Noncespaces: Using randomization to defeat cross-site scripting attacks

Computers and Security

Volumn 31, Issue 4, 2012, Pages 612-628

  Van Gundy, Matthew ^a   Chen, Hao ^a  

^a University of California   (United States)

Author keywords

Client side policy enforcement; Cross site scripting; Defense; Information flow tracking; Security; Web application; World wide web

Indexed keywords

CROSS SITE SCRIPTING; DEFENSE; INFORMATION FLOWS; POLICY ENFORCEMENT; SECURITY; WEB APPLICATION;

COMPUTER SCIENCE; SECURITY OF DATA;

WORLD WIDE WEB;

EID: 84861099922     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2011.12.004     Document Type: Article

References (50)

1. ab - Apache HTTP server benchmarking tool. http://httpd.apache.org/docs/ 2.2/programs/ab.html; 2010. [accessed 20.03.11].
2. D. Austin, S. Peruvemba, S. McCarron, M. Ishikawa, and M. Birbeck XHTML modularization 1.1 [accessed 20.03.11] 2008 W3C Technical Report
3. E.G. Barrantes, D.H. Ackley, S. Forrest, T.S. Palmer, D. Stefanović, and D.D. Zovi Randomized instruction set emulation to disrupt binary code injection attacks Proceedings of the 10th ACM conference on computer and communications security (CCS 2003) 2003 ACM Washington D.C., USA 281 289 (Pubitemid 40673810)
4. S.W. Boyd, and A.D. Keromytis SQLrand: preventing SQL injection attacks Proceedings of the 2nd applied cryptography and network security (ACNS) conference 2004 292 302
5. T. Bray, D. Hollander, A. Layman, and R. Tobin Namespaces in XML 1.0 [accessed 20.03.11] 2nd ed. 2006 W3C Technical Report
6. T. Bray, J. Paoli, C.M. Sperberg-McQueen, E. Maler, and F. Yergeau Extensible markup language (XML) 1.0 [accessed 20.03.11] 4th ed. 2006 W3C Technical Report
7. S. Burbeck How to use model-view-controller (MVC) [accessed 20.03.11] 1992 http://st-www.cs.uiuc.edu/users/smarch/st-docs/mvc.html
8. CERT Coordination Center CERT advisory CA-2000-02 malicious HTML tags embedded in client web requests [accessed 20.03.11] 2000 http://www.cert.org/ advisories/CA-2000-02.html
9. S. Chen, J. Xu, E.C. Sezer, P. Gauriar, and R.K. Iyer Non-control-data attacks are realistic Threats USENIX security symposium. USENIX the advanced computing systems association 2005 USENIX Association Baltimore, MD, USA 177 192
10. CWE/SANS Top 25 most dangerous software errors [accessed 20.03.11] 2010 http://cwe.mitre.org/top25/
11. B. Eich JavaScript: mobility & ubiquity G. Barthe, Y. Mantel, P. Müller, A.C. Myers, A. Sabelfeld, Mobility, ubiquity and security. Dagstuhl, Germany: Internationales Begegnungs-und Forschungszentrum für Informatik (IBFI); number 07091 in Dagstuhl seminar proceedings 2007
12. Ú Erlingsson, B. Livshits, and Y. Xie End-to-end web application security Proceedings of the 11th USENIX workshop on hot topics in operating systems. USENIX the advanced computing systems association 2007 USENIX Association San Diego, CA 1 6
13. R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, and P. Leach Hypertext Transfer Protocol - HTTP/1.1 1999
14. Genshi Python toolkit for generation of output for the web [accessed 20.03.11] 2008 http://genshi.edgewall.org/
15. T. Jim, N. Swamy, and M. Hicks Defeating scripting attacks with browser-enforced embedded policies Proceedings of the international World Wide Web conference (WWW) 2007 ACM Banff, Alberta, Canada 601 610 (Pubitemid 47582289)
16. G.S. Kc, A.D. Keromytis, and V. Prevelakis Countering code-injection attacks with instruction-set randomization CCS '03: Proceedings of the 10th ACM conference on computer and communications security 2003 ACM Washington D.C., USA 272 280 (Pubitemid 40673809)
17. E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic Noxes: a client-side solution for mitigating cross site scripting attacks Proceedings of the ACM symposium on applied computing (SAC) 2006 330 337 Dijon, France (Pubitemid 44758802)
18. C. Kirkegaard, and A. Mřller Static analysis for Java Servlets and JSP Proceedings of the 13th international static analysis Symposium, SAS '06 LNCS vol. 4134 2006 Springer-Verlag 336 352 Full version available as BRICS RS-06-10 (Pubitemid 44561983)
19. V.B. Livshits, and M.S. Lam Finding security vulnerabilities in Java applications with static analysis USENIX security symposium. USENIX the advanced computing systems association 2005 USENIX Association Baltimore, MD, USA 271 286
20. G. Markham Script Keys Last accessed: Mar 20, 2011 2005 http://www.gerv.net/security/script-keys/
21. G. Markham Content restrictions Last accessed: Mar 20, 2011 2007 http://www.gerv.net/security/content-restrictions/
22. L.A. Meyerovich, and B. Livshits ConScript: specifying and enforcing fine-grained security policies for JavaScript in the browser IEEE Symposium on security and privacy 2010 IEEE Computer Society Berkeley, CA, USA 481 496
23. Microsoft Developer Network (MSDN) About conditional comments Last accessed: Mar 20, 2011 2007 http://msdn.microsoft.com/en-us/library/ms537512. aspx
24. MITRE Corporation Vulnerability type distributions in CVE [accessed 20.03.11] 2007 http://cwe.mitre.org/documents/vuln-trends/index.html
25. San Diego, CA Y. Nadji, P. Saxena, and D. Song Document structure integrity: a robust basis for cross-site scripting Defense Proceedings of the 16th annual network and distributed system security symposium (NDSS) 2009 17 36
26. E.V. Nava, and D. Lindsay Abusing Internet Explorer 8's XSS filters [accessed 20.03.11] 2010 http://p42.us/ie8xss/Abusing-IE8s-XSS-Filters.pdf
27. A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans Automatically hardening web applications using precise tainting Proceedings of the 20th IFIP international information security conference (SEC 2005) 2005 372 382 Chiba, Japan
28. Opera Browser. http://www.opera.com/browser/; 2008. [accessed 20.03.11].
29. W. Robertson, and G. Vigna Static enforcement of web application integrity through strong typing USENIX security Symposium. USENIX the advanced computing systems Association 2009 USENIX Association Montreal, Canada 283 298
30. D. Ross IE8 security part IV: the XSS filter [accessed 20.03.11] 2008 http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss- filter.aspx
31. RSnake XSS (cross site scripting) cheat sheet [accessed 20.03.11] 2008 http://ha.ckers.org/xss.html
32. Sahi http://sahi.co.in/; 2011. [accessed 20.03.11].
33. Samy Technical explanation of the MySpace worm [accessed 20.03.11] 2006 http://web.archive.org/web/20060208182348/namb.la/popular/tech.html
34. Selenium IDE. http://seleniumhq.org/projects/ide/; 2011. [accessed 20.03.11].
35. O. Shezaf The universal XSS PDF vulnerability [accessed 20.03.11] 2007 http://www.owasp.org/images/4/4b/OWASP-IL-The-Universal-XSS-PDF-Vulnerability
36. Smarty Template Engine. http://www.smarty.net/; 2008. [accessed 20.03.11].
37. S. Stamm, B. Sterne, and G. Markham Reining in the web with content security policy Proceedings of the 19th international World Wide Web conference (WWW) 2010 ACM Raleigh, North Carolina, USA 921 930
38. Z. Su, and G. Wassermann The Essence of command injection attacks in web applications Proceedings of the 33rd ACM SIGPLAN-SIGACT symposium on principles of programming languages 2006 ACM Charleston, South Carolina, USA 372 382
39. S. Tang, C. Grier, O. Aciicmez, and S.T. King Alhambra: a system for creating, enforcing, and testing browser security policies Proceedings of the 19th International World Wide Web conference (WWW) 2010 ACM Raleigh, North Carolina, USA 941 950
40. M. Ter Louw, and V.N. Venkatakrishnan Blueprint: robust prevention of cross-site scripting attacks for existing browsers IEEE symposium on security and privacy 2009 IEEE Computer Society Berkeley, CA, USA 331 346
41. The Open Web Application Security Project Cross-site scripting (XSS) [accessed 20.03.11] 2010 http://www.owasp.org/index.php/Cross-site-Scripting- %2528xSS%2529
42. TikiWiki CMS/groupware. http://info.tikiwiki.org/tiki-index.php; 2010. [accessed 20.03.11].
43. San Diego, CA M. Van Gundy, and H. Chen Noncespaces: using randomization to enforce information flow tracking and thwart cross-site scripting attacks Proceedings of the 16th Annual network and distributed system security symposium (NDSS) 2009 55 67
44. W. Venema Taint support for PHP [accessed 20.03.11] 2008 http://wiki.php.net/rfc/taint
45. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, and C. Kruegel Vigna G cross-site scripting prevention with dynamic data tainting and static analysis Proceedings of the network and distributed system security symposium (NDSS) 2007 San Diego, CA
46. G. Wassermann, and Z. Su Sound and precise analysis of web applications for injection vulnerabilities Proceedings of the ACM SIGPLAN 2007 conference on programming language design and implementation 2007 ACM Press San Diego, CA 32 41 New York, NY, USA (Pubitemid 47630673)
47. G. Wassermann, and Z. Su Static detection of cross-site scripting vulnerabilities Proceedings of the 30th international conference on software engineering 2008 ACM Leipzig, Germany 171 180
48. P. Wurzinger, C. Platzer, C. Ludl, E. Kirda, and C. Kruegel SWAP: mitigating XSS attacks using a reverse proxy Proceedings of the 2009 ICSE workshop on software engineering for secure systems 2009 IEEE Computer Society Washington, DC, USA 33 39
49. Y. Xie, and A. Aiken Static Detection of security vulnerabilities in scripting languages USENIX security symposium. USENIX the advanced computing systems association 2006 USENIX Association Vancouver, B.C., Canada 179 192
50. W. Xu, S. Bhatkar, and R. Sekar Taint-Enhanced policy enforcement: a Practical approach to defeat a wide range of attacks USENIX security symposium. USENIX the advanced computing systems Association 2006 USENIX Association Vancouver, B.C., Canada 121 136