
Moving Target Defense Against Cross-Site Scripting Attacks (Position Paper)

  • Conference paper
  • Foundations and Practice of Security (FPS 2014)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8930)

Abstract

We present a new method to defend against cross-site scripting (XSS) attacks. Our approach is based on mutating symbols in the JavaScript language and leveraging commonly used load-balancing mechanisms to deliver multiple copies of a website, each using a different version of the JavaScript language. An XSS attack that injects unauthorized JavaScript code can thus be easily detected. Our solution achieves similar benefits in XSS protection as Content Security Policy (CSP), a leading web standard to prevent cross-site scripting, but can be adopted much more easily because refactoring of websites is not required.
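The scheme the abstract describes, as an added illustration that is not the paper's own code: each backend behind the load balancer serves the page's scripts in its own JavaScript dialect, and any script body that still uses standard symbols, or another backend's dialect, is flagged as injected. The symbol set, the suffix scheme, the backend tags and the sample scripts are assumptions made for this example.

```python
import re
import secrets

# Symbols the dialect renames (assumed subset; the paper does not list its set):
# JavaScript keywords plus a few globals an injected payload typically needs.
SYMBOLS = ("var", "let", "const", "function", "return", "if", "else", "for",
           "while", "new", "this", "window", "document", "alert", "eval")
WORD_RE = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
MUTATED_RE = re.compile(r"^([a-z]+)_([0-9a-f]{8})$")   # <symbol>_<backend tag>

def make_dialect(tag=None):
    """Map each standard symbol to one backend's private spelling."""
    tag = tag or secrets.token_hex(4)          # fresh tag per backend / deploy
    return {sym: f"{sym}_{tag}" for sym in SYMBOLS}

def mutate(source, dialect):
    """Rewrite legitimate script source into the backend's dialect.
    Illustrative only: a real rewriter tokenises and skips strings/comments."""
    return WORD_RE.sub(lambda m: dialect.get(m.group(0), m.group(0)), source)

def foreign_symbols(script, dialect):
    """Words that are standard symbols, or symbols of some other dialect.
    A script that was mutated for this backend yields an empty list."""
    expected = set(dialect.values())
    found = []
    for word in WORD_RE.findall(script):
        m = MUTATED_RE.match(word)
        stem = m.group(1) if m else word
        if stem in dialect and word not in expected:
            found.append(word)
    return found

def scan_scripts(scripts, dialect):
    """Indices of script bodies in a response that do not belong to its dialect."""
    return [i for i, s in enumerate(scripts) if foreign_symbols(s, dialect)]

# Constructed sample: the page's legitimate script and a reflected-XSS payload.
LEGIT_JS = "var total = 0; function add(x) { return total + x; }"
INJECTED_JS = "alert(document.cookie)"

def demo():
    """Two backends behind the load balancer, each serving its own dialect."""
    dialect_a, dialect_b = make_dialect("0a1b2c3d"), make_dialect("4e5f6a7b")
    served_by_a = [mutate(LEGIT_JS, dialect_a), INJECTED_JS]
    plain = scan_scripts(served_by_a, dialect_a)         # standard JS is flagged
    # A payload written in A's dialect is still caught when B serves the page.
    replayed = scan_scripts([mutate(INJECTED_JS, dialect_a)], dialect_b)
    return plain, replayed
```

Detection here is on the serving side; the browser, or a proxy in front of it, must additionally understand the served dialect for the page's own scripts to run, which is the part the paper's approach leaves to a modified JavaScript engine rather than to website refactoring.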



Acknowledgment

This work is funded in part by NSF Grant 1129190.

Author information

Correspondence to Bill Chu.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Portner, J., Kerr, J., Chu, B. (2015). Moving Target Defense Against Cross-Site Scripting Attacks (Position Paper). In: Cuppens, F., Garcia-Alfaro, J., Zincir Heywood, N., Fong, P. (eds) Foundations and Practice of Security. FPS 2014. Lecture Notes in Computer Science, vol 8930. Springer, Cham. https://doi.org/10.1007/978-3-319-17040-4_6

  • DOI: https://doi.org/10.1007/978-3-319-17040-4_6
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-17039-8
  • Online ISBN: 978-3-319-17040-4