Analysis of XSS attack Mitigation techniques based on Platforms and Browsers

In recent years, everything has moved to the web, whether an organization's administration software, a custom ERP application, an employee portal or a real-estate portal. Social networking sites such as Facebook, Twitter and MySpace are web applications used by millions of users around the world. Web applications have therefore become very popular among users, and as a consequence they are closely observed and may be exploited by hackers. Researchers and industry experts state that Cross-site Scripting (XSS) is one of the top vulnerabilities in web applications, and it has become a common weakness of many web sites and web applications. XSS consists in the exploitation of input validation flaws with the purpose of injecting arbitrary script code that is later executed in the victim's web browser. According to OWASP, cross-site scripting attacks on web applications have risen significantly in recent years. This demands an efficient approach on the server side to protect the users of the application, since the root cause of the vulnerability lies primarily on the server side while the actual exploitation takes place in the victim's web browser on the client side; an operator of a web application therefore has only very limited evidence of XSS issues. Many solutions exist for this vulnerability, but such techniques may degrade the performance of the system. In such scenarios the challenge is to decide which method, platform, browser and middleware can be used to overcome the vulnerability with reasonable performance overhead for the system. Inspired by this problem, we present a performance comparison of two server-side mitigation techniques for Cross-site Scripting (XSS) based on parameters such as the application's platform, the middleware technology and the browser used by the end user. We implemented a parsing-based mitigation technique using a database and a replace technique on different platforms and middleware and measured their performance.
We measured the time taken by different browsers to render pages protected by the two techniques under different platforms and middleware. In this paper we propose the best combination of development platform, browser and middleware for the two mitigation techniques with respect to both developers and end users.
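To make the two techniques named in the abstract concrete, the following Python illustration implements a parsing filter backed by a pattern table in a database and a replace (encoding) filter, and micro-benchmarks the per-value overhead of each. This is an added example, not code from the paper; the abstract does not describe the authors' implementation, so the table schema (`xss_patterns`), the pattern list, the constructed sample inputs and the use of `html.escape` for the replace technique are all assumptions chosen to illustrate the two approaches.

```python
"""Illustration of two server-side XSS mitigation styles: a parsing filter
that checks input against patterns stored in a database table, and a replace
filter that encodes HTML-significant characters. Added example; the schema,
patterns and sample inputs are constructed assumptions, not the paper's code."""
import html
import re
import sqlite3
import timeit

# Constructed sample request parameters: benign text and script-bearing text.
SAMPLE_INPUTS = [
    "Hello, world",
    "<script>alert(1)</script>",
    '<img src=x onerror="alert(1)">',
    "O'Reilly & Sons <b>bold</b>",
]


def build_pattern_db():
    """Create an in-memory table of script-bearing patterns (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE xss_patterns (id INTEGER PRIMARY KEY, pattern TEXT NOT NULL)"
    )
    patterns = [r"<\s*script\b", r"\bon\w+\s*=", r"javascript\s*:", r"<\s*iframe\b"]
    conn.executemany(
        "INSERT INTO xss_patterns (pattern) VALUES (?)", [(p,) for p in patterns]
    )
    conn.commit()
    return conn


def load_patterns(conn):
    """Read the pattern table once and pre-compile it at startup, not per request."""
    rows = conn.execute("SELECT pattern FROM xss_patterns ORDER BY id").fetchall()
    return [re.compile(p, re.IGNORECASE) for (p,) in rows]


def parsing_filter(value, compiled_patterns):
    """Parsing technique: reject input that matches any stored pattern.
    Returns (accepted, matched_pattern). A denylist is only as complete as
    its table, which is why the replace technique is the safer default."""
    for rx in compiled_patterns:
        if rx.search(value):
            return False, rx.pattern
    return True, None


def replace_filter(value):
    """Replace technique: encode the HTML-significant characters so the browser
    renders them as text rather than markup. The result is safe inside element
    content and inside quoted attribute values."""
    return html.escape(value, quote=True)


def benchmark(compiled_patterns, iterations=2000):
    """Mean microseconds per value for each technique over the sample inputs."""
    def run_parsing():
        for v in SAMPLE_INPUTS:
            parsing_filter(v, compiled_patterns)

    def run_replace():
        for v in SAMPLE_INPUTS:
            replace_filter(v)

    results = {}
    for name, fn in (("parsing", run_parsing), ("replace", run_replace)):
        total = timeit.timeit(fn, number=iterations)
        results[name] = total / (iterations * len(SAMPLE_INPUTS)) * 1e6
    return results


if __name__ == "__main__":
    patterns = load_patterns(build_pattern_db())
    for value in SAMPLE_INPUTS:
        print(repr(value), "->", parsing_filter(value, patterns), "|", replace_filter(value))
    for name, us in benchmark(patterns).items():
        print(f"{name}: {us:.2f} us per value")
```

The benchmark captures only the server-side cost of filtering a value; the rendering time in the end user's browser, which the paper measures across platforms and middleware, is a separate quantity that this snippet does not model.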
