XSS Defense: An Approach for Detecting and Preventing Cross Site Scripting Attacks

Authors

  • N. Gupta, Assistant Professor, CSE Dept., Surya World, Tehsil Rajpura

Keywords:

Cross Site Scripting, Web Application Security, Web Application Attacks

Abstract

Web applications provide a wide range of services to their users in an easy and efficient manner. Over the past few years, web-based attacks have been increasing. Cross Site Scripting (XSS) is one of the major attacks found in web applications. In 2013, OWASP (Open Web Application Security Project) ranked XSS third in its list of the top 10 attacks found in web applications [11]. XSS attacks occur when an application takes untrusted data and sends it to the browser without proper validation or escaping. This can result in hijacking of user sessions, defacing of websites and redirection of users to malicious sites. This paper presents a new XSS defense approach based on the OWASP guidelines for the prevention of XSS attacks. In this approach, an XSS checker inspects each parameter of the input for unauthorized characters and blocks them on both the client side and the server side of a web application. Client-side solutions reduce the run-time overhead, while server-side solutions are more reliable, since an attack injected while the request travels from client to server can be detected only by the server-side check, at the cost of run-time overhead. A combination of both is therefore more robust: it can prevent most of the attacks while managing the run-time overhead effectively. The approach is tested on a prototype. It is found that this approach covers the major categories of XSS attacks, i.e. reflected and stored, and requires no additional frameworks.
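The following is an added example, not the paper's prototype, of the kind of per-parameter checker the abstract describes: one JavaScript module that can be shipped to the browser and required on the server, so the same check runs on both sides, with the server-side result being the one that is trusted. The set of unauthorized characters, the parameter names and the percent-decoding step are assumptions chosen to follow the OWASP HTML-escaping rule the paper builds on.

```javascript
// Added example (not from the paper). Characters treated as unauthorized in
// free-text parameters: the ones that open or close HTML tags and attributes.
// This policy is an assumption; a real deployment tunes it per parameter.
const UNAUTHORIZED = new Set(['<', '>', '"', "'"]);

// OWASP XSS Prevention Rule #1: escape these before inserting data into HTML body content.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

// Decode a raw query/form value so that %3C is seen as '<' by the checker.
// Returns null on malformed percent-encoding, which the caller treats as a violation.
function decodeParam(raw) {
  try {
    return decodeURIComponent(String(raw).replace(/\+/g, ' '));
  } catch (e) {
    return null;
  }
}

// Returns the distinct unauthorized characters present in a decoded value, in order of first appearance.
function findUnauthorizedChars(value) {
  const found = new Set();
  for (const ch of String(value)) if (UNAUTHORIZED.has(ch)) found.add(ch);
  return [...found];
}

// Output escaping for values that pass the check and are later rendered into HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'/]/g, (ch) => ESCAPES[ch]);
}

// Check every parameter of a request; block the request if any parameter violates the policy,
// otherwise return HTML-escaped copies that are safe to render in HTML body context.
function checkParameters(params) {
  const violations = {};
  const decoded = {};
  for (const [name, raw] of Object.entries(params)) {
    const value = decodeParam(raw);
    if (value === null) { violations[name] = ['malformed percent-encoding']; continue; }
    decoded[name] = value;
    const bad = findUnauthorizedChars(value);
    if (bad.length) violations[name] = bad;
  }
  const blocked = Object.keys(violations).length > 0;
  const safe = blocked ? null
    : Object.fromEntries(Object.entries(decoded).map(([n, v]) => [n, escapeHtml(v)]));
  return { blocked, violations, safe };
}

// Constructed sample request (assumed parameter names), as a server-side handler would see it.
const sampleRequest = { user: 'alice', comment: 'Tom+%26+Jerry+%3Cb%3Ehi%3C%2Fb%3E' };
console.log(JSON.stringify(checkParameters(sampleRequest)));
```

Running the same module in the browser gives the user immediate feedback and saves a round trip, but only the server-side call decides whether the request proceeds.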

References

[1] T. Jim, N. Swamy and M. Hicks, “Defending against Cross-Site Scripting Attacks with Browser-Enforced Embedded Policies,” Proc. of the WWW, Banff, Alberta, May 2007, pp. 601-610.

[2] Siddharth Tiwari, Richa Bansal, Divya Bansal, “Optimized Client Side Solution for Cross Site Scripting,” IEEE 16th International Conference on Networks, December 2008, pp. 1-4.

[3] M. T. Louw and V. N. Venkatakrishnan, “Blueprint: Robust Prevention of Cross-Site Scripting Attacks for Existing Browsers,” Proc. 30th IEEE Symp. Security and Privacy (SP 09), IEEE CS, 2009, pp. 331-346.

[4] E. Kirda et al., “Client-Side Cross-Site Scripting Protection,” Computers & Security / Proc. of 21st ACM Symposium on Applied Computing, Oct. 2009, pp. 592-604.

[5] H. Shahriar and M. Zulkernine, “MUTEC: Mutation-Based Testing of Cross Site Scripting,” Proc. 5th Int’l Workshop Software Eng. for Secure Systems (SESS 09), IEEE, 2009, pp. 47-53.

[6] P. Wurzinger, C. Platzer, C. Ludl, E. Kirda and C. Kruegel, “SWAP: Mitigating XSS Attacks using Reverse Proxy,” Proc. of the SESS, Vancouver, May 2009, pp. 33-39.

[7] S. Stamm, B. Sterne and G. Markham, “Reining in the Web with Content Security Policy,” Proc. of WWW, Raleigh, North Carolina, April 2010, pp. 921-930.

[8] R. Putthacharoen and P. Bunyatnoparat, “Protecting Cookies from Cross Site Script Attacks Using Dynamic Cookies Rewriting Technique,” Proc. of IEEE 13th International Conference on Advanced Communication Technology, Feb 2011, pp. 1090-1094.

[9] Hossain Shahriar and Mohammad Zulkernine, “S2XS2: A Server Side Approach to Automatically Detect XSS Attacks,” IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing, 2011.

[10] Takeshi Matsuda, Daiki Koizumi and Michio Sonoda, “Cross Site Scripting Attacks Detection Algorithm Based on the Appearance Position of Characters,” The 5th International Conference on Communications, Computers and Applications, Istanbul, Turkey, October 2012, pp. 65-70.

[11] Open Web Application Security Project, Top 10, https://www.owasp.org/index.php/Top_10_2013-Top_10

[12] Cross site scripting, Wikipedia, http://en.wikipedia.org/wiki/Crosssite_scripting

[13] Cross site scripting, Acunetix, http://www.acunetix.com/websitesecurity/cross-sitescripting/

[14] XSS Prevention Rules by OWASP, https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

[15] Burp Suite, http://portswigger.net/burp/

[16] Chi-square test of independence, http://stattrek.com/chi-square-test/independence.aspx

[17] http://www.unc.edu~farkouh/usefull/chi.html

Published

2024-02-26

How to Cite

Gupta, N. (2024). XSS Defense: An Approach for Detecting and Preventing Cross Site Scripting Attacks. COMPUSOFT: An International Journal of Advanced Computer Technology, 4(03), 1564–1571. Retrieved from https://ijact.in/index.php/j/article/view/272

Section

Review Article
