From IE to Google Chrome, Researchers Target Cross-Site Scripting
Two researchers are proposing a software answer to cross-site scripting called BluePrint that takes parsing responsibilities away from Web browsers like Internet Explorer and Google Chrome to improve security. Mike Ter Louw and V.N. Venkatakrishnan are presenting their research May 20 at the IEEE Symposium on Security and Privacy, in Oakland, Calif.For all the advances in browser security, cross-site scripting remains at the top of the list when it comes to Website vulnerabilities affecting users. Browser vendors have started to address the security issue by building more protections into the browser. Microsoft, for example, added a cross-site scripting filter to Internet Explorer 8. The challenge for such technologies is to enable Web applications to accept complex HTML input while blocking malicious scripts. Now, two researchers from the University of Illinois at Chicago are talking up a new way to bolster browser protection by reducing the dependence of Web applications on unreliable browser parsers.
At the IEEE Symposium on Security and Privacy in Oakland, Calif., researchers Mike Ter Louw and V.N. Venkatakrishnan May 20 are offering up their answer to defending against cross-site scripting, which they call BluePrint. Inserted as a software layer between the Web app and the browser, BluePrint uses a whitelist of safe HTML elements to identify and remove untrusted content. To avoid potential script injection attacks, the whitelist content is carefully transported and reproduced safely in the browser, Venkatakrishnan told eWEEK.
that hosts Wikipedia) and WordPress using BluePrint and there was
very little impact on the actual user experience in viewing BluePrint-transformed pages," he said. "BluePrint doesn't modify any trusted content, and if a page contains dynamic content that is trusted, BluePrint doesn't affect these pages at all."