Publication | Closed Access
Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis.
Citations: 484
References: 14
Year: 2007
Tags: Engineering, Usable Security, Information Security, Software Engineering, Source Code Analysis, Software Analysis, Cross-site Scripting, XSS Attacks, Web Security, Sensitive Information, Static Checking, Internet Security, Static Analysis, Dynamic Data Tainting, Computer Science, Static Program Analysis, Software Security, Program Analysis, Software Testing
Cross-site scripting (XSS) injects attacker-controlled script into a web page so that it runs in the victim's browser and can send sensitive data to the attacker. Most defenses are server-side, and vulnerable sites often remain unpatched for a long time. This work proposes a client-side method that tracks the flow of sensitive data inside the browser to stop XSS attacks. When sensitive information is about to be sent to a third party, the browser prompts the user to approve or block the transfer. The approach gives users an extra protection layer while browsing, without relying solely on the web application's own security.
Cross-site scripting (XSS) is an attack against web applications in which scripting code is injected into the output of an application that is then sent to a user’s web browser. In the browser, this scripting code is executed and used to transfer sensitive data to a third party (i.e., the attacker). Currently, most approaches attempt to prevent XSS on the server side by inspecting and modifying the data that is exchanged between the web application and the user. Unfortunately, it is often the case that vulnerable applications are not fixed for a considerable amount of time, leaving the users vulnerable to attacks. The solution presented in this paper stops XSS attacks on the client side by tracking the flow of sensitive information inside the web browser. If sensitive information is about to be transferred to a third party, the user can decide if this should be permitted or not. As a result, the user has an additional protection layer when surfing the web, without solely depending on the security of the web application.