UBC Theses and Dissertations
XSnare: application-specific, cross-site scripting protection
Pazos, Jose Carlos
Abstract
We present XSnare, a fully client-side Cross-site Scripting (XSS) solution, implemented as a Firefox extension. Our approach takes advantage of available previous knowledge of a web application's Hypertext Markup Language (HTML) template content, as well as the rich context available in the Document Object Model (DOM), to block XSS attacks. XSnare prevents XSS exploits by using a database of exploit descriptions, which are written with the help of previously recorded Common Vulnerabilities and Exposures (CVEs). CVEs for XSS are widely available and are one of the main ways to tackle zero-day exploits. XSnare singles out potential injection points for exploits in the HTML and sanitizes content to prevent malicious payloads from appearing in the DOM. XSnare can protect application users before application developers release patches and before server operators apply them. We evaluate our approach by studying 105 recent CVEs related to XSS attacks, and find that our tool defends against 94.2% of these exploits. To the best of our knowledge, XSnare is the first protection mechanism for XSS that is application-specific and based on publicly available CVE information. We show that XSnare's specificity protects users against exploits which evade other, more generic, anti-XSS approaches. Our performance evaluation shows that our extension's overhead on web page loading time is less than 10% for 72.6% of the sites in the Moz Top 500 list.
Item Metadata
Title: XSnare: application-specific, cross-site scripting protection
Creator: Pazos, Jose Carlos
Publisher: University of British Columbia
Date Issued: 2019
Language: eng
Date Available: 2020-10-31
Provider: Vancouver : University of British Columbia Library
Rights: Attribution-NonCommercial-NoDerivatives 4.0 International
DOI: 10.14288/1.0384040
Degree Grantor: University of British Columbia
Graduation Date: 2019-11
Scholarly Level: Graduate
Aggregated Source Repository: DSpace