Defending the OSN-Based Web Applications from XSS Attacks Using Dynamic JavaScript Code and Content Isolation

Abstract

Online social networks (OSNs) are continuously suffering from the plague of cross-site scripting (XSS) vulnerabilities. This article presents a contemporary XSS defensive framework for the OSN-based web applications that is completely based on the context type qualifier. The proposed framework executes in two key phases: Context-Aware Sanitization Generator (CASG) and Context-Aware Dynamic Parsing (CADP). The former phase performs the static analysis of HTML document to determine the context of the untrusted JavaScript code. In addition to this, it also injects the context-sensitive sanitizers in the location of the untrusted JavaScript code. The later phase performs the dynamic parsing of HTML document generated by the first phase. The main objective of this phase is to determine the context of the untrusted malicious script code that is statically ambiguous to identify in the first phase. It also performs the sanitization depending on the context identified. The testing and evaluation of proposed framework was done on a tested suite of real-world OSN-based web applications (e.g., HumHub and Elgg). The experimental results revealed that the proposed framework is capable of implementing auto-context aware sanitization on the untrusted JavaScript malicious code with less number of false positives and false negatives. Evaluation outcomes also revealed that the technique has accomplished the untrusted malicious JavaScript code isolation in the HTML document generated by OSN-based web applications for mitigating the effect of XSS worms with less dynamic runtime overhead.