• DocumentCode
    3023132
  • Title
    Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers
  • Author
    Louw, Mike Ter ; Venkatakrishnan, V.N.

  • Author_Institution
    Dept. of Comput. Sci., Univ. of Illinois at Chicago, Chicago, IL, USA
  • fYear
    2009
  • fDate
    17-20 May 2009
  • Firstpage
    331
  • Lastpage
    346
  • Abstract
    As social networking sites proliferate across the World Wide Web, complex user-created HTML content is rapidly becoming the norm rather than the exception. User-created Web content is a notorious vector for cross-site scripting (XSS) attacks that target Web sites and confidential user data. In this threat climate, mechanisms that render web applications immune to XSS attacks have been of recent research interest. A challenge for these security mechanisms is enabling Web applications to accept complex HTML input from users, while disallowing malicious script content. This challenge is made difficult by anomalous Web browser behaviors, which are often used as vectors for successful XSS attacks. Motivated by this problem, we present a new XSS defense strategy designed to be effective in widely deployed existing Web browsers, despite anomalous browser behavior. Our approach seeks to minimize trust placed on browsers for interpreting untrusted content. We implemented this approach in a tool called Blueprint that was integrated with several popular Web applications. We evaluated Blueprint against a barrage of stress tests that demonstrate strong resistance to attacks, excellent compatibility with Web browsers and reasonable performance overheads.
  • Keywords
    Internet; hypermedia markup languages; online front-ends; security of data; social networking (online); Blueprint; Web sites; World Wide Web; XSS defense strategy; anomalous Web browser behaviors; cross-site scripting attacks; social networking sites; threat climate; user-created HTML content; Collaboration; Data security; HTML; Information filtering; Information filters; Information services; Internet; Robustness; Social network services; Web sites; Web application security; XSS; browser flaws; browser security; document structural integrity; input validation; isolation; malicious code injection; unauthorized code execution;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Security and Privacy, 2009 30th IEEE Symposium on
  • Conference_Location
    Berkeley, CA
  • ISSN
    1081-6011
  • Print_ISBN
    978-0-7695-3633-0
  • Type
    conf
  • DOI
    10.1109/SP.2009.33
  • Filename
    5207654