Injecting Comments to Detect JavaScript Code Injection Attacks

Most web programs are vulnerable to cross-site scripting (XSS), which can be exploited by injecting JavaScript code. Unfortunately, injected JavaScript code is difficult to distinguish from legitimate code at the client side, so server-side detection of injected JavaScript code can serve as a layer of defense. Existing server-side approaches rely on identifying legitimate script code, and an attacker can circumvent them by injecting legitimate JavaScript code. Moreover, these approaches assume that no JavaScript code is downloaded from third-party websites. To address these limitations, we develop a server-side approach that distinguishes injected JavaScript code from legitimate JavaScript code. Our approach is based on injecting comment statements that contain random tokens and features of the legitimate JavaScript code. When a response page is generated, JavaScript code with no comment or with an incorrect comment is considered injected. The valid comments are also checked for duplicates: any duplicate comment, or any mismatch between the expected code features and the features actually observed, marks the JavaScript code as injected. We implement a prototype tool that automatically injects the JavaScript comments and deploy the injected-code detector as a server-side filter. We evaluate our approach with three JSP programs. The evaluation results indicate that our approach detects a wide range of code injection attacks.
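As an added illustration (not the paper's prototype, which targets JSP, and not its exact marker format), the following Python sketch shows both halves of the approach: tagging each legitimate script block with a random-token comment and recording its feature profile at generation time, then filtering the response for blocks whose marker is missing, unknown or duplicated, or whose observed features no longer match. The `/* sec:<token> */` comment syntax and the two features used (call count and statement count) are assumptions of this example.

```python
import re
import secrets
from collections import Counter

# Marker comment format is an assumption of this example: /* sec:<16 hex chars> */
MARKER = re.compile(r"^\s*/\*\s*sec:([0-9a-f]{16})\s*\*/")


def features(js: str) -> dict:
    """Coarse feature profile of a script block (assumed features: call and statement counts)."""
    return {"calls": len(re.findall(r"\b\w+\s*\(", js)), "stmts": js.count(";")}


def tag_scripts(scripts: list[str]) -> tuple[list[str], dict]:
    """Page-generation side: prefix each legitimate block with a random-token comment
    and record the features the filter should later observe for that token."""
    registry, tagged = {}, []
    for js in scripts:
        token = secrets.token_hex(8)
        registry[token] = features(js)
        tagged.append(f"/* sec:{token} */\n{js}")
    return tagged, registry


def classify(scripts: list[str], registry: dict) -> list[str]:
    """Response-filter side: one verdict per block; anything but 'ok' means injected."""
    tokens = [m.group(1) if (m := MARKER.match(js)) else None for js in scripts]
    counts = Counter(t for t in tokens if t)
    verdicts = []
    for js, token in zip(scripts, tokens):
        if token is None:
            verdicts.append("missing-marker")        # block carries no comment at all
        elif token not in registry:
            verdicts.append("unknown-token")         # comment present but token was never issued
        elif counts[token] > 1:
            verdicts.append("duplicate-marker")      # a valid comment was copied onto another block
        elif features(js[MARKER.match(js).end():]) != registry[token]:
            verdicts.append("feature-mismatch")      # marker intact but the code under it changed
        else:
            verdicts.append("ok")
    return verdicts


def demo() -> list[str]:
    # Constructed legitimate blocks for one page, tagged at generation time.
    tagged, registry = tag_scripts(["function greet(n) { alert('hi ' + n); }",
                                    "document.title = 'Home';",
                                    "var x = 1;"])
    # Constructed response: block 1 intact, block 2 with code appended under its valid
    # marker, an unmarked block, block 3, and a second block reusing block 3's marker.
    marker3 = tagged[2].split("\n")[0]
    response = [tagged[0], tagged[1] + "\npayload();", "payload();", tagged[2], marker3 + "\npayload();"]
    return classify(response, registry)
```

`demo()` returns one verdict per block, so the filter's decision and its reason are visible for each of the four injection patterns the abstract describes alongside the one untouched block.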