Abstract
Cross-Site Scripting (XSS) is one of the most common web application vulnerabilities. It is therefore sometimes referred to as the “buffer overflow of the web.” Drawing a parallel from the current state of practice in preventing unauthorized native code execution (the typical goal in a code injection), we propose a script whitelisting approach to tame JavaScript-driven XSS attacks. Our scheme involves a transparent script interception layer placed in the browser’s JavaScript engine. This layer is designed to detect every script that reaches the browser, from every possible route, and compare it to a list of valid scripts for the site or page being accessed; scripts not on the list are prevented from executing. To avoid the false positives caused by minor syntactic changes (e.g., due to dynamic code generation), our layer uses the concept of contextual fingerprints when comparing scripts.
Contextual fingerprints are identifiers that represent specific elements of a script and its execution context. Fingerprints can be easily enriched with new elements, if needed, to enhance the proposed method’s robustness. The list can be populated by the website’s administrators or a trusted third party. To verify our approach, we have developed a prototype and tested it successfully against an extensive array of attacks that were performed on more than 50 real-world vulnerable web applications. We measured the browsing performance overhead of the proposed solution on eight websites that make heavy use of JavaScript. Our mechanism imposed an average overhead of 11.1% on the execution time of the JavaScript engine. When measured as part of a full browsing session, and for all tested websites, the overhead introduced by our layer was less than 0.05%. When script elements are altered or new scripts are added on the server side, a new fingerprint generation phase is required. To examine the temporal aspect of contextual fingerprints, we performed a short-term and a long-term experiment based on the same websites. The former showed that over a short period (10 days), for seven of the eight websites, the majority of valid fingerprints stay the same (more than 92% on average). The latter, though, indicated that, in the long run, the number of fingerprints that do not change is reduced. Both experiments can be seen as one of the first attempts to study the feasibility of a whitelisting approach for the web.
Index Terms
How to Train Your Browser: Preventing XSS Attacks Using Contextual Script Fingerprints