Watch What You Write: Preventing Cross-Site Scripting by Observing Program Output

msra(2008)

Abstract
We introduce a dynamic technique for defending web applications that would otherwise be vulnerable to cross-site scripting attacks. Our method is comprised of two phases: an attack-free training period where we capture the normal behavior of the application in the form of a set of likely program invariants, and an indefinite period of time spent in a potentially hostile environment where we check to make sure the application does not deviate from the normal behavior. We demonstrate that our approach is both effective at protecting vulnerable applications and capable of doing so without introducing a prohibitive amount of overhead. Our experiments suggest that this invariant-based technique is the most powerful and accurate automated mechanism for identifying and protecting against the widest range of cross-site scripting vulnerabilities.