Prevention of Cross-Site Scripting Attacks on Current Web Applications

  • Joaquin Garcia-Alfaro
  • Guillermo Navarro-Arribas
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4804)


Security is becoming one of the major concerns for web applications and other Internet based services, which are becoming pervasive in all kinds of business models and organizations. Web applications must therefore include, in addition to the expected value offered to their users, reliable mechanisms to ensure their security. In this paper, we focus on the specific problem of preventing cross-site scripting attacks against web applications. We present a study of this kind of attacks, and survey current approaches for their prevention. The advantages and limitations of each proposal are discussed, and an alternative solution is introduced. Our proposition is based on the use of X.509 certificates, and XACML for the expression of authorization policies. By using our solution, developers and/or administrators of a given web application can specifically express its security requirements from the server side, and require the proper enforcement of such requirements on a compliant client. This strategy is seamlessly integrated in generic web applications by relaying in the SSL and secure redirect calls.


Software Protection Code Injection Attacks Security Policies 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Alcorna, W.: Cross-site scripting viruses and worms – a new attack vector. Journal of Network Security 7, 7–8 (2006)CrossRefGoogle Scholar
  2. 2.
    Anderson, A., Lockhart, H.: SAML 2.0 profile of XACML v2.0. Standard, OASIS (February 2005)Google Scholar
  3. 3.
    Amit, Y.: XSS vulnerabilities in (November 2005),
  4. 4.
    Anupam, V., Mayer, A.: Secure Web scripting. IEEE Journal of Internet Computing 2(6), 46–55 (1998)CrossRefGoogle Scholar
  5. 5.
    Ashcraft, K., Engler, D.: Using programmer-written compiler extensions to catch security holes. In: IEEE Symposium on Security and Privacy, pp. 143–159 (2002)Google Scholar
  6. 6.
    Cary, C., Wen, H.J., Mahatanankoon, P.: A viable solution to enterprise development and systems integration: a case study of web services implementation. International Journal of Management and Enterprise Development, Inderscience 1(2), 164–175 (2004)CrossRefGoogle Scholar
  7. 7.
    Crane, D., Pascarello, E., James, D.: Ajax in Action. Manning Publications (2005)Google Scholar
  8. 8.
    Forrest, S., Hofmeyr, A., Somayaji, A., Longstaff, T.: A sense of self for unix processes. In: IEEE Symposium on Security and Privacy, pp. 120–129 (1996)Google Scholar
  9. 9.
    Ginda, R.: Writing a Mozilla Application with XUL and Javascript. In: O’Reilly Open Source Software Convention, USA (2000)Google Scholar
  10. 10.
    Godik, S., Moses, T., et al.: eXtensible Access Control Markup Language (XACML) Version 2. Standard, OASIS (February 2005)Google Scholar
  11. 11.
    Google. Docs & Spreadsheets.
  12. 12.
    Google. Orkut: Internet social network service.
  13. 13.
    Grossman, J., Hansen, R., Petkov, P., Rager, A., Fogie, S.: Cross site scripting attacks: XSS Exploits and defense. In: Syngress, Elsevier, Amsterdam (2007)Google Scholar
  14. 14.
    Hallaraker, O., Vigna, G.: Detecting Malicious JavaScript Code in Mozilla. In: ICECCS 2005. 10th IEEE International Conference on Engineering of Complex Computer Systems, pp. 85–94 (2005)Google Scholar
  15. 15.
    Hansen, R.: Cross Site Scripting Vulnerability in Google (July 2006),
  16. 16.
    Hansen, R.: XSS cheat sheet for filter evasion.
  17. 17.
    Howard, M., LeBlanc, D.: Writing secure code, 2nd edn. Microsoft Press, Redmond (2003)Google Scholar
  18. 18.
    InformAction. Noscript firefox extension. Software (2006),
  19. 19.
    Ismail, O., Etoh, M., Kadobayashi, Y., Yamaguchi, S.: A Proposal and Implementation of Automatic Detection/Collection System for Cross-Site Scripting Vulnerability. In: AINA 2004. 18th Int. Conf. on Advanced Information Networking and Applications (2004)Google Scholar
  20. 20.
    Jagatic, T., Johnson, N., Jakobsson, M., Menczer, F.: Social Phishing. Communications of the ACM (to appear)Google Scholar
  21. 21.
    Jim, T., Swamy, N., Hicks, M.: Defeating Script Injection Attacks with Browser-Enforced Embedded Policies. In: WWW 2007. International World Wide Web Conferencem (May 2007)Google Scholar
  22. 22.
    Jovanovic, N., Kruegel, C., Kirda, E.: Precise alias analysis for static detection of web application vulnerabilities. In: 2006 Workshop on Programming Languages and Analysis for Security, USA, pp. 27–36 (2006)Google Scholar
  23. 23.
    Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N.: Noxes: A client-side solution for mitigating cross-site scripting attacks. In: 21st ACM Symposium on Applied Computing (2006)Google Scholar
  24. 24.
    Larson, E., Austin, T.: High coverage detection of input-related security faults. In: 12 USENIX Security Simposium, pp. 121–136 (2003)Google Scholar
  25. 25.
    Livshits, B., Erlingsson, U.: Using web application construction frameworks to protect against code injection attacks. In: 2007 workshop on Programming languages and analysis for security, pp. 95–104 (2007)Google Scholar
  26. 26.
    Mcfarlane, N.: Rapid Application Development with Mozilla. Prentice-Hall, Englewood Cliffs (2004)Google Scholar
  27. 27.
    Microsoft. HotMail: The World’s FREE Web-based E-mail.
  28. 28.
    MySpace. Online Community.
  29. 29.
    Mutton, P: PayPal Security Flaw allows Identity Theft (June 2006),
  30. 30.
    Mutton, P.: PayPal XSS Exploit available for two years? (July 2006),
  31. 31.
    Nguyen-Tuong, A., Guarnieri, S., Green, D., Shirley, J., Evans, D.: Automatically hardering web applications using precise tainting. In: 20th IFIP International Information Security Conference (2005)Google Scholar
  32. 32.
    Obscure. Bypassing JavaScript Filters – the Flash! Attack (2002),
  33. 33.
    PayPal Inc. PayPal Web Site.
  34. 34.
    Pietraszeck, T., Vanden-Berghe, C.: Defending against injection attacks through context-sensitive string evaluation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 124–145. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  35. 35.
  36. 36.
    Samy. Technical explanation of The MySpace Worm
  37. 37.
    Sethumadhavan, R.: Orkut Vulnerabilities.
  38. 38.
    Scott, D., Sharp, R.: Abstracting application-level web security. In: 11th Internation Conference on the World Wide Web, pp. 396–407 (2002)Google Scholar
  39. 39.
    Su, Z., Wasserman, G.: The essence of command injections attacks in web applications. In: 33rd ACM Symposium on Principles of Programming Languages, pp. 372–382 (2006)Google Scholar
  40. 40.
    Web Services Security: Key Industry Standards and Emerging Specifications Used for Securing Web Services. White Paper, Computer Associates (2005)Google Scholar
  41. 41.
    Wordpress. Blog Tool and Weblog Platform.
  42. 42.
    Xie, Y., Aiken, A.: Static detection of security vulnerabilities in scripting languages. In: 15th USENIX Security Symposium (2006)Google Scholar
  43. 43.
    Zero. Historic Lessons From Marc Slemko – Exploit number 3: Steal hotmail account.

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Joaquin Garcia-Alfaro
    • 1
  • Guillermo Navarro-Arribas
    • 2
  1. 1.Universitat Oberta de Catalunya, Rambla Poble Nou 156, 08018 BarcelonaSpain
  2. 2.Universitat Autònoma de Barcelona, Edifici Q, Campus de Bellaterra, 08193, BellaterraSpain

Personalised recommendations