Abstract
When faced with cross-site scripting (XSS) attacks, it is difficult to counter all malicious inputs such that they are rendered completely harmless. In such situations, the introduction of a whitelist-based XSS countermeasure is considered to be an effective and robust approach. However, as the behavior of current web applications is complex, it is difficult to theoretically generate the necessary and sufficient whitelists. To this end, we propose an examination-based approach for whitelist generation instead of a theory-based one. We focus on software tests that are always performed during the final stage of the development process and establish a method to automatically generate whitelists that are consistent with the specifications of each web application. By adding the function for whitelist generation on a web application’s test tool, a whitelist can be generated without changing the development process of a conventional web application. We implement our proposed method and evaluate its effectiveness.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
jQuery: http://jquery.com/. Accessed 05 Dec 2017
Blog Tool, Publishing Platform, and CMS – WordPress. https://wordpress.org/. Accessed 05 Dec 2017
Meier, J.D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., Murukan, A.: Web application security fundamentals (2013). https://msdn.microsoft.com/en-us/library/ff648636.aspx. Accessed 28 Dec 2017
Lord, B.: All about the onMouseOver incident (2010). https://blog.twitter.com/official/en_us/a/2010/all-about-the-onmouseover-incident.html. Accessed 28 Dec 2017
Selenium - Web Browser Automation. https://www.seleniumhq.org/. Accessed 05 Dec 2017
Jim, T., Swamy, N., Hicks, M.: Defeating script injection attacks with browser-enforced embedded policies. In: Proceedings of the 16th International Conference on World Wide Web, pp. 601–610. ACM (2007)
Meyerovich, L.A., Livshits, B.: Conscript: specifying and enforcing fine-grained security policies for javascript in the browser. In: 2010 IEEE Symposium on Security and Privacy (SP), pp. 481–496. IEEE (2010)
Stamm, S., Sterne, B., Markham, G.: Reining in the web with content security policy. In: Proceedings of the 19th International Conference on World Wide Web, pp. 921–930. ACM (2010)
Kakuta, T., Ohtori, T., Fujii, Y., Taniguchi, N.: A detection method of malware infections based on graylists. IPSJ SIG Technical Reports, 2014-CSEC-66-16, pp. 1–7 (2014). (in Japanese)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Inoue, K., Honda, T., Mukaiyama, K., Ohki, T., Nishigaki, M. (2019). Automatic Examination-Based Whitelist Generation for XSS Attack Detection. In: Barolli, L., Leu, FY., Enokido, T., Chen, HC. (eds) Advances on Broadband and Wireless Computing, Communication and Applications. BWCCA 2018. Lecture Notes on Data Engineering and Communications Technologies, vol 25. Springer, Cham. https://doi.org/10.1007/978-3-030-02613-4_29
Download citation
DOI: https://doi.org/10.1007/978-3-030-02613-4_29
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-02612-7
Online ISBN: 978-3-030-02613-4
eBook Packages: EngineeringEngineering (R0)