A Client-Side Solution for Mitigating Cross-Site Scripting Attacks


We are currently reengineering Noxes and fixing bugs. We would to eventually release the software are an open source project.

About Noxes

Web applications are becoming the dominant way to provide access to on-line services. At the same time, web application vulnerabilities are being discovered and disclosed at an alarming rate. Web applications often make use of JavaScript code that is embedded into web pages to support dynamic client-side behavior. This script code is executed in the context of the user's web browser. To protect the user's environment from malicious JavaScript code, a sand-boxing mechanism is used that limits a program to access only resources associated with its origin site. Unfortunately, these security mechanisms fail if a user can be lured into downloading malicious JavaScript code from an intermediate, trusted site. In this case, the malicious script is granted full access to all resources (e.g., authentication tokens and cookies) that belong to the trusted site. Such attacks are called cross-site scripting(XSS) attacks.

In general, XSS attacks are easy to execute, but difficult to detect and prevent. One reason is the high flexibility of HTML encoding schemes, offering the attacker many possibilities for circumventing server-side input filters that should prevent malicious scripts from being injected into trusted sites. Also, devising a client-side solution is not easy because of the difficulty of identifying JavaScript code as being malicious. Noxes is, to the best of our knowledge, the first client-side solution to mitigate cross-site scripting attacks. Noxes acts as a web proxy and uses both manual and automatically generated rules to mitigate possible cross-site scripting attempts. Noxes effectively protects against information leakage from the user's environment.

Documentation / Publications

Noxes is a research prototype. We do not provide a complete user guide (at least, not yet ;-)). Furthermore, the implementation of Noxes we provide on this site is a proof-of-concept implementation and not a product. Hence, there are known bugs and some functionality is missing. If you have any questions, feel free to contact the authors.

This paper gives a pretty good overview of the tool and describes how it works:

Engin Kirda, Christopher Kruegel, Giovanni Vigna, and Nenad Jovanovic, Noxes: A Client-Side Solution for Mitigating Cross Site Scripting Attacks, Security Track of the 21st ACM Symposium on Applied Computing (SAC 2006), Dijon, France, April 2006


  • Microsoft .NET Framework


    Noxes is not available for public download yet. If you want to have it, please send an e-mail to the authors.

    Running and using it

    Noxes is a Microsoft-Windows-based personal web firewall application that runs as a background service on the desktop of a user. The development of Noxes was inspired by Windows personal firewalls that are widely used on PCs and notebooks today. Popular examples of such firewalls are Tiny, ZoneAlarm, Kerio and Norton Personal Firewall.

    Typically, a personal firewall prompts the user for action if a connection request is detected that does not match the firewall rules. The user can then decide to block the connection, allow it, or create a permanent rule that specifies what should be done if such a request is detected again in the future.

    Although personal firewalls play an essential role in protecting users from a wide range of threats, they are ineffective against web-based client-side attacks, such as XSS attacks. This is because in a typical configuration, the personal firewall will allow the browser of the user to make outgoing connections to any IP address with the destination port of 80 (i.e., HTTP) or 443 (i.e., HTTPS). Therefore, an XSS attack that redirects a login form from a trusted web page to the attacker's server will not be blocked.

    Noxes provides an additional layer of protection that existing personal firewall do not support. The main idea is to allow the user to exert control over the connections that the browser is making just as personal firewalls allow a user to control the Internet connections received or originated by process running on the local machine.

    Noxes operates as a web proxy that fetches HTTP requests on behalf of the user's browser. Hence, all web connections of the browser pass through Noxes and can either be blocked or allowed based on the current security policy.

    Analogous to personal firewalls, Noxes allows the user to create filter rules (i.e., firewall rules) for web requests. There are three ways of creating rules:

    1. Manual creation. The user can open the rule database manually and enter a set of rules. When entering a rule, the user has the possibility of using wild cards and can choose to permit or deny requests matching the rule. For example, a permit rule like* allows all web requests sent to the domain, while a deny rule such as* blocks all requests to the "images" directory of the domain
    2. Firewall prompts. The user can interactively create a rule whenever a connection request is made that does not match any existing rule, in a way similar to what is provided by most personal firewalls. For example, if no rule exists for the request, the user is shown a dialog box to permit or deny the request. The user can also use a pop-up list for creating a rule from a list of possible general rules such as*, ** or **. In addition, the user can specify if the rule being created should be permanent or should just be active for the current browsing session only. Temporary rules are useful for web sites that the user does not expect to visit often. Hence, having temporary rules helps prevent the rule-base from growing too large and at the same reduces the number of prompts that the user will receive because of web requests to unknown web sites.
    3. Snapshot mode. The user can use the special snapshot mode integrated into Noxes to create a "browsing profile" and to automatically generate a set of permit rules. The user first starts by activating the snapshot mode and then starts surfing. When the snapshot mode is activated, Noxes tracks and collects the domains that have been visited by the browser. The user can then automatically generate permanent filter rules based on the list of domains collected during a specific session.
    Noxes also supports a special "XSS prevention technique" that we describe in our paper.


    Noxes is not available for public download yet. If you want to have it, please send an e-mail to the authors.


    We would like to thank Kishor Datar for pointing out a possible "echo" attack that would enable the attacker to by-pass Noxes. The problem should be fixed in the new release.


    Noxes was designed and written by Engin Kirda and Christopher Kruegel.

    Last Modified: Sat Feb 18 03:49:50 CET 2017

  • International Secure Systems Lab