Web Abuse Using Cross Site Scripting (XSS) Attacks
In today's world, most applications use the World Wide Web (WWW) for information processing and transaction management. The popularity of the web has eased global outreach and accessibility for users around the globe. As web traffic has scaled up, however, the abuse of applications through malicious HTML-based attacks has increased as well; one such attack is cross-site scripting (XSS). This attack poses a serious threat to web applications and online databases that may hold sensitive user data. Although other web attacks such as SQL injection, CSRF, phishing and session hijacking are also common, XSS tops the list of techniques preferred by attackers to exploit web resources for malicious activities. In this paper, we give an overview of XSS attacks and their different types. We also discuss code-level prevention techniques, including robust defense mechanisms. The paper further discusses related work by researchers on mitigation scenarios and prevention techniques.
Keywords: XSS, SQL, WWW, CSRF
Cite this Article
Mohd Umar John, Junaid Latief Shah, Gazi Imtiyaz Ahmad. Web Abuse Using Cross Site Scripting (XSS) Attacks. Journal of Artificial Intelligence Research & Advances. 2019; 6(1): 69–75p.