Blog: A Blueprint to Stop Browser Attacks; defending against cross-site scripting attacks

A Blueprint to Stop Browser Attacks
Technology Review (05/14/09) Naone, Erica

University of Illinois at Chicago (UIC) researchers will present a new way of defending against cross-site scripting attacks at the upcoming IEEE Symposium on Security and Privacy. The new defense enables a Web site to control how user-generated content is transmitted to a Web browser, neutralizing cross-site scripting attacks before they reach the end user. White Hat Security founder Jeremiah Grossman says cross-site scripting is the most prevalent threat on the Internet, and although newer Web sites are better equipped to defend against these attacks, there are still millions of vulnerabilities on the Internet. The UIC solution involves a layer of software called Blueprint that can be inserted between user-generated pages and the browser. Blueprint is stored on a Web site's servers, reads user-generated HTML, and checks it against a white list of trusted code, removing any potentially harmful scripts and deciding how content should appear in a browser. The software then reformats the information and transmits it to the browser. For example, Blueprint eliminates characters and symbols that are sometimes used to send unauthorized scripting signals to a user's browser. The solution was tested against 94 types of cross-site scripting attacks and successfully prevented every attack. "What we want to do is to take away the ability for the browser's parser to make any script-identification decisions on the untrusted content that is supplied by the Web application," says UIC professor V. N. Venkatakrishnan.

View Full Article