in various browsers such as Opera, Netscape, Internet Explorer (IE), and Firefox and found to work for all the browsers. From the experiments conducted it has been found that the proposed BIXSAN prevents the injection of XSS attack code successfully. Further, it has been verified that BIXSAN reduces the anomalous behavior of browse.
Publisher
Association for Computing Machinery (ACM)
Reference16 articles.
1. Participative Web and User-Created Content
2. Open Web Application Security Project "OWASP Top ten web vulnerabilities "https://www.owasp.org/index.php/Top_10_2007 Open Web Application Security Project "OWASP Top ten web vulnerabilities "https://www.owasp.org/index.php/Top_10_2007
3. "XSSed | Cross Site Scripting (XSS) attacks information and archive" www.xssed.com "XSSed | Cross Site Scripting (XSS) attacks information and archive" www.xssed.com
4. Cross Site Scripting-Latest developments and solutions: A survey Int;Shanmugam Jayamsakthi;J. Open Problems Compt. Math.,2008
5. "Cross-site scripting -- Wikipedia" http://en.wikipedia.org/wiki/Cross-site_scripting. "Cross-site scripting -- Wikipedia" http://en.wikipedia.org/wiki/Cross-site_scripting.
Cited by
6 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献