Cross Site Scripting
SoS Newsletter- Advanced Book Block
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. It enables attackers to inject client-side script into Web pages viewed by other users, and because that script then runs in the vulnerable site's origin, an attacker may use an XSS vulnerability to bypass access controls such as the same-origin policy. Consequences range from petty nuisance to significant security risk, depending on the value of the data handled by the vulnerable site and the nature of any mitigations implemented by the site's owner. Because XSS is a frequent method of attack, research is being conducted on methods to prevent, detect, and mitigate XSS attacks.
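Before the citations, an added illustration of the mechanism described above. The code is not taken from any of the papers listed on this page; the two rendering functions, the probe string and the marker are constructed for the example, and the base URL inside renderProfileLinkSafe is a placeholder. It shows a reflected-XSS sink beside its hardened form, why an attribute context needs more than HTML encoding, and the kind of oracle an attack-vector regression test uses to decide whether a probe reached the page unencoded.

```javascript
// Added example, not taken from any paper cited on this page.
// Shows a reflected-XSS sink next to its hardened form, and the kind of
// oracle a black-box regression test uses to decide whether a probe string
// reached the page unencoded. Sinks, probe and marker are constructed here.

// Contextual output encoding for HTML element content and quoted attribute
// values: these five characters are the ones that can close or open markup
// in those contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable sink (hypothetical): the user-supplied search term is
// concatenated straight into markup, so a term containing a tag becomes
// part of the page and any script in it runs in the site's origin.
function renderSearchVulnerable(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened sink: the same template, with the untrusted value encoded for
// the HTML text context it lands in.
function renderSearchSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Attribute context needs more than HTML encoding: a javascript: URL
// survives escapeHtml untouched, so the scheme is allow-listed as well.
// The WHATWG URL parser percent-encodes quotes and spaces that would
// otherwise break out of the attribute.
function renderProfileLinkSafe(url) {
  let u;
  try {
    u = new URL(url, 'https://example.invalid/'); // base URL is a placeholder
  } catch (e) {
    return '<a>invalid</a>';
  }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') {
    return '<a>blocked</a>';
  }
  return `<a href="${escapeHtml(u.href)}">profile</a>`;
}

// Oracle for attack-vector regression tests: the probe carries a marker
// that the application never emits on its own. If the marker comes back
// inside a tag, the probe was reflected without encoding.
function reflectedUnencoded(html, marker) {
  const tagRe = new RegExp('<[^>]*' + marker + '[^>]*>', 'i');
  return tagRe.test(html);
}

// Constructed probe: an inert custom tag rather than a working payload, so
// the check is about encoding, not about any particular browser parser.
const MARKER = 'xss-probe-7f3a1b';
const PROBE = `<${MARKER}>`;

// Run both sinks against the probe and report which one fails the check.
function checkSinks() {
  return {
    vulnerable: reflectedUnencoded(renderSearchVulnerable(PROBE), MARKER),
    safe: reflectedUnencoded(renderSearchSafe(PROBE), MARKER),
  };
}

console.log(checkSinks()); // { vulnerable: true, safe: false }
```

Run it with node. The marker-in-a-tag oracle is deliberately parser-independent; the browser-side question of which vectors a given engine actually executes is what the regression-testing work cited below addresses, and is a separate check. The link example is the caveat to keep in mind: encoding is chosen per output context, and for URL-valued attributes a scheme allow-list is needed in addition to HTML encoding.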
- Abgrall, Erwan; Traon, Yves Le; Gombault, Sylvain; Monperrus, Martin, "Empirical Investigation of the Web Browser Attack Surface under Cross-Site Scripting: An Urgent Need for Systematic Security Regression Testing," Software Testing, Verification and Validation Workshops (ICSTW), 2014 IEEE Seventh International Conference on , vol., no., pp.34,41, March 31 2014-April 4 2014. (ID#:14-1636) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6825636&isnumber=6825623 One of the major threats against web applications is Cross-Site Scripting (XSS). The final target of XSS attacks is the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have evolved to support new features. In this paper, we explore whether the evolution of web browsers is done using systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions. We use XSS attack vectors as unit test cases and we propose a new method supported by a tool to address this XSS vector testing issue. The analysis of a decade of releases of the most popular web browsers, including mobile ones, shows an urgent need for XSS regression testing. We advocate the use of a shared security testing benchmark as a good practice and propose a first set of publicly available XSS vectors as a basis to ensure that security is not sacrificed when a new version is delivered. Keywords: Browsers; HTML; Mobile communication; Payloads; Security; Testing; Vectors; XSS; browser; regression; security; testing; web
- Bozic, Josip; Wotawa, Franz, "Security Testing Based on Attack Patterns," Software Testing, Verification and Validation Workshops (ICSTW), 2014 IEEE Seventh International Conference on , vol., no., pp.4,11, March 31 2014-April 4 2014. (ID#:14-1637) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6825631&isnumber=6825623 Testing for security related issues is an important task of growing interest due to the vast amount of applications and services available over the internet. In practice, testing for security is often performed manually, with the consequence of higher costs and no integration of security testing into today's agile software development processes. In order to bring security testing into practice, many different approaches have been suggested, including fuzz testing and model-based testing approaches. Most of these approaches rely on models of the system or the application domain. In this paper we suggest formalizing attack patterns from which test cases can be generated and even executed automatically. Hence, testing for known attacks can be easily integrated into software development processes where automated testing, e.g., for daily builds, is a requirement. The approach makes use of UML state charts. Besides discussing the approach, we illustrate it using a case study. Keywords: Adaptation models; Databases; HTML; Security; Software; Testing; Unified modeling language; Attack pattern; SQL injection; UML state machine; cross-site scripting; model-based testing; security testing
- Aydin, Abdulbaki; Alkhalaf, Muath; Bultan, Tevfik, "Automated Test Generation from Vulnerability Signatures," Software Testing, Verification and Validation (ICST), 2014 IEEE Seventh International Conference on , vol., no., pp.193,202, March 31 2014-April 4 2014. (ID#:14-1638) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6823881&isnumber=6823846 Web applications need to validate and sanitize user inputs in order to avoid attacks such as Cross Site Scripting (XSS) and SQL Injection. Writing string manipulation code for input validation and sanitization is an error-prone process leading to many vulnerabilities in real-world web applications. Automata-based static string analysis techniques can be used to automatically compute vulnerability signatures (represented as automata) that characterize all the inputs that can exploit a vulnerability. However, there are several factors that limit the applicability of static string analysis techniques in general: 1) the undecidability of static string analysis requires the use of approximations, leading to false positives, 2) static string analysis tools do not handle all string operations, 3) the dynamic nature of scripting languages makes static analysis difficult. In this paper, we show that vulnerability signatures computed for deliberately insecure web applications (developed for demonstrating different types of vulnerabilities) can be used to generate test cases for other applications. Given a vulnerability signature represented as an automaton, we present algorithms for test case generation based on state, transition, and path coverage. These automatically generated test cases can be used to test applications that are not analyzable statically, and to discover attack strings that demonstrate how the vulnerabilities can be exploited. Keywords: automata-based test generation; string analysis; validation and sanitization; vulnerability signatures
- Erwan Abgrall, Yves Le Traon, Sylvain Gombault, Martin Monperrus, "Empirical Investigation of the Web Browser Attack Surface under Cross-Site Scripting: An Urgent Need for Systematic Security Regression Testing," ICSTW '14 Proceedings of the 2014 IEEE International Conference on Software Testing, Verification, and Validation Workshops, March 2014, (pages 34-41). (ID#:14-1639) Available at: http://dl.acm.org/citation.cfm?id=2624300.2624420&coll=DL&dl=GUIDE&CFID=479068957&CFTOKEN=54071302 This publication identifies Cross-Site Scripting (XSS) as a significant threat to web applications. The authors discuss the evolution of several web browsers (IE, Netscape, Chrome, Firefox) and attempt to determine whether systematic security regression testing was used along the way. The browsers are evaluated on their current exposure to XSS, followed by an assessment of a decade of releases using XSS attack vectors as unit test cases. Results indicate that XSS regression testing should be applied immediately to popular web browsers, including mobile browsers. The authors strongly recommend regular use of a shared security testing benchmark, and publish a baseline set of XSS vectors for public use.
- Ben Stock, Martin Johns, "Protecting Users Against XSS-Based Password Manager Abuse," ASIA CCS '14 Proceedings of the 9th ACM Symposium On Information, Computer And Communications Security, June 2014, (Pages 183-194). (ID#:14-1640) Available at: http://dl.acm.org/citation.cfm?id=2590296.2590336&coll=DL&dl=GUIDE&CFID=479068957&CFTOKEN=54071302 This paper highlights a security concern with browser password managers. Intended to alleviate the tedium of password authentication, password managers automatically fill previously entered passwords into web pages. Because the password is inserted into the form field in clear text, a Cross-Site Scripting payload running in the page can read it with JavaScript, which turns an XSS bug into a credential theft. The paper surveys the characteristics of password fields and the autofill behaviour of current password managers, and the authors present an alternative password manager architecture that defends against the identified attacks.
- M. I. P. Salas, E. Martins, "Security Testing Methodology for Vulnerabilities Detection of XSS in Web Services and WS-Security," Electronic Notes in Theoretical Computer Science (ENTCS) archive Volume 302, February, 2014, (Pages 133-154). (ID#:14-1641) Available at: http://dl.acm.org/citation.cfm?id=2583134.2583367&coll=DL&dl=GUIDE&CFID=479068957&CFTOKEN=54071302 The authors of this paper highlight the vulnerability of existing Web services to Cross-Site Scripting (XSS) attacks. To improve XSS vulnerability detection, they propose combining penetration testing with fault injection to simulate XSS attacks against the service. The methodology also covers services protected by WS-Security (WSS) and security tokens, which identify the sender and enable legitimate access control over the communication exchange. Results indicate that WSInject, the fault injection tool used in the evaluation, can successfully detect XSS vulnerabilities.
- Fabien Duchene, Sanjay Rawat, Jean-Luc Richier, Roland Groz, "KameleonFuzz: Evolutionary Fuzzing For Black-Box XSS Detection," CODASPY '14 Proceedings of the 4th ACM conference on Data and Application Security And Privacy, March 2014, (Pages 37-48). (ID#:14-1642) Available at: http://dl.acm.org/citation.cfm?id=2557547.2557550&coll=DL&dl=GUIDE&CFID=479068957&CFTOKEN=54071302 This paper addresses fuzz testing, the automated generation and submission of malformed inputs to a web application so that a vulnerability or bug may be discovered. The authors propose KameleonFuzz, a black-box Cross-Site Scripting (XSS) fuzzer for web applications that evolves malicious inputs and, for each one, reports how close it comes to exposing a vulnerability. A double taint inference lets the fuzzer determine whether an exploitation attempt succeeded or failed.
Note:
Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to SoS.Project (at) SecureDataBank.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.