
The Research Of XSS Detection And Defense Based Server-Client Cooperation

Posted on: 2012-06-17
Degree: Master
Type: Thesis
Country: China
Candidate: S Y Xu
GTID: 2178330335463022
Subject: Computer Science and Technology
Abstract/Summary:
Cross-site scripting (XSS) attacks inject malicious user-supplied content into web sites that have XSS vulnerabilities. When a victim accesses the injected web page, the malicious JavaScript code in the received page is executed silently by the web browser and steals sensitive information from the victim. In view of the flaws of purely server-side and purely client-side XSS defenses, this thesis studies an XSS defense based on server-client cooperation that uses the advantages of both the server side and the client side. Web application developers know exactly the set of permitted script code and the regions of a particular web page where content may be inserted. The web browser can precisely detect the execution of JavaScript code. When the browser parses a web page, the attack fails if the content containing malicious code is detected and blocked.

To evade detection systems, most XSS attacks use forged HTML start and end tags to break up the structure of the initially benign web page. The server-client cooperation based XSS defense keeps the web page's document object model consistent between the server side and the client side. All untrusted content of a web page is isolated on the server; before the web browser updates or changes the page's DOM structure, our validating model checks whether the code being executed comes from untrusted content and prevents all potentially malicious script code from executing.

The system architecture is built from four major modules. The untrusted-content isolation module is completed by the web developer, who identifies the origins of the untrusted content in a web page. The page tainting module uses a pair of randomized delimiters to taint untrusted content under a flexible policy file, and is implemented as an extension of a PHP template engine. The tainted-page decoding module makes a small modification to the Firefox parser module and implements a validating plug-in; when parsing the tainted web page, it identifies and tracks the nodes containing untrusted content. The dynamic validation module checks code from untrusted content before it is executed to change the DOM structure. If the code conflicts with either the terminal confinement constraint or the requirements of the policy file, it is transformed into a string literal to prevent it from breaking up the benign document structure. Dynamic and static methods are also used to analyze obfuscated content (encoded with several character encodings).

This paper describes the ways of isolating untrusted content, the page tainting algorithm, the tainted-page decoding algorithm, the dynamic validation mechanism and code obfuscation detection. Based on this research, we implemented a useful XSS detection and prevention system.
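The tainting and validation steps described above can be sketched as follows. This is an added example, not code from the thesis: the delimiter format, the `{{comment}}` slot and the function names are assumptions, Python's `html.parser` stands in for the modified Firefox parser, and only untrusted content placed in element text is covered.

```python
import html
import re
import secrets
from html.parser import HTMLParser

def new_delimiters():
    """Fresh, unguessable marker pair for one response (format is made up here)."""
    nonce = secrets.token_hex(8)
    return f"[[u-{nonce}]]", f"[[/u-{nonce}]]"

def taint(template, slot, untrusted, delims):
    """Server side: wrap the untrusted value in the delimiters at its slot."""
    return template.replace(slot, delims[0] + untrusted + delims[1])

class ConfinementChecker(HTMLParser):
    """Client side: record tainted regions from which the parser built markup."""
    def __init__(self, delims):
        super().__init__(convert_charrefs=True)
        self.delims, self.inside, self.region = delims, False, 0
        self.violations = set()

    def handle_data(self, data):
        pos = 0
        while True:  # a text chunk may hold several delimiters
            marker = self.delims[1] if self.inside else self.delims[0]
            pos = data.find(marker, pos)
            if pos < 0:
                return
            pos += len(marker)
            self.inside = not self.inside
            self.region += self.inside  # count each opening delimiter

    def _flag(self, *_):
        if self.inside:  # a tag or comment node came from untrusted content
            self.violations.add(self.region)

    handle_starttag = handle_endtag = handle_comment = _flag

def enforce(page, delims):
    """Strip delimiters; turn violating regions into inert string literals."""
    checker = ConfinementChecker(delims)
    checker.feed(page)
    checker.close()
    regions = re.compile(re.escape(delims[0]) + "(.*?)" + re.escape(delims[1]), re.S)
    seen = 0
    def fix(match):
        nonlocal seen
        seen += 1
        body = match.group(1)
        return html.escape(body) if seen in checker.violations else body
    return regions.sub(fix, page), sorted(checker.violations)
```

Untrusted text that stays a text node passes through unchanged; a region whose content produced tags is escaped so the surrounding document structure is preserved.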
Keywords/Search Tags: Cross-site scripting, Document Object Model, Randomized Delimiter, Policy File, Script Obfuscate