Script-Free HTML: Preventing Cross-Site Scripting While Permitting HTML-Rich Content
Date
2013-05
Publisher
The Ohio State University
Abstract
When someone visits a website, the site's server uses input from the person's web browser to dynamically generate the webpage returned to the user. If hackers can find a weakness in the site's code and control how webpages are generated, they can insert their own scripts into the webpage returned to visitors. These scripts run in the visitor's browser and can compromise the visitor's personal information. The injection of scripts into a webpage by means of evading input filtering is called a cross-site scripting (XSS) attack. Even popular websites, such as Google, Facebook, and YouTube, have been exploited by XSS attacks (KF & DP, 2012). In 2010, XSS attacks were ranked the 2nd-leading source of web security risk (OWASP, 2010).
XSS attacks, by their very nature, are not detectable client-side (e.g., by web browsers or antivirus programs). Current methods to prevent XSS exploits are either ineffective (allowing some attacks to succeed) or overly prohibitive (preventing legitimate HTML-rich content). This project describes a new approach: The structure of safe input is rigorously defined and a server-side tool is implemented to detect the presence of a potential XSS attack. This tool prevents XSS attacks while still permitting HTML-rich content. We define a new context-free grammar (Script-Free HTML 4) that precisely characterizes safe input. Our approach is evaluated by applying it to a benchmark of known XSS vulnerabilities. We also consider the future evolution of this approach in the ever-changing world of web standards.
Keywords
XSS, Web Applications, Security, Cross Site Scripting