Information Theoretic XSS Attack Detection in Web Applications

Cross-Site Scripting (XSS) has been ranked among the top three vulnerabilities over the last few years. An XSS vulnerability allows an attacker to inject arbitrary JavaScript code that is executed in the victim's browser, causing unwanted behaviour and security breaches. Despite the many mitigation approaches available, XSS vulnerabilities are still widely discovered in today's web applications. As a result, there is a need to improve existing solutions and to develop novel attack detection techniques. This paper proposes a proxy-level XSS attack detection approach based on a popular information-theoretic measure, the Kullback-Leibler Divergence (KLD). The distribution of legitimate JavaScript code in an application should remain similar or very close to that of the JavaScript code present in a rendered response page; a deviation between the two can indicate an XSS attack. The paper applies a back-off smoothing technique so that the presence of malicious JavaScript code in response pages can be detected effectively. The proposed approach has been applied to a number of open-source PHP web applications containing XSS vulnerabilities. The initial results show that the approach detects XSS attacks effectively and yields a low false-positive rate when the KLD threshold values are chosen properly. Further, the performance overhead has been found to be negligible.
