Prevention of Cross-Site Scripting Attacks on Current Web Applications

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 4804)

Abstract

Security is becoming one of the major concerns for web applications and other Internet-based services, which are becoming pervasive in all kinds of business models and organizations. Web applications must therefore include, in addition to the expected value offered to their users, reliable mechanisms to ensure their security. In this paper, we focus on the specific problem of preventing cross-site scripting attacks against web applications. We present a study of this kind of attack and survey current approaches for its prevention. The advantages and limitations of each proposal are discussed, and an alternative solution is introduced. Our proposal is based on the use of X.509 certificates, and of XACML for the expression of authorization policies. By using our solution, developers and/or administrators of a given web application can explicitly express its security requirements from the server side, and require the proper enforcement of those requirements on a compliant client. This strategy is seamlessly integrated into generic web applications by relying on SSL and secure redirect calls.

This work has been supported by funding from the Spanish Ministry of Science and Education, under the projects CONSOLIDER CSD2007-00004 “ARES” and TSI2006-03481.


Editor information

Robert Meersman, Zahir Tari

Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Garcia-Alfaro, J., Navarro-Arribas, G. (2007). Prevention of Cross-Site Scripting Attacks on Current Web Applications. In: Meersman, R., Tari, Z. (eds) On the Move to Meaningful Internet Systems 2007: CoopIS, DOA, ODBASE, GADA, and IS. OTM 2007. Lecture Notes in Computer Science, vol 4804. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-76843-2_45

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-76843-2_45

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-76835-7

  • Online ISBN: 978-3-540-76843-2

  • eBook Packages: Computer Science (R0)