Biblio

Cross-site scripting (XSS) attack is a kind of code injection that allows an attacker to inject malicious scripts code into a trusted web application. When a user tries to request the injected web page, he is not aware that the malicious script code might be affecting his computer. Nowadays, attackers are targeting the web applications that holding a sensitive data (e.g., bank transaction, e-mails, healthcare, and e-banking) to steal users' information and gain full access to the data which make the web applications to be more vulnerable. In this research, we applied three approaches to find a solution to this most challenging attacks issues. In the first approach, we implemented Random Forest (RF), Logistic Regression (LR), k-Nearest Neighbors (k-NN), and Support Vector Machine (SVM) algorithms to discover and classify XSS attack. In the second approach, we implemented the Content Security Policy (CSP) approach to detect XSS attacks in real-time. In the last approach, we propose a new approach that combines the Web Application Firewall (WAF), Intrusion Detection System (IDS), and Intrusion Prevention System (IPS) to detect and prevent XSS attack in real-time. Our experiment results demonstrated the high performance of AI algorithms. The CSP approach shows the results for the detection system report in real-time. In the third approach, we got more expected system results that make our third model system a more powerful tool to address this research problem than the other two approaches.

Considering the amount of time we spend on the internet, web pages have evolved over a period of time with rapid progression and momentum. With such advancement, we find ourselves fronting a few hostile ideologies, breaching the security levels of webpages as such. The most hazardous of them all is XSS, known as Cross-Site Scripting, is one of the attacks which frequently occur in website-based applications. Cross-Site Scripting (XSS) attacks happen when malicious data enters a web application through an untrusted source. The spam attacks happen in the form of Wall posts, News feed, Message spam and mostly when a user is open to download content of webpages. This paper investigates the use of machine learning to build classifiers to allow the detection of XSS. Establishing our approach, we target the detection modus operandi of XSS attack via two features: URLs and JavaScript. To predict the level of XSS threat, we will be using four machine learning algorithms (SVM, KNN, Random forest and Logistic Regression). Proposing these classified algorithms, webpages will be branded as malicious or benign. After assessing and calculating the dataset features, we concluded that the Random Forest Classifier performed most accurately with the lowest False Positive Rate of 0.34. This precision will ensure a method much efficient to evaluate threatening XSS for the smooth functioning of the system.

This paper studies the principle of vulnerability generation and mechanism of cross-site scripting attack, designs a dynamic cross-site scripting vulnerabilities detection technique based on existing theories of black box vulnerabilities detection. The dynamic detection process contains five steps: crawler, feature construct, attacks simulation, results detection and report generation. Crawling strategy in crawler module and constructing algorithm in feature construct module are key points of this detection process. Finally, according to the detection technique proposed in this paper, a detection tool is accomplished in Linux using python language to detect web applications. Experiments were launched to verify the results and compare with the test results of other existing tools, analyze the usability, advantages and disadvantages of the detection method above, confirm the feasibility of applying dynamic detection technique to cross-site scripting vulnerabilities detection.

The root cause of cross-site scripting(XSS) attack is that the JavaScript engine can't distinguish between the JavaScript code in Web application and the JavaScript code injected by attackers. Moving Target Defense (MTD) is a novel technique that aim to defeat attacks by frequently changing the system configuration so that attackers can't catch the status of the system. This paper describes the design and implement of a XSS defense method based on Moving Target Defense technology. This method adds a random attribute to each unsafe element in Web application to distinguish between the JavaScript code in Web application and the JavaScript code injected by attackers and uses a security check function to verify the random attribute, if there is no random attribute or the random attribute value is not correct in a HTML (Hypertext Markup Language) element, the execution of JavaScript code will be prevented. The experiment results show that the method can effectively prevent XSS attacks and have little impact on the system performance.

The advent of HTML 5 revives the life of cross-site scripting attack (XSS) in the web. Cross Document Messaging, Local Storage, Attribute Abuse, Input Validation, Inline Multimedia and SVG emerge as likely targets for serious threats. Introduction of various new tags and attributes can be potentially manipulated to exploit the data on a dynamic website. The XSS attack manages to retain a spot in all the OWASP Top 10 security risks released over the past decade and placed in the seventh spot in OWASP Top 10 of 2017. It is known that XSS attempts to execute scripts with untrusted data without proper validation between websites. XSS executes scripts in the victim's browser which can hijack user sessions, deface websites, or redirect the user to the malicious site. This paper focuses on the development of a browser extension for the popular Google Chromium browser that keeps track of various attack vectors. These vectors primarily include tags and attributes of HTML 5 that may be used maliciously. The developed plugin alerts users whenever a possibility of XSS attack is discovered when a user accesses a particular website.

In many client-facing applications, a vulnerability in any part can compromise the entire application. This paper describes the design and implementation of Passe, a system that protects a data store from unintended data leaks and unauthorized writes even in the face of application compromise. Passe automatically splits (previously shared-memory-space) applications into sandboxed processes. Passe limits communication between those components and the types of accesses each component can make to shared storage, such as a backend database. In order to limit components to their least privilege, Passe uses dynamic analysis on developer-supplied end-to-end test cases to learn data and control-flow relationships between database queries and previous query results, and it then strongly enforces those relationships. Our prototype of Passe acts as a drop-in replacement for the Django web framework. By running eleven unmodified, off-the-shelf applications in Passe, we demonstrate its ability to provide strong security guarantees-Passe correctly enforced 96% of the applications' policies-with little additional overhead. Additionally, in the web-specific setting of the prototype, we also mitigate the cross-component effects of cross-site scripting (XSS) attacks by combining browser HTML5 sandboxing techniques with our automatic component separation.