07-01-2014, 04:22 PM
Regular Expressions Considered Harmful in Client-Side XSS Filters
[b]ABSTRACT[/b]
Cross-site scripting flaws have now surpassed buffer overflows as the world's most common publicly reported security vulnerability. In recent years, browser vendors and researchers have tried to develop client-side filters to mitigate these attacks. We analyze the best existing filters and find them to be either unacceptably slow or easily circumvented. Worse, some of these filters could introduce vulnerabilities into sites that were previously bug-free. We propose a new filter design that achieves both high performance and high precision by blocking scripts after HTML parsing but before execution. Compared to previous approaches, our approach is faster, protects against more vulnerabilities, and is harder for attackers to abuse.