Study of Cross-Site Scripting Attacks and Their Countermeasures
1. INTRODUCTION
With the ubiquity of the information superhighway, i.e. the Internet, organizations are serving people with their business on the web. However, because business owners place greater emphasis on their business logic, they pay little attention to the vulnerabilities and security hazards of their websites. Web security describes the guidelines used to block threats and reduce web attacks. An attack may be feasible because of various types of flaws and bugs in the code. According to the Ponemon Institute Live Threat Intelligence Impact Report 2013, if actionable intelligence about cyber attacks is available only 60 seconds beforehand, the average cost of an exploit could be reduced to 40 percent [1]. That is, if we have an appropriate method to handle an attack at the very first step, the cost of the damage caused by that attack can be greatly reduced.
Inadequate authorization and sanitization of the data given by the web server is what gives rise to XSS attacks. XSS is an attack on the privacy of the customers of a specific website, made possible by accepting injected inputs that contain HTML tags and JavaScript code. According to the OWASP (Open Web Application Security Project) 2013 release, cross-site scripting is one of the major attacks performed [2]. The Cenzic Application Vulnerability Trends Report 2013 states that XSS attacks alone make up 26% of the top 10 attacks [3].
www.ijcat.com
2. WEB APPLICATION ARCHITECTURE
[Figure: web server]
+ request.getParameter(name)); %>
(Example of poorly written code on the web server, saved as test.jsp)
3. CROSS-SITE SCRIPTING ATTACKS
In this section, XSS attacks and their types are discussed in detail. An XSS attack is one of the most common web application attacks used by hackers to sneak into web applications. In XSS, the attacker embeds a malicious script into a website. Whenever a user's browser runs this code, the attacker can make the browser do whatever the attacker wants. XSS attacks occur whenever an application takes untrusted data and sends it to the web browser without proper validation and sanitization [5]. So in XSS attacks three parties
Output:
Case2: Attacker
<HTML>
<BODY>
Welcome <script>alert ("Attacked") </script>
</BODY>
</HTML>
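The Case 2 output above, reproduced next to an output-encoded version, as an added example that is not code from the paper. It assumes the page concatenates the request parameter after "Welcome ", as the output suggests; the class and method names are hypothetical.

```java
// Added illustration: the welcome page with and without output encoding.
public class WelcomePage {
    // Mirrors the poorly written page: the parameter is concatenated into the HTML as-is.
    static String renderUnsafe(String name) {
        return "<HTML>\n<BODY>\nWelcome " + name + "\n</BODY>\n</HTML>";
    }

    // Encodes the characters that let text break out of an HTML body or attribute value.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Same page, but the untrusted value is encoded before it reaches the response.
    static String renderEscaped(String name) {
        String safe = escapeHtml(name == null ? "" : name);
        return "<HTML>\n<BODY>\nWelcome " + safe + "\n</BODY>\n</HTML>";
    }

    public static void main(String[] args) {
        // Case 2 value as shown in the output on the page.
        String attackerInput = "<script>alert (\"Attacked\") </script>";
        System.out.println(renderUnsafe(attackerInput));   // script element reaches the browser
        System.out.println(renderEscaped(attackerInput));  // same text arrives as inert characters
    }
}
```

This encoding is correct for HTML body and quoted-attribute contexts only; values placed inside script blocks, URLs or CSS need the encoding for that context.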
4. RELATED WORK
Johns et al. have proposed a passive detection system to identify successful XSS attacks [5]. It uses two different approaches based on generic observations of XSS attacks and web applications. A reflected attack is detected by request/response matching, which is based on the direct relationship between the input data and the injected scripts. The input parameters and the scripts found in the final HTML are converted into a non-ambiguous representation by removing all encodings, and the matching is done by constructing a DFA for each input parameter. For stored attacks, it adopts generic XSS detection using a list of known scripts: a training-based XSS detector matches the list of all outgoing scripts against the detector's known list. The weakness of this system is that it uses different implementation schemes for the two types of XSS, which increases the overhead. It only detects already existing attacks, and it produces false positives.
A static analysis for finding XSS vulnerabilities that directly addresses weak or absent input validation is demonstrated by Wassermann & Su [7]. The approach integrates work on tainted information flow with string analysis. The proposal has two parts: (1) an adapted string analysis to track untrusted substring values, and (2) a check for untrusted scripts based on formal language techniques. String-taint analysis not only represents the set of string values a program may create, it also defines the formal language representation with labels that indicate which substrings come from untrusted sources. The second phase of the method enforces the policy that generated web pages include no untrusted scripts. It has several disadvantages: the tool produces false positives, and it failed to resolve certain alias relationships between variables whose values are used for dynamic features. It failed to detect DOM-based XSS. The string analysis-based tool could not handle arbitrarily complex and dynamic code.
Wurzinger et al. [8] introduced a tool known as SWAP (Secure Web Application Proxy), a server-side solution for discovering and preventing cross-site scripting attacks. SWAP contains a reverse proxy that intercepts all HTML responses, and it makes use of a modified Web browser to detect script content. SWAP contains a JavaScript detection component,
5. PROPOSED APPROACH
Cross-site scripting is one of the most dangerous and common attacks found in web applications. This survey presents a study of the current techniques against XSS attacks. These techniques suffer from the following weaknesses:
Built-in limitations
Partial implementations
Complicated framework
Developers' ability
Run-time overhead
False positives and false negatives
Insecure channel between the web server and web browser
Response delay
Additional infrastructure
Cost of deployment
Do not prevent DOM-based attacks
Our proposed system will try to remove almost all of these weaknesses. It will include a two-tier approach: one tier for detecting persistent and non-persistent XSS attacks, and a second for prevention of DOM-based XSS attacks. For the first tier we will implement our script guard logic in the controller part of the server's MVC2 architecture. The controller receives all requests from the clients and forwards those requests to the respective pages. The controller receives the parameters sent by the client and scans these parameter values for suspected XSS attacks. These values are matched against sets of expressions, where every expression match means an attack. In case of an attack, the request does not go beyond the controller and the client is redirected back to the page from which the request was made. For the second tier, the prevention of DOM-based attacks, we will have a small piece of JavaScript code (the DOM attack detector script) which is sent to the client with every response. This code acts only on the client side and will prevent any sort of DOM-based XSS attack. Thus, our proposed work will detect all types of XSS attacks. Although it will have a small performance overhead, it will have a minimal response delay. It needs no additional infrastructure and does not have a complex framework.
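One way the first-tier parameter scan could look, as an added sketch that is not the authors' implementation. The class name, the expression set and the bounded decoding step are assumptions, and the request maps in `main` are constructed samples.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.Pattern;

// Added sketch of the first-tier script guard; class name and patterns are assumptions.
public class ScriptGuard {
    // Illustrative expression set: a match on any canonicalized value counts as an attack.
    private static final List<Pattern> EXPRESSIONS = List.of(
        Pattern.compile("<\\s*/?\\s*script\\b", Pattern.CASE_INSENSITIVE),
        Pattern.compile("\\bon(load|error|click|mouseover|focus)\\s*=", Pattern.CASE_INSENSITIVE),
        Pattern.compile("javascript\\s*:", Pattern.CASE_INSENSITIVE),
        Pattern.compile("<\\s*(iframe|object|embed)\\b", Pattern.CASE_INSENSITIVE));

    // Undo nested percent-encoding and a few HTML entities so encoded input is still matched.
    static String canonicalize(String value) {
        String current = value;
        for (int i = 0; i < 3; i++) {                 // bounded number of decode passes
            String next = current;
            try {
                next = URLDecoder.decode(current, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) { /* malformed % sequence: keep text */ }
            next = next.replace("&lt;", "<").replace("&gt;", ">").replace("&amp;", "&");
            if (next.equals(current)) break;
            current = next;
        }
        return current;
    }

    // True when the canonical form of one parameter value matches any expression.
    static boolean isAttack(String raw) {
        String canon = canonicalize(raw);
        return EXPRESSIONS.stream().anyMatch(p -> p.matcher(canon).find());
    }

    // Names of the parameters that carry at least one matching value.
    static List<String> suspectParameters(Map<String, String[]> params) {
        List<String> hits = new ArrayList<>();
        params.forEach((name, values) -> {
            if (Arrays.stream(values).anyMatch(ScriptGuard::isAttack)) hits.add(name);
        });
        return hits;
    }

    public static void main(String[] args) {
        // Constructed requests shaped like HttpServletRequest.getParameterMap().
        Map<String, String[]> benign = Map.of("name", new String[] {"Alice"});
        Map<String, String[]> attack = Map.of("name",
            new String[] {"%253Cscript%253Ealert(%2522Attacked%2522)%253C/script%253E"});
        for (Map<String, String[]> req : List.of(benign, attack)) {
            List<String> hits = suspectParameters(req);
            System.out.println(hits.isEmpty() ? "forward" : "redirect back, flagged " + hits);
        }
    }
}
```

Expression matching of this kind inherits the false positives and false negatives listed among the weaknesses above, so it is best paired with output encoding in the pages the controller forwards to.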
6. CONCLUSION
The XSS attack is one of the most common and dangerous web application attacks, and it can reveal information about a user or a company profile. This paper presented what XSS attacks are, what their types are, and the previous approaches for prevention of these attacks with their limitations. Then we showed our proposed approach and how it is better.
Many industries are employing web services for their benefit on the World Wide Web, but to relieve themselves of the additional cost, they do not invest in the security of the websites they create. Eventually this harms the users and the company too. With the expansion of web applications, there is an urgent need for a comprehensive and coherent structure for the unified prevention of XSS and other important web application attacks.
7. REFERENCES
[1] http://www.ponemon.org/blog/live-threatintelligence-impact-report-2013-1
[2] https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
[3] http://info.cenzic.com/rs/cenzic/images/CenzicApplication-Vulnerability-Trends-Report2013.pdf
[4] Jeom-Goo Kim, Injection Attack Detection using the Removal of SQL Query Attribute Values, IEEE, pp. 1-7, 2011.
[5] Martin Johns, Björn Engelmann, Joachim Posegga, XSSDS: Server-side Detection of Cross-site Scripting Attacks, Annual Computer Security Applications Conference, IEEE, pp. 335-344, 2008.
[6] http://en.wikipedia.org/wiki/Cross-site_scripting
[7] Gary Wassermann, Zhendong Su, Static detection of cross-site scripting vulnerabilities, ACM/IEEE 30th International Conference on Software Engineering, ICSE '08, pp. 171-180, 2008.
[8] Peter Wurzinger, Christian Platzer, Christian Ludl, Engin Kirda, and Christopher Kruegel, SWAP: Mitigating XSS Attacks using a Reverse Proxy, ICSE Workshop on Software Engineering for Secure Systems, IEEE, pp. 3339, 2009.
[9] Qinglin Wu, Yanzhong Hu, Yan Wang, Unit Testing and Action-Level Security Solution of Struts Web Applications Based on MVC, International Conference on Biomedical Engineering and Computer Science, IEEE, pp. 14, 2010.