
Mitigating Cross-Site Scripting Attacks with a Content Security Policy
Abstract
A content security policy (CSP) can help Web application developers and server administrators better control website content and reduce exposure to cross-site scripting (XSS) vulnerabilities.
In experiments with a prototype website, the authors’ CSP implementation successfully mitigated all XSS attack types in four popular browsers.
Among the many attacks on Web applications, cross-site scripting (XSS) is one of the most common.
An XSS attack injects malicious script into a trusted website; the script executes in a visitor's browser without the visitor's knowledge and thereby gives the attacker access to sensitive user data, such as session tokens and cookies stored in the browser [1].
With this data, attackers can carry out several further malicious acts, including identity theft, key logging, phishing, user impersonation, and webcam activation.
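To make the abstract's claim concrete, the following added example (not code from the paper or its prototype) models, in simplified form, how a browser applies the `script-src` directive of a CSP header. It shows why a permissive policy still lets an injected inline script run, while a policy restricted to `'self'`, a per-response nonce and one named CDN blocks inline script and scripts from other origins. The header strings, origins and nonce value are constructed for the example; the host-matching rules follow the CSP source-expression grammar but omit paths and `'strict-dynamic'`.

```python
"""Simplified model of a browser applying a CSP script-src directive.

Added example: illustrates the policy decisions, not a full CSP engine.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src governs scripts and falls back to default-src; None means unrestricted."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def allows_inline_script(policy: Dict[str, List[str]], nonce: Optional[str] = None) -> bool:
    """Inline <script> (the classic XSS payload) needs 'unsafe-inline' or a matching nonce.

    Per the CSP specification, 'unsafe-inline' is ignored once the directive
    contains any nonce or hash source, so adding a nonce does not weaken the policy.
    """
    sources = script_sources(policy)
    if sources is None:
        return True
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def _matches_host_source(source: str, script_url: str) -> bool:
    """Match a host-source such as https://cdn.example.com or *.example.com."""
    src = urlsplit(source if "://" in source else "//" + source)
    tgt = urlsplit(script_url)
    if src.scheme and src.scheme != tgt.scheme:
        return False
    if src.port is not None and src.port != tgt.port:
        return False
    host = src.hostname or ""
    if host.startswith("*."):
        return (tgt.hostname or "").endswith(host[1:])
    return host == tgt.hostname


def allows_external_script(policy: Dict[str, List[str]], page_origin: str, script_url: str) -> bool:
    """Decide whether <script src=script_url> may load on a page served from page_origin."""
    sources = script_sources(policy)
    if sources is None:
        return True
    page, tgt = urlsplit(page_origin), urlsplit(script_url)
    for source in sources:
        if source == "'self'":
            if (page.scheme, page.hostname, page.port) == (tgt.scheme, tgt.hostname, tgt.port):
                return True
        elif source == "*":
            return True
        elif source.startswith("'"):
            continue  # keyword, nonce or hash source: never a host match
        elif source.endswith(":"):  # scheme-source such as https:
            if tgt.scheme == source[:-1]:
                return True
        elif _matches_host_source(source, script_url):
            return True
    return False


if __name__ == "__main__":
    # Constructed policies: a permissive one and a restrictive one.
    weak = parse_csp("default-src *; script-src * 'unsafe-inline'")
    strict = parse_csp("default-src 'self'; script-src 'self' 'nonce-r4nd0m' https://cdn.example.com")
    print("weak   allows injected inline script:", allows_inline_script(weak))
    print("strict allows injected inline script:", allows_inline_script(strict))
    print("strict allows its own nonced script:  ", allows_inline_script(strict, nonce="r4nd0m"))
    print("strict allows script from other host: ",
          allows_external_script(strict, "https://shop.example", "https://other.example/x.js"))
```

The two decision functions are where the defensive value lies: with the strict policy, an injected `<script>` block has no valid nonce and is refused, and a `<script src>` pointing outside `'self'` or the named CDN is refused as well, regardless of how the markup got into the page.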
Conclusion
XSS attacks allow the attacker to execute malicious script in the victim's browser and thereby steal the user's sensitive information.
Existing approaches mostly focus on detecting XSS attacks either at the client side or at the server side.
There is therefore a need for a solution that can detect both persistent and non-persistent XSS attacks and that works at both the client and the server side.
Our proposed approach is accordingly modelled so that it validates input at the client side.
This technique works for both persistent and non-persistent XSS attacks. The server-side approach provides validated output.
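The following added example (not the paper's code) shows what "validated output" on the server side can look like in practice when combined with the CSP from the abstract: user-supplied content is HTML-escaped before it is placed in the page, and the response carries a nonce-based policy so that even content that slipped past validation could not execute as script. The handler name, the page markup, the policy and the sample comment are all constructed for this example.

```python
"""Server-side output validation plus a per-response CSP nonce.

Added example: a minimal request handler, independent of any framework.
"""
import html
import re
import secrets
from typing import Dict, Tuple

# Constructed untrusted input of the kind an attacker would submit as a comment.
SAMPLE_COMMENT = 'Nice post! <script>alert(1)</script><img src=x onerror="alert(2)">'


def render_comment_page(user_comment: str) -> Tuple[Dict[str, str], str]:
    """Return (headers, body) for a page that displays one user comment.

    Two independent layers:
      1. Output encoding: html.escape neutralises <, >, &, " and ' so the comment
         is rendered as text, never parsed as markup.
      2. CSP: only the script carrying this response's nonce may run; inline
         event handlers and foreign script sources are refused by the browser.
    """
    nonce = secrets.token_urlsafe(16)
    safe_comment = html.escape(user_comment, quote=True)
    body = (
        "<!doctype html>\n"
        "<html><head><title>Comments</title></head><body>\n"
        f'<p class="comment">{safe_comment}</p>\n'
        f'<script nonce="{nonce}">document.body.dataset.loaded = "1";</script>\n'
        "</body></html>\n"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": (
            "default-src 'self'; "
            f"script-src 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'none'"
        ),
    }
    return headers, body


def nonce_from_policy(headers: Dict[str, str]) -> str:
    """Extract the script nonce from the CSP header (helper for checks below)."""
    match = re.search(r"'nonce-([A-Za-z0-9_\-]+)'", headers["Content-Security-Policy"])
    return match.group(1) if match else ""


def body_contains_raw_script(body: str) -> bool:
    """True if any <script> tag other than the nonced one survived into the body."""
    tags = re.findall(r"<script\b[^>]*>", body, flags=re.IGNORECASE)
    return any('nonce="' not in tag for tag in tags)


if __name__ == "__main__":
    hdrs, page = render_comment_page(SAMPLE_COMMENT)
    print(hdrs["Content-Security-Policy"])
    print(page)
    print("raw script tag present:", body_contains_raw_script(page))
```

The nonce is generated fresh for every response; reusing a fixed value would let an attacker who learns it mint a valid `<script nonce>` attribute, so it must never be cached or templated statically.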