Research Article
WebMTD: Defeating Cross-Site Scripting Attacks Using Moving Target Defense
Table 3
Comparison of WebMTD vs. existing techniques against client-side code injections.
| Criteria | | BEEP | xJS | Noncespaces | ISR | CSP 1.0 | CSP 2.0 | WebMTD |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Effectiveness | External blocks | yes | yes | yes | - | yes | yes | yes |
| | Inline blocks | yes | yes | yes | - | prohibited | yes | yes |
| | Elements with event attributes | yes | yes | yes | - | prohibited | prohibited | yes |
| | Elements with JavaScript: URL | no | yes | yes | - | prohibited | prohibited | yes |
| Overhead | Deployment overhead | low | low | low | low | high | high | low |
| | Round-trip latency | low | medium | medium | high | low | low | low |
| | Execution overhead on browser | high | medium | medium | high | low | low | low |
| | Space overhead | low | low | low | low | low | low | low |
| Transparency | Browser modification? | yes | yes | yes | yes | yes | yes | no |
| | Developer involved? | no | no | yes | no | yes | yes | no |
| Backward Compatibility | Web browser | yes | no | yes | no | yes | yes | yes |
| | Web application | no | yes | no | yes | no | no | yes |