Currently, Cross Site Scripting (XSS), which allows an attacker to insert and execute a malicious script in a vulnerable Web application, has become a problem. In recent years, with the increase in functions on the client side, attacks by Client-Side XSS, a kind of XSS, have become a problem. This client-side XSS is different from the reflection-type or storage-type XSS, in that the script is composed of the victim's Web browser, so there is a problem that it is difficult to protection with conventional measures
Issues
In order to solve this problem, detection / protection measures using taint tracking have been proposed, but the performance is affected and there is no practical solution. Therefore, in this research, we propose a method that protects Client-Side XSS while reducing the impact on performance by defining Trusted Types that verify whether the string type is safe as primitive types.
As an implementation of the proposed method, it is implemented in OSS JavaScript engine and Web browser V8 and Chromium, and as a result of evaluation, overhead of the existing method is said to be 7 to 17%, or more than 5% However, the overhead of this method is up to 1.2%, and the effect on performance can be reduced.
Publication
- 山崎 勇二, 垣内 正年, 新井 イスマイル, 藤川 和利, "既存のWebアプリケーションへの適用性を考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法の提案," 研究報告コンピュータセキュリティ(CSEC), 情報処理学会, vol.2019-CSEC-87, no.5, pp1 -6, 2019年12月