XSS Defense: An Approach for Detecting and Preventing Cross Site Scripting Attacks
Web applications provide a wide range of services to their users in an easy and efficient manner. Over the past few years, web-based attacks have been increasing, and Cross Site Scripting (XSS) is one of the major attacks found in web applications. In 2013, OWASP (Open Web Application Security Project) ranked XSS third in its list of the top 10 attacks found in web applications. XSS attacks occur when an application takes untrusted data and sends it to the browser without proper validation or escaping. This can result in hijacking of user sessions, defacing websites, and redirecting users to malicious sites. This paper presents a new XSS defense approach based on the OWASP guidelines for the prevention of XSS attacks. In this approach an XSS checker inspects each parameter of the input for unauthorized characters and blocks offending requests on both the client side and the server side of a web application. A client-side check reduces runtime overhead, whereas a server-side check is more reliable, since an attack that alters the request on its way from client to server can only be detected on the server side; the server-side check, however, incurs runtime overhead. A combination of the two is therefore more robust: it can prevent most attacks while managing runtime overhead effectively. The approach was tested on a prototype. It was found to cover the major categories of XSS attacks, i.e. reflected and stored XSS, and to require no additional frameworks.
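The checker described above, written out as an added example that is not the paper's prototype code: one per-parameter check that can run in the browser (bound to form submission) and again on the server (over the raw query string), alongside the HTML entity encoding that the OWASP XSS Prevention Cheat Sheet's Rule #1 prescribes for the output side. The set of "unauthorized" characters, the function names and the sample query strings are assumptions made for this example; the paper does not specify them.

```javascript
// Added example (not from the paper): a per-parameter XSS checker of the kind
// the abstract describes, usable on both the client (form submit) and the
// server (request handler), plus OWASP-style HTML entity encoding for output.

// Characters the checker refuses in a parameter value. This is the set that
// OWASP XSS Prevention Rule #1 encodes in an HTML body context; treating them
// as "unauthorized" input is an assumption of this example, not the paper's list.
const UNAUTHORIZED = /[&<>"'\/]/;

// Entity map for OWASP Rule #1 (HTML element content).
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// True if a single parameter value contains an unauthorized character.
function hasUnauthorizedChars(value) {
  return UNAUTHORIZED.test(value);
}

// Check every parameter of a request. `params` is any iterable of
// [name, value] pairs (a URLSearchParams instance, FormData.entries(), or
// Object.entries(obj)). Returns the names of the offending parameters so the
// caller can block the request and log which field was attacked.
function checkParams(params) {
  const blocked = [];
  for (const [name, value] of params) {
    if (hasUnauthorizedChars(String(value))) blocked.push(name);
  }
  return { ok: blocked.length === 0, blocked };
}

// Server side: parse the raw query string and decide whether to reject it.
// URLSearchParams percent-decodes, so %3Cscript%3E is seen as <script>.
function checkQueryString(qs) {
  return checkParams(new URLSearchParams(qs));
}

// OWASP Rule #1: encode untrusted data before inserting it into HTML content.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c]);
}

// Server-side render of a search page: the reflected parameter is encoded, so
// even a value that slipped past the checker cannot become markup.
function renderSearchPage(qs) {
  const q = new URLSearchParams(qs).get('q') || '';
  return `<p>Results for: ${encodeForHtml(q)}</p>`;
}

// Client side: the same checker bound to every form on the page, so a bad
// parameter is blocked before the request leaves the browser. Guarded so the
// file also loads under Node for the server-side functions above.
if (typeof document !== 'undefined') {
  document.addEventListener('submit', (ev) => {
    const result = checkParams(new FormData(ev.target).entries());
    if (!result.ok) {
      ev.preventDefault();
      alert('Blocked: unauthorized characters in ' + result.blocked.join(', '));
    }
  });
}

// Constructed samples: a reflected-XSS attempt in the q parameter of a search
// form, and a benign search for comparison.
const SAMPLE_ATTACK = 'q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&page=1';
const SAMPLE_BENIGN = 'q=xss+defense&page=1';

// Stand-alone demonstration when run directly under Node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkQueryString(SAMPLE_ATTACK)); // { ok: false, blocked: ['q'] }
  console.log(checkQueryString(SAMPLE_BENIGN)); // { ok: true, blocked: [] }
  console.log(renderSearchPage(SAMPLE_ATTACK));
}
```

The client-side listener only saves the server a round trip; anyone with an intercepting proxy such as Burp Suite can resubmit the request without it, which is exactly why the abstract insists the server-side check is the reliable one. Note also that the character denylist addresses HTML-body injection only: data placed into an attribute, a JavaScript block or a URL needs the context-specific encoding of the cheat sheet's other rules, which is why `renderSearchPage` encodes at output regardless of what the checker decided.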
T. Jim, N. Swamy and M. Hicks, "Defending against Cross-Site Scripting Attacks with Browser-Enforced Embedded Policies," Proc. of the WWW, Banff, Alberta, May 2007, pp. 601-610.
Siddharth Tiwari, Richa Bansal, Divya Bansal, "Optimized Client Side Solution for Cross Site Scripting," IEEE 16th International Conference on Networks, December 2008, pp. 1-4.
M. T. Louw and V. N. Venkatakrishnan, "Blueprint: Robust Prevention of Cross-Site Scripting Attacks for Existing Browsers," Proc. 30th IEEE Symp. Security and Privacy (SP 09), IEEE CS, 2009, pp. 331-346.
E. Kirda et al., "Client-Side Cross-Site Scripting Protection," Computers & Security, 2009, pp. 592-604.
H. Shahriar and M. Zulkernine, "MUTEC: Mutation-Based Testing of Cross Site Scripting," Proc. 5th Int'l Workshop Software Eng. for Secure Systems (SESS 09), IEEE, 2009, pp. 47-53.
P. Wurzinger, C. Platzer, C. Ludl, E. Kirda and C. Kruegel, "SWAP: Mitigating XSS Attacks using Reverse Proxy," Proc. of the SESS, Vancouver, May 2009, pp. 33-39.
S. Stamm, B. Sterne and G. Markham, "Reining in the Web with Content Security Policy," Proc. of WWW, Raleigh, North Carolina, April 2010, pp. 921-930.
R. Putthacharoen and P. Bunyatnoparat, "Protecting Cookies from Cross Site Script Attacks Using Dynamic Cookies Rewriting Technique," Proc. of IEEE 13th International Conference on Advanced Communication Technology, Feb 2011, pp. 1090-1094.
Hossain Shahriar and Mohammad Zulkernine, "S2XS2: A Server Side Approach to Automatically Detect XSS Attacks," IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing, 2011.
Takeshi Matsuda, Daiki Koizumi and Michio Sonoda, "Cross Site Scripting Attacks Detection Algorithm Based on the Appearance Position of Characters," The 5th International Conference on Communications, Computers and Applications, Istanbul, Turkey, October 2012, pp. 65-70.
Open Web Application Security Project, Top 10, https://www.owasp.org/index.php/Top_10_2013-Top_10
Cross-site scripting, Wikipedia, http://en.wikipedia.org/wiki/Cross-site_scripting
Cross site scripting, Acunetix, http://www.acunetix.com/websitesecurity/cross-site-scripting/
XSS Prevention Rules by OWASP, https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
Burp Suite, http://portswigger.net/burp/