V., Sharath Chandra
(National Institute of Technology, Tiruchirappalli - 620015, Tamil Nadu, India)
,
Selvakumar, S.
(National Institute of Technology, Tiruchirappalli - 620015, Tamil Nadu, India)
Proliferation of social networking sites, and web applications which deliver dynamic content to the clients have increased the user created HTML content in the World Wide Web. This user-created HTML content can be a notorious vector for Cross-Site Scripting,(XSS) attacks. XSS attacks have the abilit...
Proliferation of social networking sites, and web applications which deliver dynamic content to the clients have increased the user created HTML content in the World Wide Web. This user-created HTML content can be a notorious vector for Cross-Site Scripting,(XSS) attacks. XSS attacks have the ability to target websites, steal confidential information of the users, and hijack their accounts, etc. XSS attacks are launched to exploit the vulnerabilities of the poorly developed application code and data processing systems. In particular, improper validation of user created content and un-sanitized custom error messages introduce vulnerability for XSS attacks. It is a challenging task for any security mechanism to filter out only the harmful HTML content and retain safe content with high fidelity and robustness. This has motivated us to develop a mechanism that filters out the harmful HTML content, and allows safe HTML. The existing solutions to XSS attack include use of regular expressions to detect the presence of dynamic content and client side filtering mechanisms such as Noscript and Noxes tool. The drawbacks of these solutions are low fidelity and disallowing of benign HTML. In order to overcome these drawbacks BIXSAN, a Browser Independent XSS SANitizer for prevention of XSS attacks is proposed in this paper. BIXSAN includes the proposition of three pronged strategy. These strategies are as follows: Firstly the use of complete HTML parser is proposed rather than approximating the behavior of parser. The advantage of using complete HTML parser is that it offers high fidelity. Secondly the use of modified browser, viz., JavaScript Tester is proposed to detect the presence of JavaScript for filtering it out. Thirdly, identification of static tags is proposed for allowing the benign HTML. Further, BIXSAN includes the proposition of a parse tree generator at client side browser to reduce the anomalous behavior of browsers. BIXSAN was experimented in various browsers such as Opera, Netscape, Internet Explorer (IE), and Firefox and found to work for all the browsers. From the experiments conducted it has been found that the proposed BIXSAN prevents the injection of XSS attack code successfully. Further, it has been verified that BIXSAN reduces the anomalous behavior of browse.
Proliferation of social networking sites, and web applications which deliver dynamic content to the clients have increased the user created HTML content in the World Wide Web. This user-created HTML content can be a notorious vector for Cross-Site Scripting,(XSS) attacks. XSS attacks have the ability to target websites, steal confidential information of the users, and hijack their accounts, etc. XSS attacks are launched to exploit the vulnerabilities of the poorly developed application code and data processing systems. In particular, improper validation of user created content and un-sanitized custom error messages introduce vulnerability for XSS attacks. It is a challenging task for any security mechanism to filter out only the harmful HTML content and retain safe content with high fidelity and robustness. This has motivated us to develop a mechanism that filters out the harmful HTML content, and allows safe HTML. The existing solutions to XSS attack include use of regular expressions to detect the presence of dynamic content and client side filtering mechanisms such as Noscript and Noxes tool. The drawbacks of these solutions are low fidelity and disallowing of benign HTML. In order to overcome these drawbacks BIXSAN, a Browser Independent XSS SANitizer for prevention of XSS attacks is proposed in this paper. BIXSAN includes the proposition of three pronged strategy. These strategies are as follows: Firstly the use of complete HTML parser is proposed rather than approximating the behavior of parser. The advantage of using complete HTML parser is that it offers high fidelity. Secondly the use of modified browser, viz., JavaScript Tester is proposed to detect the presence of JavaScript for filtering it out. Thirdly, identification of static tags is proposed for allowing the benign HTML. Further, BIXSAN includes the proposition of a parse tree generator at client side browser to reduce the anomalous behavior of browsers. BIXSAN was experimented in various browsers such as Opera, Netscape, Internet Explorer (IE), and Firefox and found to work for all the browsers. From the experiments conducted it has been found that the proposed BIXSAN prevents the injection of XSS attack code successfully. Further, it has been verified that BIXSAN reduces the anomalous behavior of browse.
참고문헌 (16)
Technology and Industry, Participative Web and User-Created Content: Web 2.0, Wikis and Social Networking Science OECD 19 2007 10.1787/9789264037472-en OECD Directorate for Science , Technology and Industry, Participative Web and User-Created Content: Web 2.0, Wikis and Social Networking . OECD Publishing , Oct. 2007 Ch. 2, pp. 19 -- 25 . OECD Directorate for Science, Technology and Industry, Participative Web and User-Created Content: Web 2.0, Wikis and Social Networking. OECD Publishing, Oct. 2007 Ch. 2, pp.19--25.
Open Web Application Security Project "OWASP Top ten web vulnerabilities "https://www.owasp.org/index.php/Top_10_2007 Open Web Application Security Project "OWASP Top ten web vulnerabilities "https://www.owasp.org/index.php/Top_10_2007
"XSSed | Cross Site Scripting (XSS) attacks information and archive" www.xssed.com "XSSed | Cross Site Scripting (XSS) attacks information and archive" www.xssed.com
J. Open Problems Compt. Math. Shanmugam Jayamsakthi 8 1 2 2008 Cross Site Scripting-Latest developments and solutions: A survey Int Jayamsakthi Shanmugam and M. Ponnavaikko " Cross Site Scripting-Latest developments and solutions: A survey Int . J. Open Problems Compt. Math. , Vol. 1 , No. 2 , pp. 8 -- 28 , September 2008 Jayamsakthi Shanmugam and M. Ponnavaikko "Cross Site Scripting-Latest developments and solutions: A survey Int. J. Open Problems Compt. Math., Vol. 1, No. 2, pp. 8--28, September 2008
D. Ross "IE 8 XSS filter architecture / implementation " http://blogs.technet.com/swi/archive/2008/08/19/ie-8-xss-filterarchitecture-implementation.asp D. Ross "IE 8 XSS filter architecture / implementation " http://blogs.technet.com/swi/archive/2008/08/19/ie-8-xss-filterarchitecture-implementation.asp
10.1145/1772690.1772701
for filter evasion Hansen R. 2008 R. Hansen , " XSS (cross site scripting) cheat sheet esp : for filter evasion ," 2008 . http://ha.ckers.org/xss.html R. Hansen, "XSS (cross site scripting) cheat sheet esp: for filter evasion," 2008. http://ha.ckers.org/xss.html
World Wide Web consortium "Document Object Model level 2 core specification "http://www.w3c.org/TR/DOM-level-2-core/ World Wide Web consortium "Document Object Model level 2 core specification "http://www.w3c.org/TR/DOM-level-2-core/
Conceptual architecture of firefox. http://web.uvic.ca/~hitchner/assign1.pdf Conceptual architecture of firefox. http://web.uvic.ca/~hitchner/assign1.pdf
M. wallent "about Dynamic properties". http://msdn.microsoft.com/en-us/library/ms537634.aspx M. wallent "about Dynamic properties". http://msdn.microsoft.com/en-us/library/ms537634.aspx
XSS(cross site scsripting ) prevention cheat sheet OWASP http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet XSS(cross site scsripting ) prevention cheat sheet OWASP http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
※ AI-Helper는 부적절한 답변을 할 수 있습니다.