Chrisando Ryan Pardomuan, Aditya Kurniawan, Mohamad Yusof Darus, Muhammad Azizi Mohd Ariffin and Yohan Muliono
Pertanika Journal of Science & Technology, Volume 31, Issue 3, April 2023
Keywords: Cross-site scripting, injection attack, server-side detection, web application security
Published on: 7 April 2023
Cross-site Scripting attacks have been a perennial threat to web applications for many years. Conventional practices to prevent cross-site scripting attacks revolve around secure programming and client-side prevention techniques. However, client-side preventions are still prone to bypasses as the inspection is done on the user’s browser, so an adversary can alter the inspection algorithm to come up with the bypasses or even manipulate the victim to turn off the security measures. This decreases the effectiveness of the protection and leads to many web applications are still vulnerable to cross-site scripting attacks. We believe that XSS Auditor, which was pre-installed in Google Chrome browser for more than 9 years, is a great approach in combating and preventing XSS attacks. Hence, in this paper, we proposed a novel approach to thoroughly identify two types of cross-site scripting attacks through server-side filter implementation. Our proposed approach follows the original XSS Auditor mechanism implemented in Google Chrome. However, instead of placing the detection system on the client side, we design a detection mechanism that checks HTTP requests and responses as well as database responses for possible XSS attacks from the server side. From 500 payloads used to evaluate the proposed method, 442 payloads were classified correctly, thus showing that the proposed method was able to reach 88.4% accuracy. This work showed that the proposed approach is very promising in protecting users from devastating Cross-site Scripting attacks.
Abaimov, S., & Bianchi, G. (2019). CODDLE: Code-injection detection with deep learning. IEEE Access, 7, 128617-128627. https://doi.org/10.1109/ACCESS.2019.2939870
Bates, D., Barth, A., & Jackson, C. (2010). Regular expressions considered harmful in client-side XSS filters. In Proceedings of the 19th International Conference on World Wide Web (pp. 91-100). ACM Publishing. https://doi.org/10.1145/1772690.1772701
Cui, Y., Cui, J., & Hu, J. (2020). A survey on XSS attack detection and prevention in web applications. In Proceedings of the 2020 12th International Conference on Machine Learning and Computing (pp. 443-449). ACM Publishing. https://doi.org/10.1145/3383972.3384027
Gan, J. M., Ling, H. Y., & Leau, Y. B. (2020). A Review on detection of cross-site scripting attacks (XSS) in web security. In M. Anbar, N. Abdullah, & S. Manickam (Eds.), International Conference on Advances in Cyber Security (Vol. 1347, pp. 685-709). Springer. https://doi.org/10.1007/978-981-33-6835-4_45
Giménez, C. T., Villegas, A. P., & Marañón, G. Á. (2010). HTTP data set CSIC 2010. Information Security Institute of CSIC (Spanish Research National Council). https://www.tic.itefi.csic.es/dataset/
Jabiyev, B., Sprecher, S., Onarlioglu, K., & Kirda, E. (2021). T-Reqs: HTTP request smuggling with differential fuzzing. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (pp. 1805-1820). ACM Publishing. https://doi.org/10.1145/3460120.3485384
Khazal, I. F., & Hussain, M. A. (2021). Server side method to detect and prevent stored XSS attack. Iraqi Journal for Electrical & Electronic Engineering, 17(2), 58-65. https://doi.org/10.37917/ijeee.17.2.8
Liu, M., Zhang, B., Chen, W., & Zhang, X. (2019). A survey of exploitation and detection methods of XSS vulnerabilities. IEEE Access, 7, 182004-182016. https://doi.org/10.1109/ACCESS.2019.2960449
Rodríguez, G. E., Torres, J. G., Flores, P., & Benavides, D. E. (2020). Cross-site scripting (XSS) attacks and mitigation: A survey. Computer Networks, 166, Article 106960. https://doi.org/10.1016/j.comnet.2019.106960
Swiat. (2008). IE 8 XSS filter architecture/implementation. Microsoft. https://msrc.microsoft.com/blog/2008/08/ie-8-xss-filter-architecture-implementation/
Sarmah, U., Bhattacharyya, D. K., & Kalita, J. K. (2018). A survey of detection methods for XSS attacks. Journal of Network and Computer Applications, 118, 113-143. https://doi.org/10.1016/j.jnca.2018.06.004
Satish, P. S., & Chavan, R. K. (2017). Web browser security: Different attacks detection and prevention techniques. International Journal of Computer Applications, 170(9), 35-41.
Shar, L. K., & Tan, H. B. K. (2011). Defending against cross-site scripting attacks. Computer, 45(3), 55-62. https://doi.org/10.1109/MC.2011.261
Stock, B., Lekies, S., Mueller, T., Spiegel, P., & Johns, M. (2014). Precise client-side protection against DOM-based cross-site scripting. In 23rd USENIX Security Symposium (pp. 655-670). USENIX Association.
Vartouni, A. M., Kashi, S. S., & Teshnehlab, M. (2018). An anomaly detection method to detect web attacks using stacked auto-encoder. In 2018 6th Iranian Joint Congress on Fuzzy and Intelligent Systems (CFIS) (pp. 131-134). IEEE Publishing. https://doi.org/10.1109/CFIS.2018.8336654
Wichers, D., & Williams, J. (2017). OWASP top 10 - 2017. OWASP Foundation. https://owasp.org/www-pdf-archive/OWASP_Top_10-2017_%28en%29.pdf.pdf
The Chromium Projects. (2019). XXX Auditor. https://www.chromium.org/developers/design-documents/xss-auditor
Yavanoglu, O., & Aydos, M. (2017). A review on cyber security datasets for machine learning algorithms. In 2017 IEEE International Conference on Big Data (Big Data) (pp. 2186-2193). IEEE Publishing. https://doi.org/10.1109/BigData.2017.8258167
Share this article