Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

As user-generated content has become more popular online, websites have increasingly allowed users to customize, for example, their blog comments or posts to social-networking sites with HTML code. However, this also opens websites up to the risk of a type of attack known as cross-site scripting, which can allow attackers to steal information from users via a trusted site.

Next week, at the IEEE Symposium on Security and Privacy, in Oakland, CA, researchers from the University of Illinois at Chicago will present a new way to defend against cross-site scripting. The approach lets a website control how user-generated content is transmitted to a Web browser, potentially neutralizing cross-site scripting attacks before they can reach the intended victim.

Cross-site scripting involves getting a user’s browser to run an unauthorized script injected somewhere on the pages of an apparently trustworthy website. The script might let an attacker steal a user’s log-in credentials or other sensitive information.

“Cross-site scripting is the most prevalent vulnerability on the Internet,” says Jeremiah Grossman, founder and chief technology officer for White Hat Security, who was not involved in the research. “It’s kind of a cockroach out there in the industry.” Grossman says that newer websites are better equipped to defend against cross-site scripting, but there are still millions of vulnerable sites on the Internet. “We need alternatives to fixing the code,” he says.

The University of Illinois researchers developed a layer of software–called Blueprint–that Web developers can insert between user-generated pages and the browser. The researchers designed Blueprint to work with eight major browsers, which make up more than 96 percent of current market share, and tested the system against 94 types of cross-site scripting attacks taken from an Internet repository called the XSS Cheat Sheet. They found that it successfully prevented every attack on the list.

2 comments. Share your thoughts »

Credit: Technology Review

Tagged: Computing, web applications, browsers, cross-site scripting, web application security

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me