Evaluation of Open Source Server-Side XSS Protection Solutions

  • Jonas Ceponis
  • Lina Ceponiene
  • Algimantas Venckauskas
  • Dainius Mockus
Part of the Communications in Computer and Information Science book series (CCIS, volume 403)

Abstract

Web protection against XSS attacks is an indispensable tool for implementing reliable online systems. XSS attacks can be used for various malicious actions and for stealing important information. Protection may be implemented both on the user's computer and on the server side. In this work we have analyzed the server-side protection solutions. These solutions must ensure an appropriate level of security and at the same time should not considerably increase page response time. The aim of this paper is to determine the most effective and safe free tools for protection against XSS attacks for web pages created using PHP, ASP.NET and Java technologies.

Keywords

XSS attacks, server-side protection, response time

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Jonas Ceponis (1)
  • Lina Ceponiene (2)
  • Algimantas Venckauskas (1)
  • Dainius Mockus (1)
  1. Computer Department, Kaunas University of Technology, Kaunas, Lithuania
  2. Information System Department, Kaunas University of Technology, Kaunas, Lithuania
