Cross-site scripting (XSS) vulnerabilities are among the most common and serious web application vulnerabilities. Eliminating XSS is challenging because it is difficult for web applications to sanitize all user inputs appropriately. We present Noncespaces, a technique that enables web clients to distinguish between trusted and untrusted content to prevent exploitation of XSS vulnerabilities. Using Noncespaces, a web application randomizes the XML namespace prefixes of tags in each document before delivering it to the client. As long as the attacker is unable to predict the randomized prefixes, the client can distinguish between trusted content created by the web application and untrusted content provided by an attacker. To implement Noncespaces with minimal changes to web applications, we leverage a popular web application architecture to automatically apply Noncespaces to static content processed through a popular PHP template engine. We show that with simple policies Noncespaces thwarts popular XSS attack vectors.
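The following is an added, self-contained model of the mechanism the abstract describes; it is not code from the Noncespaces paper or its PHP implementation. The server side rewrites the tags of the application's own (trusted) template markup with a per-response random namespace prefix and inserts user-supplied data verbatim; the client side parses the result as XML, treats only elements in the root's nonce-bearing namespace as trusted, and applies a small policy to everything else. The namespace URI base, the whitelist policy, the rule that rejects namespace declarations below the root element, and the sample template and comments are assumptions made for this example, not details taken from the paper.

```python
import re
import secrets
import xml.etree.ElementTree as ET
from io import BytesIO

# Hypothetical namespace URI base (not from the paper). The nonce is appended, so the
# trusted namespace URI itself is unguessable, not only the prefix that names it.
TRUSTED_NS_BASE = "urn:x-noncespaces-example:trusted:"

# Example client-side policy for content in the default (untrusted) namespace:
# a small formatting whitelist; anything else, and any scripting attribute, is rejected.
UNTRUSTED_ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
URL_ATTRS = {"href", "src"}

TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)")


def new_nonce():
    """Fresh random prefix per response; must be a valid XML NCName, hence the leading letter."""
    return "n" + secrets.token_hex(8)


def prefix_static(fragment, nonce):
    """Rewrite every tag of a trusted template fragment to carry the random prefix."""
    return TAG_RE.sub(lambda m: f"<{m.group(1)}{nonce}:{m.group(2)}", fragment)


def render(template, values, nonce):
    """Server side. template is a list of ('static', markup) and ('var', name) parts:
    static parts are the application's own markup and get the prefix; var parts are
    untrusted user data inserted verbatim, deliberately unsanitized so that the
    client-side check carries the whole load."""
    parts = []
    for kind, payload in template:
        parts.append(prefix_static(payload, nonce) if kind == "static" else values[payload])
    body = "".join(parts)
    return f'<{nonce}:html xmlns:{nonce}="{TRUSTED_NS_BASE}{nonce}">{body}</{nonce}:html>'


def check_document(doc):
    """Client side. Returns (accepted, reasons). Elements in the root's namespace are
    trusted; everything else is untrusted and must satisfy the policy."""
    reasons = []
    root_ns = None
    try:
        for event, item in ET.iterparse(BytesIO(doc.encode("utf-8")), events=("start-ns", "start")):
            if event == "start-ns":
                # Only the root may bind prefixes; a later declaration is injected
                # content trying to bind its own prefix to some namespace.
                if root_ns is not None:
                    reasons.append(f"namespace declared below the root: xmlns:{item[0]}")
                continue
            elem = item
            if root_ns is None:
                if not elem.tag.startswith("{"):
                    reasons.append("root element is not namespaced")
                    break
                root_ns = elem.tag[1:elem.tag.index("}")]
                if not root_ns.startswith(TRUSTED_NS_BASE):
                    reasons.append(f"unexpected root namespace {root_ns}")
                continue
            if elem.tag.startswith("{" + root_ns + "}"):
                continue  # trusted: only the application knew the nonce when this was emitted
            local = elem.tag.rsplit("}", 1)[-1]
            if local not in UNTRUSTED_ALLOWED_TAGS:
                reasons.append(f"untrusted element <{local}> not allowed")
            for name, value in elem.attrib.items():
                if name.lower().startswith("on"):
                    reasons.append(f"untrusted event handler attribute {name}")
                elif name.lower() in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                    reasons.append(f"untrusted javascript: URL in {name}")
    except ET.ParseError as exc:
        # A guessed prefix that was never declared is an unbound prefix: not well-formed.
        reasons.append(f"not well-formed XML: {exc}")
    return (not reasons, reasons)


# Constructed sample template (the application's markup) and user-supplied comments.
SAMPLE_TEMPLATE = [
    ("static", '<body><h1>Comments</h1><div class="comment">'),
    ("var", "comment"),
    ("static", "<br/></div></body>"),
]

SAMPLE_COMMENTS = {
    "benign": "Nice <b>post</b>, thanks!",
    "script_tag": "<script>alert(1)</script>",
    "handler_attr": '<b onmouseover="alert(1)">hover me</b>',
    "js_url": '<a href="javascript:alert(1)">click</a>',
    "guessed_prefix": "<nabc:script>alert(1)</nabc:script>",
    "own_declaration": '<x:script xmlns:x="urn:x-noncespaces-example:trusted:guess">alert(1)</x:script>',
}


def run_demo(comments=SAMPLE_COMMENTS, template=SAMPLE_TEMPLATE):
    """Render each comment with a fresh nonce and return {name: accepted}."""
    results = {}
    for name, comment in comments.items():
        doc = render(template, {"comment": comment}, new_nonce())
        results[name] = check_document(doc)[0]
    return results


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name:16} {'accepted' if accepted else 'REJECTED'}")
```

Two points worth noting from running it. First, the attacker's data is never escaped on the server, yet every injected payload is rejected because the injected tags either lack the nonce (and so fall under the untrusted policy), use a guessed prefix that was never declared (so the document is not well-formed XML), or try to declare a namespace below the root (rejected outright). Second, the approach depends on the client parsing the document as XML rather than as lenient HTML; a tag-soup parser that silently repairs broken markup would not give the same guarantee.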