A Defensive Framework for Reflected XSS in Client-Side Applications

Cross-site scripting attack (XSS) is a common vulnerability that is exploited in modern web applications by entering advanced HTML tags and Java Script functions. An attacker could potentially use this vulnerability to steal users' sensitive information, hijack user sessions or rewrite whole website contents displaying fake login forms. This class of attacks affects the client -side of a web application and is a critical vulnerability that is difficult to both detect and remediate for websites, often leading to insufficient server -side protection, which is why the end-users need an extra layer of protection at the client-side. In this paper, we analyze the best-known client-side XSS filters, study their mechanisms, structures and mentioned the advantages and disadvantages of each filter. This paper presents a novel XSS filtering model based on filtering rules, XSSFilter, uses Regular Expression in Xpath to detect reflected content, which makes it more robust for web sites that employ custom input sanitizations. We provide a detailed experimental evaluation to compare the four filters with respect to their usability and protection.