A solution to block Cross Site Scripting Vulnerabilities based on Service Oriented Architecture

Research data shows that about 80% of web applications are vulnerable to cross site scripting attacks. This is because users are allowed to enter tags in input controls to increase flexibility in handling web application input. This increases the threat to the web application by allowing hackers to plant worms in it through features such as tags. Further, there are billions of web pages developed in different languages such as PHP, ASP, JSP, HTML, CGI-Perl, .Net, etc. No single solution is available that can be applied to web applications developed in different languages and deployed on different platforms to prevent XSS. This paper presents a new solution to block cross site scripting (XSS) attacks that is independent of the language in which the web application is developed and also addresses XSS vulnerabilities that arise from other interfaces. The solution is modularized, configurable, and developed in .Net, XML and XSD. The approach is evaluated on a web application developed in JSP/Servlets and deployed on the JBoss application server, and is found effective, as it provides the flexibility to be used across languages with very minimal configuration to prevent XSS.
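The core of a language-independent XSS blocker of the kind the abstract describes is a filter that keeps only the tags an application has chosen to allow and renders everything else inert. The following is an added illustration, not the paper's .Net/XML/XSD implementation: the allow-list `POLICY` dictionary is a constructed stand-in for the paper's XML/XSD configuration, and the tag and attribute names in it are assumptions for the example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed policy that stands in for the paper's XML/XSD configuration:
# the tags the application allows in user input and, per tag, the attributes.
POLICY = {"b": set(), "i": set(), "p": set(), "a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://")


class AllowListFilter(HTMLParser):
    """Re-emit input, keeping only policy-listed tags and attributes.

    Anything not on the list (unknown tags, event-handler attributes,
    non-http(s) hrefs) is either escaped to inert text or dropped.
    """

    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy = policy
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.policy:
            # Unknown tag: emit it as escaped text so the browser shows it, not runs it
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in self.policy[tag] or value is None:
                continue  # drops onclick=, onerror=, style=, ... for every tag
            if name == "href" and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript:, data: and other non-http(s) URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # treat <x/> like <x>

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>" if tag in self.policy else escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data))  # text content is always entity-escaped


def sanitize(text, policy=POLICY):
    """Return `text` with only the policy's tags and attributes left live."""
    f = AllowListFilter(policy)
    f.feed(text)
    f.close()
    return "".join(f.out)
```

Because the filter works on the raw request text, it can sit in front of a PHP, JSP or .Net application alike; only the policy needs to be configured per application.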
