Abstract
Web applications have become one of the standard platforms for delivering data and services over the World Wide Web. Since web applications are increasingly used for security-critical services, they have become a popular and valuable target for web-related attacks, even though several defensive mechanisms have been developed to harden modern web applications and mitigate the attacks launched against them. We have analyzed the major concerns for web applications and Internet-based services that persist across the web applications of diverse organizations such as banking, health care, financial services and retail, by referring to the Website Security Statistics Report of WhiteHat Security. In this paper, we highlight some of the serious vulnerabilities found in modern web applications. Cross-Site Scripting (XSS) is the topmost vulnerability found in today's web applications and has become a plague for them. XSS attacks permit an attacker to execute malicious scripts in the victim's web browser, with side effects such as data compromise and the theft of cookies, passwords, credit card numbers, etc. We also present a high-level taxonomy of XSS attacks and detail incidents of these attacks on web applications. A detailed, comprehensive analysis of the exploitation, detection and prevention mechanisms for XSS attacks is also presented. Based on the explored strengths and flaws of these mechanisms, we discuss directions for further work.
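As an added illustration that is not part of the paper, the following shows the kind of reflected XSS sink the abstract describes (a request parameter concatenated into HTML) beside the same page with output encoding, plus a session-cookie attribute that keeps the cookie out of reach of injected script. The page title, search term and cookie name are constructed sample values.

```python
import html
import re

# Constructed sample input: a search term carrying a script tag, the kind of
# value a reflected XSS sink receives from an attacker-controlled query string.
SAMPLE_INPUT = 'shoes<script>alert(1)</script>'


def render_vulnerable(search_term: str) -> str:
    """Reflected XSS sink: the raw parameter is concatenated into the HTML body,
    so the browser parses the injected <script> element and runs it."""
    return f"<p>You searched for: {search_term}</p>"


def render_hardened(search_term: str) -> str:
    """Same page with output encoding for the HTML body context.

    html.escape with quote=True encodes &, <, >, " and ', so the browser
    renders the payload as literal text instead of a script element."""
    return f"<p>You searched for: {html.escape(search_term, quote=True)}</p>"


# Case-insensitive match for a script start tag; used here only to check the
# two renderings, not as a production filter (encoding is the real defense).
SCRIPT_START_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_element(rendered_html: str) -> bool:
    """True if the rendered page still contains a parseable <script> start tag."""
    return bool(SCRIPT_START_TAG.search(rendered_html))


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session cookie.

    HttpOnly keeps it out of document.cookie, which limits what an injected
    script can steal; Secure restricts it to HTTPS; SameSite=Lax limits
    cross-site sends. Cookie name and path are constructed values."""
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_INPUT))  # script element reaches the browser
    print(render_hardened(SAMPLE_INPUT))    # payload shown as text
    print(session_cookie_header("constructed-session-id"))
```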
Cite this article
Gupta, S., Gupta, B.B. Cross-Site Scripting (XSS) attacks and defense mechanisms: classification and state-of-the-art. Int J Syst Assur Eng Manag 8 (Suppl 1), 512–530 (2017). https://doi.org/10.1007/s13198-015-0376-0
DOI: https://doi.org/10.1007/s13198-015-0376-0