Precise XSS detection and mitigation with Client-side Templates
Jose Carlos Pazos, Jean-Sebastien Legare, Ivan Beschastnikh, William Aiello

TL;DR
XSnare is a client-side Firefox extension that leverages HTML template knowledge and CVE data to detect and prevent XSS attacks, offering application-specific protection before patches are available.
Contribution
It introduces XSnare, a novel, application-specific XSS mitigation tool that uses publicly available CVE information to identify and block exploits in real-time.
Findings
XSnare protects against 94.2% of recent CVE-related XSS exploits.
The extension adds less than 10% page load time overhead for most popular sites.
XSnare is the first to use CVE data for application-specific XSS defense.
Abstract
We present XSnare, a fully client-side XSS solution, implemented as a Firefox extension. Our approach takes advantage of available previous knowledge of a web application's HTML template content, as well as the rich context available in the DOM to block XSS attacks. XSnare prevents XSS exploits by using a database of exploit descriptions, which are written with the help of previously recorded CVEs. CVEs for XSS are widely available and are one of the main ways to tackle zero-day exploits. XSnare effectively singles out potential injection points for exploits in the HTML and sanitizes content to prevent malicious payloads from appearing in the DOM. XSnare can protect application users before application developers release patches and before server operators apply them. We evaluated XSnare on 81 recent CVEs related to XSS attacks, and found that it defends against 94.2% of these…
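The abstract describes the core idea of pairing knowledge of a page's template with a known injection point so that only the untrusted region is sanitized. The snippet below is an added illustration of that idea in plain JavaScript, not code from XSnare or the paper; the signature format, the sink markers and the sample page are all constructed for the example.

```javascript
// Added illustration (not XSnare's code): a template-aware signature that
// isolates one known injection point and sanitizes only that region.
// The signature shape is an assumption; the paper's exploit-description
// format is not shown on this page.
const signature = {
  before: '<div class="comment-body">', // template markup preceding the sink
  after: '</div>',                       // template markup following the sink
  allowedTags: new Set(['b', 'i', 'p', 'br', 'a']),
};

// Keep only allow-listed tags and drop every attribute from them, so
// event-handler attributes and scriptable URLs never reach the DOM.
function sanitizeFragment(fragment, allowedTags) {
  return fragment.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g, (tag, name) => {
    const lower = name.toLowerCase();
    if (!allowedTags.has(lower)) return '';
    return tag.startsWith('</') ? `</${lower}>` : `<${lower}>`;
  });
}

// Walk the page, sanitize each sink region the template identifies, and
// leave everything outside those regions untouched. `hits` counts regions
// where sanitization changed content, which doubles as a detection signal.
function applySignature(html, sig) {
  let out = '';
  let hits = 0;
  let pos = 0;
  for (;;) {
    const start = html.indexOf(sig.before, pos);
    if (start === -1) break;
    const bodyStart = start + sig.before.length;
    const end = html.indexOf(sig.after, bodyStart);
    if (end === -1) break;
    const raw = html.slice(bodyStart, end);
    const clean = sanitizeFragment(raw, sig.allowedTags);
    if (clean !== raw) hits += 1;
    out += html.slice(pos, bodyStart) + clean;
    pos = end;
  }
  return { html: out + html.slice(pos), hits };
}

// Constructed sample page: one benign comment, one comment carrying an
// injected handler, and a legitimate site script outside any sink.
const samplePage =
  '<h1>Thread</h1>' +
  '<div class="comment-body">hello <b>world</b></div>' +
  '<div class="comment-body"><img src=x onerror="alert(1)">hi</div>' +
  '<script>/* site script, outside any sink, left alone */</script>';
```

Because the signature scopes the rewrite to the template's sink, the site's own script survives while the injected handler in the second comment is stripped.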
Taxonomy
Topics: Web Application Security Vulnerabilities · Security and Verification in Computing · Digital and Cyber Forensics
