Xilara: An XSS Filter Based on HTML Template Restoration

  • Keitaro YamazakiEmail author
  • Daisuke Kotani
  • Yasuo Okabe
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 255)


Cross Site Scripting (XSS) is one of the most fearful attacks against web applications because of its potential damage to users. XSS filter is one of existing mitigation technologies against XSS by monitoring communication between servers and clients to find attack codes in HTTP requests. However, some complicated attacks can bypass such XSS filters, e.g., attack codes are encoded with base64 or others, and attacks may not include attack codes in HTTP requests, such as Stored XSS. This paper proposes a new XSS filter, Xilara, to detect XSS attacks including such complicated ones by a new approach: monitoring HTML document structures in HTTP responses instead of the requests. A key idea is that normal responses have very similar HTML document structures because they are usually generated by the same program (HTML template) and some parameters (untrusted data), but once an XSS attack succeeds, the structure of an HTML document changes due to the attack codes in the untrusted data. As a preparation, Xilara collects normal HTTP responses, and restores HTML templates. To detect XSS attacks, Xilara regards the response is harmful if an HTML document in the response is not an instance of the restored template. Our evaluation using XSS vulnerabilities reported in the real world shows that Xilara can detect XSS attacks whose attack codes are difficult to be detected by existing XSS filters, as well as performance comparison between Xilara and existing XSS filters.


  1. 1.
    Wichers, D.: OWASP top-10 2013. OWASP Foundation, February 2013Google Scholar
  2. 2.
  3. 3.
    Bates, D., Barth, A., Jackson, C.: Regular expressions considered harmful in client-side XSS filters. In: Proceedings of the 19th International Conference on World Wide Web, pp. 91–100. ACM (2010)Google Scholar
  4. 4.
    Trustwave: Modsecurity: open source web application firewall (2004).
  5. 5.
    Wichers, D.: Types of cross-site scripting.
  6. 6.
    Dave, T., David Heinemeier, H.: Agile web development with rails. Citeseer (2005)Google Scholar
  7. 7.
    Lokhande, P., Aslam, F., Hawa, N., Munir, J., Gulamgaus, M.: Efficient way of web development using Python and Flask (2015)Google Scholar
  8. 8.
    Arasu, A., Garcia-Molina, H.: Extracting structured data from web pages. In: Proceedings of the 2003 ACM SIGMOD International Conference on Management of Data, pp. 337–348. ACM (2003)Google Scholar
  9. 9.
    Crescenzi, V., Mecca, G., Merialdo, P., et al.: RoadRunner: towards automatic data extraction from large web sites. VLDB 1, 109–118 (2001)Google Scholar
  10. 10.
    Zhai, Y., Liu, B.: Structured data extraction from the web based on partial tree alignment. IEEE Trans. Knowl. Data Eng. 18(12), 1614–1628 (2006)CrossRefGoogle Scholar
  11. 11.
    Javed, A., Schwenk, J.: Towards elimination of cross-site scripting on mobile versions of web applications. In: Kim, Y., Lee, H., Perrig, A. (eds.) WISA 2013. LNCS, vol. 8267, pp. 103–123. Springer, Cham (2014). Scholar
  12. 12.
    Kettle, J.: When security features collide (2017).
  13. 13.
    Stamm, S., Sterne, B., Markham, G.: Reining in the web with content security policy. In: Proceedings of the 19th International Conference on World Wide Web, pp. 921–930. ACM (2010)Google Scholar
  14. 14.
    Van Gundy, M., Chen, H.: Noncespaces: using randomization to enforce information flow tracking and thwart cross-site scripting attacks. In: NDSS (2009)Google Scholar
  15. 15.
    Nadji, Y., Saxena, P., Song, D.: Document structure integrity: a robust basis for cross-site scripting defense. In: NDSS, vol. 2009, p. 20 (2009)Google Scholar
  16. 16.
    Athanasopoulos, E., Pappas, V., Krithinakis, A., Ligouras, S., Markatos, E.P., Karagiannis, T.: xJS: practical XSS prevention for web application development. In: Proceedings of the 2010 USENIX Conference on Web Application Development, p. 13. USENIX Association (2010)Google Scholar
  17. 17.
    Weichselbaum, L., Spagnuolo, M., Lekies, S., Janc, A.: CSP is dead, long live CSP! On the insecurity of whitelists and the future of content security policy. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1376–1387. ACM (2016)Google Scholar
  18. 18.
    Heydon, A., Najork, M.: Mercator: a scalable, extensible web crawler. World Wide Web 2(4), 219–229 (1999)CrossRefGoogle Scholar
  19. 19.
    Galán, E., Alcaide, A., Orfila, A., Blasco, J.: A multi-agent scanner to detect stored-XSS vulnerabilities. In: 2010 International Conference for Internet Technology and Secured Transactions (ICITST), pp. 1–6. IEEE (2010)Google Scholar

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  1. 1.Kyoto UniversitySakyoJapan

Personalised recommendations