A Survey on Detection Techniques to Prevent Cross-Site Scripting Attacks on Current Web Applications

  • Joaquin Garcia-Alfaro
  • Guillermo Navarro-Arribas
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5141)


Security is becoming one of the major concerns for web applications and other Internet based services, which are becoming pervasive in all kinds of business models, organizations, and so on. Moreover, critical systems such as those related to health care, banking, or even emergency response, are relying on such applications and services. Web applications must therefore include, in addition to the expected value offered to their users, reliable mechanisms to ensure their security. In this paper, we focus on the specific problem of preventing crosssite scripting attacks against web applications. We present a study of this kind of attacks, and survey current approaches for their prevention. Applicability and limitations of each proposal are also discussed.


Network Security Software Protection Injection Attacks 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Alcorna, W.: Cross-site scripting viruses and worms – a new attack vector. Journal of Network Security 2006(7), 7–8 (2006)CrossRefGoogle Scholar
  2. 2.
    Amit, Y.: XSS vulnerabilities in (November 2005),
  3. 3.
    Anupam, V., Mayer, A.: Secure Web scripting. IEEE Journal of Internet Computing 2(6), 46–55 (1998)CrossRefGoogle Scholar
  4. 4.
    Ashcraft, K., Engler, D.: Using programmer-written compiler extensions to catch security holes. In: IEEE Symposium on Security and Privacy, pp. 143–159 (2002)Google Scholar
  5. 5.
    Cary, C., Wen, H.J., Mahatanankoon, P.: A viable solution to enterprise development and systems integration: a case study of web services implementation. International Journal of Management and Enterprise Development 1(2), 164–175 (2004)CrossRefGoogle Scholar
  6. 6.
    Crane, D., Pascarello, E., James, D.: Ajax in Action. Manning Publications (2005)Google Scholar
  7. 7.
    Forrest, S., Hofmeyr, A., Somayaji, A., Longstaff, T.: A sense of self for unix processes. In: IEEE Symposium on Security and Privacy, pp. 120–129 (1996)Google Scholar
  8. 8.
    Google. Docs & Spreadsheets,
  9. 9.
    Google. Orkut: Internet social network service,
  10. 10.
    Grossman, J., Hansen, R., Petkov, P., Rager, A., Fogie, S.: Cross site scripting attacks: XSS Exploits and defense. In: Syngress. Elsevier, Amsterdam (2007)Google Scholar
  11. 11.
    Hallaraker, O., Vigna, G.: Detecting Malicious JavaScript Code in Mozilla. In: 10th IEEE International Conference on Engineering of Complex Computer Systems (ICECCS 2005), pp. 85–94 (2005)Google Scholar
  12. 12.
    Hansen, R.: Cross Site Scripting Vulnerability in Google (July 2006),
  13. 13.
    Hansen, R.: XSS cheat sheet for filter evasion,
  14. 14.
    Howard, M., LeBlanc, D.: Writing secure code, 2nd edn. Microsoft Press, Redmond (2003)Google Scholar
  15. 15.
    Ismail, O., Etoh, M., Kadobayashi, Y., Yamaguchi, S.: A Proposal and Implementation of Automatic Detection/Collection System for Cross-Site Scripting Vulnerability. In: 18th Int. Conf. on Advanced Information Networking and Applications (AINA 2004) (2004)Google Scholar
  16. 16.
    Jagatic, T., Johnson, N., Jakobsson, M., Menczer, F.: Social Phishing. Communications of the ACM (to appear)Google Scholar
  17. 17.
    Jim, T., Swamy, N., Hicks, M.: Defeating Script Injection Attacks with Browser-Enforced Embedded Policies. International World Wide Web Conferencem, WWW 2007 (May 2007)Google Scholar
  18. 18.
    Jovanovic, N., Kruegel, C., Kirda, E.: Precise alias analysis for static detection of web application vulnerabilities. In: 2006 Workshop on Programming Languages and Analysis for Security, USA, pp. 27–36 (2006)Google Scholar
  19. 19.
    Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N.N.: A client-side solution for mitigating cross-site scripting attacks. In: 21st ACM Symposium on Applied Computing (2006)Google Scholar
  20. 20.
    Larson, E., Austin, T.: High coverage detection of input-related security faults. In: 12 USENIX Security Simposium, pp. 121–136 (2003)Google Scholar
  21. 21.
    Livshits, B., Erlingsson, U.: Using web application construction frameworks to protect against code injection attacks. In: 2007 workshop on Programming languages and analysis for security, pp. 95–104 (2007)Google Scholar
  22. 22.
    Microsoft. HotMail: The World’s FREE Web-based E-mail,
  23. 23.
    MySpace. Online Community,
  24. 24.
    Mutton, P.: PayPal Security Flaw allows Identity Theft (June 2006),
  25. 25.
    Mutton, P.: PayPal XSS Exploit available for two years? (July 2006),
  26. 26.
    Nguyen-Tuong, A., Guarnieri, S., Green, D., Shirley, J., Evans, D.: Automatically hardering web applications using precise tainting. 20th IFIP International Information Security Conference (2005)Google Scholar
  27. 27.
    Obscure. Bypassing JavaScript Filters – the Flash! Attack (2002),
  28. 28.
    PayPal Inc. PayPal Web Site,
  29. 29.
    Pietraszeck, T., Vanden-Berghe, C.: Defending against injection attacks through context-sensitive string evaluation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 124–145. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  30. 30.
  31. 31.
    Samy. Technical explanation of The MySpace Worm,
  32. 32.
    Sethumadhavan, R.: Orkut Vulnerabilities,
  33. 33.
    Scott, D., Sharp, R.: Abstracting application-level web security. In: 11th Internation Conference on the World Wide Web, pp. 396–407 (2002)Google Scholar
  34. 34.
    Su, Z., Wasserman, G.: The essence of command injections attacks in web applications. In: 33rd ACM Symposium on Principles of Programming Languages, pp. 372–382 (2006)Google Scholar
  35. 35.
    Web Services Security: Key Industry Standards and Emerging Specifications Used for Securing Web Services. White Paper, Computer Associates (2005)Google Scholar
  36. 36.
    Wikimedia Project. Wikipedia: The Free Encyclopedia,
  37. 37.
    Wordpress. Blog Tool and Weblog Platform,
  38. 38.
    Xie, Y., Aiken, A.: Static detection of security vulnerabilities in scripting languages. In: 15th USENIX Security Symposium (2006)Google Scholar
  39. 39.
    Slemko, M.: Microsoft Passport to Trouble,

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Joaquin Garcia-Alfaro
    • 1
  • Guillermo Navarro-Arribas
    • 2
  1. 1.Universitat Oberta de CatalunyaBarcelonaSpain
  2. 2.Universitat Autònoma de Barcelona, Edifici QBellaterraSpain

Personalised recommendations