Prevention of Cross-Site Scripting Attacks on Current Web Applications

Detailed bibliography
Title: Prevention of Cross-Site Scripting Attacks on Current Web Applications
Authors: Joaquin Garcia-Alfaro, Guillermo Navarro-Arribas
Contributors: The Pennsylvania State University CiteSeerX Archives
Source: http://hacks-galore.org/guille/pubs/is-otm-07.pdf
Collection: CiteSeerX
Subjects: Software Protection, Code Injection Attacks, Security Policies
Description: Security is becoming one of the major concerns for web applications and other Internet-based services, which are becoming pervasive in all kinds of business models and organizations. Web applications must therefore include, in addition to the expected value offered to their users, reliable mechanisms to ensure their security. In this paper, we focus on the specific problem of preventing cross-site scripting attacks against web applications. We present a study of this kind of attack, and survey current approaches for their prevention. The advantages and limitations of each proposal are discussed, and an alternative solution is introduced. Our proposition is based on the use of X.509 certificates, and XACML for the expression of authorization policies. By using our solution, developers and/or administrators of a given web application can specifically express its security requirements from the server side, and require the proper enforcement of such requirements on a compliant client. This strategy is seamlessly integrated in generic web applications by relying on SSL and secure redirect calls.
Document type: text
File description: application/pdf
Language: English
Relation: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.568.7722
Availability: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.568.7722
http://hacks-galore.org/guille/pubs/is-otm-07.pdf
Rights: Metadata may be used without restrictions as long as the OAI identifier remains attached to it.
Accession number: edsbas.2C877C47
Database: BASE