| ABSTRACT:Cross-site scripting is among the most serious and common threat in Web applications today. XSS is resulting from the weakness inherent in many Web applications’security mechanisms:the absence or insufficient sanitization of users’ inputs. The optimal approach to prevent XSS attacks would be to eliminate the vulnerabilities in the affected web applications. To this end, a web application must properly validate all input, and in particular, remove malicious scripts. Unfortunately, it is often the case that vulnerable applications are not fixed for a considerable amount of time, leaving the users vulnerable to attacks. Hence, one promising approach for protecting users against XSS attacks is to deploy the necessary security mechanisms on the client side.This paper first discusses the status of web application security, analyzes the existing security mechanisms and security risk tolerance clients.Secondly, the paper studies the cause, classification and implementation of cross-site scripting attacks in depth, and summarizes the general process and techniques of vulnerability discovery and excavation. Relevant examples have also been carried out to implement different attacks.At last, this paper proposes a novel client-side approach, which combines the dynamic tainting and static analysis, to prevent XSS attacks. The Defense System is able to tracking the flow of sensitive values dynamically on the client side. Whenever a sensitive value is going to be transferred to a third party, i.e. the adversary, the user will have the possibility to stop the connection. Then we extend the Mozilla Firefox web browser with a plugin-xssCleaner. The results of this large-scale evaluation demonstrate that only a small number of false positives are generated, and that our underlying concepts are feasible in practice. As a result, the user has an additional protection layer when surfing the web, without solely depending on the security of the web application. |
PDF Full Text Request