Abstract
We present a new method to defend against cross-site scripting (XSS) attacks. Our approach is based on mutating symbols of the JavaScript language and leveraging commonly used load-balancing mechanisms to deliver multiple copies of a website, each written in a different version of the JavaScript language. An XSS attack that injects unauthorized JavaScript code can thus be easily detected. Our solution achieves XSS-protection benefits similar to those of Content Security Policy (CSP), a leading web standard for preventing cross-site scripting, but can be adopted much more easily because it does not require refactoring of websites.
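The mechanism the abstract describes, as an added toy illustration that is not the authors' code: each replica behind a load balancer serves the site's trusted scripts with JavaScript reserved words carrying a replica-specific tag, and a checker on that replica de-mutates a script before it runs, flagging any keyword that is bare or carries another replica's tag as not served by the site. The keyword list, the `keyword_tag` form, the replica tags and the sample scripts are all constructed assumptions, and a regular expression stands in for a real tokenizer.

```javascript
// Toy model of JavaScript keyword mutation as a moving-target defense
// against XSS (added illustration, not the paper's implementation).
const KEYWORDS = ["function", "var", "let", "const", "return",
                  "if", "else", "for", "while", "new"];
const KW = KEYWORDS.join("|");

// Constructed replica tags; a deployment would generate these at random.
const REPLICAS = ["k7f2", "p3m9"];

// Rewrite a trusted script for one replica: every bare keyword gets the tag.
// Toy limitation: identifiers of the form keyword_suffix are assumed absent.
function mutate(source, tag) {
  return source.replace(new RegExp(`\\b(${KW})\\b`, "g"), (kw) => `${kw}_${tag}`);
}

// Check a script that is about to execute on the replica identified by tag.
// Returns the de-mutated code plus every keyword token that was not ours.
function inspect(source, tag) {
  const re = new RegExp(`\\b(${KW})(?:_(\\w+))?\\b`, "g");
  const violations = [];
  const code = source.replace(re, (match, kw, seen) => {
    if (seen === tag) return kw;   // mutated by this replica: restore it
    violations.push(match);        // bare or foreign tag: not served by us
    return match;
  });
  return { ok: violations.length === 0, violations, code };
}

// Load-balancer stand-in: replica i serves its own mutated copy of the site.
function serve(trustedSource, replicaIndex) {
  const tag = REPLICAS[replicaIndex % REPLICAS.length];
  return { tag, script: mutate(trustedSource, tag) };
}

// Constructed sample: a trusted script, and a fragment appended to it that
// uses standard JavaScript syntax, as injected content would.
const TRUSTED = "function greet(name) { var msg = 'hi ' + name; return msg; }";
const INJECTED = " for (var i = 0; i < 3; i++) { }";

function demo() {
  const { tag, script } = serve(TRUSTED, 0);
  const clean = inspect(script, tag);              // ok: true, code === TRUSTED
  const tainted = inspect(script + INJECTED, tag); // violations: ["for", "var"]
  return { clean, tainted };
}

console.log(JSON.stringify(demo(), null, 2));
```

Because the mutation is applied per replica, a script that was correct for one copy of the site is rejected by any other, which is what makes the injected syntax stand out on inspection.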
Acknowledgment
This work is funded in part by NSF Grant 1129190.
© 2015 Springer International Publishing Switzerland
Cite this paper
Portner, J., Kerr, J., Chu, B. (2015). Moving Target Defense Against Cross-Site Scripting Attacks (Position Paper). In: Cuppens, F., Garcia-Alfaro, J., Zincir Heywood, N., Fong, P. (eds) Foundations and Practice of Security. FPS 2014. Lecture Notes in Computer Science(), vol 8930. Springer, Cham. https://doi.org/10.1007/978-3-319-17040-4_6
DOI: https://doi.org/10.1007/978-3-319-17040-4_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17039-8
Online ISBN: 978-3-319-17040-4
eBook Packages: Computer Science (R0)