Design and development of Anti-XSS proxy

A Cross-Site Scripting (XSS) vulnerability allows an attacker to inject arbitrary JavaScript code that is executed in the victim's browser and can lead to security breaches. XSS vulnerabilities are still widely discovered in today's web applications. As a result, there is a need to improve existing solutions or to develop novel attack detection techniques. This paper proposes the design and development of a proxy-level XSS attack detection approach (Anti-XSS) based on the Kullback-Leibler Divergence (KLD) measure. The proposed approach has been applied to a number of open-source PHP web applications containing XSS vulnerabilities. The initial results show that the approach can effectively detect XSS attacks while displaying a low false positive rate, depending on the choice of KLD threshold values.
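The abstract does not give the paper's feature model, smoothing or threshold values, so the following is an added illustration of the KLD-based detection idea, not the authors' Anti-XSS code. It assumes a symbol alphabet in which letters and digits are collapsed into two classes and each ASCII punctuation character is its own symbol (XSS payloads are punctuation-heavy, benign form input is not), a baseline distribution Q estimated from a small constructed set of benign parameter values with additive smoothing (alpha = 0.01), and a score KLD(P || Q) for each incoming value's empirical distribution P compared against a threshold of 0.5. All sample strings are constructed for the example.

```python
import math
import string
from collections import Counter

# Assumed symbol alphabet: two collapsed classes for letters and digits, one for
# whitespace, one catch-all, plus every ASCII punctuation character on its own.
PUNCT = set(string.punctuation)
ALPHABET = ["ALPHA", "DIGIT", "SPACE", "OTHER"] + sorted(PUNCT)


def tokenize(text):
    """Map each character of a request value onto the assumed symbol alphabet."""
    for ch in text:
        if ch.isalpha():
            yield "ALPHA"
        elif ch.isdigit():
            yield "DIGIT"
        elif ch.isspace():
            yield "SPACE"
        elif ch in PUNCT:
            yield ch
        else:
            yield "OTHER"


class KldXssDetector:
    """Scores request values by KLD(P || Q): P is the value's own symbol
    distribution, Q the smoothed baseline learned from benign values."""

    def __init__(self, benign_samples, alpha=0.01, threshold=0.5):
        counts = Counter()
        for sample in benign_samples:
            counts.update(tokenize(sample))
        total = sum(counts.values())
        denom = total + alpha * len(ALPHABET)
        # Additive smoothing keeps Q(x) > 0 so the divergence stays finite for
        # symbols never seen in the benign baseline (they just get a tiny Q).
        self.q = {sym: (counts[sym] + alpha) / denom for sym in ALPHABET}
        self.threshold = threshold

    def kld(self, text):
        """KLD(P || Q) in nats; 0.0 for an empty value."""
        counts = Counter(tokenize(text))
        n = sum(counts.values())
        if n == 0:
            return 0.0
        return sum((c / n) * math.log((c / n) / self.q[sym])
                   for sym, c in counts.items())

    def is_attack(self, text):
        return self.kld(text) > self.threshold


# Constructed benign baseline: what a form or search parameter usually carries.
BENIGN_SAMPLES = [
    "alice", "bob smith", "search for laptops", "hello world",
    "order 12345", "john@example.com", "new york",
]

# Constructed probe values: two benign, one digit-heavy benign, one XSS payload.
PROBES = [
    "jane doe",
    "bob@example.org",
    "order 98765",
    "<script>alert(document.cookie)</script>",
]


def score_probes(detector=None):
    """Return [(value, kld, flagged)] for the constructed probe values."""
    detector = detector or KldXssDetector(BENIGN_SAMPLES)
    return [(p, detector.kld(p), detector.is_attack(p)) for p in PROBES]


if __name__ == "__main__":
    for value, score, flagged in score_probes():
        print(f"{score:6.3f}  {'ATTACK' if flagged else 'ok    '}  {value!r}")
```

With this tiny baseline the script payload scores around 1.0 nats because `<`, `>`, `/`, `(` and `)` never occur in the benign data, while "jane doe" scores about 0.1. The digit-heavy "order 98765" lands near 0.63 and is flagged at a threshold of 0.5, which is the false-positive trade-off the abstract refers to: a larger, more representative baseline and a threshold tuned on held-out benign traffic are what keep that rate low.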
