UBC Theses and Dissertations
XSnare : application-specific, cross-site scripting protection Pazos, Jose Carlos
We present XSnare, a fully client-side Cross-site Scripting (xss) solution, implemented as a Firefox extension. Our approach takes advantage of available previous knowledge of a web application’s Hypertext Markup Language (html) template content, as well as the rich context available in the Document Object Model (dom) to block xss attacks. XSnare prevents xss exploits by using a database of exploit descriptions, which are written with the help of previously recorded Common Vulnerabilities and Exposuress (cves). cves for xss are widely available and are one of the main ways to tackle zero-day exploits. XSnare effectively singles out potential injection points for exploits in the html and sanitizes content to prevent malicious payloads from appearing in the dom. XSnare can protect application users before application developers release patches and before server operators apply them. We evaluate our approach by studying 105 recent cves related to xss attacks, and find that our tool defends against 94.2% of these exploits. To the best of our knowledge, XSnare is the first protection mechanism for xss that is application-specific, and based on publicly available cve information. We show that XSnare’s specificity protects users against exploits which evade other, more generic, anti-xss approaches. Our performance evaluation shows that our extension’s overhead on web page loading time is less than 10% for 72.6% of the sites in the Moz Top 500 list.
Item Citations and Data
Attribution-NonCommercial-NoDerivatives 4.0 International