An Execution-flow Based Method for Detecting Cross-Site Scripting Attacks
We present an execution-flow analysis for JavaScript programs running in a web browser to prevent Cross-site Scripting (XSS) attacks. We construct finite-state automata (FSA) to model the client-side behavior of Ajax applications under normal execution. Our system is deployed in proxy mode. The proxy analyzes the execution flow of client-side JavaScript before the requested web pages arrive at the browser, in order to block potentially malicious scripts that do not conform to the FSA. We evaluate our technique against several real-world applications, and the results show that it protects against a variety of XSS attacks and has an acceptable performance overhead.
XSS; FSA; JavaScript; Ajax
Qianjie Zhang, Hao Chen, Jianhua Sun
Adv. Internet Media Lab, School of Computer and Communication, Hunan University, Changsha, China
International conference
Chengdu
English
70-75
2010-06-23 (date first made available online on the Wanfang platform; does not represent the paper's publication date)