Preventing Cross-Site Scripting with Script-Free HTML

Authors

  • Matthew Seffernick, Ohio State University

Abstract

The injection of scripts into a web page by means of evading input filtering is called a cross-site scripting (XSS) attack.  Even popular websites, such as Google, Facebook, and YouTube, have been exploited by XSS attacks.  In 2010, OWASP ranked XSS attacks the 2nd-leading source of web security risk.

Current methods to prevent XSS exploits are either ineffective (allowing some attacks to succeed) or overly prohibitive (preventing legitimate HTML-rich content).  This paper describes a new approach: the structure of safe input is rigorously defined and a server-side tool is implemented to detect the presence of a potential XSS attack.  This tool prevents XSS attacks while still permitting HTML-rich content.  We define a new context-free grammar (Script-Free HTML 4) that precisely characterizes safe input.  Our approach is evaluated by applying it to a benchmark of known XSS vulnerabilities.  We also consider the future evolution of this approach in the ever-changing world of web standards.
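
The accept-or-reject idea in the abstract, shown as an added example: this is not code from the paper, and the allowlist is a small constructed stand-in, not the Script-Free HTML 4 grammar. The names `ALLOWED`, `scheme_of`, `ScriptFreeChecker` and `check` are assumptions made for this example; the checker reports violations and never rewrites the input.

```python
import re
from html.parser import HTMLParser

# Constructed allowlist for illustration; NOT the paper's Script-Free HTML 4 grammar.
ALLOWED = {t: set() for t in ("p", "b", "i", "em", "strong", "ul", "ol", "li", "br")}
ALLOWED.update({"a": {"href", "title"}, "img": {"src", "alt"}})
VOID = {"br", "img"}                  # elements that take no end tag
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https"}  # "" means a relative URL

def scheme_of(url):
    """Scheme before the first ':' if it precedes any '/', '?' or '#', else ""."""
    url = "".join(c for c in url if c > " ")   # drop whitespace and control characters
    head = re.split(r"[/?#]", url, maxsplit=1)[0]
    return head.split(":", 1)[0].lower() if ":" in head else ""

class ScriptFreeChecker(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack, self.violations = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.violations.append(f"element <{tag}> not allowed")
            return
        for name, value in attrs:     # values arrive with character references decoded
            if name not in ALLOWED[tag]:
                self.violations.append(f"attribute {name} not allowed on <{tag}>")
            elif name in URL_ATTRS and scheme_of(value or "") not in SAFE_SCHEMES:
                self.violations.append(f"URL scheme not allowed in {name}")
        if tag not in VOID:
            self.stack.append(tag)    # track nesting so unbalanced markup is rejected

    def handle_endtag(self, tag):
        if tag in VOID or tag not in ALLOWED:
            return                    # a disallowed element is reported at its start tag
        if not self.stack or self.stack.pop() != tag:
            self.violations.append(f"unbalanced </{tag}>")

    def _reject(self, data):
        self.violations.append("comments, declarations and processing instructions not allowed")
    handle_comment = handle_decl = handle_pi = unknown_decl = _reject

def check(fragment):
    """Return a list of violations; an empty list means the fragment is accepted."""
    checker = ScriptFreeChecker()
    checker.feed(fragment)
    checker.close()
    return checker.violations + [f"unclosed <{t}>" for t in checker.stack]
```

Calling `check(fragment)` on user-supplied markup returns an empty list for conforming input; anything else is refused outright rather than repaired.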

Published

2014-05-27

Section

JUROS Science & Technology