Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers

M. Louw, V. Venkatakrishnan
Published in: 2009 30th IEEE Symposium on Security and Privacy
Publication date: 2009-05-17
DOI: 10.1109/SP.2009.33 (https://doi.org/10.1109/SP.2009.33)
Citation count: 232

Abstract

As social networking sites proliferate across the World Wide Web, complex user-created HTML content is rapidly becoming the norm rather than the exception. User-created web content is a notorious vector for cross-site scripting (XSS) attacks that target websites and confidential user data. In this threat climate, mechanisms that render web applications immune to XSS attacks have been of recent research interest. A challenge for these security mechanisms is enabling web applications to accept complex HTML input from users, while disallowing malicious script content. This challenge is made difficult by anomalous web browser behaviors, which are often used as vectors for successful XSS attacks. Motivated by this problem, we present a new XSS defense strategy designed to be effective in widely deployed existing web browsers, despite anomalous browser behavior. Our approach seeks to minimize trust placed on browsers for interpreting untrusted content. We implemented this approach in a tool called Blueprint that was integrated with several popular web applications. We evaluated Blueprint against a barrage of stress tests that demonstrate strong resistance to attacks, excellent compatibility with web browsers and reasonable performance overheads.