Client-Side Detection of XSS Worms by Monitoring Payload Propagation
Source: Springer Science+Business Media
Cross-Site Scripting (XSS) vulnerabilities make it possible for worms to spread quickly to a broad range of users on popular Web sites. To date, the detection of XSS worms has been largely unexplored. This paper proposes the first purely client-side solution to detect XSS worms. The authors' insight is that an XSS worm must spread from one user to another by reconstructing and propagating its payload. Their approach prevents the propagation of XSS worms by monitoring outgoing requests that send self-replicating payloads. They intercept all HTTP requests on the client side and compare them with currently embedded scripts.
Date: Sep 2009
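
The check the abstract describes, comparing an intercepted outgoing request with the scripts currently embedded in the page, can be sketched as follows. This is an added example, not code from the paper: the trigram-containment measure, the 0.6 threshold, the function names and the sample data are all assumptions of this sketch.

```javascript
// Added example; trigram containment and the 0.6 threshold are assumptions.
// Peel repeated percent-encoding so an encoded payload compares as plain text.
function decodeFully(value) {
  let cur = value;
  for (let i = 0; i < 5; i++) {
    try { const next = decodeURIComponent(cur); if (next === cur) break; cur = next; }
    catch (e) { break; } // stray '%' that is not an escape
  }
  return cur;
}

// Case- and whitespace-insensitive set of character trigrams.
function trigrams(text) {
  const s = text.toLowerCase().replace(/\s+/g, '');
  const set = new Set();
  for (let i = 0; i + 3 <= s.length; i++) set.add(s.slice(i, i + 3));
  return set;
}
// Share of the smaller trigram set that also occurs in the larger one.
function containment(a, b) {
  const [small, large] = a.size <= b.size ? [a, b] : [b, a];
  let shared = 0;
  for (const t of small) if (large.has(t)) shared++;
  return small.size ? shared / small.size : 0;
}

// Report request parameters that closely match a script embedded in the page.
function findReplicatingParams(embeddedScripts, requestBody, threshold = 0.6) {
  const MIN_TRIGRAMS = 20; // skip values too short to judge
  const hits = [];
  for (const [param, raw] of new URLSearchParams(requestBody)) {
    const valueSet = trigrams(decodeFully(raw));
    if (valueSet.size < MIN_TRIGRAMS) continue;
    embeddedScripts.forEach((script, scriptIndex) => {
      const scriptSet = trigrams(script);
      if (scriptSet.size < MIN_TRIGRAMS) return;
      const score = containment(valueSet, scriptSet);
      if (score >= threshold) hits.push({ param, scriptIndex, score });
    });
  }
  return hits;
}
// Constructed sample data: the second script is an inert stand-in for injected code.
const embeddedScripts = [
  'function track(){ stats.push(location.pathname); }',
  'var marker = "demo-payload-0001"; render(marker); updateBanner(marker);',
];
const benignBody = 'about=' + encodeURIComponent('I like hiking and long train rides.') + '&csrf=ab12';
const replicatingBody = 'about=' + encodeURIComponent(encodeURIComponent('<script>' + embeddedScripts[1] + '</script>'));
console.log(findReplicatingParams(embeddedScripts, replicatingBody));
```

The doubly encoded `about` field is flagged against the second script, while the plain-text profile update and the short `csrf` token are not.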



