JUROS Science & Technology

Preventing Cross-Site Scripting with Script-Free HTML

Abstract

Cross-site scripting (XSS) is the injection of scripts into a web page by evading its input filtering. Even popular websites such as Google, Facebook, and YouTube have been exploited by XSS attacks. In 2010, OWASP ranked XSS the second-leading source of web security risk.

Current methods of preventing XSS exploits are either ineffective (some attacks still succeed) or overly prohibitive (legitimate HTML-rich content is blocked). This paper describes a new approach: the structure of safe input is rigorously defined, and a server-side tool is implemented to detect the presence of a potential XSS attack. The tool prevents XSS attacks while still permitting HTML-rich content. We define a new context-free grammar (Script-Free HTML 4) that precisely characterizes safe input. Our approach is evaluated by applying it to a benchmark of known XSS vulnerabilities. We also consider the future evolution of this approach in the ever-changing world of web standards.
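The following Python validator is an added illustration of the approach the abstract describes; it is not code from the paper, and the tag, attribute and URL-scheme sets it uses are constructed assumptions rather than the paper's Script-Free HTML 4 grammar. The point it demonstrates is the design choice itself: input is accepted only if every construct it contains belongs to an explicitly defined safe language, and anything outside that language is rejected outright rather than stripped or rewritten.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist for illustration only. The paper's Script-Free HTML 4
# grammar is not reproduced here; any allowlist of this kind plays the same role:
# it is the definition of "safe input", and everything else is rejected.
SAFE_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "br",
             "blockquote", "code", "pre", "h1", "h2", "h3"}
SAFE_ATTRS = {"a": {"href", "title"}, "blockquote": {"cite"}}
URL_ATTRS = {"href", "cite"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" means a relative URL
VOID_TAGS = {"br"}


class Rejected(Exception):
    """Raised as soon as the input contains a construct outside the grammar."""


class ScriptFreeChecker(HTMLParser):
    """Walks the markup and rejects on the first construct not in the allowlist."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []   # open elements, used to require balanced nesting

    def handle_starttag(self, tag, attrs):
        self._check(tag, attrs)
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):   # e.g. <br/>
        self._check(tag, attrs)

    def handle_endtag(self, tag):
        if not self.stack or self.stack[-1] != tag:
            raise Rejected(f"unbalanced end tag </{tag}>")
        self.stack.pop()

    # Comments, doctype-style declarations and processing instructions are not
    # part of the safe language at all, so they are rejected rather than ignored.
    def handle_comment(self, data):
        raise Rejected("comment not in grammar")

    def handle_decl(self, decl):
        raise Rejected("declaration not in grammar")

    def unknown_decl(self, data):
        raise Rejected("declaration not in grammar")

    def handle_pi(self, data):
        raise Rejected("processing instruction not in grammar")

    def _check(self, tag, attrs):
        if tag not in SAFE_TAGS:
            raise Rejected(f"tag <{tag}> not in grammar")
        allowed = SAFE_ATTRS.get(tag, set())
        for name, value in attrs:
            # Event-handler attributes (onclick, onerror, ...) are simply absent
            # from the allowlist, so they fail here like any other unknown attribute.
            if name not in allowed:
                raise Rejected(f"attribute {name} on <{tag}> not in grammar")
            if name in URL_ATTRS:
                # HTMLParser has already decoded character references in the value,
                # so an entity-encoded scheme is seen in its decoded form.
                scheme = urlparse((value or "").strip()).scheme.lower()
                if scheme not in SAFE_SCHEMES:
                    raise Rejected(f"URL scheme {scheme!r} not in grammar")


def is_script_free(html):
    """Return (accepted, reason). accepted is True only if the whole input conforms."""
    checker = ScriptFreeChecker()
    try:
        checker.feed(html)
        checker.close()
    except Rejected as exc:
        return False, str(exc)
    if checker.stack:
        return False, f"unclosed tag <{checker.stack[-1]}>"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: rich but script-free markup alongside rejected cases.
    for sample in ['<p>Hello <b>world</b></p>',
                   '<a href="https://example.com" title="t">link</a>',
                   '<script>alert(1)</script>',
                   '<a href="javascript:alert(1)">x</a>',
                   '<img src=x onerror=alert(1)>',
                   '<p>unclosed']:
        print(is_script_free(sample), repr(sample))
```

The validator only answers "in the language or not"; it never tries to repair input, which is what keeps it from the filter-evasion problems the abstract attributes to existing methods. A production grammar would need to cover the remaining HTML contexts (for example, which text content is allowed inside `pre` or `code`) and the output encoding context where the accepted markup is later rendered.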

How to Cite:

Seffernick, M. (2014). “Preventing Cross-Site Scripting with Script-Free HTML”. The Journal of Undergraduate Research 4.

Rights: The Journal of Undergraduate Research at Ohio State


Authors

  • Matthew Seffernick


File Checksums

(MD5)
  • PDF: c09fa2cf586d6c18ae117e69fa147301