An algorithm for Prevention and Detection of Cross Site Scripting Attacks
International Journal of Computer Science and Engineering |
© 2020 by SSRG - IJCSE Journal |
Volume 7 Issue 7 |
Year of Publication : 2020 |
Authors : Aqsa Afroz, Dr Mohsin Ali Memon, Salahuddin Saddar, Muhammad Haris Khan |
How to Cite?
Aqsa Afroz, Dr Mohsin Ali Memon, Salahuddin Saddar, Muhammad Haris Khan, "An algorithm for Prevention and Detection of Cross Site Scripting Attacks," SSRG International Journal of Computer Science and Engineering , vol. 7, no. 7, pp. 8-18, 2020. Crossref, https://doi.org/10.14445/23488387/IJCSE-V7I7P102
Abstract:
Currently, we live in an era of information and communication technology (ICT) in which humans are globally connected with each other through
Internet. With the advent of World Wide Web (WWW), Internet has enabled numerous useful applications for the benefit of people around the
world. These include online shopping, e-learning, internet banking, social interactions, etc. However, security of web applications has always remain a
major concern of its users in general and prevention from hacking attacks in particular. Although, an adversary might attack on web applications by
exploiting several hacking techniques, but in recent years Cross-Site Scripting (XSS) and Cross-site Request Forgery (XSRF) attacks has got significant attention from the researchers. According to Open Web Application Security Project (OWASP), XSS attack is amongst the top ten web application vulnerabilities (Mahindrakar, 2014; Cross-site Scripting, 2015). XSS might result in several types of threats, such as phishing, pop-up flooding, session hijacking, etc. The focus of this research is analysis, detection and/or prevention of XSS attacks. In contrast to earlier work on XSS attacks, this research provides a solution that is browser compatible and web development language independent. And our approach will provide zero code modification of already running web applications, equally beneficial for providing prevention to legacy systems.
Keywords:
Cross Site Scripting, Algorithm ,Scripting Attacks, Vulnerabilities, Prevention and Detection, SQL Injection, Security Misconfiguration, Maliciuos Attacks, Broken Authentication and Session Management, Cross Site Request forgery
References:
[1] A. S. Christensen, A. Mooler and M. I. Schwartzbach, “Precise analysis of string expression”, In proceedings of the 10th international static analysis symposium, LNCS, Springer-Verlag, vol. 2694, pp. 1-18. S
[2] Y. W Huang, F. Yu, C. Hang, C. H. Tsai, D. Lee and S. Y. Kuo, “Verifying Web Application using Bounded Model Checking,” In Proceedings of the International Conference on Dependable Systems and Networks.
[3] Cross-site Scripting (XSS). https://www.owasp.org/index.php/Crosssite_Scripting_(XSS)
[4] H. Liu, H.B.K. Tan (2009). “Covering Code Behavior on Input Validation in Functional Testing”. Information & Software Technology. Vol. 51,No. (02)
[5] H. Shahriar, M. Zulkernine (2009). “MUTEC: mutation-based testing of cross site scripting”. In Proceedings of the 5th International Workshop on Software Engineering for Secure Systems (SESS’09).
[6] I. Hydara, Abu Bakar Md. Sultan, Hazura Zulzalil, Novia Admodisastro (2015). “Current State of research on cross-site scripting (XSS) – A systematic literature review”, International Journal of Information & Software Technology, Vol. 58, Pages: 170-186.
[7] J.H. Hayes, A.J. Offutt (2006). “Input Validation Analysis and Testing”, Empirical Software Eng. Vol. 11 No. (04).
[8] L. Khin Shar, Hee Beng Kuan Tan (2012). “Automated removal of cross site scripting vulnerabilities in web applications”. Journal of Information & Software Technology, Vol. 54, No. (5). Pages: 467-478.
[9] Manisha S. Mahindrakar (2014), “Prevention to Crosssite Scripting Attacks: A Survey”. International Journal of Science and Research (IJSR), Vol. 3, Issue 7.
[10] T. Jim, N. Swamy, M. Hicks (2007). “Defeating Script Injection Attacks with Browser Enforced Embedded Policies (BEEP)”. In Proceedings of the 16th International Conference on World Wide Web.
[11] V. Nithya1, S. LakshmanaPandian and C. Malarvizhi (2015). “A Survey on Detection and Prevention of Cross-Site Scripting Attack”. International Journal of Security and Its Applications, Vol. 9, No. 3.
[12] David Scott and Richard Sharp (2002). “Abstracting Application-Level Web Security”. In Proceeding the 11th International World Wide Web Conference.
[13] Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, D.T. Lee and Sy-Yen Kuo (2004). “Securing Web Application Code by Static Analysis and Runtime Protection”. In Proceedings of the 13th International World Wide Web Conference.
[14] Yueqiang Cheng, Xuhua Ding, Robert H. Deng (2013). “AppShield: Protecting Applications Against Untrusted Operating System”. School of Information Systems, Singapore Management University.
[15] G. Wassermann and Z. Su (2008). “Static detection of cross-site Scripting vulnerabilities”. In Proceeding of the 30thInternational Conference on Software Engineering.
[16] Sanctum Inc. “Web Application Security Testing—AppScan” 3.5.http://www.sanctuminc.com
[17] SPI Dynamics (2003). “Web Application Security Assessment”. SPI Dynamics Whitepaper.
[18] Kavado, Inc (2003). InterDo Version 3.0. Kavado Whitepaper.
[19] E. Kirda, C. Kruegel, G. Vigna and N. Jovanovic (2006). “Noxes: A client-side solution for mitigating cross site scripting attacks”. In Proceedings of the 21stACM symposium on Applied computing, ACM pp. 330-337.
[20] N. Jovanovic, C. Kruegel and E. Kirda (2006). “Pixy: A static analysis tool for detecting web application vulnerabilities (short paper)”. In IEEE Symposium on Security and Privacy, Oakland, CA.
[21] MITRE. Common Vulnerabilities and Exposure List. http://cve.mitre.org.
[22] Sourceforge, Open source websiteW.
[23] Monali Sachin Kawalkar, Dr. P. K. Butey "An Approach for Detecting and Preventing SQL Injection and Cross Site Scripting Attacks using Query
sanitization with regular expression". International Journal of Computer Trends and Technology (IJCTT) V49(4), 2017.
[24] OWASP XSS Filter Evasion Cheat Sheet.
[25] https://www.owasp.org/index.php .