Cross-site scripting (XSS) attacks and mitigation: A survey

Abstract

The results of the Cisco 2018 Annual Security Report show that all analyzed web applications have at least one vulnerability. It also shows that web attacks are becoming more frequent, targeted and sophisticated. According to this report, 40% of all attack attempts involved a method known as Cross-Site Scripting (XSS), making it the most widely used technique. In the OWASP Top 10 - 2017 ranking of security risks, this type of attack is placed at No. 7, and it is noted that XSS is present in approximately two thirds of all web applications. This attack occurs when a malicious user uses a web application to execute or send malicious code on another user's computer. In other words, Cross-Site Scripting is a type of cyber attack in which a web application is searched for vulnerabilities that allow a harmful script to be introduced. The consequences for user information range from stealing cookies and phishing to attacking a company's entire network. In this context, we have analyzed a total of 67 documents to collect information about the tools and methods that the scientific community has used to detect and mitigate this type of attack. It has been hypothesized that the trend in the proposal of traditional methods to mitigate XSS attacks is greater than the proposals that use some artificial intelligence technique. Our results show that the trend is increasing in the proposals that analyze the content of web pages (13.20%), as well as those that serve as a toolkit for web browsers (16.98%). We have also found that there is a low tendency in the use of artificial intelligence techniques to detect or mitigate this attack, using Web Classifiers (9.43%).
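The abstract describes XSS as untrusted input that a web application reflects or stores and then executes in another user's browser. The added example below is not part of the survey or of any tool it reviews; it is a small Python illustration of the standard server-side mitigation, context-aware output encoding, showing a vulnerable template beside a hardened one. The helper names (encode_html_text, encode_html_attr, encode_js_string, render_vulnerable, render_hardened, count_script_tags) and the sample input are assumptions constructed for this example.

```python
"""Context-aware output encoding for untrusted data (added example, not from the paper).

Assumptions (not from the survey): a tiny hand-written template with three
output contexts, HTML body text, an HTML attribute value, and a JavaScript
string literal, each of which needs its own encoder.
"""
import html
import json
import re

# Constructed sample of untrusted input, as an attacker-controlled profile
# name might arrive in a request parameter. It tries to break out of an
# attribute and inject a script element.
UNTRUSTED_NAME = '"><script>alert(1)</script><b x="'


def encode_html_text(value: str) -> str:
    """Encode for the HTML body/text context: &, <, >, " and ' become entities."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Encode for a double-quoted HTML attribute.

    html.escape already neutralises the quote and angle brackets; the caller
    must still place the value inside double quotes, which is done here so it
    cannot be forgotten.
    """
    return '"' + html.escape(value, quote=True) + '"'


def encode_js_string(value: str) -> str:
    """Encode for an inline JavaScript string literal.

    json.dumps quotes and backslash-escapes the value, but a literal
    '</script>' inside the JSON would still terminate the enclosing script
    block in the HTML parser, so '<' and '>' are additionally hex-escaped.
    """
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_vulnerable(name: str) -> str:
    """'Before': interpolates untrusted data directly into every context.

    This is the XSS defect; the returned markup is shown only to be measured,
    never served.
    """
    return (
        f'<p title="{name}">Hello {name}</p>\n'
        f'<script>var n = "{name}";</script>'
    )


def render_hardened(name: str) -> str:
    """'After': each interpolation uses the encoder for its own context."""
    return (
        f'<p title={encode_html_attr(name)}>Hello {encode_html_text(name)}</p>\n'
        f'<script>var n = {encode_js_string(name)};</script>'
    )


# Matches the opening or closing script tag as an HTML parser would start it.
SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def count_script_tags(markup: str) -> int:
    """Count <script> and </script> tags in the markup.

    A crude stand-in for a DOM parser, but enough to show that the hardened
    page contains only the template's own pair while the vulnerable page
    gains the injected ones.
    """
    return len(SCRIPT_TAG_RE.findall(markup))


if __name__ == "__main__":
    print("vulnerable script tags:", count_script_tags(render_vulnerable(UNTRUSTED_NAME)))
    print("hardened script tags:  ", count_script_tags(render_hardened(UNTRUSTED_NAME)))
    print(render_hardened(UNTRUSTED_NAME))
```

The point of the three encoders is that HTML entity encoding alone is not sufficient once the same value lands inside a script block: the browser's HTML parser finds the closing script tag before the JavaScript parser ever sees the string, which is why encode_js_string also replaces the angle brackets. Production code should use a templating engine that performs this context selection automatically rather than hand-written f-strings.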
