Regular expressions considered harmful in client-side XSS filters

Proceedings of the 19th International Conference on World Wide Web, WWW '10

Volumn , Issue , 2010, Pages 91-99

  Bates, Daniel ^a   Barth, Adam ^a   Jackson, Collin ^b  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

browser; cross site scripting; filter; web; XSS

Indexed keywords

BUFFER OVERFLOWS; BUG-FREE; CROSS SITE SCRIPTING; FILTER DESIGNS; HIGH PRECISION; OPEN SOURCES; REGULAR EXPRESSIONS; RENDERING ENGINE; SECURITY VULNERABILITIES;

FILTER BANKS; WORLD WIDE WEB;

SECURITY OF DATA;

EID: 77954612255     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1772690.1772701     Document Type: Conference Paper

References (24)

1. Tim Berners-Lee and Dan Connolly. Hypertext Markup Language - 2.0. IETF RFC 1866, November 1995.
2. Steve Christey and Robert A. Martin. Vulnerability type distributions in cve, 2007. http://cwe.mitre.org/documents/vuln-trends/.
3. Douglas Crockford. ADsafe.
4. Facebook. Fbjs. http://wiki.developers.facebook.com/index.php/FBJS.
5. David Flanagan. JavaScript: The Definitive Guide, chapter 20.4 The Data-Tainting Security Model. O'Reilly & Associates, Inc., second edition, January 1997.
6. Google. Caja: A source-to-source translator for securing JavaScript-based web content. http://code.google.com/p/google-caja/.
7. Google. V8 benchmark suite. http://v8.googlecode.com/svn/data/benchmarks/ v5/run.html.
8. Robert Hansen. XSS (cross site scripting) cheat sheet. http://ha.ckers.org/xss.html.
9. Apple Inc. Sunspider. http://www2.webkit.org/perf/sunspider-0.9/ sunspider.html.
10. Inferno. Exploiting IE8 UTF-7 XSS vulnerability using local redirection, May 2009. http://securethoughts.com/2009/05/exploiting-ie8-utf-7-xss- vulnerability-using-local-redirection/.
11. Engin Kirda, Christopher Kruegel, Giovanni Vigna, and Nenad Jovanovic. Noxes: A client-side solution for mitigating cross site scripting attacks. In Proceedings of the 21st ACM Symposium on Applied Computing (SAC), 2006.
12. Eric Lawrence. IE8 security part VII: Clickjacking defenses. http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking- defenses.aspx.
13. David Lindsay et al. Chrome gets XSS filters, September 2009. http://sla.ckers.org/forum/read.php?13,31377.
14. Giorgio Maone. NoScript. http://www.noscript.net.
15. Larry Masinter. The "data" URL scheme. IETF RFC 2397, August 1998.
16. Microsoft. About dynamic properties. http://msdn.microsoft.com/en-us/ library/ms537634(VS.85).aspx.
17. Mitre. CVE-2009-4074.
18. Eduardo Vela Nava and David Lindsay. Our favorite XSS filters/IDS and how to attack them, 2009. Black Hat USA presentation.
19. Jeremias Reith. Internals of noXSS, October 2008. http://www.noxss.org/ wiki/Internals.
20. David Ross. IE 8 XSS filter architecture/implementation, August 2008. http://blogs.technet.com/srd/archive/2008/08/18/ie-8-xss-filter-architecture- implementation.aspx.
21. Steve. Preventing frame busting and click jacking, Februrary 2009. http://coderrr.wordpress.com/2009/02/13/preventing-frame-busting-and-click- jacking-ui-redressing/.
22. Andrew van der Stock, Jeff Williams, and Dave Wichers. OWASP top 10, 2007. http://www.owasp.org/index.php/Top-10-2007.
23. Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. In Proceedings of the Network and Distributed System Security Symposium (NDSS), 2007.
24. Michal Zalewski. Browser Security Handbook, volume 2. http://code.google.com/p/browsersec/wiki/Part2#Arbitrary-page-mashups-(UI- redressing).