Talks and Poster Presentations (with Proceedings-Entry):
C. Krügel, Ch. Platzer, E. Kirda, C. Ludl, P. Wurzinger:
"SWAP: Mitigating XSS Attacks using a Reverse Proxy";
Talk: International Workshop on Software Engineering for Secure Systems (SESS),
Vancouver, Canada;
2009-05-19; in: "SESS proceedings",
(2009).
English abstract:
Due to the increasing amount of Web sites offering features to contribute rich content, and the frequent failure of Web developers to properly sanitize user input, cross-site scripting prevails as the most significant security threat to Web applications. Using cross-site scripting techniques, miscreants can hijack Web sessions, and craft credible phishing sites. Previous work towards protecting against cross-site scripting attacks suffers from various drawbacks, such as practical infeasibility of deployment due to the need for client-side modifications, inability to reliably detect all injected scripts, and complex, error-prone parameterization. In this paper, we introduce SWAP (Secure Web Application Proxy), a server-side solution for detecting and preventing cross-site scripting attacks. SWAP comprises a reverse proxy that intercepts all HTML responses, as well as a modified Web browser which is utilized to detect script content. SWAP can be deployed transparently for the client, and requires only a simple automated transformation of the original Web application. Using SWAP, we were able to correctly detect exploits on several authentic vulnerabilities in popular Web applications.
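The abstract describes three stages: an automated transformation of the Web application, a reverse proxy that inspects every HTML response with a script-detecting browser, and delivery of the page only when no script is found. The following is an added illustration of that pipeline written for this entry; it is not the authors' code. The real system drives a modified Web browser to decide whether a response contains script; a small html.parser subclass stands in for it here, and it will miss things a browser would execute. Modelling the transformation as "replace each legitimate script with a numbered placeholder that the proxy restores afterwards" is an assumption, as are the placeholder syntax, the function names and the constructed guestbook template and inputs.

```python
# Added example: a toy model of the three SWAP stages described in the
# abstract. Not the authors' code. SWAP uses a modified Web browser to
# decide whether a page contains script; a small html.parser subclass
# stands in for it here. The placeholder syntax, function names and the
# guestbook template are assumptions made for this example.
import re
from html.parser import HTMLParser

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
PLACEHOLDER = "<!--swap-script-{}-->"
PLACEHOLDER_RE = re.compile(r"<!--swap-script-(\d+)-->")


def transform_template(template):
    """Stage 1 (done once, offline): strip every legitimate <script> block
    out of the application's own template and remember it in a table.
    After this, any script that shows up in a rendered page was injected."""
    table = []

    def stash(match):
        table.append(match.group(0))
        return PLACEHOLDER.format(len(table) - 1)

    return SCRIPT_RE.sub(stash, template), table


class ScriptDetector(HTMLParser):
    """Stage 2 helper, standing in for SWAP's modified browser: records
    script elements, on* event handlers and javascript: URLs."""

    URL_ATTRS = ("href", "src", "action", "formaction")

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script-tag", self.getpos()))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(("handler:" + name, self.getpos()))
            elif value and name in self.URL_ATTRS:
                # drop whitespace/control chars so "java\tscript:" is caught
                normalized = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if normalized.startswith("javascript:"):
                    self.findings.append(("javascript-url:" + name, self.getpos()))


def detect_scripts(html):
    parser = ScriptDetector()
    parser.feed(html)
    parser.close()
    return parser.findings


def proxy_filter(rendered_html, table):
    """Stages 2 and 3, run by the reverse proxy on every HTML response:
    refuse the page if the detector finds any script (returns None plus
    the findings); otherwise put the legitimate scripts back and forward it.
    Placeholders with an index outside the table are dropped, so a forged
    placeholder can at most reproduce a script the application already ships."""
    findings = detect_scripts(rendered_html)
    if findings:
        return None, findings

    def restore(match):
        index = int(match.group(1))
        return table[index] if index < len(table) else ""

    return PLACEHOLDER_RE.sub(restore, rendered_html), []


# Constructed guestbook application: the app itself does no sanitizing.
TEMPLATE = """<html><head><script src="/static/app.js"></script></head>
<body><h1>Guestbook</h1><div id="entries">{entries}</div>
<script>initGuestbook();</script></body></html>"""
TRANSFORMED, SCRIPT_TABLE = transform_template(TEMPLATE)


def render(entries):
    """The unmodified application logic: user content pasted in verbatim."""
    return TRANSFORMED.format(entries="".join("<p>%s</p>" % e for e in entries))


def serve(entries):
    """What a client would receive: (html, []) or (None, findings)."""
    return proxy_filter(render(entries), SCRIPT_TABLE)


if __name__ == "__main__":
    print(serve(["Hello <b>world</b>"]))
    print(serve(['<img src=x onerror="alert(document.cookie)">']))
```

Because every legitimate script was removed before the page reached the proxy, the check reduces to "is there any script at all", which is why the approach needs no per-application parameterization. The weak point of this stand-in is the detector: a parser-based check is only as good as its list of script vectors, whereas the paper's modified browser decides by the same rules the victim's browser would apply.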
Keywords:
XSS
Electronic version of the publication:
http://publik.tuwien.ac.at/files/PubDat_180132.pdf
Related Projects:
Project Head Paolo Milani Comparetti:
Worldwide Observatory of Malicious Behaviors and Attack Threats
Created from the Publication Database of the Vienna University of Technology.