NoMoXSS (no more XSS)

About the solution

Cross site scripting (XSS) is a common security problem of web applications where an attacker can inject scripting code into the output of the application that is then sent to a user's web browser. In the browser, this scripting code is executed and used to transfer sensitive data to a third party. Todays solutions attempt to prevent XSS on the server side, for example, by inspecting and modifying the data sent to and from the web application. The presented solution, on the other hand, stops XSS attacks on the client side by tracking the use of sensitive information in the JavaScript engine of the web browser. If sensitive information is about to be transfered to a third party, the user can decide if this should be allowed or not. As a result, the user has an additional protection layer when surfing websites without solely depending on the security of the web application.

Documentation / Publications

NoMoXSS is the software prototype of the master thesis (~1Mb) "Cross Site Scripting (XSS) Attack Prevention with Dynamic Data Tainting on the Client Side"

This paper (~800kb) gives an overview of the approach.

Prerequisites

  • The Mozilla Firefox source
  • The necessary patch file
  • A build system (e.g., Windows/Linux)
    • Windows XP Professional Service Pack 2, Visual Studio 2003 (later Visual Studio 2005 Express), and Cygwin
    • Debian Sarge
    • Mandriva Linux 10.2 (Limited Edition 2005)

Install

Read the build documentation.

Testing

There is a Testsuite (~1.8Mb) that contains the basic tests and the exploits with instructions.

Authors

The solution is developed by Philipp Vogt.


Last Modified: Wed Mar 29 11:41:02 CEST 2006


Distributed Systems Group / Automation Systems Group/ Technical University of Vienna www.seclab.tuwien.ac.at