Defending against Cross-Site Scripting Attacks
March 2012 (vol. 45 no. 3)
pp. 55-62
Lwin Khin Shar, Nanyang Technological University, Singapore
Hee Beng Kuan Tan, Nanyang Technological University, Singapore
Researchers have proposed multiple solutions to cross-site scripting, but vulnerabilities persist in many Web applications because developers do not understand the problem well and are unfamiliar with the strengths and limitations of current defenses.
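The "strengths and limitations of current defenses" that the abstract refers to can be made concrete with the most common developer-side defense, context-aware output encoding. The following is an added example, not code from Shar and Tan's article: the encoder names (encodeForHtml, encodeForJsString, safeHref), the render functions and the attack strings are all constructed for illustration. It shows one context where HTML-entity encoding is sufficient (element content) and two where it is not on its own (an unquoted attribute, and an event-handler attribute whose value the HTML parser entity-decodes before the JavaScript engine sees it), plus the href case, which needs a scheme allow-list rather than encoding.

```javascript
// Added example (not from the article): context-aware output encoding for XSS
// defence, with one context where entity encoding is enough and two where it is
// not on its own. Every input string below is constructed for the demonstration.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Encoder for HTML element content and for *quoted* attribute values.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Encoder for a JavaScript string literal: every non-alphanumeric character
// becomes \xHH (or \uHHHH), so quotes, backslashes and "</script>" can neither
// terminate the literal nor the enclosing script element.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// href/src need a scheme allow-list, not encoding: "javascript:alert(1)" has no
// HTML-special character, so encodeForHtml() would pass it through unchanged.
// Anything that is not http(s) is replaced by a harmless fragment link.
function safeHref(u) {
  const trimmed = String(u).trim();
  return /^https?:\/\//i.test(trimmed) ? encodeForHtml(trimmed) : '#';
}

// Strength: in element content, entity encoding neutralises injected markup.
function renderGreeting(name) {
  return `<p>Hello, ${encodeForHtml(name)}</p>`;
}

// Limitation 1: an unquoted attribute ends at the first whitespace, which
// encodeForHtml() does not touch, so the input can add new attributes.
function renderInputUnquoted(v) {
  return `<input value=${encodeForHtml(v)}>`; // vulnerable pattern
}
function renderInputQuoted(v) {
  return `<input value="${encodeForHtml(v)}">`; // quoting the attribute fixes it
}

// Limitation 2: the HTML parser entity-decodes an event-handler attribute before
// the JavaScript engine evaluates it, so "&#x27;" turns back into "'". The value
// must be JS-string-encoded first and only then HTML-attribute-encoded.
function renderHandlerHtmlEncodedOnly(v) {
  return `<button onclick="go('${encodeForHtml(v)}')">Go</button>`; // vulnerable
}
function renderHandler(v) {
  return `<button onclick="go('${encodeForHtml(encodeForJsString(v))}')">Go</button>`;
}

function renderLink(url) {
  return `<a href="${safeHref(url)}">link</a>`;
}

// Constructed attack strings, one per context.
const PAYLOADS = {
  markup: '<script>alert(1)</script>',
  attr: 'x onfocus=alert(1) autofocus',
  js: "'; alert(1); //",
  url: 'javascript:alert(1)',
};

// Renders every payload in every context and returns the results for inspection.
function demo() {
  return {
    greeting: renderGreeting(PAYLOADS.markup),
    inputUnquoted: renderInputUnquoted(PAYLOADS.attr), // attacker's onfocus= becomes a real attribute
    inputQuoted: renderInputQuoted(PAYLOADS.attr),     // whole payload stays inside the quotes
    handlerWeak: renderHandlerHtmlEncodedOnly(PAYLOADS.js), // decodes to go(''; alert(1); //')
    handlerStrong: renderHandler(PAYLOADS.js),
    linkBlocked: renderLink(PAYLOADS.url),
  };
}
```

The point the example makes is the one the abstract raises: encoding is only a defense when it matches the context the data lands in, and for some sinks (URL schemes, unquoted attributes) the right defense is not encoding at all but quoting or an allow-list.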

Index Terms:
Code vulnerabilities, Web applications, Secure coding practices, Web security, Cross-site scripting (XSS)
Citation:
Lwin Khin Shar, Hee Beng Kuan Tan, "Defending against Cross-Site Scripting Attacks," Computer, vol. 45, no. 3, pp. 55-62, March 2012, doi:10.1109/MC.2011.261