
Research On Defence Scheme Against Cross-site Scripting Attacks Based On AJAX Application

Posted on: 2011-09-17
Degree: Master
Type: Thesis
Country: China
Candidate: Q J Zhang
Full Text: PDF
GTID: 2178360308968833
Subject: Computer Science and Technology
Abstract/Summary:
Web 2.0 applications' friendly interfaces, rich functionality and high practicality endear them to developers and users. The defining characteristics of Web 2.0 applications are that they accept content from untrusted sources and place much of the computation on the client side. AJAX (Asynchronous JavaScript and XML) is the most typical application of this technology. Cross-site scripting (XSS) is the most common attack that exploits these characteristics to inject malicious content into Web pages, steal a victim user's private data, or take unauthorized actions without the user's permission. Security technology, however, has lagged far behind the applied technology, which leaves AJAX applications open to such attacks.

JavaScript is the cornerstone of AJAX. Normal Web applications need it to make the program more interactive; at the same time, XSS attackers use it to carry out a variety of attacks. Distinguishing authorized from unauthorized scripts on a page therefore becomes the key to detecting XSS attacks.

In this paper we present a method based on analysis of the JavaScript execution flow to detect XSS attacks. We build a finite-state automaton (FSA) by analyzing the client-side JavaScript of the AJAX application, modeling normal program behavior as states. The tool is deployed in a proxy, so neither the Web application's source code nor the user's browser has to be modified. It analyzes the execution flow of the client-side JavaScript before the page the user requested reaches the browser. If the flow does not match the pre-built FSA, it is treated as an XSS attack; the system then removes the cross-site script and sends a harmless page to the user. Finally, we evaluate our technique against several real applications and show that it protects against a variety of XSS attacks with an acceptable performance overhead.
Keywords/Search Tags: JavaScript, AJAX, FSA, XSS