Abstract
Cross Site Scripting (XSS) is one of the most fearful attacks against web applications because of its potential damage to users. XSS filter is one of existing mitigation technologies against XSS by monitoring communication between servers and clients to find attack codes in HTTP requests. However, some complicated attacks can bypass such XSS filters, e.g., attack codes are encoded with base64 or others, and attacks may not include attack codes in HTTP requests, such as Stored XSS. This paper proposes a new XSS filter, Xilara, to detect XSS attacks including such complicated ones by a new approach: monitoring HTML document structures in HTTP responses instead of the requests. A key idea is that normal responses have very similar HTML document structures because they are usually generated by the same program (HTML template) and some parameters (untrusted data), but once an XSS attack succeeds, the structure of an HTML document changes due to the attack codes in the untrusted data. As a preparation, Xilara collects normal HTTP responses, and restores HTML templates. To detect XSS attacks, Xilara regards the response is harmful if an HTML document in the response is not an instance of the restored template. Our evaluation using XSS vulnerabilities reported in the real world shows that Xilara can detect XSS attacks whose attack codes are difficult to be detected by existing XSS filters, as well as performance comparison between Xilara and existing XSS filters.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
This example comes from a real application that converts the external input value by calling the function (utf8HexDecode) in the following URL. https://sourceforge.net/p/subsonic/code/4715/tree/trunk/subsonic-main/src/main/java/net/sourceforge/subsonic/util/StringUtil.java#l410.
- 3.
- 4.
This is an base64 encoded attack code of "\(> <svg/onload=prompt(/xssposed/)\).
- 5.
We found these attributes in https://html5sec.org/ have the same characteristics. formaction attribute in button element/poster attribute in video element/href attribute in math, a, base, go, line element/xlink:href attribute in any element/background attribute in table element/value attribute in param element/src attribute in embed, img, image, script element/action attribute in form element/to, from attribute in set, animate element/folder attribute in a element.
- 6.
In this case, injected data should not be malicious.
- 7.
- 8.
REQUEST-941-APPLICATION-ATTACK-XSS.conf and REQUEST-949-BLOCKING-EVALUATION.conf.
References
Wichers, D.: OWASP top-10 2013. OWASP Foundation, February 2013
Ross, D.: IE 8 XSS filter architecture/implementation (2008). https://blogs.technet.microsoft.com/srd/2008/08/19/ie-8-xss-filter-architecture-implementation/
Bates, D., Barth, A., Jackson, C.: Regular expressions considered harmful in client-side XSS filters. In: Proceedings of the 19th International Conference on World Wide Web, pp. 91–100. ACM (2010)
Trustwave: Modsecurity: open source web application firewall (2004). https://www.modsecurity.org/
Wichers, D.: Types of cross-site scripting. https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting
Dave, T., David Heinemeier, H.: Agile web development with rails. Citeseer (2005)
Lokhande, P., Aslam, F., Hawa, N., Munir, J., Gulamgaus, M.: Efficient way of web development using Python and Flask (2015)
Arasu, A., Garcia-Molina, H.: Extracting structured data from web pages. In: Proceedings of the 2003 ACM SIGMOD International Conference on Management of Data, pp. 337–348. ACM (2003)
Crescenzi, V., Mecca, G., Merialdo, P., et al.: RoadRunner: towards automatic data extraction from large web sites. VLDB 1, 109–118 (2001)
Zhai, Y., Liu, B.: Structured data extraction from the web based on partial tree alignment. IEEE Trans. Knowl. Data Eng. 18(12), 1614–1628 (2006)
Javed, A., Schwenk, J.: Towards elimination of cross-site scripting on mobile versions of web applications. In: Kim, Y., Lee, H., Perrig, A. (eds.) WISA 2013. LNCS, vol. 8267, pp. 103–123. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-05149-9_7
Kettle, J.: When security features collide (2017). http://blog.portswigger.net/2017/10/when-security-features-collide.html
Stamm, S., Sterne, B., Markham, G.: Reining in the web with content security policy. In: Proceedings of the 19th International Conference on World Wide Web, pp. 921–930. ACM (2010)
Van Gundy, M., Chen, H.: Noncespaces: using randomization to enforce information flow tracking and thwart cross-site scripting attacks. In: NDSS (2009)
Nadji, Y., Saxena, P., Song, D.: Document structure integrity: a robust basis for cross-site scripting defense. In: NDSS, vol. 2009, p. 20 (2009)
Athanasopoulos, E., Pappas, V., Krithinakis, A., Ligouras, S., Markatos, E.P., Karagiannis, T.: xJS: practical XSS prevention for web application development. In: Proceedings of the 2010 USENIX Conference on Web Application Development, p. 13. USENIX Association (2010)
Weichselbaum, L., Spagnuolo, M., Lekies, S., Janc, A.: CSP is dead, long live CSP! On the insecurity of whitelists and the future of content security policy. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1376–1387. ACM (2016)
Heydon, A., Najork, M.: Mercator: a scalable, extensible web crawler. World Wide Web 2(4), 219–229 (1999)
Galán, E., Alcaide, A., Orfila, A., Blasco, J.: A multi-agent scanner to detect stored-XSS vulnerabilities. In: 2010 International Conference for Internet Technology and Secured Transactions (ICITST), pp. 1–6. IEEE (2010)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Yamazaki, K., Kotani, D., Okabe, Y. (2018). Xilara: An XSS Filter Based on HTML Template Restoration. In: Beyah, R., Chang, B., Li, Y., Zhu, S. (eds) Security and Privacy in Communication Networks. SecureComm 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 255. Springer, Cham. https://doi.org/10.1007/978-3-030-01704-0_18
Download citation
DOI: https://doi.org/10.1007/978-3-030-01704-0_18
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-01703-3
Online ISBN: 978-3-030-01704-0
eBook Packages: Computer ScienceComputer Science (R0)