Royal Holloway 2012: A framework for preventing cross-site scripting

Feature

Royal Holloway 2012: A framework for preventing cross-site scripting

2012 Royal Holloway thesis seriesCross-site scripting (XSS) has become hackers' favourite technique for attacking Web applications, and has been featured in attacks against some of the world’s most prominent websites. By using secure coding techniques, organisations can protect themselves against certain forms of XSS attacks, but hackers are constantly developing new ways of tricking websites into accepting malicious payloads or behaving in ways the sites' owners did not intend.

For his MSc thesis at Royal Holloway University of London (RHUL), Joseph Bugeja, under the supervision of lecturer Geraint Price, set out to explore not only how XSS is used by criminals to compromise systems, but also to develop a new set of techniques for preventing cross-site scripting attacks (.pdf) of all kinds.

Read the article

Download the article by Joseph Bugeja on preventing cross-site scripting attacks (.pdf).

Read the full thesis (.pdf).

In his article (.pdf) published on SearchSecurity.co.UK, Bugeja traces how XSS attacks started in 1996, exploiting simple vulnerabilities in websites, and describes how they have changed since to take full advantage of the new Web technologies.

Bugeja shows how XSS is used in different forms of attacks, and also talks about new types of attacks that are only now starting to appear in the wild. He concludes by proposing a pragmatic new framework that organisations could adopt in order to prevent XSS attacks.

The feature is one of six SearchSecurity.co.UK is publishing this year in collaboration with RHUL.


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

This was first published in June 2012

 

COMMENTS powered by Disqus  //  Commenting policy