Cross Site Scripting 2015

 

 

 

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications; it enables attackers to inject client-side script into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Consequences may range from petty nuisance to significant security risk, depending on the value of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site’s owner. Because XSS is a frequent method of attack, research is being conducted on methods to prevent, detect, and mitigate XSS attacks. The articles cited here were published in 2015.




Gupta, M.K.; Govil, M.C.; Singh, G., “Predicting Cross-Site Scripting (XSS) Security Vulnerabilities In Web Applications,” in Computer Science and Software Engineering (JCSSE), 2015 12th International Joint Conference on, vol., no., pp. 162–167, 22–24 July 2015. doi:10.1109/JCSSE.2015.7219789

Abstract: Recently, machine-learning based vulnerability prediction models are gaining popularity in the web security space, as these models provide a simple and efficient way to handle web application security issues. Existing state-of-the-art Cross-Site Scripting (XSS) vulnerability prediction approaches do not consider the context of the user input in the output statement, which is very important for identifying context-sensitive security vulnerabilities. In this paper, we propose a novel feature extraction algorithm to extract basic and context features from the source code of web applications. Our approach uses these features to build various machine-learning models for predicting context-sensitive Cross-Site Scripting (XSS) security vulnerabilities. Experimental results show that the proposed feature-based prediction models can discriminate vulnerable code from non-vulnerable code at a very low false rate.

Keywords: Internet; feature extraction; security of data; Web applications; XSS security vulnerability prediction; context-sensitive cross-site scripting; cross-site scripting security vulnerability prediction; feature extraction algorithm; Accuracy; Context; Feature extraction; HTML; Measurement; Predictive models; Security; context-sensitive; cross-site scripting vulnerability; input validation; machine learning; web application security (ID#: 16-9177)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7219789&isnumber=7219755

 

Sonewar, P.A.; Mhetre, N.A., “A Novel Approach for Detection of SQL Injection and Cross Site Scripting Attacks,” in Pervasive Computing (ICPC), 2015 International Conference on, vol., no., pp. 1–4, 8–10 Jan. 2015. doi:10.1109/PERVASIVE.2015.7087131

Abstract: Web applications provide a vast category of functionalities and usefulness. As more and more sensitive data is available over the internet, hackers are becoming more interested in revealing such data, which can cause massive damage. SQL injection is one such attack. This attack can be used to infiltrate the database of any web application, which may lead to alteration of the database or disclosure of important information. Cross site scripting is one more attack, in which the attacker obfuscates the input given to the web application, which may lead to changes in the view of the web page. Three-tier web applications can be categorized statically and dynamically for detecting and preventing these types of attacks. A mapping model in which requests are mapped onto queries can be used effectively to detect such kinds of attacks, and prevention logic can be applied.

Keywords: Internet; SQL; Web sites; security of data; SQL injection detection; Web applications; Web page; cross site scripting attack; database infiltration; mapping model; prevention logic; Blogs; Computers; Conferences; Databases; Intrusion detection; Uniform resource locators; Cross Site Scripting (XSS); Intrusion Detection System (IDS); SQL injection attack; Tier Web Application; Web Security Vulnerability (ID#: 16-9178)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7087131&isnumber=7086957

 

Shanmugasundaram, G.; Ravivarman, S.; Thangavellu, P., “A Study on Removal Techniques of Cross-Site Scripting from Web Applications,” in Computation of Power, Energy Information and Communication (ICCPEIC), 2015 International Conference on, vol., no., pp. 0436–0442, 22–23 April 2015. doi:10.1109/ICCPEIC.2015.7259498

Abstract: Cross site scripting (XSS) vulnerability is among the top 10 web application vulnerabilities based on the 2013 survey by the Open Web Application Security Project [9]. The XSS attack occurs when a web-based application takes input from users through web pages without validating it. An attacker or hacker uses this to insert malicious scripts into web pages through such inputs, so the scripts can perform malicious actions when a client visits the vulnerable web pages. This study concentrates on various security measures for removal of XSS from web applications (i.e., defensive coding techniques), and the issues of defensive techniques based on those measures are reported in this paper.

Keywords: Internet; security of data; Web application vulnerability; XSS attack; cross-site scripting; removal technique; Encoding; HTML; Java; Uniform resource locators; cross site scripting; data sanitization; data validation; defensive coding technique; output escaping; scripting languages; vulnerabilities (ID#: 16-9179)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7259498&isnumber=7259434

 

Panja, B.; Gennarelli, T.; Meharia, P., “Handling Cross Site Scripting Attacks Using Cache Check to Reduce Webpage Rendering Time with Elimination of Sanitization and Filtering in Light Weight Mobile Web Browser,” in Mobile and Secure Services (MOBISECSERV), 2015 First Conference on, vol., no., pp. 1–7, 20–21 Feb. 2015. doi:10.1109/MOBISECSERV.2015.7072878

Abstract: In this paper we propose a new approach to prevent and detect potential cross-site scripting attacks. Our method, called Buffer Based Cache Check, will utilize both the server side and the client side to detect and prevent XSS attacks, and will require modification of both in order to function correctly. With Cache Check, instead of the server supplying a complete whitelist of all the known trusted scripts to the mobile browser every time a page is requested, the server will instead store a cache that contains a validated “trusted” instance from the last time the page was rendered, which can be checked against the requested page for inconsistencies. We believe that with our proposed method, rendering times in mobile browsers will be significantly reduced, as part of the checking is done via the server and less checking is done within the mobile browser, which is slower than the server. With our method the entire checking process isn’t dumped onto the mobile browser, and as a result the mobile browser should be able to render pages faster, as it is only checking for “untrusted” content, whereas with other approaches every single line of code is checked by the mobile browser, which increases rendering times.

Keywords: cache storage; client-server systems; mobile computing; online front-ends; security of data; trusted computing; Web page rendering time; XSS attacks; buffer based cache check; client-side; cross-site scripting attacks; filtering; light weight mobile Web browser; sanitization; server-side; trusted instance; untrusted content; Browsers; Filtering; Mobile communication; Radio access networks; Rendering (computer graphics); Security; Servers; Cross site scripting; cache check; mobile browser; webpage rendering (ID#: 16-9180)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7072878&isnumber=7072857

 

Pandurang, R.M.; Karia, D.C., “A Mapping-Based Model for Preventing Cross Site Scripting and SQL Injection Attacks on Web Application and its Impact Analysis,” in Next Generation Computing Technologies (NGCT), 2015 1st International Conference on, vol., no., pp. 414–418, 4–5 Sept. 2015. doi:10.1109/NGCT.2015.7375152

Abstract: Web applications provide a vast category of functionalities and usefulness. As more and more sensitive data is available over the web, crackers are attracted to revealing such data, which can cause immense harm. SQL injection is one such type of attack. This attack can be used to infiltrate the back end of any web application, which may lead to modification of the database or disclosure of significant information. An attacker can obfuscate the input given to the web application using a cross site scripting attack, which may lead to distortion of the web page view. Three-tier web applications can be categorized into static and dynamic web applications for detecting and preventing these types of attacks. A mapping model in which requests are mapped onto generated queries can be used productively to detect such kinds of attacks, and prevention logic can be applied for attack removal. The impact of the container-based approach on the web server is measured using the autobench tool; the parameters used are network throughput and response time.

Keywords: Internet; SQL; query processing; security of data; SQL injection attack prevention logic; Web page view; Web server; attack removal; autobench tool; container based approach; cross site scripting attack prevention logic; database modification; dynamic Web applications; generated queries; impact measurement; mapping-based model; network response time; network throughput; static Web applications; Computers; Containers; Databases; Throughput; Time factors; Web servers; Cross Site Scripting (XSS) Attack; Intrusion Detection System (IDS); Mapping model; SQL Injection Attack (ID#: 16-9181)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7375152&isnumber=7375067

 

Rui Wang; Xiaoqi Jia; Qinlei Li; Daojuan Zhang, “Improved N-gram Approach for Cross-Site Scripting Detection in Online Social Network,” in Science and Information Conference (SAI), 2015, vol., no., pp. 1206–1212, 28–30 July 2015. doi:10.1109/SAI.2015.7237298

Abstract: Nowadays Online Social Networks (OSNs) have become a popular web service in the world. With the development of mobile networks, OSNs provide users with an online communication platform. However, the OSNs’ openness leads to so much exposure that it brings many new security threats, such as cross-site scripting (XSS) attacks. In this paper, we present a novel approach using classifiers and an improved n-gram model to perform XSS detection in OSNs. Firstly, we identify a group of features from webpages and use them to generate classifiers for XSS detection. Secondly, we present an improved n-gram model (a model derived from the n-gram model) built from the features to classify webpages. Thirdly, we propose an approach based on the combination of classifiers and the improved n-gram model to detect XSS in OSNs. Finally, a method is proposed to simulate XSS worm spread in OSNs to get more accurate experiment data. Our experiment results demonstrate that our approach is effective in OSN XSS detection.

Keywords: computer crime; pattern classification; social networking (online); OSN openness; Web pages classification; Web service; XSS attacks; XSS detection; XSS worm spread; classifiers; cross-site scripting detection; mobile networks development; n-gram approach; n-gram model; online communication platform; online social network; security threats; Data models; Feature extraction; Grippers; HTML; Libraries; Malware; Social network services; Cross-site Scripting Attacks Detection; N-gram Model; Online Social Networks Security (ID#: 16-9182)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7237298&isnumber=7237120

 

Gupta, M.K.; Govil, M.C.; Singh, G.; Sharma, P., “XSSDM: Towards Detection and Mitigation of Cross-Site Scripting Vulnerabilities in Web Applications,” in Advances in Computing, Communications and Informatics (ICACCI), 2015 International Conference on, vol., no., pp. 2010–2015, 10–13 Aug. 2015. doi:10.1109/ICACCI.2015.7275912

Abstract: With the growth of the Internet, web applications are becoming very popular in user communities. However, the presence of security vulnerabilities in the source code of these applications is raising the cyber crime rate rapidly. It is required to detect and mitigate these vulnerabilities before their exploitation in the execution environment. Recently, the Open Web Application Security Project (OWASP) and Common Vulnerabilities and Exposures (CWE) reported Cross-Site Scripting (XSS) as one of the most serious vulnerabilities in web applications. Though many vulnerability detection approaches have been proposed in the past, existing detection approaches have limitations in terms of false positive and false negative results. This paper proposes a context-sensitive approach based on static taint analysis and pattern matching techniques to detect and mitigate XSS vulnerabilities in the source code of web applications. The proposed approach has been implemented in a prototype tool and evaluated on a public data set of 9408 samples. Experimental results show that the tool based on the proposed approach outperforms existing popular open source tools in the detection of XSS vulnerabilities.

Keywords: Internet; computer crime; pattern matching; program diagnostics; source code (software); Internet; Web application; XSSDM; context-sensitive approach; cross-site scripting vulnerability detection; cyber crime; pattern matching technique; security vulnerability; source code; static taint analysis; Context; HTML; Reactive power; Security; Sensitivity; Servers; Standards; Context Sensitive; Cross-site scripting (XSS); Pattern matching; Static Analysis; Web Application Security (ID#: 16-9183)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7275912&isnumber=7275573

 

Zibordi de Paiva, O.; Ruggiero, W.V., “A Survey on Information Flow Control Mechanisms in Web Applications,” in High Performance Computing & Simulation (HPCS), 2015 International Conference on, vol., no., pp. 211–220, 20–24 July 2015. doi:10.1109/HPCSim.2015.7237042

Abstract: Web applications are nowadays ubiquitous channels that provide access to valuable information. However, web application security remains problematic, with Information Leakage, Cross-Site Scripting and SQL-Injection vulnerabilities — which all present threats to information — standing among the most common ones. On the other hand, Information Flow Control is a mature and well-studied area, providing techniques to ensure the confidentiality and integrity of information. Thus, numerous works were made proposing the use of these techniques to improve web application security. This paper provides a survey on some of these works that propose server-side only mechanisms, which operate in association with standard browsers. It also provides a brief overview of the information flow control techniques themselves. At the end, we draw a comparative scenario between the surveyed works, highlighting the environments for which they were designed and the security guarantees they provide, also suggesting directions in which they may evolve.

Keywords: Internet; SQL; security of data; SQL-injection vulnerability; Web application security; cross-site scripting; information confidentiality; information flow control mechanisms; information integrity; information leakage; server-side only mechanisms; standard browsers; ubiquitous channels; Browsers; Computer architecture; Context; Security; Standards; Web servers; Cross-Site Scripting; Information Flow Control; Information Leakage; SQL Injection; Web Application Security (ID#: 16-9184)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7237042&isnumber=7237005

 

Fazzini, M.; Saxena, P.; Orso, A., “AutoCSP: Automatically Retrofitting CSP to Web Applications,” in Software Engineering (ICSE), 2015 IEEE/ACM 37th IEEE International Conference on, vol. 1, no., pp. 336–346, 16–24 May 2015. doi:10.1109/ICSE.2015.53

Abstract: Web applications often handle sensitive user data, which makes them attractive targets for attacks such as cross-site scripting (XSS). Content security policy (CSP) is a content-restriction mechanism, now supported by all major browsers, that offers thorough protection against XSS. Unfortunately, simply enabling CSP for a web application would affect the application’s behavior and likely disrupt its functionality. To address this issue, we propose AutoCSP, an automated technique for retrofitting CSP to web applications. AutoCSP (1) leverages dynamic taint analysis to identify which content should be allowed to load on the dynamically-generated HTML pages of a web application and (2) automatically modifies the server-side code to generate such pages with the right permissions. Our evaluation, performed on a set of real-world web applications, shows that AutoCSP can retrofit CSP effectively and efficiently.

Keywords: Internet; security of data; AutoCSP policy; CSP content-restriction mechanism; CSP retrofitting; Web applications; XSS protection; content security policy; cross-site scripting; dynamic taint analysis; dynamically-generated HTML pages; server-side code modification; Algorithm design and analysis; Browsers; HTML; Heuristic algorithms; Security; Servers; Web pages; Content security policy (ID#: 16-9185)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7194586&isnumber=7194545

 

Hazel, J.J.; Valarmathie, P.; Saravanan, R., “Guarding Web Application with Multi-Angled Attack Detection,” in Soft-Computing and Networks Security (ICSNS), 2015 International Conference on, vol., no., pp. 1–4, 25–27 Feb. 2015. doi:10.1109/ICSNS.2015.7292382

Abstract: An important research issue in the design of web applications is protecting the front-end web application from unauthorized access. Normally the web application is in the front end and the database is in the back end, and it can be accessed using a web browser. The database contains valuable information and is the target for attackers. There are many security issues in the back-end database, and many security measures are being implemented in order to protect it. The problem here is that the front-end application is set to be accessible by everyone, and attackers are trying to compromise the web front-end application, which in turn compromises the back-end database. Therefore, the challenge here is to provide security to the front-end web application, thus enhancing security for the back-end database. Currently a vulnerability scanner is used to provide security to the front-end web application. Even though many attacks are possible with it, the most common and topmost attacks are “Remote file inclusion attack, Query string attack, Union attack, Cross site scripting attack”. The proposed system is based on a design of web application that concentrates mainly on the detection and prevention of the above-said attacks. Initially, the system will show how these attacks happen in the front-end web application and how they are overcome using the proposed algorithms, such as the longest common subsequence algorithm and the brute force string matching algorithm. Successfully overcoming these attacks enhances security in the back end by implementing security in the web front end.

Keywords: Internet; authorisation; database management systems; online front-ends; query processing; Web application; Web browser; Web front end application; back end database; cross site scripting attack; multi-angled attack detection; query string attack; remote file inclusion attack; security issues; security measures; unauthorized access; union attack; Algorithm design and analysis; Browsers; Communication networks; Databases; Force; Reliability; Security; Cross site scripting attack; Query string attack; Remote file inclusion attack; Union attack (ID#: 16-9186)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7292382&isnumber=7292366

 

Khan, N.; Abdullah, J.; Khan, A.S., “Towards Vulnerability Prevention Model for Web Browser Using Interceptor Approach,” in IT in Asia (CITA), 2015 9th International Conference on, vol., no., pp. 1–5, 4–5 Aug. 2015. doi:10.1109/CITA.2015.7349842

Abstract: Cross Site Scripting (XSS) is a popular security vulnerability in modern web applications. XSS attacks are malicious scripts which are embedded by attackers into the source code of a web page to be executed at the client side by browsers. Researchers have proposed many techniques for detection and prevention of XSS, but eliminating XSS still remains a challenge. In this paper the authors propose a web security model for XSS vulnerability prevention for web browsers using an interceptor approach. Several client- and server-side solutions have been proposed, but they degrade browsing performance and increase configuration overheads. The proposed model is an effective solution with minimal performance overheads, using both client- and server-side locations in the detection and prevention of XSS.

Keywords: Web sites; client-server systems; online front-ends; security of data; Web applications; Web browser; Web page source code; Web security model; XSS attacks; XSS detection; XSS vulnerability prevention; client-server side location; configuration overheads; cross site scripting; interceptor approach; malicious scripts; security vulnerability; vulnerability prevention model; Browsers; Filtering; HTML; Security; Servers; Uniform resource locators; Web pages; Attack; Hybrid; Interceptor; Prevention; Web Security; XSS (ID#: 16-9187)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7349842&isnumber=7349813

 

Hermerschmidt, L.; Kugelmann, S.; Rumpe, B., “Towards More Security in Data Exchange: Defining Unparsers with Context-Sensitive Encoders for Context-Free Grammars,” in Security and Privacy Workshops (SPW), 2015 IEEE, vol., no., pp. 134–141, 21–22 May 2015. doi:10.1109/SPW.2015.29

Abstract: To exchange complex data structures in distributed systems, documents written in context-free languages are exchanged among communicating parties. Unparsing these documents correctly is as important as parsing them correctly, because errors during unparsing result in injection vulnerabilities such as cross-site scripting (XSS) and SQL injection. Injection attacks are not limited to the web world. Every program that uses input to produce documents in a context-free language may be vulnerable to this class of attack. Even for widely used languages such as HTML and JavaScript, there are few approaches that prevent injection attacks by context-sensitive encoding, and those approaches are tied to the language. Therefore, the aim of this paper is to derive context-sensitive encoders from context-free grammars to provide correct unparsing of maliciously crafted input data for all context-free languages. The presented solution integrates encoder definition into context-free grammars and provides a generator for context-sensitive encoders and decoders that are used during (un)parsing. This unparsing process results in documents where the input data neither influences the structure of the document nor changes its intended semantics. By defining encoding during language definition, developers who use the language are provided with a clean interface for writing and reading documents written in that language, without the need to care about security-relevant encoding.

Keywords: Internet; context-free grammars; context-free languages; context-sensitive grammars; data structures; electronic data interchange; security of data; HTML; JavaScript; SQL injection; XSS; complex data structures; context-sensitive decoders; context-sensitive encoders; cross-site scripting; data exchange security; distributed systems; injection attack prevention; security-relevant encoding; unparsing process; Context; Decoding; Encoding; Grammar; Libraries; Security; context-sensitive encoder; encoding table; injection vulnerability; unparser (ID#: 16-9188)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7163217&isnumber=7163193

 

Mtsweni, J., “Analyzing the Security Posture of South African Websites,” in Information Security for South Africa (ISSA), 2015, vol., no., pp. 1–8, 12–13 Aug. 2015. doi:10.1109/ISSA.2015.7335063

Abstract: Today, public-facing websites are used virtually across all different sectors by different types of organizations for information sharing and conducting core business activities. At the same time, the increasing use of mobile devices in Africa has also propelled the deployment and adoption of web-based applications. However, as the use of websites increases, so do cyber-attacks. Web-based attacks are prevalent across the globe, and in South Africa an increase in such attacks is being observed. Research studies also suggest that over 80% of active websites are vulnerable to a myriad of attacks. This paper reports on a study conducted to passively analyze and determine the security posture of over 70 South African websites from different sectors. The security posture of the local websites was thereafter compared against the top ten (10) global websites. The list of websites was mainly chosen using Amazon’s Alexa service. The focus of the study was mainly on the security defense mechanisms employed by the chosen websites. This approach was chosen because client-side security policies, which may give an indication of the security posture of a website, can be analyzed without actively scanning multiple websites. Consequently, relevant web-based vulnerabilities and security countermeasures were selected for the analysis. The results of the study suggest that most of the 70 South African websites analyzed are vulnerable to cross-site scripting, injection vulnerabilities, clickjacking and man-in-the-middle attacks. Over 67% of the analyzed websites unnecessarily expose server information, approximately 50% of the websites do not protect session cookies, about 30% of the websites use secure communications, in particular for transmitting users’ sensitive information, and some websites use deprecated security policies. From the study, it was also determined that South African websites lag behind in adopting basic security defense mechanisms when compared against top global websites.

Keywords: Web sites; security of data; Amazon Alexa service; South African Web sites; Web-based applications; Web-based attacks; Web-based vulnerabilities; clickjacking attack; client-side security policy; cross-site scripting attack; cyber-attacks; injection vulnerabilities; man-in-middle attack; mobile devices; public-facing Web sites; security countermeasures; security defense mechanisms; security posture; Banking; Education; Government; Security; TV; World Wide Web; cybersecurity; security policies; south africa; web applications; websecurity; websites (ID#: 16-9189)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7335063&isnumber=7335039

 

Wazzan, M.A.; Awadh, M.H., “Towards Improving Web Attack Detection: Highlighting the Significant Factors,” in IT Convergence and Security (ICITCS), 2015 5th International Conference on, vol., no., pp. 1–5, 24–27 Aug. 2015. doi:10.1109/ICITCS.2015.7293028

Abstract: Nowadays, with the rapid development of the Internet, the use of the Web is increasing and Web applications have become a substantial part of people’s daily life (e.g. E-Government, E-Health and E-Learning), as they permit seamless access to and management of information. The main security concern for e-business is Web application security. Web applications have many vulnerabilities such as Injection, Broken Authentication and Session Management, and Cross-site scripting (XSS). Subsequently, web applications have become targets of hackers, and a lot of cyber attacks began to emerge in order to block the services of these Web applications (Denial of Service Attack). Developers are not aware of these vulnerabilities and do not have enough time to secure their applications. Therefore, there is a significant need to study and improve attack detection for web applications by determining the most significant factors for detection. To the best of our knowledge, there is no research that summarizes the influential factors for detecting web attacks. In this paper, the author studies state-of-the-art techniques and research related to web attack detection: the author analyses and compares different methods of web attack detection and summarizes the most important factors for Web attack detection independent of the type of vulnerabilities. At the end, the author gives recommendations to build a framework for web application protection.

Keywords: Internet; computer crime; data protection; Web application protection; Web application security; Web application vulnerabilities; Web attack detection; XSS; broken authentication; cross-site scripting; cyber attack; denial of service attack; e-business; hackers; information access; information management; injection; session management; Buffer overflows; Computer crime; IP networks; Intrusion detection; Monitoring; Uniform resource locators (ID#: 16-9190)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7293028&isnumber=729288

 

Jung-Woo Sohn; Jungwoo Ryoo, “Securing Web Applications with Better “Patches”: An Architectural Approach for Systematic Input Validation with Security Patterns,” in Availability, Reliability and Security (ARES), 2015 10th International Conference on, vol., no., pp. 486–492, 24–27 Aug. 2015. doi:10.1109/ARES.2015.106

Abstract: Some of the most rampant problems in software security originate from improper input validation. This is partly due to ad hoc approaches taken by software developers when dealing with user inputs. Therefore, it is a crucial research question in software security to ask how to effectively apply well-known input validation and sanitization techniques against security attacks exploiting the user input-related weaknesses found in software. This paper examines the current ways of how input validation is conducted in major open-source projects and attempts to confirm the main source of the problem as these ad hoc responses to the input validation-related attacks such as SQL injection and cross-site scripting (XSS) attacks through a case study. In addition, we propose a more systematic software security approach by promoting the adoption of proactive, architectural design-based solutions to move away from the current practice of chronic vulnerability-centric and reactive approaches.

Keywords: Internet; security of data; software architecture; SQL injection attack; Web application security; XSS attack; ad hoc approaches; architectural approach; architectural design-based solution; chronic vulnerability-centric approach; cross-site scripting attack; input validation-related attacks; proactive-based solution; reactive approach; sanitization techniques; security patterns; systematic input validation; systematic software security approach; user input-related weaknesses; architectural patterns; improper input validation; intercepting validator; software security (ID#: 16-9191)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7299956&isnumber=7299862

 

Xiaobing Guo; Shuyuan Jin; Yaxing Zhang, “XSS Vulnerability Detection Using Optimized Attack Vector Repertory,” in Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), 2015 International Conference on, vol., no., pp. 29–36, 17–19 Sept. 2015. doi:10.1109/CyberC.2015.50

Abstract: In order to detect Cross-Site Script (XSS) vulnerabilities in web applications, this paper proposes a method of XSS vulnerability detection using an optimal attack vector repertory. This method generates an attack vector repertory automatically, optimizes the attack vector repertory using an optimization model, and detects XSS vulnerabilities in web applications dynamically. To optimize the attack vector repertory, an optimization model is built in this paper with a machine learning algorithm, reducing the size of the attack vector repertory and improving the efficiency of XSS vulnerability detection. Based on this method, an XSS vulnerability detector is implemented, which is tested on 50 real-world websites. The testing results show that the detector can effectively detect a total of 848 XSS vulnerabilities in 24 websites.

Keywords: Web sites; learning (artificial intelligence); optimisation; security of data; Web applications; XSS vulnerability detection; cross-site script vulnerability detection; machine learning algorithm; optimal attack vector repertory; optimization model; optimized attack vector repertory; real-world Websites; Grammar; HTML; Optimization; Payloads; Testing; Uniform resource locators; Web servers; XSS; attack vector repertory; dynamic analysis; machine learning; web crawler (ID#: 16-9192)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7307783&isnumber=7307766
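An added illustration of the dynamic-detection step that a repertory-based scanner such as the one in the abstract above has to perform; this is example code written for this page, not the authors' detector, and it says nothing about their optimization model. The probe string, the three-entry repertory, the context classifier and the three "server" functions that stand in for real web applications are all constructed here for the example.

```javascript
// Added example (not the paper's detector): one probe per parameter carries a
// unique marker followed by the characters attack vectors need. Reading the
// reflected response tells us (a) the HTML context the value landed in and
// (b) which of those characters came back unescaped; the repertory then
// supplies the first vector whose requirements are met.

// Characters whose survival is checked, in this order, directly after the marker.
const SPECIALS = '<>"\'';

// Encodings a server may apply to a special character instead of passing it through.
const ENTITIES = {
  "<": ["&lt;"], ">": ["&gt;"],
  '"': ["&quot;", "&#34;"], "'": ["&#39;", "&#x27;", "&apos;"],
};

// A tiny attack-vector repertory keyed by output context (constructed for the example).
// `needs` lists characters that must survive unescaped for the vector to work.
const REPERTORY = {
  text:   { needs: "<>", vector: "<img src=x onerror=alert(1)>" },
  attr:   { needs: '"',  vector: '" autofocus onfocus=alert(1) x="' },
  script: { needs: "'",  vector: "';alert(1)//" },
};

// Classify the position of a reflection: inside <script>, inside a tag
// (treated as attribute context), or ordinary text content.
function contextAt(html, pos) {
  const before = html.slice(0, pos).toLowerCase();
  if (before.lastIndexOf("<script") > before.lastIndexOf("</script")) return "script";
  return before.lastIndexOf("<") > before.lastIndexOf(">") ? "attr" : "text";
}

// Walk the response from `start`, consuming each special either verbatim
// (survived) or as a known entity (neutralised). A character that is neither
// is assumed to have been stripped, so matching carries on with the next one.
function survivingSpecials(html, start) {
  let cursor = start, survived = "";
  for (const c of SPECIALS) {
    if (html[cursor] === c) { survived += c; cursor += 1; continue; }
    const enc = ENTITIES[c].find(e => html.startsWith(e, cursor));
    if (enc) cursor += enc.length;
  }
  return survived;
}

// Send one probe to `server` (a function from parameter value to HTML) and
// report every reflection with its context, surviving characters and vector.
function scan(server, marker = "mk" + Math.random().toString(36).slice(2, 8)) {
  const html = server(marker + SPECIALS);
  const findings = [];
  for (let pos = html.indexOf(marker); pos !== -1; pos = html.indexOf(marker, pos + marker.length)) {
    const context = contextAt(html, pos);
    const survived = survivingSpecials(html, pos + marker.length);
    const entry = REPERTORY[context];
    const exploitable = [...entry.needs].every(c => survived.includes(c));
    findings.push({ context, survived, exploitable, vector: exploitable ? entry.vector : null });
  }
  return findings;
}

// Reference escaping used by the "safe" constructed server.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Constructed stand-ins for web applications under test.
const SERVERS = {
  unescapedText: q => `<h1>Results for ${q}</h1>`,
  escapedText:   q => `<h1>Results for ${escapeHtml(q)}</h1>`,
  // Strips angle brackets only: harmless in text, still breakable inside a quoted attribute.
  attrAngleOnly: q => `<input name="q" value="${q.replace(/[<>]/g, "")}">`,
};

for (const [name, server] of Object.entries(SERVERS)) {
  console.log(name, scan(server));
}
```

The attribute case is the one worth remembering: a filter that only removes `<` and `>` looks effective when the value is reflected as text, yet the probe shows the quote surviving inside `value="..."`, so the attribute-context vector from the repertory still applies.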

 

Yen-Lin Chen; Hahn-Ming Lee; Jeng, A.B.; Te-En Wei, “DroidCIA: A Novel Detection Method of Code Injection Attacks on HTML5-Based Mobile Apps,” in Trustcom/BigDataSE/ISPA, 2015 IEEE, vol. 1, no., pp. 1014-1021, 20-22 Aug. 2015. doi:10.1109/Trustcom.2015.477

Abstract: Smartphones have become more and more popular recently. There are many different smartphone systems, such as Android, iOS, etc. Based on HTML5, now developers can have a convenient framework to develop cross-platform HTML5-based mobile apps. Unfortunately, HTML5-based apps are also susceptible to cross-site scripting attacks like most web applications. Attackers can inject malicious scripts from many different injection channels. In this paper, we propose a new way to detect a known malicious script injected by using HTML5 text box input type along with “document.getElementById("TagID").value”. This new text box injection channel was not detected by other researchers so far because they only analyzed JavaScript APIs, but overlooked HTML files which captured text box input type information. Later, we applied this new method to a vulnerable app set with 8303 cases obtained from Google Play. We detected a total of 351 vulnerable apps with accuracy 99%, which included 347 detected also by other researchers as well as 4 extra vulnerable apps that belonged to this text box injection channel. We also implemented a Code Injection Attack detection tool named DroidCIA that automated the drawing of JavaScript API call graph and the combination of API with HTML information.

Keywords: Internet; Java; application program interfaces; hypermedia markup languages; mobile computing; smart phones; DroidCIA; Google Play; HTML5 text box injection channel; HTML5-based mobile application; JavaScript API; code injection attack; smart phone; web applications; Data mining; electronic mail; Google; HTML; Mobile communication; Operating systems; Smart phones (ID#: 16-9193)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7345385&isnumber=7345233
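An added illustration of the text-box injection channel described in the abstract above and of why detecting it needs the HTML file as well as the JavaScript: this is example code written for this page, not the DroidCIA tool, and it uses a deliberately simple statement-level match rather than the authors' call-graph analysis. The two app files, the element ids, the sink list and the hardened variant are all constructed for the example.

```javascript
// Added example (not DroidCIA): pair the text-type <input> ids declared in an
// HTML5 app's markup with JavaScript that reads them through
// document.getElementById(id).value and feeds the value into a sink that
// renders markup or evaluates code. Looking only at the JavaScript API calls
// would not reveal that "nameBox" is a free-text field under user control.

// Constructed app markup: one free-text box, one checkbox, one output element.
const SAMPLE_HTML = `
<!doctype html>
<body>
  <input type="text" id="nameBox">
  <input type="checkbox" id="optIn">
  <div id="out"></div>
  <script src="app.js"></script>
</body>`;

// Constructed app script, vulnerable: the text-box value is rendered as HTML.
const SAMPLE_JS = `
function greet() {
  var name = document.getElementById("nameBox").value;
  document.getElementById("out").innerHTML = "Hello, " + name;
}
function track() {
  var opt = document.getElementById("optIn").checked;
  console.log(opt);
}`;

// Hardened variant: the value is written as text, so markup in it is inert.
const SAMPLE_JS_FIXED = SAMPLE_JS.replace(".innerHTML =", ".textContent =");

// Sinks that turn a string into markup or code (list constructed for the example).
const SINKS = ["innerHTML", "outerHTML", "insertAdjacentHTML(", "document.write(", "eval("];

// Input types whose value is free-form text typed by the user.
const TEXT_TYPES = new Set(["text", "search", "url", "email", "tel", "password"]);

// Collect ids of text-type <input> elements; a missing type attribute means "text".
function textBoxIds(html) {
  const ids = new Set();
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const type = (/\btype\s*=\s*["']?([\w-]+)/i.exec(tag) || [null, "text"])[1].toLowerCase();
    const id = /\bid\s*=\s*["']?([\w-]+)/i.exec(tag);
    if (id && TEXT_TYPES.has(type)) ids.add(id[1]);
  }
  return ids;
}

// Statement-level taint check: a variable assigned from a text box's .value is
// tainted; any later statement that mentions it together with a sink is reported.
function findTextBoxInjections(html, js) {
  const boxes = textBoxIds(html);
  const tainted = new Map(); // variable name -> element id it was read from
  const findings = [];
  const readRe = /(?:var|let|const)\s+(\w+)\s*=\s*document\.getElementById\(\s*["']([\w-]+)["']\s*\)\.value/;
  for (const stmt of js.split(/;|\n/)) {
    const m = readRe.exec(stmt);
    if (m && boxes.has(m[2])) { tainted.set(m[1], m[2]); continue; }
    if (!SINKS.some(s => stmt.includes(s))) continue;
    for (const [variable, elementId] of tainted) {
      if (new RegExp("\\b" + variable + "\\b").test(stmt)) {
        findings.push({ variable, elementId, statement: stmt.trim() });
      }
    }
  }
  return findings;
}

// Escaping to use when HTML really must be built from a text-box value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

console.log("vulnerable:", findTextBoxInjections(SAMPLE_HTML, SAMPLE_JS));
console.log("fixed:", findTextBoxInjections(SAMPLE_HTML, SAMPLE_JS_FIXED));
```

The checkbox read in `track()` is ignored twice over: its id is not a text box, and `.checked` is not the `.value` read the channel depends on. A real tool has to follow the value across function boundaries and through string concatenation, which is where the abstract's call graph comes in.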

 

Bozic, J.; Wotawa, F., “PURITY: A Planning-based secURITY Testing Tool,” in Software Quality, Reliability and Security - Companion (QRS-C), 2015 IEEE International Conference on, vol., no., pp. 46–55, 3–5 Aug. 2015. doi:10.1109/QRS-C.2015.19

Abstract: Despite sophisticated defense mechanisms, security testing still plays an important role in software engineering. Because of their latency, security flaws in web applications always bear the risk of being exploited sometime in the future. In order to avoid potential damage, appropriate prevention measures should be incorporated in time and in the best case already during the software development cycle. In this paper, we contribute to this goal and present the PURITY tool for testing web applications. PURITY executes test cases against a given website. It detects whether the website is vulnerable to some of the most common vulnerabilities, i.e., SQL injections and cross-site scripting. The goal is to resemble a malicious activity by following typical sequences of actions potentially leading to a vulnerable state. The test execution proceeds automatically. In contrast to other penetration testing tools, PURITY relies on planning. Concrete test cases are obtained from a plan, which in turn is generated from specific initial values and given actions. The latter are intended to mimic actions usually performed by an attacker. In addition, PURITY also allows a tester to configure input parameters and also tests a website in a manual manner.

Keywords: Internet; Web sites; program testing; security of data; software tools; PURITY; Web application testing; Web applications; Web site testing; defense mechanisms; malicious activity; planning-based security testing tool; prevention measures; security flaws; software development cycle; software engineering; test execution; Concrete; HTML; Java; Planning; Security; Testing; Uniform resource locators; Model-based testing; Testing tool; planning problem; security testing (ID#: 16-9194)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7322124&isnumber=7322103

 


Note:

Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.