
Regular Expressions Considered Harmful In Client-side XSS Filters

Daniel Bates, A. Barth, C. Jackson
Published 2010 · Computer Science

Cross-site scripting flaws have now surpassed buffer overflows as the world's most common publicly-reported security vulnerability. In recent years, browser vendors and researchers have tried to develop client-side filters to mitigate these attacks. We analyze the best existing filters and find them to be either unacceptably slow or easily circumvented. Worse, some of these filters could introduce vulnerabilities into sites that were previously bug-free. We propose a new filter design that achieves both high performance and high precision by blocking scripts after HTML parsing but before execution. Compared to previous approaches, our approach is faster, protects against more vulnerabilities, and is harder for attackers to abuse. We have contributed an implementation of our filter design to the WebKit open source rendering engine, and the filter is now enabled by default in the Google Chrome browser.
This paper references
WWW 2010 · Full Paper
Internals of noXSS
Jeremias Reith (2008)
10.1145/1141277.1141357
Noxes: a client-side solution for mitigating cross-site scripting attacks
E. Kirda (2006)
10.17487/RFC2397
The "data" URL scheme. IETF RFC 2397
Larry Masinter (1998)
Chrome gets XSS filters
David Lindsay (2009)
Our favorite XSS filters/IDS and how to attack them
Eduardo Vela Nava (2009)
JavaScript: The Definitive Guide, chapter 20.4 The Data-Tainting Security Model
David Flanagan (1997)
IE 8 XSS filter architecture/implementation
David Ross (2008)
Browser Security Handbook, volume 2. http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_(UI_redressing)
Michal Zalewski (2010)
Preventing frame busting and click jacking, February 2009. http://coderrr.wordpress.com/2009/02/13/preventing-frame-busting-and-click-jacking-ui-redressing
Steve (2009)
IE8 security part VII: Clickjacking defenses. http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
Eric Lawrence (2009)
10.17487/RFC1866
Hypertext Markup Language - 2.0
Hu Cao (1995)
Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis
P. Vogt (2007)
About dynamic properties
Microsoft
XSS (cross site scripting) cheat sheet
Robert Hansen
Exploiting IE8 UTF-7 XSS vulnerability using local redirection. http://securethoughts.com/2009/05/exploiting-ie8-utf-7-xss-vulnerability-using-local-redirection
Inferno (2009)
V8 benchmark suite
Google
Vulnerability Type Distributions in CVE
S. Christey (2007)
Caja: A source-to-source translator for securing JavaScript-based web content
Google
Mitre. CVE-2009-4074

This paper is referenced by
10.1109/CAIPT.2017.8320672
HXD: Hybrid XSS detection by using a headless browser
Hyunsang Choi (2017)
10.1016/j.giq.2014.01.012
Web application vulnerability assessment and policy direction towards a secure smart government
O. M. Awoleye (2014)
10.1109/SP.2016.14
Back in Black: Towards Formal, Black Box Analysis of Sanitizers and Filters
George Argyros (2016)
10.1002/cpe.4646
A client-server JavaScript code rewriting-based framework to detect the XSS worms from online social network
S. Gupta (2019)
10.1145/2557547.2557550
KameleonFuzz: evolutionary fuzzing for black-box XSS detection
F. Duchene (2014)
Dynamic Information Flow Analysis for JavaScript in a Web Browser
Thomas H. Austin (2013)
10.14311/NNW.2017.27.001
A Novel Framework to Alleviate Dissemination of XSS Worms in Online Social Network (OSN) using View Segregation
Pooja Chaudhary (2017)
10.1007/978-3-642-23822-2_9
A Systematic Analysis of XSS Sanitization in Web Application Frameworks
J. Weinberger (2011)
IDS and IPS System in Multi-Tier Web Applications
Jayant Kulkarni (2015)
10.1007/978-981-10-3376-6_25
XSS Attack Prevention Using DOM-Based Filter
Asish Kumar Dalai (2018)
Detecting Intrusions in Multitier Web Applications
N. Saware (2013)
10.1145/2046707.2046776
SCRIPTGARD: automatic context-sensitive sanitization for large-scale legacy web applications
P. Saxena (2011)
10.1145/2771783.2771787
Experience report: an empirical study of PHP security mechanism usage
Johannes Dahse (2015)
Security and Privacy of Augmented Reality Browsers
Richard McPherson (2015)
10.1109/APSEC48747.2019.00018
Adaptive Random Testing for XSS Vulnerability
Chengcheng Lv (2019)
10.24251/hicss.2019.877
Fighting Against XSS Attacks: A Usability Evaluation of OWASP ESAPI Output Encoding
Chamila Wijayarathna (2019)
Hunting Cross-Site Scripting Attacks in the Network
E. Athanasopoulos (2010)
Parameter Pollution Vulnerabilities in Web Applications
Marco 'embyte' Balduzzi (2011)
SCRIPTGARD: Preventing Script Injection Attacks in Legacy Web Applications with Automatic Sanitization
Prateek Saxena (2010)
Control + Data Flow Model Directed Inputs Generation B . Approximate Taint Flow Inference
Fabien Duchene (2014)
A PROFICIENT APPROACH TOWARDS THE DETECTION OF INTRUSIONS IN MULTI-TIER APPLICATIONS
K. Mona Chary (2013)
10.1007/978-3-642-39235-1_6
PreparedJS: Secure Script-Templates for JavaScript
Martin Johns (2013)
Large-Scale, Automatic XSS Detection using Google Dorks
Riccardo Pelizzi (2011)
Moving towards Positive Security Model for Web Application Firewall
Asrul H. Yaacob (2012)
10.1145/2046707.2046775
Context-sensitive auto-sanitization in web templating languages using type qualifiers
Mike Samuel (2011)
10.1016/j.cose.2011.12.013
Have things changed now? An empirical study on input validation vulnerabilities in web applications
Theodoor Scholte (2012)
10.4018/IJSITA.2015010105
Countering Cross-Site Scripting in Web-based Applications
Loye Lynn Ray (2015)
10.1145/2976749.2978363
CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy
Lukas Weichselbaum (2016)
Audit for web application MSc Research Project Cloud Computing
Ramyabharathi Duraichamy (2017)
10.1109/ICSPCT.2014.6884928
Browser's defenses against reflected cross-site scripting attacks
B. Mewara (2014)
Web Vulnerabilities and Defenses Research Proficiency Exam
Riccardo Pelizzi (2011)
10.1007/978-3-030-01704-0_18
Xilara: An XSS Filter Based on HTML Template Restoration
Keitaro Yamazaki (2018)