Noncespaces: Using randomization to defeat cross-site scripting attacks

Matthew Van Gundy and Hao Chen

Cross-site scripting (XSS) vulnerabilities are among the most common
and serious web application vulnerabilities. It is challenging to
eliminate XSS vulnerabilities because it is difficult for web
applications to sanitize all user input appropriately. We present
Noncespaces, a technique that enables web clients to distinguish between
trusted and untrusted content to prevent exploitation of XSS
vulnerabilities. Using Noncespaces, a web application randomizes the
(X)HTML tags and attributes in each document before delivering it
to the client. As long as the attacker is unable to guess the random
mapping, the client can distinguish between trusted content created by
the web application and untrusted content provided by an attacker. To
implement Noncespaces with minimal changes to web applications, we
leverage a popular web application architecture to automatically
apply Noncespaces to static content processed through a popular PHP
template engine. We design a policy language for Noncespaces,
implement a training mode to assist policy development, and conduct
extensive security testing of a generated policy for two large web
applications to show the effectiveness of our technique.
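To make the mechanism concrete, here is an added Python sketch (not the paper's implementation) of the idea described above: the server renames every tag in the trusted template with a per-document random prefix, untrusted values are substituted only afterwards, and the client accepts a tag as trusted only if it carries the prefix, escaping everything else. The `{{name}}` placeholder syntax and the function names `render` and `enforce` are assumptions for this example.

```python
import html
import re
import secrets

# Opening or closing tag: optional slash, name (may carry a "nonce:" prefix),
# then attributes. Simplified: attribute values containing ">" are not handled.
TAG_RE = re.compile(r"<(/?)([A-Za-z][\w:-]*)([^>]*)>")


def make_nonce() -> str:
    """Server side: fresh, unguessable per-document nonce.
    Leading letter keeps the prefixed tag name matching TAG_RE."""
    return "n" + secrets.token_hex(16)


def randomize_markup(template_markup: str, nonce: str) -> str:
    """Server side: rename every tag in the trusted template to <nonce:tag>.
    Only static template markup passes through here, so values inserted
    later never receive the prefix."""
    return TAG_RE.sub(lambda m: f"<{m.group(1)}{nonce}:{m.group(2)}{m.group(3)}>",
                      template_markup)


def render(template: str, values: dict, nonce: str) -> str:
    """Randomize first, then substitute {{name}} placeholders with raw,
    deliberately unsanitized user values to model an XSS bug in the app."""
    document = randomize_markup(template, nonce)
    for name, value in values.items():
        document = document.replace("{{" + name + "}}", value)
    return document


def enforce(document: str, nonce: str) -> tuple[str, list[str]]:
    """Client side: a tag is trusted only if its name carries the nonce prefix.
    Trusted tags are restored to plain HTML; any other tag is untrusted,
    rendered as escaped text, and reported as a policy violation."""
    prefix = nonce + ":"
    violations: list[str] = []

    def check(m: re.Match) -> str:
        slash, name, attrs = m.groups()
        if name.startswith(prefix):
            return f"<{slash}{name[len(prefix):]}{attrs}>"
        violations.append(m.group(0))
        return html.escape(m.group(0))

    return TAG_RE.sub(check, document), violations


if __name__ == "__main__":
    nonce = make_nonce()
    page = render("<p>Hello, {{name}}</p>", {"name": "<script>alert(1)</script>"}, nonce)
    print(enforce(page, nonce))
```

Without the nonce an injected `<script>` is demoted to text; the client applies the check, so it holds even though the application itself never sanitized the value.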