BIXSAN: browser independent XSS sanitizer for prevention of XSS attacks

Proliferation of social networking sites, and web applications which deliver dynamic content to the clients have increased the user created HTML content in the World Wide Web. This user-created HTML content can be a notorious vector for Cross-Site Scripting,(XSS) attacks. XSS attacks have the ability to target websites, steal confidential information of the users, and hijack their accounts, etc. XSS attacks are launched to exploit the vulnerabilities of the poorly developed application code and data processing systems. In particular, improper validation of user created content and un-sanitized custom error messages introduce vulnerability for XSS attacks. It is a challenging task for any security mechanism to filter out only the harmful HTML content and retain safe content with high fidelity and robustness. This has motivated us to develop a mechanism that filters out the harmful HTML content, and allows safe HTML. The existing solutions to XSS attack include use of regular expressions to detect the presence of dynamic content and client side filtering mechanisms such as Noscript and Noxes tool. The drawbacks of these solutions are low fidelity and disallowing of benign HTML. In order to overcome these drawbacks BIXSAN, a Browser Independent XSS SANitizer for prevention of XSS attacks is proposed in this paper. BIXSAN includes the proposition of three pronged strategy. These strategies are as follows: Firstly the use of complete HTML parser is proposed rather than approximating the behavior of parser. The advantage of using complete HTML parser is that it offers high fidelity. Secondly the use of modified browser, viz., JavaScript Tester is proposed to detect the presence of JavaScript for filtering it out. Thirdly, identification of static tags is proposed for allowing the benign HTML. Further, BIXSAN includes the proposition of a parse tree generator at client side browser to reduce the anomalous behavior of browsers. BIXSAN was experimented in various browsers such as Opera, Netscape, Internet Explorer (IE), and Firefox and found to work for all the browsers. From the experiments conducted it has been found that the proposed BIXSAN prevents the injection of XSS attack code successfully. Further, it has been verified that BIXSAN reduces the anomalous behavior of browse.