TY - GEN
T1 - Prevention of cross-site scripting attacks on current web applications
AU - Garcia-Alfaro, Joaquin
AU - Navarro-Arribas, Guillermo
PY - 2007/1/1
Y1 - 2007/1/1
N2 - Security is becoming one of the major concerns for web applications and other Internet based services, which are becoming pervasive in all kinds of business models and organizations. Web applications must therefore include, in addition to the expected value offered to their users, reliable mechanisms to ensure their security. In this paper, we focus on the specific problem of preventing cross-site scripting attacks against web applications. We present a study of this kind of attacks, and survey current approaches for their prevention. The advantages and limitations of each proposal are discussed, and an alternative solution is introduced. Our proposition is based on the use of X.509 certificates, and XACML for the expression of authorization policies. By using our solution, developers and/or administrators of a given web application can specifically express its security requirements from the server side, and require the proper enforcement of such requirements on a compliant client. This strategy is seamlessly integrated in generic web applications by relaying in the SSL and secure redirect calls.
AB - Security is becoming one of the major concerns for web applications and other Internet based services, which are becoming pervasive in all kinds of business models and organizations. Web applications must therefore include, in addition to the expected value offered to their users, reliable mechanisms to ensure their security. In this paper, we focus on the specific problem of preventing cross-site scripting attacks against web applications. We present a study of this kind of attacks, and survey current approaches for their prevention. The advantages and limitations of each proposal are discussed, and an alternative solution is introduced. Our proposition is based on the use of X.509 certificates, and XACML for the expression of authorization policies. By using our solution, developers and/or administrators of a given web application can specifically express its security requirements from the server side, and require the proper enforcement of such requirements on a compliant client. This strategy is seamlessly integrated in generic web applications by relaying in the SSL and secure redirect calls.
KW - Code injection attacks
KW - Security policies
KW - Software protection
U2 - 10.1007/978-3-540-76843-2_45
DO - 10.1007/978-3-540-76843-2_45
M3 - Conference contribution
AN - SCOPUS:38349004532
SN - 9783540768357
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 1770
EP - 1784
BT - On the Move to Meaningful Internet Systems 2007
PB - Springer Verlag
T2 - OTM Confederated International Conferences CoopIS, DOA, ODBASE, GADA, and IS 2007
Y2 - 25 November 2007 through 30 November 2007
ER -