Evaluation of Open Source Server-Side XSS Protection Solutions

  • Conference paper
Information and Software Technologies (ICIST 2013)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 403)

Abstract

Protection against XSS attacks is an indispensable part of building reliable online systems. XSS attacks can be used for a variety of malicious actions, including the theft of sensitive information. Protection may be implemented both on the user's computer and on the server side. In this work we analyze server-side protection solutions. Such solutions must provide an appropriate level of security while not considerably increasing page response time. The aim of this paper is to determine the most effective and safe free tools for protecting against XSS attacks in web pages built with PHP, ASP.NET and Java technologies.


Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

Cite this paper

Ceponis, J., Ceponiene, L., Venckauskas, A., Mockus, D. (2013). Evaluation of Open Source Server-Side XSS Protection Solutions. In: Skersys, T., Butleris, R., Butkiene, R. (eds) Information and Software Technologies. ICIST 2013. Communications in Computer and Information Science, vol 403. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41947-8_29

  • DOI: https://doi.org/10.1007/978-3-642-41947-8_29

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41946-1

  • Online ISBN: 978-3-642-41947-8

  • eBook Packages: Computer Science, Computer Science (R0)