[논문]BIXSAN : browser independent XSS sanitizer for prevention of XSS attacks

V., Sharath Chandra; Selvakumar, S.

doi:10.1145/2020976.2020996

BIXSAN : browser independent XSS sanitizer for prevention of XSS attacks

Software engineering notes : an informal newsletter of the Special Interest Committee on Software Engineering, v.36 no.5, 2011년, pp.1 - 7

V., Sharath Chandra (National Institute of Technology, Tiruchirappalli - 620015, Tamil Nadu, India) , Selvakumar, S. (National Institute of Technology, Tiruchirappalli - 620015, Tamil Nadu, India)

Abstract ▼ AI-Helper

Proliferation of social networking sites, and web applications which deliver dynamic content to the clients have increased the user created HTML content in the World Wide Web. This user-created HTML content can be a notorious vector for Cross-Site Scripting,(XSS) attacks. XSS attacks have the ability to target websites, steal confidential information of the users, and hijack their accounts, etc. XSS attacks are launched to exploit the vulnerabilities of the poorly developed application code and data processing systems. In particular, improper validation of user created content and un-sanitized custom error messages introduce vulnerability for XSS attacks. It is a challenging task for any security mechanism to filter out only the harmful HTML content and retain safe content with high fidelity and robustness. This has motivated us to develop a mechanism that filters out the harmful HTML content, and allows safe HTML. The existing solutions to XSS attack include use of regular expressions to detect the presence of dynamic content and client side filtering mechanisms such as Noscript and Noxes tool. The drawbacks of these solutions are low fidelity and disallowing of benign HTML. In order to overcome these drawbacks BIXSAN, a Browser Independent XSS SANitizer for prevention of XSS attacks is proposed in this paper. BIXSAN includes the proposition of three pronged strategy. These strategies are as follows: Firstly the use of complete HTML parser is proposed rather than approximating the behavior of parser. The advantage of using complete HTML parser is that it offers high fidelity. Secondly the use of modified browser, viz., JavaScript Tester is proposed to detect the presence of JavaScript for filtering it out. Thirdly, identification of static tags is proposed for allowing the benign HTML. Further, BIXSAN includes the proposition of a parse tree generator at client side browser to reduce the anomalous behavior of browsers. BIXSAN was experimented in various browsers such as Opera, Netscape, Internet Explorer (IE), and Firefox and found to work for all the browsers. From the experiments conducted it has been found that the proposed BIXSAN prevents the injection of XSS attack code successfully. Further, it has been verified that BIXSAN reduces the anomalous behavior of browse.

참고문헌 (16)

Technology and Industry, Participative Web and User-Created Content: Web 2.0, Wikis and Social Networking Science OECD 19 2007 10.1787/9789264037472-en OECD Directorate for Science , Technology and Industry, Participative Web and User-Created Content: Web 2.0, Wikis and Social Networking . OECD Publishing , Oct. 2007 Ch. 2, pp. 19 -- 25 . OECD Directorate for Science, Technology and Industry, Participative Web and User-Created Content: Web 2.0, Wikis and Social Networking. OECD Publishing, Oct. 2007 Ch. 2, pp.19--25.
Open Web Application Security Project "OWASP Top ten web vulnerabilities "https://www.owasp.org/index.php/Top_10_2007 Open Web Application Security Project "OWASP Top ten web vulnerabilities "https://www.owasp.org/index.php/Top_10_2007
"XSSed | Cross Site Scripting (XSS) attacks information and archive" www.xssed.com "XSSed | Cross Site Scripting (XSS) attacks information and archive" www.xssed.com
J. Open Problems Compt. Math. Shanmugam Jayamsakthi 8 1 2 2008 Cross Site Scripting-Latest developments and solutions: A survey Int Jayamsakthi Shanmugam and M. Ponnavaikko " Cross Site Scripting-Latest developments and solutions: A survey Int . J. Open Problems Compt. Math. , Vol. 1 , No. 2 , pp. 8 -- 28 , September 2008 Jayamsakthi Shanmugam and M. Ponnavaikko "Cross Site Scripting-Latest developments and solutions: A survey Int. J. Open Problems Compt. Math., Vol. 1, No. 2, pp. 8--28, September 2008
"Cross-site scripting -- Wikipedia" http://en.wikipedia.org/wiki/Cross-site_scripting. "Cross-site scripting -- Wikipedia" http://en.wikipedia.org/wiki/Cross-site_scripting.
"Same origin policy" http://en.wikipedia.org/w/index.php?title=Same originpolicy&oldid=190222964 "Same origin policy" http://en.wikipedia.org/w/index.php?title=Same originpolicy&oldid=190222964
"HTTP cookie -- Wikipedia" http://en.wikipedia.org/wiki/HttpOnly#cookie_theft. "HTTP cookie -- Wikipedia" http://en.wikipedia.org/wiki/HttpOnly#cookie_theft.
10.1145/1141277.1141357
D. Ross "IE 8 XSS filter architecture / implementation " http://blogs.technet.com/swi/archive/2008/08/19/ie-8-xss-filterarchitecture-implementation.asp D. Ross "IE 8 XSS filter architecture / implementation " http://blogs.technet.com/swi/archive/2008/08/19/ie-8-xss-filterarchitecture-implementation.asp
10.1145/1772690.1772701
for filter evasion Hansen R. 2008 R. Hansen , " XSS (cross site scripting) cheat sheet esp : for filter evasion ," 2008 . http://ha.ckers.org/xss.html R. Hansen, "XSS (cross site scripting) cheat sheet esp: for filter evasion," 2008. http://ha.ckers.org/xss.html
E.Z. zang "HTML purifier: default whitelist" available: http://htmlpurifier.org/live/smoketests/printDefinition.php E.Z. zang "HTML purifier: default whitelist" available: http://htmlpurifier.org/live/smoketests/printDefinition.php
World Wide Web consortium "Document Object Model level 2 core specification "http://www.w3c.org/TR/DOM-level-2-core/ World Wide Web consortium "Document Object Model level 2 core specification "http://www.w3c.org/TR/DOM-level-2-core/
Conceptual architecture of firefox. http://web.uvic.ca/~hitchner/assign1.pdf Conceptual architecture of firefox. http://web.uvic.ca/~hitchner/assign1.pdf
M. wallent "about Dynamic properties". http://msdn.microsoft.com/en-us/library/ms537634.aspx M. wallent "about Dynamic properties". http://msdn.microsoft.com/en-us/library/ms537634.aspx
XSS(cross site scsripting ) prevention cheat sheet OWASP http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet XSS(cross site scsripting ) prevention cheat sheet OWASP http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

내보내기 구분	파일저장 인쇄 메일전송
구성항목	기본정보 상세정보 관리번호, 논문명, 저널/프로시딩명, 저자 , 발행년, 권, 호, 시작페이지, 끝페이지, 발행기관 관리번호, 논문명, 대등논문명, 저자 , 저널/프로시딩명, 발행기관, 발행년, 발행언어, 권, 호, 시작페이지, 끝페이지, ISBN, ISSN, 주제분야, 키워드, 초록(한글), 초록(영문), 저자(소속기관)
저장형식	Text(ASCII format) Excel format RefWorks Direct Export RIS format (for Reference Manager, ProCite, EndNote), Scholar's Aids, Mendeley
메일정보	받는사람 (필수) @ 보내는사람 (선택) @ 제목 내용 KISTI 검색결과 이메일 서비스
안내	총 건의 자료가 검색되었습니다. 다운받으실 자료의 인덱스를 입력하세요. (1-10,000) 검색결과의 순서대로 최대 10,000건 까지 다운로드가 가능합니다. 데이타가 많을 경우 속도가 느려질 수 있습니다.(최대 2~3분 소요) 다운로드 파일은 UTF-8 형태로 저장됩니다. 파일의 내용이 제대로 보이지 않을실 때는 웹브라우저 상단의 보기 -> 인코딩 -> 자동선택 여부를 확인하십시오. ~ Text(ASCII format) Excel format

연합인증

BIXSAN : browser independent XSS sanitizer for prevention of XSS attacks

Abstract ▼ AI-Helper

참고문헌 (16)

이 논문을 인용한 문헌

관련 콘텐츠

원문 URL 링크

이 논문과 함께 이용한 콘텐츠

AI-Helper ※ AI-Helper는 오픈소스 모델을 사용합니다.

선택된 텍스트