
Xilara: An XSS Filter Based on HTML Template Restoration

Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 255)

Abstract

Cross-Site Scripting (XSS) is one of the most feared attacks against web applications because of the damage it can do to users. An XSS filter is an existing mitigation against XSS: it monitors the communication between servers and clients to find attack code in HTTP requests. However, some more elaborate attacks bypass such filters, for example when the attack code is encoded (with base64 or otherwise), or when the attack code does not appear in the HTTP request at all, as with Stored XSS. This paper proposes a new XSS filter, Xilara, that detects XSS attacks including such elaborate ones by a new approach: monitoring the HTML document structure of HTTP responses instead of the requests. The key idea is that normal responses have very similar HTML document structures because they are usually generated by the same program (an HTML template) filled with some parameters (untrusted data), but once an XSS attack succeeds, the structure of the HTML document changes because of the attack code carried in the untrusted data. As a preparation step, Xilara collects normal HTTP responses and restores the HTML templates from them. To detect XSS attacks, Xilara regards a response as harmful if the HTML document it carries is not an instance of the restored template. Our evaluation using XSS vulnerabilities reported in the real world shows that Xilara can detect XSS attacks whose attack code existing XSS filters have difficulty detecting, and reports a performance comparison between Xilara and existing XSS filters.

Notes

  1. https://modsecurity.org/crs/.

  2. This example comes from a real application that converts the external input value by calling the function utf8HexDecode at the following URL: https://sourceforge.net/p/subsonic/code/4715/tree/trunk/subsonic-main/src/main/java/net/sourceforge/subsonic/util/StringUtil.java#l410.

  3. https://www.openbugbounty.org/reports/113400/.

  4. This is the base64-encoded form of the attack code "> <svg/onload=prompt(/xssposed/).

  5. We found that the following attributes, listed at https://html5sec.org/, have the same characteristics:
     • formaction attribute of the button element
     • poster attribute of the video element
     • href attribute of the math, a, base, go, line elements
     • xlink:href attribute of any element
     • background attribute of the table element
     • value attribute of the param element
     • src attribute of the embed, img, image, script elements
     • action attribute of the form element
     • to, from attributes of the set, animate elements
     • folder attribute of the a element

  6. In this case, the injected data should not be malicious.

  7. https://www.openbugbounty.org/.

  8. REQUEST-941-APPLICATION-ATTACK-XSS.conf and REQUEST-949-BLOCKING-EVALUATION.conf.

Author information

Corresponding author: Keitaro Yamazaki

Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Yamazaki, K., Kotani, D., Okabe, Y. (2018). Xilara: An XSS Filter Based on HTML Template Restoration. In: Beyah, R., Chang, B., Li, Y., Zhu, S. (eds) Security and Privacy in Communication Networks. SecureComm 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 255. Springer, Cham. https://doi.org/10.1007/978-3-030-01704-0_18

  • DOI: https://doi.org/10.1007/978-3-030-01704-0_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-01703-3

  • Online ISBN: 978-3-030-01704-0

  • eBook Packages: Computer Science (R0)