

Talks and Poster Presentations (with Proceedings-Entry):

C. Krügel, Ch. Platzer, E. Kirda, C. Ludl, P. Wurzinger:
"SWAP: Mitigating XSS Attacks using a Reverse Proxy";
Talk: International Workshop on Software Engineering for Secure Systems (SESS), Vancouver, Canada; 2009-05-19; in: "SESS proceedings", (2009).



English abstract:
Due to the increasing number of Web sites offering features to contribute rich content, and the frequent failure of Web developers to properly sanitize user input, cross-site scripting prevails as the most significant security threat to Web applications. Using cross-site scripting techniques, miscreants can hijack Web sessions and craft credible phishing sites. Previous work towards protecting against cross-site scripting attacks suffers from various drawbacks, such as practical infeasibility of deployment due to the need for client-side modifications, inability to reliably detect all injected scripts, and complex, error-prone parameterization. In this paper, we introduce SWAP (Secure Web Application Proxy), a server-side solution for detecting and preventing cross-site scripting attacks. SWAP comprises a reverse proxy that intercepts all HTML responses, as well as a modified Web browser that is used to detect script content. SWAP can be deployed transparently for the client and requires only a simple automated transformation of the original Web application. Using SWAP, we were able to correctly detect exploits on several authentic vulnerabilities in popular Web applications.

Keywords:
XSS


Electronic version of the publication:
http://publik.tuwien.ac.at/files/PubDat_180132.pdf



Related Projects:
Project Head Paolo Milani Comparetti:
Worldwide Observatory of Malicious Behaviors and Attack Threats


Created from the Publication Database of the Vienna University of Technology.