Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers

Louw, Mike Ter; Venkatakrishnan, V.

doi:10.1109/sp.2009.33

Cited by 139 publications

(72 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…BrowserShield [25], for instance, rewrites dynamic scripts into safe equivalents before sending them to the clients. BLUEPRINT [26], on the other hand, integrates with web applications to encode user-generated HTML content into a syntactically inert format and decodes it at the client. This allows them to bypass the anomalous parsing behaviors from client web browsers.…”

Section: Protectionmentioning

confidence: 99%

Tracking the Trackers: Fast and Scalable Dynamic Analysis of Web Content for Privacy Violations

Tran

Dong

Liang

et al. 2012

Applied Cryptography and Network Security

View full text Add to dashboard Cite

Abstract. JavaScript-based applications are very popular on the web today. However, the lack of effective protection makes various kinds of privacy violation attack possible, including cookie stealing, history sniffing and behavior tracking. There have been studies of the prevalence of such attacks, but the dynamic nature of the JavaScript language makes reasoning about the information flows in a web application a challenging task. Previous small-scale studies do not present a complete picture of privacy violations of today's web, especially in the context of Internet advertisements and web analytics. In this paper we present a novel, fast and scalable architecture to address the shortcomings of previous work. Specifically, we have developed a novel technique called principal-based tainting that allows us to perform dynamic analysis of JavaScript execution with lowered performance overhead. We have crawled and measured more than one million websites. Our findings show that privacy attacks are more prevalent and serious than previously known.

show abstract

Section: Protectionmentioning

confidence: 99%

Tracking the Trackers: Fast and Scalable Dynamic Analysis of Web Content for Privacy Violations

Tran

Dong

Liang

et al. 2012

Applied Cryptography and Network Security

View full text Add to dashboard Cite

show abstract

“…A blueprint based methodology that minimizes the reliance on web browsers towards recognizing untrusted content over the internet has been proposed in [26].…”

Section: Defending Cross Site Scripting (Xss) Attacksmentioning

confidence: 99%

Cloud Computing Security Aspects, Vulnerabilities and Countermeasures

Hatwar¹,

Chavan²

2015

IJCA

View full text Add to dashboard Cite

Security issue in cloud computing is an active area of research. Thousands of users are connecting to a cloud daily for their day to day work. Unfortunately they are ignorant about the risk involved while doing transactions on the internet. End user systems as well as cloud based data centers must be able to overcome the threats due to Viruses, Trojan and Malware etc. This paper highlights the major security threats in cloud computing system and introduce the most suitable countermeasures for these threats. Threats are classified according to different perspectives, providing a list of threats. In this article some effective countermeasures are enlisted and discussed. General TermsNetwork security, Cloud security.

show abstract

“…Blueprint [13] is a server side defense which converts the untrusted HTML embedded in a page into JavaScript code. The purpose of this transformation is to fix the browser's interpretation of the page at the server-side, adding JavaScript code to reliably reconstruct the parse tree once the page is rendered by the browser.…”

Section: Related Workmentioning

confidence: 99%

“…Many of these efforts [12,13,15,27,11,28,3,23] have focused on the server-side, and attempt to detect (or prevent) unauthorized scripts from being included in the server output. Modern web-browsers incorporate very complex logic to "fix" HTML syntax errors and hence provide an acceptable rendering of syntactically incorrect pages.…”

Section: Introductionmentioning

confidence: 99%

“…Modern web-browsers incorporate very complex logic to "fix" HTML syntax errors and hence provide an acceptable rendering of syntactically incorrect pages. Several researchers [11,15,27,13] have eloquently argued that no server-side logic can accurately account for all such "browser quirks." As a result, hybrid approaches that combine client-side support with a primarily server-side XSS defense have been developed [27,15,23].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Protection, usability and improvements in reflected XSS filters

Pelizzi

Sekar

2012

Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security

View full text Add to dashboard Cite

Due to the high popularity of Cross-Site Scripting (XSS) attacks, most major browsers now include or support filters to protect against reflected XSS attacks. Internet Explorer and Google Chrome provide built-in filters, while Firefox supports extensions that provide this functionality. In this paper, we analyze the two most popular open-source XSS filters, XSSAuditor for Google Chrome and NoScript for Firefox. We point out their weaknesses, and present a new browser-resident defense called XSSFilt. In contrast with previous browser defenses that were focused on the detection of whole new scripts, XSSFilt can also detect partial script injections, i.e., alterations of existing scripts by injecting malicious parameter values. Our evaluation shows that a significant fraction of sites vulnerable to reflected XSS can be exploited using partial injections. A second strength of XSSFilt is its use of approximate rather than exact string matching to detect reflected content, which makes it more robust for web sites that employ custom input sanitizations. We provide a detailed experimental evaluation to compare the three filters with respect to their usability and protection.

show abstract

Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers

Cited by 139 publications

References 18 publications

Tracking the Trackers: Fast and Scalable Dynamic Analysis of Web Content for Privacy Violations

Tracking the Trackers: Fast and Scalable Dynamic Analysis of Web Content for Privacy Violations

Cloud Computing Security Aspects, Vulnerabilities and Countermeasures

Protection, usability and improvements in reflected XSS filters

Contact Info

Product

Resources

About