XSS attack prevention using DOM based filtering API

Abstract

Cross-site scripting (XSS) is a type of vulnerability typically found in Web applications that enables users to input data and uses user submitted data without proper sanitation. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability present in web application may be used by attackers to bypass access controls such as the Same Origin Policy(SOP). Cross site-scripting is ranked 3rd among list of Top10 vulnerability mentioned in OWASP (Open Web Application Security Projects). Some of existing solutions to XSS attack include use of regular expressions to detect the presence of malicious dynamic content that can easily bypassed using parsing quirks and client side filtering mechanisms such as Noscript and Noxes tool which require security awareness by user that cannot be guaranteed. Some of existing solutions are unacceptably slow and can be bypassed .Some of them as too restrictive resulting in loss of functionality. In our work, we developed server side response filtering API that will allow benign HTML to pass through it but blocks harmful script. It does not require large amount of modification in existing web application. Proposed system is having high fidelity and low response time.