Risk mitigation for cross site scripting attacks using signature based model on the server side

Researchers and industry experts state that the Cross-site Scripting (XSS) is the top most vulnerability in the web applications. Attacks on web applications are increasing with the implementation of newer technologies, new html tags and new JavaScript functions. This demands an efficient approach on the server side to protect the users of the application. The proposed Signature based misuse detection approach introduces a security layer on top of the web application, so that the existing web application remain unchanged whenever a new threat is introduced that demands new security mechanisms. The web pages that are newly introduced in the web application need not be changed to incorporate the security mechanisms as the solution is implemented on top of the web application. To test the effectiveness of this approach, the vulnerable web inputs listed in research sites, black-hat hacker sites and in the black hat hacker sites are considered. The proposed security system was run on JBoss server and tested on those vulnerable inputs collected from the above sites. There are around 100 variants of XSS attacks found during the testing. It has been found that the approach is very effective as it addresses the vulnerabilities at a granular level of tags and attributes, in addition to addressing the XSS vulnerabilities.

[1]  Richard Sharp,et al.  Developing Secure Web Applications , 2002, IEEE Internet Comput..

[2]  D. T. Lee,et al.  Non-detrimental Web application security scanning , 2004, 15th International Symposium on Software Reliability Engineering.

[3]  Christopher Krügel,et al.  Noxes: a client-side solution for mitigating cross-site scripting attacks , 2006, SAC '06.

[4]  Thomas P. Gallagher,et al.  Hunting Security Bugs , 2006 .

[5]  Giuseppe A. Di Lucca,et al.  Identifying cross site scripting vulnerabilities in Web applications , 2004, Proceedings. Sixth IEEE International Workshop on Web Site Evolution.

[6]  Christopher Krügel,et al.  Pixy: a static analysis tool for detecting Web application vulnerabilities , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[7]  Richard Sharp,et al.  Abstracting application-level web security , 2002, WWW.

[8]  Mike Shema,et al.  Hacking Exposed Web Applications , 2010 .

[9]  David Leon,et al.  Detecting and debugging insecure information flows , 2004, 15th International Symposium on Software Reliability Engineering.

[10]  Jin-Cherng Lin,et al.  An Automatic Revised Tool for Anti-Malicious Injection , 2006, The Sixth IEEE International Conference on Computer and Information Technology (CIT'06).

[11]  Zhendong Su,et al.  The essence of command injection attacks in web applications , 2006, POPL '06.

[12]  D. T. Lee,et al.  Securing web application code by static analysis and runtime protection , 2004, WWW '04.

[13]  Shih-Kun Huang,et al.  Web application security assessment by fault injection and behavior monitoring , 2003, WWW '03.

[14]  Andy Podgurski,et al.  Using dynamic information flow analysis to detect attacks against applications , 2005, SOEN.

[15]  Youki Kadobayashi,et al.  A proposal and implementation of automatic detection/collection system for cross-site scripting vulnerability , 2004, 18th International Conference on Advanced Information Networking and Applications, 2004. AINA 2004..

[16]  Mark Burnett Hacking the Code: ASP.NET Web Application Security , 2004 .

[17]  Andy Podgurski,et al.  An empirical study of the strength of information flows in programs , 2006, WODA '06.