Title :
A robust defense against Content-Sniffing XSS attacks
Author :
Gebre, Misganaw Tadesse ; Lhee, Kyung-Suk ; Hong, Manpyo
Author_Institution :
Digital Vaccine & Immune Sys Lab., Ajou Univ., Suwon, South Korea
Abstract :
Many Web sites such as MySpace, Facebook and Twitter allow their users to upload files. However, when a Web site's Content-Sniffing algorithm differs from a browser's Content-Sniffing algorithm, an attacker can often mount a Content-Sniffing XSS attack on the visitor. That is, by carefully embedding HTML code containing malicious script into a non-HTML file and uploading this file to the Web site, an attacker can deceive the visitor's browser into treating the file as an HTML file and running the script. However, a Content-Sniffing XSS attack can be avoided if files uploaded to the server are checked for HTML code. In this paper we propose a server-side ingress filter that aims to protect vulnerable browsers which may treat non-HTML files as HTML files. Our filter examines user-uploaded files against a set of potentially dangerous HTML elements (a set of regular expressions). The results of our experiment show that the proposed automata-based scheme is highly efficient and more accurate than the existing signature-based approach.
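As an added illustration of the ingress filter the abstract describes (example code, not the paper's own implementation): a set of regular expressions for dangerous HTML constructs is compiled into one matcher and run over every uploaded file whose declared type is not HTML. The pattern list, the HTML_TYPES set and the sample GIF bytes are assumptions constructed for this example.

```python
import re
from typing import List, Tuple

# Assumed pattern set (constructed for this example): HTML constructs that
# would execute or load active content if a sniffing browser decided the
# uploaded file were HTML.
DANGEROUS_HTML = [
    rb"<script\b",
    rb"<iframe\b",
    rb"<object\b",
    rb"<embed\b",
    rb"<meta\b",
    rb"<link\b",
    rb"<[a-z][a-z0-9]*\b[^>]*\bon[a-z]+\s*=",  # any tag carrying an on* handler
    rb"javascript\s*:",
]

# Compile every signature into one alternation so the file is scanned in a
# single pass by one matcher instead of once per signature.
_SCANNER = re.compile(
    b"|".join(b"(?:" + p + b")" for p in DANGEROUS_HTML),
    re.IGNORECASE | re.DOTALL,
)

# Declared types for which HTML is expected, so the ingress filter does not apply.
HTML_TYPES = {"text/html", "application/xhtml+xml"}


def find_html_constructs(data: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, snippet) for each dangerous construct in the payload.
    The whole file is scanned, not only a sniffing prefix, because browsers
    differ in how many leading bytes they inspect."""
    return [(m.start(), m.group(0)[:40]) for m in _SCANNER.finditer(data)]


def accept_upload(data: bytes, declared_type: str) -> bool:
    """Ingress decision: reject a non-HTML upload that carries HTML constructs;
    declared HTML is left to the site's normal HTML sanitiser."""
    if declared_type.lower() in HTML_TYPES:
        return True
    return not find_html_constructs(data)


if __name__ == "__main__":
    # Constructed sample: a valid-looking GIF header followed by HTML in the body.
    disguised = b"GIF89a\x01\x00\x01\x00" + b"<ScRiPt>alert(1)</script>"
    print(find_html_constructs(disguised))  # [(10, b'<ScRiPt')]
    print(accept_upload(disguised, "image/gif"))  # False
    print(accept_upload(b"GIF89a\x01\x00\x01\x00;", "image/gif"))  # True
```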
Keywords :
automata theory; security of data; social networking (online); Facebook; HTML codes; MySpace; Twitter; Web sites; automata-based scheme; content-sniffing XSS attacks; content-sniffing algorithm; malicious script; Digital audio players; HTML; Head; Syntactics; World Wide Web;
Conference_Title :
Digital Content, Multimedia Technology and its Applications (IDC), 2010 6th International Conference on
Conference_Location :
Seoul
Print_ISBN :
978-1-4244-7607-7
Electronic_ISBN :
978-8-9886-7827-5