TY - GEN
T1 - XSS-Dec
T2 - 26th Annual WG 11.3 Conference on Data and Applications Security and Privacy, DBSec 2012
AU - Sundareswaran, Smitha
AU - Squicciarini, Anna Cinzia
PY - 2012
Y1 - 2012
N2 - Cross-site scripting attacks represent one of the major security threats in today's Web applications. Current approaches to mitigate cross-site scripting vulnerabilities rely on either server-based or client-based defense mechanisms. Although effective for many attacks, server-side protection mechanisms may leave the client vulnerable if the server is not well patched. On the other hand, client-based mechanisms may incur a significant overhead on the client system. In this work, we present a hybrid client-server solution that combines the benefits of both architectures. Our Proxy-based solution leverages the strengths of both anomaly detection and control flow analysis to provide accurate detection. We demonstrate the feasibility and accuracy of our approach through extended testing using real-world cross-site scripting exploits.
UR - http://www.scopus.com/inward/record.url?scp=84864346176&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84864346176&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-31540-4_17
DO - 10.1007/978-3-642-31540-4_17
M3 - Conference contribution
AN - SCOPUS:84864346176
SN - 9783642315398
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 223
EP - 238
BT - Data and Applications Security and Privacy XXVI - 26th Annual IFIP WG 11.3 Conference, DBSec 2012, Proceedings
Y2 - 11 July 2012 through 13 July 2012
ER -