Detecting Cross-Site Scripting in Web Applications Using Fuzzy Inference System

With improvements in computing and technological advancements, web-based applications are now ubiquitous on the Internet. However, these web applications are becoming prone to vulnerabilities that have led to theft of confidential information, data loss, and denial of data access during information transmission. Cross-site scripting (XSS) is a form of web security attack that involves the injection of malicious code into web applications from untrusted sources. Interestingly, recent research on web application security centres on attack prevention and mechanisms for secure coding; recent methods against these attacks not only generate high false-positive rates but also give little consideration to the users, who are often the victims of malicious attacks. Motivated by this problem, this paper describes an "intelligent" tool for detecting cross-site scripting flaws in web applications. This paper describes the method, implemented on the basis of fuzzy logic, for detecting classic XSS weaknesses and presents some experimental results. Our detection framework recorded a 15% improvement in accuracy and a 0.01% reduction in the false-positive rate, which is considerably lower than that found in the existing work by Koli et al. Our approach also serves as a decision-making tool for the users.
