Document Structure Integrity

In Proc. of the 16th Annual Network and Distributed System Security Symposium (NDSS), February 2009


Cross-site scripting (or XSS) has been the most dominant class of web vulnerabilities in 2007. The main underlying reason for XSS vulnerabilities is that web markup and client-side languages do not provide principled mechanisms to ensure secure, ground-up isolation of user-generated data in web application code. In this paper, we develop a new approach that combines randomization of web application code and runtime tracking of untrusted data both on the server and the browser to combat XSS attacks. Our technique ensures a fundamental integrity property that prevents untrusted data from altering the structure of trusted code throughout the execution lifetime of the web application. We call this property document structure integrity (or DSI). Similar to prepared statements in SQL, DSI enforcement ensures automatic syntactic isolation of inline usergenerated data at the parser-level. This forms the basis for confinement of untrusted data in the web browser based on a server-specified policy.

We propose a client-server architecture that enforces document structure integrity in a way that can be implemented in current browsers with a minimal impact to compatibility and that requires minimal effort from the web developer. We implemented a proof-of-concept and demonstrated that such DSI enforcement with a simple default policy is sufficient to defeat over 98% of 5,328 real-world reflected XSS vulnerabilities documented in 2007, with very low performance overhead both on the client and server.