Sciweavers

WWW
2010
ACM

Regular expressions considered harmful in client-side XSS filters

14 years 6 months ago
Regular expressions considered harmful in client-side XSS filters
Cross-site scripting flaws have now surpassed buffer overflows as the world’s most common publicly-reported security vulnerability. In recent years, browser vendors and researchers have tried to develop client-side filters to mitigate these attacks. We analyze the best existing filters and find them to be either unacceptably slow or easily circumvented. Worse, some of these filters could introduce vulnerabilities into sites that were previously bug-free. We propose a new filter design that achieves both high performance and high precision by blocking scripts after HTML parsing but before execution. Compared to previous approaches, our approach is faster, protects against more vulnerabilities, and is harder for attackers to abuse. We have contributed an implementation of our filter design to the WebKit open source rendering engine, and the filter is now enabled by default in the Google Chrome browser. Categories and Subject Descriptors K.6.5 [Management of Computing and Inf...
Daniel Bates, Adam Barth, Collin Jackson
Added 14 May 2010
Updated 14 May 2010
Type Conference
Year 2010
Where WWW
Authors Daniel Bates, Adam Barth, Collin Jackson
Comments (0)