File Download
There are no files associated with this item.
Supplementary
-
Citations:
- Scopus: 0
- Appears in Collections:
Conference Paper: Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks
| Title | Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks |
|---|---|
| Authors | |
| Issue Date | 2009 |
| Citation | Proceedings of the Symposium on Network and Distributed System Security, NDSS 2009, 2009 How to Cite? |
| Abstract | Cross-site scripting (XSS) vulnerabilities are among the most common and serious web application vulnerabilities. Eliminating XSS is challenging because it is difficult for web applications to sanitize all user inputs appropriately. We present Noncespaces, a technique that enables web clients to distinguish between trusted and untrusted content to prevent exploitation of XSS vulnerabilities. Using Noncespaces, a web application randomizes the XML namespace prefixes of tags in each document before delivering it to the client. As long as the attacker is unable to predict the randomized prefixes, the client can distinguish between trusted content created by the web application and untrusted content provided by an attacker. To implement Noncespaces with minimal changes to web applications, we leverage a popular web application architecture to automatically apply Noncespaces to static content processed through a popular PHP template engine. We show that with simple policies Noncespaces thwarts popular XSS attack vectors. |
| Persistent Identifier | http://hdl.handle.net/10722/346602 |
| DC Field | Value | Language |
|---|---|---|
| dc.contributor.author | Gundy, Matthew Van | - |
| dc.contributor.author | Chen, Hao | - |
| dc.date.accessioned | 2024-09-17T04:11:58Z | - |
| dc.date.available | 2024-09-17T04:11:58Z | - |
| dc.date.issued | 2009 | - |
| dc.identifier.citation | Proceedings of the Symposium on Network and Distributed System Security, NDSS 2009, 2009 | - |
| dc.identifier.uri | http://hdl.handle.net/10722/346602 | - |
| dc.description.abstract | Cross-site scripting (XSS) vulnerabilities are among the most common and serious web application vulnerabilities. Eliminating XSS is challenging because it is difficult for web applications to sanitize all user inputs appropriately. We present Noncespaces, a technique that enables web clients to distinguish between trusted and untrusted content to prevent exploitation of XSS vulnerabilities. Using Noncespaces, a web application randomizes the XML namespace prefixes of tags in each document before delivering it to the client. As long as the attacker is unable to predict the randomized prefixes, the client can distinguish between trusted content created by the web application and untrusted content provided by an attacker. To implement Noncespaces with minimal changes to web applications, we leverage a popular web application architecture to automatically apply Noncespaces to static content processed through a popular PHP template engine. We show that with simple policies Noncespaces thwarts popular XSS attack vectors. | - |
| dc.language | eng | - |
| dc.relation.ispartof | Proceedings of the Symposium on Network and Distributed System Security, NDSS 2009 | - |
| dc.title | Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks | - |
| dc.type | Conference_Paper | - |
| dc.description.nature | link_to_subscribed_fulltext | - |
| dc.identifier.scopus | eid_2-s2.0-84928407537 | - |