{"title":"Prevention Of DOM Based XSS Attacks Using A White List Framework","authors":"Khaled Ali, Ayman A. Abdel-Hamid, M. Kholief","doi":"10.1109/ICCTA35431.2014.9521633","DOIUrl":null,"url":null,"abstract":"Web applications are not guaranteed to be safe for both clients and servers since many vulnerabilities can be exploited in a web application to reach a malicious goal. One such vulnerability is Cross Site Scripting or XSS that has many types but in general is aimed at executing malicious scripts at the client’s machine when exploiting vulnerabilities in the server side. Another type of client side XSS vulnerability is called DOM (Document Object Model) Based XSS which can be achieved at client side only without putting any script in the server side. In this paper, we propose a DOM XSS prevention technique that protects the clients from web pages that contain such scripts in the HTML DOM tree source. This is an anti-DOM XSS framework that stops DOM XSS scripts and prevents it at client side. In addition, a prototype tool was implemented which has demonstrated the validity and viability of the proposed framework","PeriodicalId":162170,"journal":{"name":"2014 24th International Conference on Computer Theory and Applications (ICCTA)","volume":"62 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-10-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2014 24th International Conference on Computer Theory and Applications (ICCTA)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICCTA35431.2014.9521633","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0
Abstract
Web applications are not guaranteed to be safe for both clients and servers, since many vulnerabilities can be exploited in a web application to reach a malicious goal. One such vulnerability is Cross Site Scripting, or XSS, which has many types but in general is aimed at executing malicious scripts on the client’s machine when exploiting vulnerabilities on the server side. Another type of client-side XSS vulnerability is called DOM (Document Object Model) Based XSS, which can be achieved at the client side only, without putting any script on the server side. In this paper, we propose a DOM XSS prevention technique that protects clients from web pages that contain such scripts in the HTML DOM tree source. This is an anti-DOM XSS framework that stops DOM XSS scripts and prevents them at the client side. In addition, a prototype tool was implemented which has demonstrated the validity and viability of the proposed framework.