Auditing Defense against XSS Worms in Online Social Network-Based Web Applications

Nowadays, users of Online Social Networks (OSNs) are largely unfamiliar with the cyber security threats that occur in such networks, including Cross-Site Scripting (XSS) worms, Distributed Denial of Service (DDoS) attacks, phishing, etc. Numerous defensive methodologies exist for mitigating the effect of DDoS attacks and phishing vulnerabilities in OSNs. However, to date no robust defensive solution has been proposed for the complete alleviation of XSS worms from such networks. This chapter discusses in detail the recent incidences of XSS attacks on OSN platforms. A high-level taxonomy of XSS worms is illustrated for the precise interpretation of its exploitation in multiple OSN applications such as Facebook, Twitter, LinkedIn, etc. We have also discussed the key contributions of current defensive solutions against XSS attacks on existing OSN platforms. Based on this study, we identify the current performance issues in these existing solutions and recommend future research guidelines.
