
Server-side Cross-site Scripting Detection Powered by HTML Semantic Parsing Inspired by XSS Auditor

Chrisando Ryan Pardomuan, Aditya Kurniawan, Mohamad Yusof Darus, Muhammad Azizi Mohd Ariffin and Yohan Muliono

Pertanika Journal of Science & Technology, Volume 31, Issue 3, April 2023

DOI: https://doi.org/10.47836/pjst.31.3.14

Keywords: Cross-site scripting, injection attack, server-side detection, web application security

Published on: 7 April 2023

Cross-site Scripting (XSS) attacks have been a perennial threat to web applications for many years. Conventional practices to prevent XSS attacks revolve around secure programming and client-side prevention techniques. However, client-side preventions are still prone to bypasses because the inspection is done in the user's browser, so an adversary can study the inspection algorithm to craft bypasses or even manipulate the victim into turning off the security measures. This decreases the effectiveness of the protection and leaves many web applications vulnerable to XSS attacks. We believe that XSS Auditor, which was built into the Google Chrome browser for more than 9 years, is a sound approach to combating and preventing XSS attacks. Hence, in this paper, we propose a novel approach to thoroughly identify two types of XSS attack through a server-side filter implementation. Our proposed approach follows the original XSS Auditor mechanism implemented in Google Chrome. However, instead of placing the detection system on the client side, we design a detection mechanism that inspects HTTP requests and responses, as well as database responses, for possible XSS attacks on the server side. Of the 500 payloads used to evaluate the proposed method, 442 were classified correctly, showing that the proposed method reaches 88.4% accuracy. This work shows that the proposed approach is very promising in protecting users from devastating XSS attacks.
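To make the mechanism concrete, the following Python script is an added illustration written for this page; it is not the authors' implementation and not the code of Chrome's XSS Auditor. It reproduces the core idea the abstract describes: the HTML response is parsed semantically (with Python's `html.parser`, not regular expressions) to extract every executable fragment (inline scripts, external script URLs, event-handler attributes, `javascript:` URLs), and each fragment is then checked against a list of "sources". For reflected XSS the sources are the decoded request parameters; for stored XSS the same function can be fed the values returned by the database, which is how one server-side check covers both attack types. The whitespace-insensitive normalisation, the `MIN_FRAGMENT_LEN` threshold and the sample request and response strings are assumptions made for this example.

```python
"""Server-side, XSS Auditor-style reflected/stored XSS detector (illustrative example).

Assumption: a fragment that executes in the response and also appears verbatim
(modulo whitespace and case) in an untrusted source (request parameter or
database field) is treated as injected. This mirrors the XSS Auditor design
of matching script content against the request rather than pattern-matching
on "bad" substrings.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs

MIN_FRAGMENT_LEN = 6  # assumption: ignore tiny fragments that would match by chance
URL_ATTRS = {"href", "src", "action", "formaction", "data"}


class ScriptExtractor(HTMLParser):
    """Collect every executable fragment found while parsing an HTML response."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.fragments = []      # list of (kind, text)
        self._script_buf = None  # accumulates text inside an open <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script_buf = []
        for name, value in attrs:
            if value is None:
                continue
            if tag == "script" and name == "src":
                self.fragments.append(("script-src", value))
            elif name.startswith("on"):                      # onload, onerror, ...
                self.fragments.append(("event-handler", value))
            elif name in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                self.fragments.append(("javascript-url", value))

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            text = "".join(self._script_buf).strip()
            if text:
                self.fragments.append(("inline-script", text))
            self._script_buf = None


def normalize(text):
    """Whitespace-insensitive, case-insensitive form used for matching."""
    return "".join(text.split()).lower()


def request_values(query_string):
    """Decoded parameter values of a query string or form body: the reflected-XSS sources."""
    return [v for vals in parse_qs(query_string, keep_blank_values=True).values() for v in vals]


def audit(sources, response_html):
    """Return the (kind, fragment) pairs in response_html that originate from an untrusted source.

    sources: request parameter values (reflected XSS) or database field values (stored XSS).
    """
    extractor = ScriptExtractor()
    extractor.feed(response_html)
    extractor.close()
    norm_sources = [normalize(s) for s in sources]
    hits = []
    for kind, fragment in extractor.fragments:
        norm = normalize(fragment)
        if len(norm) >= MIN_FRAGMENT_LEN and any(norm in s for s in norm_sources):
            hits.append((kind, fragment))
    return hits


if __name__ == "__main__":
    # Constructed samples: a search page that reflects a parameter, and a comment page
    # rendering a value read back from the database.
    reflected = audit(request_values("q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
                      "<p>You searched for <script>alert(1)</script></p>")
    stored = audit(["<img src=x onerror=alert(document.cookie)>"],
                   '<div class="comment"><img src=x onerror=alert(document.cookie)></div>')
    benign = audit(request_values("q=bob"), "<script>initPage({user:'bob'})</script>")
    print("reflected:", reflected)
    print("stored:   ", stored)
    print("benign:   ", benign)
```

Because the check is a containment test between parsed script content and the untrusted input, a legitimate inline script that merely mentions a user-supplied word (the `benign` case) is not flagged, while an injected script or handler is. The same design choice also explains the residual misclassifications such an approach admits: payloads that are transformed between request and response (encoded, split across parameters, or assembled from several fields) will not match verbatim, which is one reason a filter like this is a detection layer and not a substitute for output encoding.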
