
XSS Defense: An Approach for Detecting and Preventing Cross Site Scripting Attacks

Neha Gupta

Abstract

Web applications provide a wide range of services to their users in an easy and efficient manner. Over the past few years, web-based attacks have been increasing. Cross-Site Scripting (XSS) is one of the major attacks found in web applications. In 2013, OWASP (Open Web Application Security Project) ranked XSS third in its list of the top 10 attacks found in web applications [11]. XSS attacks occur when an application takes untrusted data and sends it to the browser without proper validation or escaping. This can result in hijacking of user sessions, defacing of websites and redirection of users to malicious sites. This paper presents a new XSS defense approach based on the OWASP guidelines for preventing XSS attacks. In this approach an XSS checker inspects each parameter of the input for unauthorized characters and blocks them on both the client side and the server side of a web application. Client-side solutions reduce the run-time overhead, while server-side solutions are more reliable, since any attack injected while the request travels from client to server is detected only by the server-side check, at the cost of run-time overhead. A combination of both is therefore more robust, as it can prevent most attacks while managing run-time overhead effectively. The approach is tested on a prototype. It is found to cover the major categories of XSS attacks, i.e. reflected and stored, and requires no additional frameworks.
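The following is an added example, not code from the paper or its prototype, showing the server-side half of the approach described in the abstract: a checker that inspects every request parameter for unauthorized characters and blocks the request, combined with OWASP-style output escaping as a second line of defense. The paper does not publish its character list, so the example assumes the set of characters that the OWASP XSS Prevention Cheat Sheet (reference [14]) escapes for the HTML element body; the function names and the sample requests are constructed for this example.

```python
from typing import Dict, List

# Characters the OWASP XSS Prevention Cheat Sheet (Rule #1) says must be
# escaped before untrusted data is placed in an HTML element body.
# Treating them as the "unauthorized characters" the checker looks for is an
# assumption of this example; the paper does not publish its exact list.
UNAUTHORIZED_CHARS = frozenset('&<>"\'/')

# Entity replacements for the same characters, in the form OWASP recommends.
_ENTITY = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
}


def check_parameters(params: Dict[str, str]) -> Dict[str, List[str]]:
    """Server-side XSS checker: return, per parameter, the sorted list of
    unauthorized characters it contains. An empty dict means all clean."""
    findings: Dict[str, List[str]] = {}
    for name, value in params.items():
        bad = sorted({c for c in value if c in UNAUTHORIZED_CHARS})
        if bad:
            findings[name] = bad
    return findings


def escape_for_html_body(value: str) -> str:
    """OWASP Rule #1 escaping for data placed in an HTML element body:
    every character in UNAUTHORIZED_CHARS becomes its HTML entity."""
    return "".join(_ENTITY.get(c, c) for c in value)


def handle_request(params: Dict[str, str]) -> Dict[str, object]:
    """Model of the server-side check: block the request when the checker
    finds unauthorized characters, otherwise render the page. The rendered
    value is escaped anyway (defense in depth), so a value that slipped past
    the checker still cannot break out of its HTML context."""
    findings = check_parameters(params)
    if findings:
        return {"status": 400, "blocked": findings}
    name = escape_for_html_body(params.get("name", ""))
    return {"status": 200, "body": f"<p>Hello, {name}</p>"}


# Constructed sample requests (not from the paper): one clean, one carrying
# the textbook reflected-XSS probe, and one legitimate name containing an
# apostrophe, which a character blocklist rejects as a false positive.
SAMPLE_REQUESTS = [
    {"name": "alice", "comment": "Nice article"},
    {"name": "bob", "comment": "<script>alert(1)</script>"},
    {"name": "O'Brien", "comment": "ok"},
]


def run_samples() -> List[Dict[str, object]]:
    """Run the checker over the constructed requests and return the decisions."""
    return [handle_request(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, result in zip(SAMPLE_REQUESTS, run_samples()):
        print(req, "->", result)
```

The client-side half of the approach would mirror `check_parameters` in browser JavaScript before the form is submitted, which saves the round trip for obviously bad input but cannot be trusted on its own, since the request can be altered after it leaves the browser. The third sample shows the trade-off of a character blocklist: a legitimate value with an apostrophe is rejected, while `escape_for_html_body` would have rendered it safely, which is why OWASP treats contextual output escaping as the baseline and an input checker as a complement to it.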



References

[1] T. Jim, N. Swamy and M. Hicks, "Defending against Cross-Site Scripting Attacks with Browser-Enforced Embedded Policies," Proc. of the WWW, Banff, Alberta, May 2007, pp. 601-610.

[2] Siddharth Tiwari, Richa Bansal, Divya Bansal, "Optimized Client Side Solution for Cross Site Scripting," IEEE 16th International Conference on Networks, December 2008, pp. 1-4.

[3] M. T. Louw and V. N. Venkatakrishnan, "Blueprint: Robust Prevention of Cross-Site Scripting Attacks for Existing Browsers," Proc. 30th IEEE Symp. Security and Privacy (SP 09), IEEE CS, 2009, pp. 331-346.

[4] E. Kirda et al., "Client-Side Cross-Site Scripting Protection," Computers & Security; Proc. of 21st ACM Symposium on Applied Computing, Oct. 2009, pp. 592-604.

[5] H. Shahriar and M. Zulkernine, "MUTEC: Mutation-Based Testing of Cross Site Scripting," Proc. 5th Int'l Workshop Software Eng. for Secure Systems (SESS 09), IEEE, 2009, pp. 47-53.

[6] P. Wurzinger, C. Platzer, C. Ludl, E. Kirda and C. Kruegel, "SWAP: Mitigating XSS Attacks using Reverse Proxy," Proc. of the SESS, Vancouver, May 2009, pp. 33-39.

[7] S. Stamm, B. Sterne and G. Markham, "Reining in the Web with Content Security Policy," Proc. of WWW, Raleigh, North Carolina, April 2010, pp. 921-930.

[8] R. Putthacharoen and P. Bunyatnoparat, "Protecting Cookies from Cross Site Script Attacks Using Dynamic Cookies Rewriting Technique," Proc. of IEEE 13th International Conference on Advanced Communication Technology, Feb 2011, pp. 1090-1094.

[9] Hossain Shahriar and Mohammad Zulkernine, "S2XS2: A Server Side Approach to Automatically Detect XSS Attacks," IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing, 2011.

[10] Takeshi Matsuda, Daiki Koizumi and Michio Sonoda, "Cross Site Scripting Attacks Detection Algorithm Based on the Appearance Position of Characters," The 5th International Conference on Communications, Computers and Applications, Istanbul, Turkey, October 2012, pp. 65-70.

[11] Open Web Application Security Project, Top 10, https://www.owasp.org/index.php/Top_10_2013-Top_10

[12] Cross-site scripting, Wikipedia, http://en.wikipedia.org/wiki/Cross-site_scripting

[13] Cross site scripting, Acunetix, http://www.acunetix.com/websitesecurity/cross-site-scripting/

[14] XSS Prevention Rules by OWASP, https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

[15] Burp Suite, http://portswigger.net/burp/

[16] Chi-square test of independence, http://stattrek.com/chi-square-test/independence

DOI: http://dx.doi.org/10.6084/ijact.v4i3.93


Copyright (c) 2015 COMPUSOFT "An International Journal of Advanced Computer Technology"