From IE to Google Chrome, Researchers Target Cross-Site Scripting

Two researchers are proposing a software answer to cross-site scripting called BluePrint that takes parsing responsibilities away from Web browsers like Internet Explorer and Google Chrome to improve security. Mike Ter Louw and V.N. Venkatakrishnan are presenting their research May 20 at the IEEE Symposium on Security and Privacy, in Oakland, Calif.

For all the advances in browser security, cross-site scripting remains at the top of the list when it comes to Website vulnerabilities affecting users.

Browser vendors have started to address the security issue by building more protections into the browser. Microsoft, for example, added a cross-site scripting filter to Internet Explorer 8. The challenge for such technologies is to enable Web applications to accept complex HTML input while blocking malicious scripts. Now, two researchers from the University of Illinois at Chicago are talking up a new way to bolster browser protection by reducing the dependence of Web applications on unreliable browser parsers.

At the IEEE Symposium on Security and Privacy in Oakland, Calif., researchers Mike Ter Louw and V.N. Venkatakrishnan May 20 are offering up their answer to defending against cross-site scripting, which they call BluePrint. Inserted as a software layer between the Web app and the browser, BluePrint uses a whitelist of safe HTML elements to identify and remove untrusted content. To avoid potential script injection attacks, the whitelist content is carefully transported and reproduced safely in the browser, Venkatakrishnan told eWEEK.

In a paper, the researchers contended that today's Web browsers cannot be trusted to make script identification decisions (PDF) involving suspicious HTML due to their unreliable parsing behavior. For that reason, the duo designed BluePrint to essentially take control of parsing decisions.

"On the application server, a parse tree is generated from untrusted HTML with precautions taken to ensure the absence of dynamic content (e.g., script) nodes in the tree," the researchers wrote. "On the client browser, the generated parse tree is conveyed to the browser's document generator without taking vulnerable paths ... which involve unreliable browser parsing behavior."

They continued, "This two-step process ensures untrusted content generated by the browser is consistent with the Web application's understanding of the content. The generated document reflects the application's intention that the untrusted content does not contain scripts, therefore all unauthorized script execution is prevented."

The researchers tested the software on versions of Google Chrome, Firefox 2 and 3, Opera 9.6, Safari 3.1 and 3.2, and Internet Explorer 6 and 7. In principle, though, BluePrint is designed to work with all existing browsers that support JavaScript, Venkatakrishnan said in an e-mail interview.

"We transformed large-scale applications such as MediaWiki (the software
that hosts Wikipedia) and WordPress using BluePrint and there was
very little impact on the actual user experience in viewing BluePrint-transformed pages," he said. "BluePrint doesn't modify any trusted content, and if a page contains dynamic content that is trusted, BluePrint doesn't affect these pages at all."