DOI: 10.1145/3383972.3384027
Research article

A Survey on XSS Attack Detection and Prevention in Web Applications

Published: 26 May 2020

Abstract

With the popularity of web technology, web applications have become increasingly vulnerable and exposed to malicious attacks. Cross Site Scripting (XSS) is a typical attack on web applications. When a vulnerability is exploited, an attacker may perform session hijacking, cookie stealing, malicious redirection and malware spreading. It is therefore essential to detect and defend against XSS attacks. In this paper, we focus on XSS attacks and introduce their injection, detection and prevention. First, we introduce the attack principle of the different types of XSS; we then investigate and introduce existing XSS detection and defense methods. In addition, we compare the existing XSS detection and defense methods. Finally, we discuss existing issues and estimate future research trends.




Published In

ICMLC '20: Proceedings of the 2020 12th International Conference on Machine Learning and Computing
February 2020
607 pages
ISBN:9781450376426
DOI:10.1145/3383972
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

  • Shenzhen University

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Cross Site Script
  2. Injection Attack
  3. Software Security
  4. Web Vulnerabilities
  5. XSS

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ICMLC 2020

Article Metrics

  • Downloads (last 12 months): 178
  • Downloads (last 6 weeks): 27

Reflects downloads up to 10 Dec 2024

Cited By

  • (2024) "A Deep Learning Approach to Detect Cross-Site Scripting Attack as a Web Application Firewall", 2024 International Conference on Information Technology and Computing (ICITCOM), pp. 93-98, doi:10.1109/ICITCOM62788.2024.10762471, online publication date: 7 Aug 2024
  • (2024) "Personal data filtering: a systematic literature review comparing the effectiveness of XSS attacks in web applications vs cookie stealing", Annals of Telecommunications, vol. 79, no. 11-12, pp. 763-802, doi:10.1007/s12243-024-01022-8, online publication date: 18 Apr 2024
  • (2023) "Server-side Cross-site Scripting Detection Powered by HTML Semantic Parsing Inspired by XSS Auditor", Pertanika Journal of Science and Technology, vol. 31, no. 3, pp. 1353-1377, doi:10.47836/pjst.31.3.14, online publication date: 31 Mar 2023
  • (2023) "Security Analysis of Web Open-Source Projects Based on Java and PHP", Electronics, vol. 12, no. 12, article 2618, doi:10.3390/electronics12122618, online publication date: 10 Jun 2023
  • (2023) "Intelligent Systems for XSS attack detection: A brief survey", 2023 International Wireless Communications and Mobile Computing (IWCMC), pp. 910-916, doi:10.1109/IWCMC58020.2023.10182407, online publication date: 19 Jun 2023
  • (2023) "Research on Software Security Based on DVWA", 2023 IEEE 3rd International Conference on Electronic Technology, Communication and Information (ICETCI), pp. 38-42, doi:10.1109/ICETCI57876.2023.10176481, online publication date: 26 May 2023
  • (2023) "Detection of SQL Injection and Cross-Site Scripting Based on Multi-Model CNN Combined with Bidirectional GRU and Multi-Head Self-Attention", 2023 5th International Conference on Computer Communication and the Internet (ICCCI), pp. 142-150, doi:10.1109/ICCCI59363.2023.10210155, online publication date: 23 Jun 2023
  • (2022) "Securing Web Applications", in Advanced Practical Approaches to Web Mining Techniques and Application, ch. 4, pp. 63-89, doi:10.4018/978-1-7998-9426-1.ch004, online publication date: 18 Mar 2022
  • (2022) "Generating Test Paths to Detect XSS Vulnerabilities of Web Applications", 2022 9th NAFOSTED Conference on Information and Computer Science (NICS), pp. 287-293, doi:10.1109/NICS56915.2022.10013397, online publication date: 31 Oct 2022
  • (2022) "A novel automated method to detect XSS vulnerability in webpages", 2022 International Conference on Computer Communication and Informatics (ICCCI), pp. 1-4, doi:10.1109/ICCCI54379.2022.9740937, online publication date: 25 Jan 2022
