NDSS
2009
IEEE

Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense

Cross-site scripting (or XSS) has been the most dominant class of web vulnerabilities in 2007. The main underlying reason for XSS vulnerabilities is that web markup and client-side languages do not provide principled mechanisms to ensure secure, ground-up isolation of user-generated data in web application code. In this paper, we develop a new approach that combines randomization of web application code and runtime tracking of untrusted data both on the server and the browser to combat XSS attacks. Our technique ensures a fundamental integrity property that prevents untrusted data from altering the structure of trusted code throughout the execution lifetime of the web application. We call this property document structure integrity (or DSI). Similar to prepared statements in SQL, DSI enforcement ensures automatic syntactic isolation of inline user-generated data at the parser level. This forms the basis for confinement of untrusted data in the web browser based on a server-specified p...
Yacin Nadji, Prateek Saxena, Dawn Song
Added: 21 May 2010
Updated: 21 May 2010
Type: Conference
Year: 2009
Where: NDSS
Authors: Yacin Nadji, Prateek Saxena, Dawn Song