Two for the price of one: A combined browser defense against XSS and clickjacking

Title: Two for the price of one: A combined browser defense against XSS and clickjacking
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Rao, K. S., Jain, N., Limaje, N., Gupta, A., Jain, M., Menezes, B.
Conference Name: 2016 International Conference on Computing, Networking and Communications (ICNC)
Keywords: attack vector, attribute injection, browser, browser defense, Browsers, clickjacking, client-side defence, composability, Context, Cross Site Scripting, Engines, HTML, HTML injection, HTTP request parameter, Human Behavior, Information filters, Internet, Java, JavaScript, Mozilla Firefox browser, online front-ends, partial script injection, pubcrawl, Resiliency, security of data, Web application threat, Web pages, web security, XBuster, XSS attack vector
Abstract: Cross Site Scripting (XSS) and clickjacking have been ranked among the top web application threats in recent times. This paper introduces XBuster, our client-side defence against XSS, implemented as an extension to the Mozilla Firefox browser. XBuster splits each HTTP request parameter into HTML and JavaScript contexts and stores them separately. It searches for both contexts in the HTTP response and handles each context type differently. It defends against all XSS attack vectors, including partial script injection, attribute injection and HTML injection. Also, existing XSS filters may inadvertently disable frame-busting code used in web pages as a defence against clickjacking; XBuster has been designed to detect and neutralize such attempts.
DOI: 10.1109/ICCNC.2016.7440629
Citation Key: rao_two_2016