Abstract
Cross-Site Scripting (XSS) attacks are a type of injection vulnerability in modern Web applications that is exploited by injecting JavaScript code. A variety of defensive techniques now exist to protect web applications against XSS injection, but XSS still cannot be fully detected when the injected JavaScript looks benign: a call to an existing method, or an override of an existing method definition. Moreover, the present server-side XSS detection systems rely on modifying the source code of the supervised application. In this project, we developed a server-side XSS detection approach based on script feature analysis, which permits the detection of a wide range of injected scripts, both malicious scripts and injected scripts that resemble the page's legitimate ones, without any modification of the application source code. Our approach is evaluated on three web applications. The experimental results show that our approach detects a wide range of XSS attacks.
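The abstract's central point is that an injected script which only calls, or only redefines, a function the page already ships slips past token blacklists, whereas comparing the scripts in a response against the feature profile of the expected scripts catches it. The Python below is an added illustration of that idea and is not the paper's implementation: the page template, the identifier-level features (function definitions and call names), the ordered matching against a baseline rendering and the small token blacklist are all constructed assumptions made for this example.

```python
"""Added example: feature-profile XSS detection over server responses.

Not the paper's code. The page template, feature definition, ordered
matching and blacklist are constructed assumptions for illustration.
"""
import re
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collects the bodies of inline <script> elements in document order."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def extract_scripts(html):
    """Return the inline script bodies of a page, in order."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return [s.strip() for s in p.scripts]


# Function definitions: `function name(` or `name = function`.
DEF_RE = re.compile(r"\bfunction\s+([A-Za-z_$][\w$]*)\s*\(|\b([A-Za-z_$][\w$.]*)\s*=\s*function\b")
# Call sites: `name(` or `obj.method(`; keywords that precede `(` are filtered out.
CALL_RE = re.compile(r"\b([A-Za-z_$][\w$.]*)\s*\(")
KEYWORDS = {"if", "for", "while", "switch", "catch", "return", "function", "typeof", "new"}


def script_features(js):
    """Feature set of one script: which functions it defines and which it calls.

    Literal arguments are deliberately ignored, so per-user renderings that
    differ only in values (showProfile(1) vs showProfile(42)) share a profile.
    """
    defined = {m.group(1) or m.group(2) for m in DEF_RE.finditer(js)}
    body = DEF_RE.sub(" ", js)  # drop definition headers so they are not counted as calls
    called = {m.group(1) for m in CALL_RE.finditer(body)} - KEYWORDS
    return frozenset({("def", n) for n in defined} | {("call", n) for n in called})


def build_profile(baseline_html):
    """Ordered list of expected per-script feature sets, learned from a known-good rendering."""
    return [script_features(s) for s in extract_scripts(baseline_html)]


def naive_blacklist(js):
    """Token blacklist of the kind the abstract says look-alike injections slip past."""
    return any(t in js for t in ("alert(", "eval(", "document.cookie", "<script"))


def detect(response_html, expected):
    """One finding per inline script that is not the next expected legitimate script."""
    known_defs = {n for feats in expected for kind, n in feats if kind == "def"}
    known_names = {n for feats in expected for _, n in feats}
    findings, ptr = [], 0
    for idx, js in enumerate(extract_scripts(response_html)):
        feats = script_features(js)
        if ptr < len(expected) and feats == expected[ptr]:
            ptr += 1  # the next legitimate script, in its expected position
            continue
        overrides = sorted(n for kind, n in feats if kind == "def" and n in known_defs)
        unknown = sorted(n for kind, n in feats if kind == "call" and n not in known_names)
        if overrides:
            reason = "redefines page function(s): " + ", ".join(overrides)
        elif unknown:
            reason = "calls identifier(s) absent from the baseline: " + ", ".join(unknown)
        else:
            reason = "unexpected script built only from the page's own identifiers (mimics a legitimate script)"
        findings.append({"script_index": idx, "reason": reason, "blacklist_hit": naive_blacklist(js)})
    if ptr < len(expected):
        findings.append({"script_index": None, "reason": f"{len(expected) - ptr} expected script(s) missing",
                         "blacklist_hit": False})
    return findings


def render(user_id, injected=""):
    """Constructed page: two legitimate inline scripts plus an area echoing stored user content."""
    return f"""<html><body>
<script>
function showProfile(id) {{ document.getElementById("p").textContent = "user " + id; }}
function logout() {{ location.assign("/logout"); }}
</script>
<p id="p"></p>
<div id="comments">{injected}</div>
<script>showProfile({user_id});</script>
</body></html>"""


if __name__ == "__main__":
    profile = build_profile(render(user_id=1))
    cases = [("clean rendering for another user", ""),
             ("call to an existing function", "<script>logout();</script>"),
             ("override of an existing function", "<script>function logout() { showProfile(0); }</script>"),
             ("conventional probe", "<script>alert(1)</script>")]
    for label, injected in cases:
        print(f"{label}: {detect(render(42, injected), profile)}")
```

The clean rendering for user 42 produces no finding even though its second script carries a different literal than the baseline, because features abstract over argument values. The two look-alike injections produce no blacklist hit but are flagged by the profile comparison, once as a redefinition of a page function and once as an unexpected script composed only of identifiers the page already uses. The granularity is the limitation: an injected script whose feature set and position coincide exactly with a legitimate script cannot be told apart at this level, and pages whose legitimate script set varies by route need a baseline per route.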
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this paper
Lalia, S., Sarah, A. (2018). XSS Attack Detection Approach Based on Scripts Features Analysis. In: Rocha, Á., Adeli, H., Reis, L., Costanzo, S. (eds) Trends and Advances in Information Systems and Technologies. WorldCIST'18 2018. Advances in Intelligent Systems and Computing, vol 746. Springer, Cham. https://doi.org/10.1007/978-3-319-77712-2_19
DOI: https://doi.org/10.1007/978-3-319-77712-2_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-77711-5
Online ISBN: 978-3-319-77712-2
eBook Packages: Engineering (R0)