Over the past decade, cross-site scripting (XSS) has become one of the most ubiquitous vulnerabilities afflicting web applications. More recently, clickjacking was discovered, which is probably even more prevalent than XSS in modern web applications. The ease with which these vulnerabilities can be identified and exploited, together with the substantial benefits an attacker gains from exploiting them (e.g. compromising the user's session to impersonate the victim to the application, tricking the user into submitting sensitive credentials, or performing a privileged action on the user's behalf), makes them a prime target for attackers examining web applications.
In this article, we survey some of the techniques introduced by browser makers to prevent exploitation of these widespread vulnerabilities. These techniques do not depend on HTML5; they are standalone mechanisms. We will NOT be looking at purely client-side techniques such as cross-site scripting (XSS) filters, which are implemented and enforced entirely in the browser. We focus on techniques that include a server-side component and allow the web developer to control and tune the level of protection enforced. Note also that solutions for remediating these vulnerabilities already exist; the new techniques, however, give web developers and administrators a more elegant and efficient way to eliminate them than the more involved approaches. All of these mechanisms are enforced by the end user's browser. They are also backward compatible: a browser that does not understand them simply interprets and renders the response as if they were not present.
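To make the server-side/browser-enforced split concrete, here is an added example (not code from the article): a minimal WSGI middleware that attaches protection headers to every response, plus an audit helper that reports which protections a response enables. It assumes the well-known X-Frame-Options and Content-Security-Policy headers as instances of such controls; the policy values are defensive defaults chosen for the example, not a recommendation for any particular application.

```python
# Added example: server sets the headers, the browser enforces them.
# Assumes X-Frame-Options (clickjacking) and Content-Security-Policy (XSS)
# as concrete instances of server-controlled, browser-enforced protections.

# Defensive defaults for this example only; real policies are application-specific.
PROTECTION_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

def add_protection_headers(app):
    """Wrap a WSGI app so every response carries the protection headers,
    unless the application already set a header of the same name itself."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [(k, v) for k, v in PROTECTION_HEADERS.items()
                     if k.lower() not in present]
            return start_response(status, headers + extra, exc_info)
        return app(environ, patched_start_response)
    return wrapped

def audit_headers(headers):
    """Report which protections a response enables, from (name, value) pairs.
    Header names are matched case-insensitively, as browsers do."""
    lowered = {name.lower(): value.strip() for name, value in headers}
    xfo = lowered.get("x-frame-options", "").upper()
    csp = lowered.get("content-security-policy", "")
    return {
        "clickjacking": xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp,
        "xss": bool(csp),
    }

def hello_app(environ, start_response):
    """Constructed sample application that sets no protection headers."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html>hi</html>"]

def run_once(app):
    """Drive a WSGI app with a constructed GET request; return (headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers
    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured["headers"], body

if __name__ == "__main__":
    print(audit_headers(run_once(hello_app)[0]))                          # both False
    print(audit_headers(run_once(add_protection_headers(hello_app))[0]))  # both True
```

A legacy browser that does not recognise the headers simply ignores them and renders the body unchanged, which is the backward compatibility the text describes.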
Download PDF: http://www.mcafee.com