XSS-SAFE: A Server-Side Approach to Detect and Mitigate Cross-Site Scripting (XSS) Attacks in JavaScript Code

详细信息查看全文

作者：Shashank Gupta ; B. B. Gupta
关键词：Cross ; site scripting (XSS) ; Feature injection ; JavaScript code injection ; Same origin policy (SOP) ; Sanitization routine ; Script injection vulnerabilities
刊名：Arabian Journal for Science and Engineering
出版年：2016
出版时间：March 2016
年：2016
卷：41
期：3
页码：897-920
全文大小：3,052 KB
参考文献：1.Flanagan D.: JavaScript: The Definitive Guide, 4th edn. O’Reilly, Newton (2001)
2.MacDonald, M.; Szpuszta, M.: Pro ASP.NET 2.0 in C#,” 2005, 1st edn. Apress. ISBN 1-59059-496-7
3.Symantec Corporation. Symantec Global Internet Security Threat Report, vol. 19 (2014)
4.CERT/CC. Cert R _ advisory ca-2000-02 malicious html tags embedded in client web requests. [online]. http://www.cert.org/advisories/CA-2000-02.html (01/30/06), Feb 2000
5.Rager, A.: Xss-proxy. http://xss-proxy.sourceforge.net
6.Samy.: Technical explanation of the myspace worm. http://namb.la/popular/tech.html
7.Open Web Application Security Project (OWASP), http://www.owasp.org
8.Gupta, S.; Gupta, B.B.: PHP-sensor: a prototype method to discover workflow violation and XSS vulnerabilities in PHP web applications. In: Proceedings of the 12th ACM International Conference on Computing Frontiers (CF’15), Ischia, Italy (2015)
9.Gupta B.B., Gupta S., Gangwar S., Kumar M., Meena P.K.: Cross-site scripting (XSS) abuse and defense: exploitation on several testing bed environments and its defense. J. Inf. Priv. Sec. 11(2), 118–136 (2015)
10.Gupta, S.; Gupta, B.B.: Cross-site scripting (XSS) attacks and defense mechanisms: classification and state-of-the-art. Int. J. Syst. Assur. Eng. Manag. (2015). doi:10.1007/s13198-015-0376-0
11.Klein, A.: Cross site scripting explained. White Paper, Sanctum Security Group, http://crypto.stanford.edu/cs155/CSS.pdf , June 2002
12.Gupta, S.; Sharma, L., et al.: Prevention of cross-site scripting vulnerabilities using dynamic hash generation technique on the server side. Int. J. Adv. Comput. Res. 3, 49–54 (2012)
13.Gupta, S.; Sharma, L.: Exploitation of cross-site scripting (XSS) vulnerability on real world web applications and its defense. Int. J. Comput. Appl. 14, 28–33 (2012)
14.Gupta, S.; Gupta, B.B.: BDS: Browser Dependent XSS Sanitizer. Book on Cloud-Based Databases with Biometric Applications, IGI-Global’s Advances in Information Security, Privacy, and Ethics (AISPE) series, USA (2014)
15.Cross-Site Scripting (XSS) Attacks Information and Archive. http://xssed.com/
16.Netscape, Accessed from: http://isp.netscape.com/
17.ECMA Script, Accessed from http://www.ecmascript.org/docs.php
18.Sandboxing: https://developer.apple.com/app-sandboxing/
19.Mozilla Corporation. Same origin policy for JavaScript, https://developer.mozilla.org/En/Same origin policy for JavaScript
20.JAuction-0.3, http://sourceforge.net/projects/jauction/
21.Jvote, Accessed from http://sourceforge.net/projects/jspvote/
22.MeshCMS: http://cromoteca.com/en/meshcms/
23.Easy JSP Forum, http://sourceforge.net/projects/easyjspforum
24.Shaihriar, H.; Zulkernine, M.: S2XS2: a server side approach to automatically detect XSS attacks. In: Ninth International Conference on Dependable, Automatic Secure Computing, IEEE, 2011 pp. 7–17
25.Shahriar, H.; Zulkernine, M.: Injecting comments to detect javascript code injection attacks. In: Proceedings of the 6th IEEE Workshop on Security, Trust, and Privacy for Software Applications, Munich, Germany, July 2011, pp. 104–109
26.Cao, Y.; Yegneswaran, V.; Possas, P.; Chen.: Pathcutter: severing the self-propagation path of xssjavascript worms in social web networks. In: Proceedings of the 19th Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA (2012)
27.Chandra V.S., Selvakumar S.: Bixsan: browser independent XSS sanitizer for prevention of XSS attacks. ACM SIGSOFT Softw. Eng. Notes 36(5), 1 (2011)CrossRef
28.Rsnake. XSS Cheat Sheet. http://ha.ckers.org/xss.html (2008)
29.Saxena, P.; Hanna, S.; Poosankam, P.; Song, D.: FLAX: systematic discovery of client-side validation vulnerabilities in rich web applications. In: NDSS (2010)
30.Stamm, S.; Sterne, B.; Markham, G.: Reining in the web with content security policy. In: ACM Proceedings of the 19th International Conference on World Wide Web, WWW ’2010, New York, NY, USA, pp. 921–930
31.Wurzinger, P.; Platzer, C.; Ludl, C.; Kirda, E.; Kruegel, C.: SWAP: Mitigating XSS attacks using a reverse proxy. In: ICSE Workshop on Software Engineering for Secure Systems. IEEE Computer Society (2009)
32.Galan, E.; Alcaide, A.; Orfila, A.; Blasco, J.: A Multi-agent Scanner to Detect Stored—XSS Vulnerabilities? In: IEEE International Conference on Internet Technology and Secure Transactions (ICITST), June 2010, pp. 332–337
33.Gundy, M.V.; Chen, H.: Noncespaces: using randomization to enforce information flow tracking and thwart cross-site scripting attacks. In: Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb 8–11 (2009)
34.Agten, P.; Acker, S.V.; Brondsema, Y.; Phung, P.H.; Desmet, L.; Piessens, F.: Jsand: complete client-side sandboxing of third-party JavaScript without browser modifications. In: Zakon, R.H. (ed.) ACSAC. ACM, pp. 1–10 (2012)
35.Jflex—The Fast Scanner Generator for Java: http://www.jflex.de/
36.Java Parser Cup: http://www.cs.princeton.edu/~appel/modern/java/CUP/
37.Jericho HTML parser, Accessed from http://jericho.htmlparser.net/
38.Jsoup: Java HTML Parser: http://jsoup.org/
39.Rhino Parser, Accessed from http://www.mozilla.org/rhino
40.Rhino, Accessed from http://www.mozilla.org/rhino
作者单位：Shashank Gupta (1)
B. B. Gupta (1)

1. National Institute of Technology, Kurukshetra, India
刊物类别：Engineering
刊物主题：Engineering, general
Mathematics
Science, general
出版者：Springer Berlin / Heidelberg

文摘

Nowadays, Web applications are considered to be one of the most ubiquitous platforms for providing the information and service release over the World Wide Web, particularly those deployed in health care, banking, e-commerce operations, etc. Boom of social networking sites and modern Web applications that transfer dynamic information to the client-side Web browsers has increased the user-generated and feature-rich HTML content on the Internet. This enhanced HTML content includes a malicious attack vector for Web-related attacks. Cross-site scripting (XSS) attacks are presently the most exploited security problems in modern Web applications and activated by an attacker to utilize the vulnerabilities of the poorly written Web application source code. Users across all over the popular social networking Web sites are exposed to XSS attacks. These attacks are generally caused by the malicious scripts, which do not validate the user-injected input appropriately and exploit the vulnerabilities in the source code of the Web applications. It results in the loss of confidential information such as stealing of cookies, theft of passwords, and other private credentials. In this paper, we propose a robust framework known as XSS-SAFE (Cross-Site Scripting Secure Web Application FramEwork), which is a server-side automated framework for the detection and mitigation of XSS attacks. XSS-SAFE is designed based on the idea of injecting the features of JavaScript and introduced an idea of injecting the sanitization routines in the source code of JavaScript to detect and mitigate the malicious injected XSS attack vectors. We repeatedly inject the feature content, generate rules, and insert sanitization routines for the discovery of XSS attacks. We have evaluated our approach on five real-world JavaServer Pages (JSP) programs. The results indicate that XSS-SAFE detects and mitigates most of the previously known and unknown XSS attacks with minimum false positives, zero false-negative rate, and low runtime overhead.

地址：北京市海淀区学院路29号邮编：100083

电话：办公室：(+86 10)66554848；文献借阅、咨询服务、科技查新：66554700