Check whether your app has such a risk

To check whether your HTML5-based app is potentially vulnerable, please do the following:

  • Does your app receive data from any of the channels described in our paper? If so, do you have a filter that removes potential JavaScript code from that data?
  • Do you display the data coming from those channels? Which APIs do you use to display it? We have listed some safe and unsafe APIs in our paper; check whether the APIs you use are on the safe list or the unsafe list.

Use safe APIs to display information

If you need to display information coming from untrusted places, make sure you use safe JavaScript APIs to display it. Check the list in our paper.

  • The safe APIs mostly display the text as it is (for example, setting an element's textContent rather than its innerHTML), so any format tags in the data are also displayed as text rather than being used to format it. This is the tradeoff you are making. If that is not acceptable, you can try the filter approach.
  • If the APIs you want to use are on neither the safe list nor the unsafe list, look at their documentation and determine whether they can execute code embedded in the data being displayed. If you are not sure, test them by intentionally feeding some JavaScript code into the APIs and checking whether the code executes. You can use the sample code we provided in the paper. Note that we have listed two ways to inject JavaScript code; make sure you test both, because some APIs are safe against one method and unsafe against the other.

Apply filters

If, for some reason, you have to use unsafe APIs to display untrusted information, you need to apply filters to the data and remove any JavaScript code embedded in it. Writing such a filter is quite challenging. In our attacks we have only shown two ways to embed code in data; there are actually many more. See the OWASP XSS Filter Evasion Cheat Sheet for details.

We do not recommend writing your own filters. The best approach is to use an existing one. Here are some resources about filters:

  • OWASP AntiSamy Project: It's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc., that get persisted on the server.
  • OWASP Enterprise Security API (ESAPI) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. ESAPI also provides AntiSamy's functionality.
  • Coverity Security Library (CSL) is a lightweight set of escaping routines for fixing cross-site scripting (XSS), SQL injection, and other security defects in Java web applications.
  • xssprotect is a Java library for filtering XSS attacks from user input fields.
  • jsoup is a Java HTML parser library. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jQuery-like methods. It can also clean user-submitted content against a safe white-list, to prevent XSS attacks.

These filters are mostly intended for server-side web applications, not for HTML5-based mobile apps. We are still trying to find a good filter that can be used to defend against these attacks.
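The "display it as text" tradeoff described under safe APIs, and the filtering problem described in this section, can also be handled by escaping the data inside the app before it reaches an unsafe API: every markup character is encoded, so tags become visible text exactly as they do with the safe APIs, and no sanitizing filter is needed. The following is an added example written for this page, not code from our paper or from this project. It implements the HTML-body and attribute-value escaping rules from the OWASP XSS Prevention Cheat Sheet; the two probe strings (one for each of the two injection techniques the paper describes), the render helpers and the check function are constructed for the example, and the channel names in the comments are hypothetical.

```javascript
// Added example, not code from the paper or this project: escape untrusted
// data before it reaches an unsafe sink (innerHTML, document.write, jQuery's
// html(), ...) so the sink renders it as text. The escaping rules are the
// HTML-body and attribute-value rules from the OWASP XSS Prevention Cheat
// Sheet; the probe strings and the render helpers are constructed for this
// example. Runs in Node or in a browser with no dependencies.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Escape for element-content (HTML body) context. After this, the data can
// neither open a tag nor close the surrounding element.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// Escape for a quoted attribute-value context. Every character outside
// [A-Za-z0-9] becomes a numeric entity, so the value cannot break out of the
// attribute or smuggle in an event-handler attribute, whatever the quoting.
function escapeHtmlAttr(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/gu, (c) => {
    return '&#x' + c.codePointAt(0).toString(16).toUpperCase() + ';';
  });
}

// Constructed probe strings, one for each of the two injection techniques the
// paper describes: a <script> element, and an event handler on an injected
// element. In a browser, feed each one to the API under test; an alert means
// the API executed the embedded code. innerHTML, for instance, does not run
// the first probe but does fire the second, which is why both must be tried.
const PROBES = {
  scriptTag: '<script>alert("xss")</script>',
  eventHandler: '<img src=x onerror="alert(\'xss\')">',
};

// True if the string still carries characters that could open a tag or an
// attribute in an HTML sink, i.e. escaping has not neutralised it.
function containsMarkup(s) {
  return /[<>"']/.test(s);
}

// Hypothetical display helpers for an app that shows a value read from an
// untrusted channel (a Wi-Fi SSID, a contact name, a scanned barcode). The
// returned string is what the app would assign to element.innerHTML.
function renderAsText(untrusted) {
  return '<div class="item">' + escapeHtml(untrusted) + '</div>';
}
function renderInAttribute(untrusted) {
  return '<div title="' + escapeHtmlAttr(untrusted) + '">item</div>';
}

// Run both probes through both contexts and report whether any markup survived.
function checkProbes() {
  const report = {};
  for (const [name, payload] of Object.entries(PROBES)) {
    report[name] = {
      text: renderAsText(payload),
      attr: renderInAttribute(payload),
      textSafe: !containsMarkup(escapeHtml(payload)),
      attrSafe: !containsMarkup(escapeHtmlAttr(payload)),
    };
  }
  return report;
}

for (const [name, r] of Object.entries(checkProbes())) {
  console.log(name, 'text ok:', r.textSafe, 'attr ok:', r.attrSafe);
  console.log('  ', r.text);
}
```

Escaping is context-specific: these two functions cover only element content and quoted attribute values. A value placed into a URL attribute (href, src), a style attribute, or inside a script block needs the encoding for that context, and neither function helps when you deliberately want the data's own HTML markup to survive, which is the case that needs a sanitizing filter such as AntiSamy or jsoup.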

Detection and System-Wide Protection

In our research we are currently developing code-scanning tools that automatically detect whether an app is potentially vulnerable to the attack. Once the implementation is finished, we will make the tool available to everyone from this web site. Stay tuned.

We are also developing system-wide countermeasures to defeat the attack. We would like to build our solutions into frameworks such as PhoneGap, so that developers do not need to worry about the problem in their own apps. We will make recommendations to PhoneGap. Stay tuned.


  • Advisor: Kevin Du
  • Emir Demirdag
  • Diana Jackson
  • Xing Jin
  • Tongbo Luo
  • Nagesh Gautam Peri
  • Derek Tsui
  • Kailiang Ying

Technical Reports

News Coverage

Contact Us

Tel: (315) 443-9180
Address:
4-206 CST Building
Department of EECS
Syracuse University
Syracuse, NY 13244