Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks

Proceedings of the Symposium on Network and Distributed System Security, NDSS 2009

Volumn , Issue , 2009, Pages

  Gundy, Matthew Van ^a   Chen, Hao ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

CROSS SITE SCRIPTING; CROSS SITE SCRIPTING ATTACKS; INFORMATION FLOW TRACKING; NAMESPACES; RANDOMISATION; USER INPUT; WEB APPLICATION; WEB APPLICATION VULNERABILITY; WEB APPLICATIONS; WEB CLIENTS;

EID: 84928407537     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (23)

1. ab - Apache HTTP server benchmarking tool. http://httpd.apache.org/docs/2.2/programs/ab.html.
2. D. Austin, S. Peruvemba, S. McCarron, M. Ishikawa, and M. Birbeck. XHTML Modularization 1.1. Technical report, W3C, Oct. 2008. http://www.w3.org/TR/xhtml-modularization/.
3. BBCode. http://www.phpbb.com/community/faq.php?mode=bbcode.
4. T. Bray, D. Hollander, A. Layman, and R. Tobin. Namespaces in XML 1.0 (Second Edition). Technical report, W3C, Aug. 2006. http://www.w3.org/TR/REC-xml-names/.
5. T. Bray, J. Paoli, C. M. Sperberg-McQueen, E. Maler, and F. Yergeau. Extensible Markup Language (XML) 1.0 (Fourth Edition). Technical report, W3C, Sept. 2006. http://www.w3.org/TR/REC-xml/.
6. S. Burbeck. How to use Model-View-Controller (MVC), 1992. http://st-www.cs.uiuc.edu/users/smarch/st-docs/mvc.html.
7. Genshi: Python toolkit for generation of output for the web, 2008. http://genshi.edgewall.org/.
8. T. Jim, N. Swamy, and M. Hicks. Defeating script injection attacks with browser-enforced embedded policies. In WWW’07: Proceedings of the 16th international conference on World Wide Web, pages 601–610, New York, NY, USA, 2007. ACM.
9. G. S. Kc, A. D. Keromytis, and V. Prevelakis. Countering code-injection attacks with instruction-set randomization. In CCS’03: Proceedings of the 10th ACM conference on Computer and communications security, pages 272–280, New York, NY, USA, 2003. ACM.
10. E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic. Noxes: A Client-Side Solution for Mitigating Cross Site Scripting Attacks. In Proceedings of the ACM Symposium on Applied Computing (SAC), Dijon, France, April 2006.
11. C. Kirkegaard and A. Møller. Static analysis for Java Servlets and JSP. In Proc. 13th International Static Analysis Symposium, SAS’06, volume 4134 of LNCS. Springer-Verlag, August 2006. Full version available as BRICS RS-06-10.
12. G. Markham. Script Keys, Apr. 2005. http://www.gerv.net/security/script-keys/.
13. G. Markham. Content Restrictions, Mar. 2007. http://www.gerv.net/security/content-restrictions/.
14. MITRE Corporation. Vulnerability Type Distributions in CVE, May 2007. http://cwe.mitre.org/documents/vuln-trends/index.html.
15. Opera Browser, Dec. 2008. http://www.opera.com/browser/.
16. RSnake. XSS (Cross Site Scripting) Cheat Sheet, June 2008. http://ha.ckers.org/xss.html.
17. O. Shezaf. The Universal XSS PDF Vulnerability, Jan. 2007. http://www.owasp.org/images/4/4b/OWASP_IL_The_Universal_XSS_PDF_Vulnerability.pdf.
18. Smarty Template Engine, June 2008. http://www.smarty.net/.
19. Technical explanation of the MySpace worm, Feb. 2006. http://web.archive.org/web/20060208182348/namb.la/popular/tech.html.
20. TikiWiki CMS/Groupware. http://info.tikiwiki.org/tiki-index.php.
21. Úlfar Erlingsson, B. Livshits, and Y. Xie. End-to-end web application security. In HOTOS’07: Proceedings of the 11th USENIX workshop on Hot topics in operating systems, pages 1–6, Berkeley, CA, USA, 2007. USENIX Association.
22. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2007.
23. G. Wassermann and Z. Su. Static Detection of Cross-Site Scripting Vulnerabilities. In Proceedings of ICSE 2008, Leipzig, Germany, May 2008.