Risk mitigation for cross site scripting attacks using signature based model on the server side

Researchers and industry experts state that Cross-site Scripting (XSS) is the topmost vulnerability in web applications. Attacks on web applications are increasing with the adoption of newer technologies, new HTML tags and new JavaScript functions. This demands an efficient approach on the server side to protect the users of the application. The proposed signature-based misuse detection approach introduces a security layer on top of the web application, so that the existing web application remains unchanged whenever a new threat is introduced that demands new security mechanisms. Web pages newly introduced into the web application need not be changed to incorporate the security mechanisms, as the solution is implemented on top of the web application. To test the effectiveness of this approach, the vulnerable web inputs listed on research sites and black-hat hacker sites were considered. The proposed security system was run on a JBoss server and tested on the vulnerable inputs collected from those sites. Around 100 variants of XSS attacks were found during the testing. The approach was found to be very effective, as it addresses the vulnerabilities at the granular level of tags and attributes, in addition to addressing the XSS vulnerabilities themselves.
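As an added illustration (not code from the paper, which gives none), the following Python sketch shows what a server-side signature layer of the kind described above can look like: request parameters are normalized and inspected at tag and attribute granularity before the request reaches the application. The signature set and the normalization steps are assumptions, since the paper does not list its signatures.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed signature set (assumption): the paper does not publish its
# signatures, so these are representative tag-, attribute- and URI-level rules.
TAG_SIGNATURES = {"script", "iframe", "object", "embed"}
ATTR_SIGNATURES = {"onload", "onerror", "onclick", "onmouseover", "onfocus"}
URI_ATTRS = {"src", "href", "action", "formaction"}
URI_SCHEME_SIGNATURE = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)


def normalize(value: str) -> str:
    """Undo URL and entity encoding until stable, then drop control bytes."""
    prev = None
    while prev != value:
        prev = value
        value = html.unescape(unquote(value))
    return re.sub(r"[\x00-\x08\x0b\x0c\x0e-\x1f]", "", value)


class SignatureScanner(HTMLParser):
    """Record every tag or attribute in the input that matches a signature."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag in TAG_SIGNATURES:
            self.hits.append(f"tag:{tag}")
        for name, val in attrs:
            if name in ATTR_SIGNATURES:
                self.hits.append(f"attr:{tag}@{name}")
            elif name in URI_ATTRS and val and URI_SCHEME_SIGNATURE.match(val):
                self.hits.append(f"uri:{tag}@{name}")

    handle_startendtag = handle_starttag  # <img ... /> is handled the same way


def scan_input(raw: str) -> list[str]:
    """Return the signature hits for one request parameter value."""
    scanner = SignatureScanner()
    scanner.feed(normalize(raw))
    scanner.close()
    return scanner.hits


def check_request(params: dict[str, str]) -> dict[str, list[str]]:
    """Map each offending parameter to its hits; empty dict means pass through."""
    return {k: h for k, v in params.items() if (h := scan_input(v))}
```

Because matching happens on parsed tags and attributes rather than on raw substrings, the same rule catches a payload whether it arrives plain, URL-encoded or entity-encoded.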
