View cross-site scripting attacks from IE to Google Chrome

Source: Internet
Author: User

The browser security has been significantly improved, but when discussing security threats that affect users, cross-site scripting attacks are still at the top of the list.

We have noticed that browser vendors have begun to solve browser security problems by creating more protection for browsers. For example, Microsoft has added a cross-site scripting filter in its IE8 browser, the challenge of this technology is to make Web applications accept complicated HTML input while blocking malicious scripts, two researchers in Illinois, United States, are considering adopting a new approach to enhance browser protection by reducing reliance on web applications on unreliable web browser Resolvers.

At the IEEE Security and Privacy seminar held in Auckland, California, the two researchers, Mike Louw and V. n. venkatakrishnan proposed a new method to defend against cross-site scripting attacks, known as BluePrint. As a software layer between web applications and browsers, BluePrint uses a secure whitelist of HTML elements to determine and remove Untrusted content. To avoid potential script injection attacks, the white list content is transmitted and copied carefully in the browser.

In a file, the two researchers said that the current web browser cannot perform trusted script recognition (cannot identify content involving suspicious HTML ), because of the untrusted parsing function of the browser. For this reason, they designed BluePrint to fundamentally control the resolution.

"On the application server, the resolution tree is generated from untrusted HTML, and necessary preventive measures must be taken to ensure that there are no dynamic content (such as scripts) nodes in the resolution tree, "In the client browser, the generated parsing tree is sent to the file generator of the browser, but it does not adopt untrusted paths, but involves unreliable browser parsing."

They said, "These two steps can ensure that the Untrusted Content generated by the browser conforms to the web application's understanding of the content, and the generated file can reflect the intent of the application, untrusted content does not contain script content, so all unauthenticated script execution is stopped."

The researchers tested their software in Google Chrome, Firefox 2 and 3, Opera 9.6, Safari3.1 and 3.2, and IE6 and IE7, in principle, bluePrint is compatible with all browsers that currently support JavaScript, represented by Venkatakrishnan.

"We use BluePrint to convert large-scale applications (such as MediaWiki and WordPress). The test results show that there is almost no actual impact on users who view the BluePrint conversion page," he said, "BluePrint does not modify any trusted content. If a webpage contains dynamic and trusted content, BluePrint will not affect these pages."

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.