Precise XSS detection and mitigation with Client-side Templates
This provides a novel, application-specific defense for web users against XSS exploits, especially zero-days, before patches are applied, addressing a critical security gap.
The paper tackles the problem of cross-site scripting (XSS) attacks by introducing XSnare, a client-side Firefox extension that uses CVE-based exploit descriptions to detect and mitigate XSS, achieving 94.2% protection against 81 recent CVEs with minimal performance overhead.
We present XSnare, a fully client-side XSS solution, implemented as a Firefox extension. Our approach takes advantage of available previous knowledge of a web application's HTML template content, as well as the rich context available in the DOM to block XSS attacks. XSnare prevents XSS exploits by using a database of exploit descriptions, which are written with the help of previously recorded CVEs. CVEs for XSS are widely available and are one of the main ways to tackle zero-day exploits. XSnare effectively singles out potential injection points for exploits in the HTML and sanitizes content to prevent malicious payloads from appearing in the DOM. XSnare can protect application users before application developers release patches and before server operators apply them. We evaluated XSnare on 81 recent CVEs related to XSS attacks, and found that it defends against 94.2% of these exploits. To the best of our knowledge, XSnare is the first protection mechanism for XSS that is application-specific, and based on publicly available CVE information. We show that XSnare's specificity protects users against exploits which evade other, more generic, anti-XSS approaches. Our performance evaluation shows that our extension's overhead on web page loading time is less than 10% for 72.6% of the sites in the Moz Top 500 list.