Comp527 Final Project Milestone Details (Nov. 3, 2013)
Detection & Sanitization of XSS
Jun Zheng (jz33) Chao Zhang (cz15)
Rice University
10/16/2013
Final project proposal has been posted on blog, we want to deeply look at the Cross-site Scripting (XSS), which allows attacker injects malicious client side scripts to other users. In this project, we focus on Django framework, in which XSS is protected by “Auto-sanitization”.
Also, we posted the strategy of our final project.
1) Doing research on analysis of XSS attacks based on two papers from Weinberger[1][2].
2) Our team will focus on Django’s “Auto-sanitization” mechanism, looking deeply with the implementation and limitations.
3) We choose to design and implement assistant programs or plug-ins to detect possible XSS attack codes.
10/26/2013
Until October 26th, our group focus on definition of XSS attacks, why XSS defense is so significant and what kinds of challenges of XSS sanitization exist in real world industry.
Problem from XSS attack:
Malicious programmer may inject client-side script to Web pages which is viewed by other users.
Responsibility of XSS defense (XSS sanitization):
Remove dangerous contents from untrusted data.
Current challenge of XSS sanitization:
1) Context Sensitivity
2) Nested Contexts
3) Browser Transductions
4) Dynamic Code Evaluation
5) Character-set Issues
6) Other challenges such as MIME-based XSS, Universal XSS and Mashup Confinement, which is not considered in this final project.
11/2/2013
Django framework & Django’s “Auto-sanitization” mechanism (implementation).
Future Works:
1) Continue working on Django’s “Auto-sanitization” mechanism.
2) Design and implement plug-ins to detect possible XSS attack codes.
References:
[1] Weinberger, J., et al., “A Systematic Analysis of XSS Sanitization in Web Application Frameworks”, Springer-Verlag Berlin Heidelberg 2011
[2] Weinberger, J., et al., “An Empirical Analysis of XSS Sanitization in Web Application Frameworks”, Technical Report No. UCB/EECS-2011-11