A Defensive Framework for Reflected XSS in Client-Side Applications


  • Khulud Fisal Alenzi Department of Information Technology, University of Tabuk, Kingdom of Saudi Arabia
  • Onytra Abbas Bashir Abbas Department of Computer Science, University of Tabuk, Kingdom of Saudi Arabia https://orcid.org/0000-0001-9272-6041




Cross-site scripting, XSS, XSS filters, filtering rules, XSSFilter


Cross-site scripting attack (XSS) is a common vulnerability that is exploited in modern web applications by entering advanced HTML tags and Java Script functions. An attacker could potentially use this vulnerability to steal users’ sensitive information, hijack user sessions or rewrite whole website contents displaying fake login forms. This class of attacks affects the client-side of a web application and is a critical vulnerability that is difficult to both detect and remediate for websites, often leading to insufficient server-side protection, which is why the end-users need an extra layer of protection at the client-side. In this paper, we analyze the best-known client-side XSS filters, study their mechanisms, structures and mentioned the advantages and disadvantages of each filter. This paper presents a novel XSS filtering model based on filtering rules, XSSFilter, uses Regular Expression in Xpath to detect reflected content, which makes it more robust for web sites that employ custom input sanitizations. We provide a detailed experimental evaluation to compare the four filters with respect to their usability and protection.


Download data is not yet available.

Author Biographies

Khulud Fisal Alenzi, Department of Information Technology, University of Tabuk, Kingdom of Saudi Arabia

Khulud Fisal Alenzi has received her BS and MSc degrees from University of Tabuk in 2015, 2020 respectively, College of Computers and Information Technology. Her major research interests include Cyber Security and Web Applications.

Onytra Abbas Bashir Abbas, Department of Computer Science, University of Tabuk, Kingdom of Saudi Arabia

Onytra Abbas Bashir Abbas received her PhD in AI (text summarization and caching in mobile web application) from Sudan University of Science and Technology, Sudan (SUST) 2012. She is currently Assistance Professor in the College of Computers and Information Technology, University of Tabuk. Her major research interests include Cyber Security, Machine Learning and Web applications.


Gupta, S. (2016). “XSS-immune: a Google chrome extension-based XSS defensive framework for contemporary platforms of web applications,” Secur. Commun. Networks, vol. 9, no. 17, pp. 3966–3986.

acunetix. (n.d.). https://www.acunetix.com/vulnerability-scanner/. Retrieved from acunetix.

al, B. e. (2010). Mozilla Developer Network. Recuperado el, 1. Bates. (2010).

Bates, D., Barth, A., and Jackson, C. (2010). Regular expressions considered harmful in client-side XSS filters. Paper presented at the Proceedings of the 19th international conference on World wide web.

Christey, S., and Martin, R. A. (2007). Vulnerability type distributions in CVE Mitre report. OWASP Foundation.

Grossman, J. (2007). Whitehat website security statistics report. WhiteHat Security.

Hydara, I., Sultan, A. M., Zulzalil, H., and Admodiasaso, A. (2015). Current state of research on cross-site scripting (XSS) – A systematic literature review. Information and Software Technology.

Internet. (2015). https://www.alexa.com/topsites. Retrieved April 2020, from Alexa.

Introducing Content Security Policy. (2013). Retrieved March 2020, from https://developer.mozilla.org/en/.

lxml. (n.d.). https://lxml.de/. Retrieved from lxml.

lxmlpath. (n.d.). https://lxml.de/xpathxslt.html. Retrieved from lxmlpath.

Maone, G. (2012). NoScript-JavaScript/Java/Flash blocker for a safer Firefox experience. In.

Mewara, B., Bairwa, S., and Gajrani, J. (2014). Browser’s defenses against reflected cross-site scripting attacks. Paper presented at the 2014 International Conference on Signal Propagation and Computer Technology (ICSPCT 2014).

Mozilla. (n.d.). https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept. Retrieved from Mozilla Developers.

Nava. (2010).

Nava, E. V., and Lindsay, D. (2009). Our favorite XSS filters/IDS and how to attack them. Black Hat USA.

Network. (2014).

OWASP, T. (2017). The Ten Most Critical Web Application Security Risks. OWASP Foundation.

Pelizz̀i. (2012).

Pelizzi, R., and Sekar, R. (2012). Protection, usability and improvements in reflected XSS filters. Paper presented at the proceedings of the 7th ACM Symposium on Information, Computer and Communications Security.

Rodríguez, G. E., Torres, J. G., Flores, P., and Benavides, D. E. (2020). Cross-site scripting (XSS) attacks and mitigation: A survey. Computer Networks.

Rodríguez, Torres, Flores, and Benavides. (2020).

Stock, B. (2014). “Precise client-side protection against DOM-based cross-site scripting,” in 23rd {USENIX} Security Symposium ({USENIX} Security 14), pp. 655–670.

testPHP. (n.d.). http://testphp.vulnweb.com. Retrieved from TestPHP.

Vigna, Jovanovic, Kirda, E., Kruegel, C., Vigna, G., and Jovanovic, N. (2006). 1Noxes: a client-side solution for mitigating cross-site scripting attacks. Paper presented at the Proceedings of the 2006 ACM symposium on Applied computing.

Vikne, A., and Ellingsen, P. (2018). Client-Side XSS Filtering in Firefox. In: SOFTENG.

Vogt, P., Nentwich, F., Jovanovic, N., and Kirda, E. (2007). Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. Paper presented at the NDSS.

vulnerability report. (2014). Retrieved March 2020, from https://www.infopoint-security.de/medien/cenzic-vulnerability-report-2014.pdf.

Wichers, D. (2013). OWASP TOP 10-2013. OWASP Foundation.





Secure web applications based on Moving Target Defense: challenges, solutions an