Browser security has improved significantly, but when discussing security threats that affect users, cross-site scripting attacks are still at the top of the list.
We have noticed that browser vendors have begun to address browser security problems by building more protection into browsers. For example, Microsoft has added a cross-site scripting filter to its IE8 browser. The challenge for this kind of technology is to let web applications accept complex HTML input while blocking malicious scripts. Two researchers in Illinois, United States, are proposing a new approach that strengthens protection by reducing web applications' reliance on unreliable browser parsers.
At the IEEE Security and Privacy symposium held in Oakland, California, the two researchers, Mike Louw and V. N. Venkatakrishnan, proposed a new method for defending against cross-site scripting attacks, known as BluePrint. A software layer between web applications and browsers, BluePrint uses a whitelist of safe HTML elements to identify and remove untrusted content. To avoid potential script injection attacks, the whitelisted content is carefully transmitted to and reproduced in the browser.
In a paper, the two researchers said that current web browsers cannot be trusted to recognize scripts (that is, to identify which HTML content is suspicious), because the browser's own parsing behaviour is unreliable. For this reason, they designed BluePrint to take control of parsing at a fundamental level.
"On the application server, the parse tree is generated from untrusted HTML, and necessary preventive measures must be taken to ensure that there are no dynamic content nodes (such as scripts) in the parse tree. In the client browser, the generated parse tree is sent to the browser's document generator, and it does not take the untrusted paths that involve unreliable browser parsing."
They said, "These two steps can ensure that the untrusted content generated by the browser conforms to the web application's understanding of the content, and that the generated document reflects the intent of the application. Untrusted content does not contain script content, so all unauthorized script execution is stopped."
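The two steps the researchers describe, as an added JavaScript sketch (not code from the BluePrint project): the server reduces an untrusted parse tree to whitelisted static nodes and encodes it, and the client rebuilds it through DOM calls instead of the HTML parser. The node shape, the whitelist, the base64 encoding and all function names are assumptions made for this illustration.

```javascript
// Added sketch; all names are hypothetical, not BluePrint's API.
// Assumed node shape: a string (text) or { tag, attrs, children }.
const ALLOWED = new Map([['p', []], ['b', []], ['i', []], ['ul', []],
                         ['li', []], ['a', ['href']]]);
const SAFE_URL = /^https?:\/\//i;

// Server: keep only whitelisted static nodes from the untrusted parse tree.
function filterTree(node) {
  if (typeof node === 'string') return node;        // text stays data
  const tag = String(node.tag).toLowerCase();
  if (!ALLOWED.has(tag)) return null;               // dropped with its subtree
  const attrs = {};
  for (const name of ALLOWED.get(tag)) {
    const v = (node.attrs || {})[name];
    if (typeof v === 'string' && (name !== 'href' || SAFE_URL.test(v))) attrs[name] = v;
  }
  const children = (node.children || []).map(filterTree).filter(c => c !== null);
  return { tag, attrs, children };
}

// Server: serialise the model into an alphabet with no HTML syntax characters.
const encodeModel = tree => btoa(encodeURIComponent(JSON.stringify(tree)));

// Client: rebuild with DOM calls only; nothing is handed to the HTML parser.
function build(node, doc) {
  if (typeof node === 'string') return doc.createTextNode(node);
  const el = doc.createElement(node.tag);
  for (const [k, v] of Object.entries(node.attrs)) el.setAttribute(k, v);
  for (const c of node.children) el.appendChild(build(c, doc));
  return el;
}
function render(encoded, doc) {
  const model = JSON.parse(decodeURIComponent(atob(encoded)));
  return model === null ? null : build(model, doc);
}

// Constructed sample of an untrusted comment, already parsed on the server.
const SAMPLE = { tag: 'p', attrs: { onclick: 'x()' }, children: [
  'Hi ',
  { tag: 'script', attrs: {}, children: ['alert(1)'] },
  { tag: 'a', attrs: { href: 'javascript:alert(1)' }, children: ['link'] },
  { tag: 'b', attrs: {}, children: ['<img src=x onerror=1>'] } ] };
const WIRE = encodeModel(filterTree(SAMPLE));
// In a page: container.appendChild(render(WIRE, document));
```

The markup-looking string inside the `b` element survives only as a text node, so the browser displays it rather than parsing it.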
The researchers tested their software in Google Chrome, Firefox 2 and 3, Opera 9.6, Safari 3.1 and 3.2, and IE6 and IE7. In principle, BluePrint is compatible with all browsers that currently support JavaScript, according to Venkatakrishnan.
"We use BluePrint to convert large-scale applications (such as MediaWiki and WordPress). The test results show that there is almost no actual impact on users who view the BluePrint-converted pages," he said. "BluePrint does not modify any trusted content. If a webpage contains dynamic and trusted content, BluePrint will not affect these pages."