Abstract
We present XSnare, a client-side Cross-Site Scripting (XSS) solution implemented as a Firefox extension. The client-side design of XSnare can protect users before application developers release patches and before server operators apply them. XSnare blocks XSS attacks by using prior knowledge of a web application’s HTML template content and the rich DOM context. XSnare uses a database of exploit descriptions, which are written with the help of previously recorded CVEs. It singles out injection points for exploits in the HTML and dynamically sanitizes content to prevent malicious payloads from appearing in the DOM. XSnare displays a secured version of the site, even if the site is exploited. We evaluated XSnare on 81 recent CVEs related to XSS attacks, and found that it defends against 93.8% of these exploits. We compared XSnare’s functionality and protection with two well-known content filtering extensions: NoScript and uBlock Origin. To the best of our knowledge, XSnare is the first protection mechanism for XSS that is application-specific and based on publicly available CVE information. We show that XSnare’s specificity protects users against exploits which evade other, more generic, XSS defenses. Our performance evaluation shows that our extension’s overhead on web page loading time is less than 10% for 72.6% of the sites in the Moz Top 500 list. We also show that XSnare has a slowdown of less than 10% on 60% of the vulnerable sites that we considered. XSnare has a false positive rate of 1/4876 (0.0205%) on the Alexa top 5000 sites.
Data Availability
The datasets for this paper, including the XSnare artifact, are available from the corresponding author on reasonable request.
Notes
As early as 2012, JavaScript was used by almost 100% of the Alexa top 500 sites (Stock et al. 2017)
In these cases, the signature developer can weigh the trade-offs and decide whether the added cost is worth it.
This image was taken from the w3 spec: https://www.w3.org/TR/navigation-timing-2/
The Spearman’s correlation coefficient measures the strength and direction of association between two ranked variables: https://statistics.laerd.com/statistical-guides/spearmans-rank-order-correlation-statistical-guide.php
There are 15,303 CVEs related to XSS in CVE Details (xss 2020).
References
Abgrall E, Traon YL, Gombault S, et al (2014) Empirical investigation of the web browser attack surface under cross-site scripting: An urgent need for systematic security regression testing. In: 2014 IEEE Seventh International Conference on Software Testing, Verification and Validation Workshops. pp 34–41. https://doi.org/10.1109/ICSTW.2014.63
Acu (2021) Acunetix web vulnerability testing report 2021. https://www.acunetix.com/white-papers/acunetix-web-application-vulnerability-report-2021/
adb (2018) How does adblock work? https://help.getadblock.com/support/solutions/articles/6000087914-how-does-adblock-work-
Artzi S, Kiezun A, Dolby J et al (2010) Finding bugs in web applications using dynamic test generation and explicit-state model checking. IEEE Trans Softw Eng 36(4):474–494. https://doi.org/10.1109/TSE.2010.31
Bezemer CP, Mesbah A, van Deursen A (2009) Automated security testing of web widget interactions. In: Proceedings of the 7th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on The Foundations of Software Engineering. Association for Computing Machinery, New York, NY, USA, ESEC/FSE ’09. pp 81–90. https://doi.org/10.1145/1595696.1595711
Bisht P, Venkatakrishnan VN (2008) XSS-GUARD: Precise dynamic prevention of cross-site scripting attacks. In: Proceedings of the 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer-Verlag, Berlin, Heidelberg, DIMVA ’08. pp 23–43. https://doi.org/10.1007/978-3-540-70542-0_2
CSP (2019) Same-origin policy. https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
cve (2019a) WordPress CVEs. https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress
cve (2019b) WordPress: Vulnerability statistics. https://www.cvedetails.com/product/4096/Wordpress-Wordpress.html?vendor_id=2337
dep (2019) Intent to deprecate and remove: XSSAuditor. https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/TuYw-EZhO9g/blGViehIAwAJ
exa (2018) WordPress plugin Responsive Cookie Consent 1.7 / 1.6 / 1.5 - (authenticated) persistent cross-site scripting. https://www.exploit-db.com/exploits/44563
exp (2019) Exploit database. https://www.exploit-db.com/
Hallaraker O, Vigna G (2005) Detecting malicious JavaScript code in Mozilla. In: Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems. IEEE Computer Society, Washington, DC, USA, ICECCS ’05, pp 85–94. https://doi.org/10.1109/ICECCS.2005.35
Heiderich M, Späth C, Schwenk J (2017) DOMPurify: Client-side protection against XSS and markup injection. In: Foley SN, Gollmann D, Snekkenes E (eds) Computer Security - ESORICS 2017. Springer International Publishing, Cham, pp 116–134
Jim T, Swamy N, Hicks M (2007) Defeating script injection attacks with browser-enforced embedded policies. In: Proceedings of the 16th International Conference on World Wide Web. ACM, New York, NY, USA, WWW ’07, pp 601–610. https://doi.org/10.1145/1242572.1242654
Kieyzun A, Guo PJ, Jayaraman K, et al (2009) Automatic creation of SQL injection and cross-site scripting attacks. In: 2009 IEEE 31st International Conference on Software Engineering. pp 199–209. https://doi.org/10.1109/ICSE.2009.5070521
Kirda E, Jovanovic N, Kruegel C et al (2009) Client-side cross-site scripting protection. Comput Secur 28(7):592–604. https://doi.org/10.1016/j.cose.2009.04.008
Kocher P, Genkin D, Gruss D, et al (2018) Spectre attacks: Exploiting speculative execution. CoRR arXiv:1801.01203
Moz (2022) Moz top 500 websites. https://moz.com/top500
Nadji Y, Saxena P, Song D (2009) Document structure integrity: A robust basis for cross-site scripting defense. In: NDSS
nav (2019) Navigation timing level 2. https://www.w3.org/TR/navigation-timing-2/
Nguyen-Tuong A, Guarnieri S, Greene D et al (2005) Automatically hardening web applications using precise tainting. Security and Privacy in the Age of Ubiquitous Computing, IFIP TC11 20th International Conference on Information Security (SEC 2005), May 30 - June 1, 2005. Chiba, Japan, pp 295–308
nMa (2019) Nmap network mapper. https://nmap.org/
Noscript (2022) NoScript homepage. https://noscript.net/
Pan J, Mao X (2017) Detecting DOM-sourced cross-site scripting in browser extensions. In: 2017 IEEE International Conference on Software Maintenance and Evolution (ICSME). pp 24–34. https://doi.org/10.1109/ICSME.2017.11
Pazos JC, Légaré JS, Beschastnikh I (2021) XSnare: Application-specific client-side cross-site scripting protection. In: 2021 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). pp 154–165. https://doi.org/10.1109/SANER50967.2021.00023
Pietraszek T, Berghe CV (2006) Defending against injection attacks through context-sensitive string evaluation. In: Proceedings of the 8th International Conference on Recent Advances in Intrusion Detection. Springer-Verlag, Berlin, Heidelberg, RAID’05. pp 124–145. https://doi.org/10.1007/11663812_7
Rap (2018) Security report for in-production web applications. https://www.rapid7.com/resources/security-report-for-in-production-web-applications/
Rap (2021) The 2021 vulnerability intelligence report. https://www.rapid7.com/products/insightvm/vulnerability-report-hub-page/
rcc (2019) Responsive cookie consent 1.8 patches. https://plugins.trac.wordpress.org/browser/responsive-cookie-consent/tags/1.8/includes/admin-page.php
saf (2019) Safely inserting external content into a page. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Safely_inserting_external_content_into_a_page
Snyder P, Taylor C, Kanich C (2017) Most websites don’t need to vibrate: A cost-benefit approach to improving browser security. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM, New York, NY, USA, CCS ’17. pp 179–194. https://doi.org/10.1145/3133956.3133966
Steffens M, Rossow C, Johns M, et al (2019) Don’t trust the locals: Investigating the prevalence of persistent client-side cross-site scripting in the wild. In: 26th Annual Network and Distributed System Security Symposium, NDSS 2019, San Diego, California, USA, February 24-27, 2019
Stock B, Johns M, Steffens M, et al (2017) How the web tangled itself: Uncovering the history of client-side web (in)security. In: Proceedings of the 26th USENIX Conference on Security Symposium. USENIX Association, Berkeley, CA, USA, SEC’17, pp 971–987. http://dl.acm.org/citation.cfm?id=3241189.3241265
Stock B, Lekies S, Mueller T, et al (2014) Precise client-side protection against DOM-based cross-site scripting. In: Proceedings of the 23rd USENIX Conference on Security Symposium. USENIX Association, Berkeley, CA, USA, SEC’14. pp 655–670. http://dl.acm.org/citation.cfm?id=2671225.2671267
stu (2019) WordPress plugin Responsive Cookie Consent 1.7 / 1.6 / 1.5 - (authenticated) persistent cross-site scripting. https://www.exploit-db.com/exploits/44563
Suc (2021) 2021 website threat research report. https://sucuri.net/wp-content/uploads/2022/04/sucuri-2021-hacked-report.pdf
Sundareswaran S, Squicciarini AC (2012) XSS-Dec: A hybrid solution to mitigate cross-site scripting attacks. In: Proceedings of the 26th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy. Springer-Verlag, Berlin, Heidelberg, DBSec’12. pp 223–238. https://doi.org/10.1007/978-3-642-31540-4_17
Sun F, Xu L, Su Z (2009) Client-side detection of XSS worms by monitoring payload propagation. In: Backes M, Ning P (eds) Computer Security - ESORICS 2009. Springer Berlin Heidelberg, Berlin, Heidelberg, pp 539–554
uBlockOrigin (2022) uBlock Origin. https://github.com/gorhill/uBlock#ublock-origin
w3s (2019) Usage of content management systems for websites. https://w3techs.com/technologies/overview/content_management/all
Wassermann G, Su Z (2008) Static detection of cross-site scripting vulnerabilities. In: Proceedings of the 30th International Conference on Software Engineering. Association for Computing Machinery, New York, NY, USA, ICSE ’08. pp 171–180. https://doi.org/10.1145/1368088.1368112
Wassermann G, Yu D, Chander A, et al (2008) Dynamic test input generation for web applications. In: Proceedings of the 2008 International Symposium on Software Testing and Analysis. Association for Computing Machinery, New York, NY, USA, ISSTA ’08. pp 249–260. https://doi.org/10.1145/1390630.1390661
wpp (2019) WordPress: Plugins. https://wordpress.org/plugins/
wps (2019) WPScan. https://wpscan.org/
wpw (2019) Statistics show why WordPress is a popular hacker target. https://www.wpwhitesecurity.com/statistics-70-percent-wordpress-installations-vulnerable/
Wurzinger P, Platzer C, Ludl C, et al (2009) SWAP: Mitigating XSS attacks using a reverse proxy. In: Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems. IEEE Computer Society, Washington, DC, USA, IWSESS ’09. pp 33–39. https://doi.org/10.1109/IWSESS.2009.5068456
Xiao X, Paradkar A, Thummalapenta S, et al (2012) Automated extraction of security policies from natural-language software documents. In: Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering. Association for Computing Machinery, New York, NY, USA, FSE ’12. https://doi.org/10.1145/2393596.2393608
xss (2019) XSS Auditor. https://www.chromium.org/developers/design-documents/xss-auditor
xss (2020) CVE Details: vulnerabilities by type. https://www.cvedetails.com/vulnerabilities-by-types.php
Xu W, Bhatkar S, Sekar R (2006) Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks. In: Proceedings of the 15th Conference on USENIX Security Symposium - Volume 15. USENIX Association, Berkeley, CA, USA, USENIX-SS’06. http://dl.acm.org/citation.cfm?id=1267336.1267345
Ethics declarations
The three authors do not have any conflicts of interest with regard to this publication. This research did not involve any human participants.
Additional information
Communicated by: Rick Kazman, Marouane Kessentini, Yuanfang Cai.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
This article belongs to the Topical Collection: Software Analysis, Evolution and Reengineering (SANER)
Appendix A Signature Language Description
We now describe our signature language in more detail. A signature is implemented as a key-value JavaScript object in which each field specifies one aspect of the signature’s behaviour; Table 4 lists these fields.
If the value of type (Table 4) is ‘listener’, the signature carries an additional field, listenerData, which acts as a nested signature whose fields identify a particular dynamic request. A developer can optionally specify that request’s injection points in this nested signature. Table 5 describes the format of this sub-signature.
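The following is an added example, written for this page and not taken from XSnare’s code, of how a signature object of the kind described above can be selected for a page load or a dynamic request and applied to sanitize its injection points. Only the type field, the ‘listener’ value and the nested listenerData object come from the text above; every other field name (software, version, injectionPoints, before, after, urlPattern), the plain HTML-escaping sanitizer and the sample page and response fragments are assumptions constructed for illustration.

```javascript
// Added example, not XSnare's code. Fields other than `type`, `listener` and
// `listenerData` are assumed names chosen for illustration.
const signatures = [
  {
    software: 'example-plugin', // assumed: application the signature covers
    version: '1.7',             // assumed: affected version
    type: 'string',             // assumed value: applies to the initial HTML
    // assumed: template text that brackets each injection point
    injectionPoints: [{ before: '<p class="rcc-message">', after: '</p>' }],
  },
  {
    software: 'example-plugin',
    version: '1.7',
    type: 'listener',           // from the paper: a listener signature
    listenerData: {             // from the paper; inner field names are assumed
      urlPattern: '/wp-admin/admin-ajax.php',
      injectionPoints: [{ before: '<li class="rcc-entry">', after: '</li>' }],
    },
  },
];

// Toy sanitizer: render the injected content as text. A deployment would use a
// context-aware sanitizer such as DOMPurify instead of plain escaping.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Escape everything between each `before` marker and the next `after` marker.
function sanitizeInjectionPoints(html, injectionPoints) {
  let out = html;
  for (const { before, after } of injectionPoints) {
    let result = '';
    let cursor = 0;
    for (;;) {
      const start = out.indexOf(before, cursor);
      if (start === -1) break;
      const contentStart = start + before.length;
      const end = out.indexOf(after, contentStart);
      if (end === -1) break;
      result += out.slice(cursor, contentStart) + escapeHtml(out.slice(contentStart, end));
      cursor = end;
    }
    out = result + out.slice(cursor);
  }
  return out;
}

// Pick the signature for a page load (no requestUrl, type 'string') or for a
// dynamic request (type 'listener' whose listenerData matches the URL).
function selectSignature(sigs, { software, version, requestUrl = null }) {
  return sigs.find(s =>
    s.software === software && s.version === version &&
    (requestUrl === null
      ? s.type === 'string'
      : s.type === 'listener' && requestUrl.includes(s.listenerData.urlPattern))) || null;
}

// Apply the selected signature's injection points to the body; pass through
// unchanged when no signature covers this application/version/request.
function protect(sigs, ctx, body) {
  const sig = selectSignature(sigs, ctx);
  if (!sig) return body;
  const points = sig.type === 'listener'
    ? sig.listenerData.injectionPoints
    : sig.injectionPoints;
  return sanitizeInjectionPoints(body, points);
}

// Constructed sample inputs: a stored payload in the page and one in an AJAX response.
const pageHtml = '<div><p class="rcc-message">Hi<img src=x onerror=alert(1)></p></div>';
const ajaxHtml = '<li class="rcc-entry"><script>alert(document.cookie)</script></li>';
const ctxPage = { software: 'example-plugin', version: '1.7' };
const ctxAjax = { ...ctxPage, requestUrl: 'https://example.test/wp-admin/admin-ajax.php?action=rcc' };

console.log(protect(signatures, ctxPage, pageHtml));
console.log(protect(signatures, ctxAjax, ajaxHtml));
```

The toy matcher trusts the first occurrence of the closing marker, so a payload that itself contains that marker would escape the bracketed span; choosing markers that are unique in the template, and working on the parsed DOM rather than on raw text as the paper describes, is what makes the injection points reliable in practice.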
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Pazos, J.C., Légaré, JS. & Beschastnikh, I. XSnare: application-specific client-side cross-site scripting protection. Empir Software Eng 28, 110 (2023). https://doi.org/10.1007/s10664-023-10323-w
DOI: https://doi.org/10.1007/s10664-023-10323-w