Enhancing the Browser-Side Context-Aware Sanitization of Suspicious HTML5 Code for Halting the DOM-Based XSS Vulnerabilities in Cloud

This article presents a cloud-based framework that thwarts DOM-based XSS vulnerabilities caused by the injection of advanced HTML5 attack vectors into HTML5 web applications. Initially, the framework collects the key modules of the web application, extracts suspicious HTML5 strings from the latent injection points, and clusters those strings by their degree of similarity. It then detects the injection of malicious HTML5 code into the script nodes of the DOM tree by detecting variation in the HTML5 code embedded in the generated HTTP response; any variation observed indicates the injection of suspicious script code. The prototype of our framework was developed in Java and installed on the Google Chrome extension in the virtual machines of a cloud environment. The experimental evaluation of the framework was performed on real-world HTML5 web applications deployed on a cloud platform.
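The detection step described above, as an added example that is not the paper's prototype: the script nodes in the server's HTTP response are fingerprinted, the script nodes in the DOM after client-side code has run are fingerprinted the same way, and any script present only in the DOM is reported as injected; an untrusted value is then encoded for the context it is written into so that it cannot create a new script node. It works on serialized HTML so that it runs outside a browser; in a Chrome extension the same comparison would be made against the live document (an assumption of this example, not a detail from the paper).

```javascript
// Added example, not the paper's code. Fingerprints <script> nodes in serialized HTML.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const SRC_RE = /\bsrc\s*=\s*["']?([^"'\s>]+)/i;

// One normalized fingerprint per script node: external scripts by their src,
// inline scripts by their whitespace-collapsed body.
function scriptFingerprints(html) {
  const fps = new Set();
  for (const m of html.matchAll(SCRIPT_RE)) {
    const src = SRC_RE.exec(m[1]);
    fps.add(src ? 'src:' + src[1] : 'inline:' + m[2].replace(/\s+/g, ' ').trim());
  }
  return fps;
}

// Script nodes present in the live DOM but absent from the HTTP response.
// Any such variation signals client-side (DOM-based) script injection.
function injectedScripts(responseHtml, liveDomHtml) {
  const baseline = scriptFingerprints(responseHtml);
  return [...scriptFingerprints(liveDomHtml)].filter((fp) => !baseline.has(fp));
}

// Context-aware sanitization: encode an untrusted value for the context it is
// written into, so it can neither start a script node nor break out of a literal.
const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function sanitizeFor(context, value) {
  switch (context) {
    case 'html':      // element text content
    case 'attribute': // quoted attribute value
      return value.replace(/[&<>"']/g, (c) => HTML_MAP[c]);
    case 'js-string': // inside a JavaScript string literal
      return value.replace(/[^\w ]/g, (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
    default:
      throw new Error('unknown context: ' + context);
  }
}

// Constructed sample: the server response, an untrusted URL fragment, and the DOM
// after a sink such as innerHTML wrote that fragment with and without sanitization.
const RESPONSE_HTML =
  '<html><body><script src="/app.js"></script><div id="out"></div></body></html>';
const UNTRUSTED = 'hello<script>console.log("injected")</script>';
const LIVE_DOM_HTML = RESPONSE_HTML.replace('<div id="out"></div>',
  '<div id="out">' + UNTRUSTED + '</div>');
const SAFE_DOM_HTML = RESPONSE_HTML.replace('<div id="out"></div>',
  '<div id="out">' + sanitizeFor('html', UNTRUSTED) + '</div>');

console.log(injectedScripts(RESPONSE_HTML, LIVE_DOM_HTML)); // → [ 'inline:console.log("injected")' ]
console.log(injectedScripts(RESPONSE_HTML, SAFE_DOM_HTML)); // → []
```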
