S2XS2: A Server Side Approach to Automatically Detect XSS Attacks

Cross-site scripting (XSS) vulnerabilities are widespread in web-based programs. Detecting suspicious content at the server side can mitigate XSS exploitation early. Unfortunately, existing server-side approaches require modification of server and client side environments. In this paper, we develop an automated framework to detect XSS attacks at the server side based on the notion of boundary injection and policy generation. Boundaries mark content generation locations in server script code. We derive the expected benign features of dynamic content, and these features are matched during response page generation to detect attacks. We develop a prototype tool to automatically insert boundaries and generate policies for JSP programs. We evaluate the approach with four JSP programs. The results indicate that the approach detects most of the well-known XSS attacks. Moreover, the false positive rates vary between zero and 5.2%. The approach incurs negligible runtime overhead.
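
The boundary-and-policy idea described in the abstract, as an added sketch in Python. It is not the paper's JSP tool or its code. The comment-style boundary markers, the per-response nonce, the {{slot}} template syntax and the policy shape (expected tag count, expected attribute count) are assumptions made for illustration.

```python
import re
import secrets
from html.parser import HTMLParser

class FeatureCounter(HTMLParser):
    """Counts start tags and attributes inside one dynamic content region."""
    def __init__(self):
        super().__init__()
        self.tags, self.attrs = 0, 0
    def handle_starttag(self, tag, attrs):
        self.tags += 1
        self.attrs += len(attrs)

def features(fragment):
    counter = FeatureCounter()
    counter.feed(fragment)
    counter.close()
    return counter.tags, counter.attrs

def render(template, values, nonce):
    """Wrap every {{slot}} in boundaries carrying the nonce, then fill it in."""
    def wrap(m):
        name = m.group(1)
        return f"<!--b:{nonce}:{name}-->{values[name]}<!--/b:{nonce}:{name}-->"
    return re.sub(r"\{\{(\w+)\}\}", wrap, template)

def check_response(page, policies, nonce):
    """Return (page without boundaries, slots whose features break policy)."""
    pattern = re.compile(rf"<!--b:{nonce}:(\w+)-->(.*?)<!--/b:{nonce}:\1-->", re.S)
    violations = []
    def strip(m):
        name, content = m.group(1), m.group(2)
        if features(content) != policies[name]:  # expected (tags, attrs)
            violations.append(name)
        return content
    return pattern.sub(strip, page), violations

if __name__ == "__main__":
    # Constructed sample: both slots are expected to emit plain text only.
    template = "<p>Hello, {{user}}</p><div>{{comment}}</div>"
    policies = {"user": (0, 0), "comment": (0, 0)}
    nonce = secrets.token_hex(8)  # fresh per response; markers cannot be forged
    for comment in ("nice post", "<script>alert(1)</script>"):
        page = render(template, {"user": "alice", "comment": comment}, nonce)
        clean, bad = check_response(page, policies, nonce)
        print("blocked" if bad else "served", bad)
```

A slot that legitimately emits markup gets a non-zero policy, for example (1, 0) for a single bold tag without attributes. Content that merely looks like a boundary but lacks the nonce is not treated as one.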
