Designing a XSS Defensive ... - researchers.mq.edu.au

DOI: 10.4018/JOEUC.2020100105

Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020

Copyright©2020,IGIGlobal.CopyingordistributinginprintorelectronicformswithoutwrittenpermissionofIGIGlobalisprohibited.

85

Designing a XSS Defensive Framework for Web Servers Deployed in the Existing Smart City InfrastructureBrij B. Gupta, National Institute of Technology, Kurukshetra, India & Asia University, Taiwan & Macquarie University, Australia

Pooja Chaudhary, National Institute of Technology, Kurukshetra, India

https://orcid.org/0000-0003-0766-0530

Shashank Gupta, Birla Institute of Technology and Science, Pilani, India

ABSTRACT

Cross-sitescriptingisoneofthenotableexceptionseffectingalmosteverywebapplication.Hence,thisarticleproposedaframeworktonegatetheimpactoftheXSSattackonwebserversdeployedinoneof themajor applicationsof the InternetofThings (IoT) i.e. the smart city environment.Theproposedframeworkimplements2approaches:first,itexecutesvulnerableflowtrackingforfilteringinjectedmaliciousscriptingcodeindynamicwebpages.Second,itaccomplishedtrustedremarkgenerationandvalidationforunveilinganysuspiciousactivityinstaticwebpages.Finally,thefilteredandmodifiedwebpageisinterfacedtotheuser.Theprototypeoftheframeworkhasbeenevaluatedonasuiteofreal-worldwebapplicationstodetectXSSattackmitigationcapability.TheperformanceanalysisoftheframeworkhasrevealedthatthisframeworkrecognizestheXSSwormswithverylowfalsepositives,falsenegativesandacceptableperformanceoverheadascomparedtoexistentXSSdefensivemethodologies.

KEyWORDSSmart City Cyber Security, Trusted Remark Statement Injection, Untrusted Javascript Code, XSS Attack

1. INTRODUCTION

Urbanizationandmigrationrequireglobaldevelopmentofeconomic,social,institutionalandphysicalinfrastructure.Consequently,itputspressureonthecity’sorganizationasrequestforresourceslikeeducation,healthcare,transportation,government,andsafetyexceedtheiravailability.Toovercometheseissues,citiesarefocusingontheutilizationoftechnologyi.e.becoming‘smart’.Smartcities(Ferraz&Ferraz,2014;Seth,2013)are thecities thatharness InformationandCommunicationTechnologytoautomateandenhanceservicesforimprovingthelivingstandardoftheircitizensandattainsustainabledevelopment.Thisconceptof“smartcities”istheoutcomeofthenewcomputingparadigm,thatis,InternetofThings.Internethasbeenrisenuptothelevelwhereeverythingnearbyusisconnectedandturnsouttobepartofsomeformofnetwork.Informally,wecandefineIoTasanetworkformedbydevicescapableofgenerating,sendingandreceivinginformationrelatedtoanybusiness,accessesbyanyperson,anytimeirrespectiveofthegeographicallocation.Technologyshouldbeusedtomakecitiessmartintermsoftheservicesprovidedsuchassmarttrafficcontrol,

Thisarticle,originallypublishedunderIGIGlobal’scopyrightonOctober1,2020willproceedwithpublicationasanOpenAccessarticlestartingonJanuary21,2021inthegoldOpenAccessjournal,JournalofOrganizationalandEndUserComputing(convertedtogoldOpen

AccessJanuary1,2021),andwillbedistributedunderthetermsoftheCreativeCommonsAttributionLicense(http://creativecommons.org/licenses/by/4.0/)whichpermitsunrestricteduse,distribution,andproductioninanymedium,providedtheauthoroftheoriginalworkand

originalpublicationsourceareproperlycredited.

https://orcid.org/0000-0003-0766-0530


86

smartparking,smarthealth-care,smart transportation,smartcitymanagementsystemlikewastemanagement,watermanagement,SmartStreetlightingandsoon(Hossain&Shamim,2018;Li,&Daming,2019).Therefore,inanutshell,smartcitymeanseverythingisembeddedwithsensorstoenablethemtointeractwiththeenvironment.SmartcitiescompriseofsomeofthemaincomponentsasillustratedinFigure1.Indeed,smartcityconcepthasgivenanewdirectionfornation’sgrowth;nevertheless,fortheexchangeofthedata,itutilizesserverinfrastructurewhichbringssomemajorchallenges also. Cyber security is the biggest challenge because people share large amount ofinformationcomprisingpersonalandprofessionalovertheInternet(Li,Jianzhong,2018;Almomani,Ammar,2013;Parada,Raúl,2018;Drennan,Judy,2019).Therearenumerouscyber-attacksthathavecontaminatedwebapplication.

Figure2showsdetailedarchitectureofthesmartcityandalsoshowswhattypeofattacksarelaunchedatwhichlayerinthearchitectureofsmartcity.ItmayincludeDDOS,phishing,XSS,SQLinjection,spammingetc.CodeinjectionvulnerabilitiesarethemostcommonanddangerousthreatonInternet.ItincludesCross-SiteScripting(XSS)(Chaudhary,Gupta,&Gupta,2019;Gupta&Gupta,2016a,2016b,2018b),SQLinjection,etc.XSSattack(Chaudhary,Gupta,&Gupta,2016;)isatypeofcodeinjectionattackinwhichadversaryinjectsmaliciousscriptcodeintothesourceprogramofthewebapplication,triggersmaliciousactionslikecookiestealing,sessionhijacking,dis-informationandsoon.Itcovers3types:PersistentXSS(Gupta&Gupta,2018d,2018e,2018f),

Figure 1. Smart city components


87

ReflectedXSS(Guptaetal.2017a,2018c)andDocumentObjectModel(DOM)basedXSSattack(Gupta,Gupta,&Chaudhary,2018a).

NumerousXSSdefensivesolutionshavebeenproposedbytheresearchersfordetectingandalleviatingtheeffectofXSSvulnerabilitiesfromthedifferentplatformsofWebapplications.XSSFilt(Pelizzi&Sekar,2012),aclient-sideXSSfiltercoulddiscovernon-persistentXSSvulnerabilities.ThisfilteridentifiesandthwartsportionsofaddressURLfromgivinganappearanceinwebpage.Thisfiltercouldalsodiscoverpartialscriptinsertions.XSSAuditor(Bates,Barth,&Jackson,2010)isafilterthatrealizesequallyextraordinaryperformanceaswellashighaccuracyviajammingscriptsfollowingtheHTMLparsingandpriortoexecution.Thefiltercansimplyspotthecomponentsoftheresponsewhichareconsideredasascript.BIXSAN(Chandra&Selvakumar,2011)comprisesofJavaScriptDetector,whichdiscoverstheexistenceofJavaScript,anHTMLparsetreeproducerwhichisusedtodiminishtheinconsistentperformanceofwebbrowserandfortherecognitionofstaticscripttagsforpermittinglegitimateHTMLsourcecode.ScriptGard(Saxena,Molnar,&Livshits,2011)isacomplementarytechniquethatpresumesthecollectionofaccuratesanitizersandinjectsthemtomatchtheparsingcontextofwebbrowser.

Anautomatedtechniqueproposedby(Livshits&Chong,2013)ofsanitizerplacementbystaticallyanalyzingthestreamofinfecteddataintheprogram.However,placementofsanitizerisstaticandsometimes changes to dynamicwherever required. JSand (Agten et al., 2012) is a server-drivenJavaScript-basedsandboxingsupport,whichimplementsaserver-specificpolicyontheinjectedscriptswithnorequirementoffilteringormodificationofscripts.Thetechniquefacilitatesthedeveloperofawebsitetosafelyincorporatethird-partyscripts,withnorequirementofdisorderlyalterationstobothclientandserver-sideinfrastructure.XSS-Guard(Bisht&Venkatakrishnan,2008)isatechniquethatdetectsthecollectionofscriptsthatawebapplicationintendstocreateforanyHTMLwebrequest.Thetechniquecreatesashadowwebpagetolearnthewebapplication’sintentforeveryHTTPwebresponse,includingthelegitimateandexpectedscripts.Anydivergencebetweentherealgenerated

Figure 2. Architecture of smart city with possible threats


88

webpageandtheshadowwebpagepointstowardsthepossiblescriptinclusions.However,mainissuewiththeseexistingtechniquesisthattheycannotsolvetheproblemofisolatingexecutableuntrustedJavaScriptcodefromtheremainingdataofHTMLwebpage.Moreover,thesearenotabletoeffectivelymakedistinguishbetweenvalidandinjectedJavaScriptcodeinthewebpage.SomeoftheexistingtechniquesdemandsmajoralterationsintheexistinginfrastructureofWebapplications.

1.1. Key ContributionsOnthebasisoftheseissues,authorshavedesignedaframeworkbasedonvulnerableflowanalysisand injection of trusted Remark statements in the web page. At the server-side, our frameworkperforms2mainfunctions:classificationofresponsewebpageintostaticanddynamicwebpage;andinjectionoftrustedremarksstatementsatthebordersofvalidJavaScriptcodepresentinthewebpage.TheseremarkshelpindifferentiatingmaliciousJavaScriptfromthevalidJavaScriptasitincludesfeaturesofvalidJavaScriptintheformofprotocolswithrandomlygeneratednonce.TheseprotocolsformthebasisofcomparisonbetweenJavaScriptcodestodetectXSSattack.Attheclient-side,itdetectstheXSSattackbyapplyingdifferenttechniquesforstaticanddynamicwebpage.Forstaticresponse,it,firstly,extractsscriptsandthenmakeacomparisonwiththeremark.Ifvarianceisfoundthen,itindicatesXSSattack.Fordynamicresponse,initially,itidentifiesvulnerablesourcebycompletingvulnerableflowanalysis.Then, itdeterminesthecontextof thismalicioussourcefollowedbyapplyingfilteringonitwiththehelpoffilteringAPIs.Finally,modifiedresponsewebpageisdisplayedtotheuser.

1.2. Outline of this PaperTherestofthepaperisorganizedasfollows:Insection2,wehaveintroducedourworkindetail.Implementationandevaluationofourworkarediscussedinsection3.Finally,section4concludesourworkanddiscussesfurtherscopeofwork.

2. PROPOSED WORK

ThispaperpresentsahybriddefensiveframeworktoprotecttheInternetusersfromXSSattack,insmartcityenvironment.Theserver-sideframework,initially,explorestherequestedwebapplicationtoextractallthewebpagesofthatwebapplication.Then,itstaticallyanalyzesthecontentofthewebpageandclassifiestheminto2types:dynamicwebpageandstaticwebpage,dependingonthepresenceofinputfieldinthewebpage,respectively.Furthermore,itreturnsthedynamicwebpagetothebrowserandinjectsremarkstatementsat thebeginningandendingofthevalidJavaScriptcodepresentinthestaticwebpage.ThisisdonetoensuretheproperdiscriminationbetweenvalidandmaliciousJavaScriptcode.Theclient-sideframeworkdynamicallyexecutesthetainttrackingtoidentifythepartofthemaliciousinjectedstringusedinthesensitivefunctionsinthesourcecodeofthedynamicwebpage.Then,itsubstitutesthetaintedstringvaluewiththetestingattackvectortoexploitXSSvulnerability.Ifattackissuccessfulthen,itfilteredoutthetaintedsourcewiththefilteringAPIs.Inaddition,itchecksforthevalidityofremarksstatementinthestaticwebpagetodetectXSSattack.Thenextsub-sectiondiscussestheabstractoverviewofourframework.

2.1. Abstract Design View of the FrameworkTheproposedframeworkworksinfourmainphases:1)staticallyclassifiesthewebpagesofthewebapplication;2)generatesremarkstatementscomprisingrandomlygeneratednoncesandfeaturesofvalidJavaScriptcodeblock;3)checksforthevalidityofinjectedremarkstatements,attheclient-side,todetectXSSattack.;4)dynamicallyperformsthetaintanalysisandperformsthefilteringonthetaintedstringvaluewiththefilteringAPIs.Figure3elaboratestheabstractdesignoverviewofourframework.


89

ThisframeworkalleviatesthepropagationofXSSwormbyperformingtwomainmechanisms:dynamictaintanalysisandremarkstatementsinjectionandvalidation.Payloadtesteraccomplishestheclassificationofwebpagesintodynamicandstaticwebpages.Hereinafter,dynamicwebpageundergoestaintanalysisprocedurewiththehelpofvulnerableflowidentificationcomponent.ExploitgeneratorcomponentisusedtoidentifysuspiciouswebpagewiththehelpofinsertingtestingattackpayloadatthetaintsourcelocationandlaunchtheXSSattack.Ifattackissuccessfulthen,itfiltersthemaliciousstringvalue.Otherwise,dynamicwebpageisfreefromXSSattack.StaticwebpagesareexaminedfortheidentificationofmaliciousinjectedJavaScriptcode.ThisisdonebyinjectingremarkstatementsattheborderofthevalidJavaScriptcodeblock.Remarkvariancedetectorseizesthewebpageand implementsanumberof tests todetectXSSattack.Firstly, it identifies ifanyJavaScriptcodeblockwithoutremarkstatementispresentornot.Ifpresentthen,itisconsideredasinjectedcodeandremovedfromtheresponse.Otherwise,ittestsforthevalidityofremarkstatementscomprisingrandomnonceandfeaturesofvalidJavaScriptcode.Ifanonceisincorrectthen,itisdeclaredasinjectedcode.Otherwise,itmatchesthesuspectedfeaturesofJavaScriptcodewiththefeaturesincludedintheremarkstatements.Ifanydeviationisfoundthen,itisconsideredasinjected.Finally,itchecksforthepresenceofanyduplicateremarkstatementstoidentifyremarkstatementsinsertedbytheattacker.IfitidentifiesthepresenceoftheinjectedJavaScriptcodeintheresponsethen,itisremovedfromtheresponsewebpagealongwiththeinjectedremarkstatements.Figure4highlightsthedetailedworkingprocedureofourframeworkintheformofflowchart.Hereinafter,thenextsub-sectionhighlightsthedetailedillustrationofourframework.

2.2. Detailed Design View of the Proposed FrameworkThis section furnishes thecomprehensivearchitecturaldetailofourhybrid framework.Figure5shows thedetaileddesignoverviewofourclient-serverXSSdefensive framework.Theoutlinedframeworkexecutesinfourhigh-levelphases:1)ClassificationofHTTPresponsewebpages;2)Remarkgeneration;3)Remarkvalidation;4)Exploitationandfilteringphase.

2.2.1 Classification of HTTP Response Web PageThekeygoaloftheserver-sideimplementationistoefficientlyclassifythegeneratedHTTPresponsewebpageandinsertremarkstatementsatthebordersoftheJavaScriptcode.Thekeycomponentswhichimplementtheseoperationsare:InternalWebpageTracing,Webpageretrieval,Payloadtester.2.2.1.1 Internal Web Page Tracing

Figure 3. Abstract design overview of client-server framework


90

Itisaserver-sidecomponentthatimplementsscanningofthewebpagetoextractallthewebpagesoftherequestedwebapplicationandsavethemforthelaterprocessing.OncethecliententerstherequestedURL then, it inevitably crawls thewebapplicationwith thehelpof a selenium-basedcrawler.Initially,ituprootsalltheinternalandexternalURIlinksfromtheresponsewebpageandthenmakesarequesttoretrieveallwebpagesfromtheserver.

Figure 4. Flow chart of our proposed framework


91

2.2.1.2. Web Page RetrievalItisaserver-sidecomponentwhichisresponsiblefortheextractionofrequestedwebpageofthewebapplication.Thiscomponentreceivesthelogprovidedbytheinternalwebpagetracingcomponentasitsinput.Then,itcheckstherequestedURLtoidentifythespecifiedwebpageofwebapplicationasrequestedbytheuser.Finally,itextractsthewebpagefromthelogandsuppliedittotheothercomponentforlaterprocessing.2.2.1.3. Payload TesterItsmainaimistoclassifythewebpageintotwocategories:dynamicwebpageandstaticwebpage.2.2.1.3.1. Dynamic Web PageWebpagewhichcontainsanytypeofinputfieldsuchassearchbox,commentbox,formfieldsandsoon.Payloadtesterhasclassifiedthesewebpagesasdynamicbecauseusercanenteruntrustedinputvalueintotheinputfield.Forinstance,webapplicationdemandingusertofillaformregardingpersonalinformationviaawebpage.

Figure 5. Comprehensive design overview of our proposed framework


92

2.2.1.3.2. Static Web PageStaticwebpagesarethewebpageswhicharereadonly.Itdoesnotcontainanyinputfieldtoreceiveuserinput.Forinstance,webpagecontainingaproductspecification.

Iftherequestedwebpagefallsunderthecategoryofdynamicwebpagethen,itisreturnedtotheclientforfurtherprocessing.Otherwise,staticwebpagesareforwardedtothetrustedremarkgenerationcomponentforlaterprocessing.

2.2.2. Remark Generation PhaseThisisthesecondphasewhichreceivesstaticwebpage.ThekeymottoofthisphaseistogeneratethetrustedremarkstatementthatistobeinjectedatthebeginningandendingofthevalidJavaScriptcodeblock.Thisisdonetoensurethatatthetimeofexecutionattheclient-side,browserisabletodistinguishbetweenlegitimateandmaliciousJavaScriptcodeinjectedbytheattacker.Toaccomplishthis,firstly,weuprootallthelegitimateJavaScriptcodeembeddedinthewebpage.Then,itanalyzeseachJavaScriptcodetofindouttheuniquefeaturesandembedthemintheprotocol.TheseprotocolsareinjectedintotheresponsewebpageatthestartingandendingofthevalidJavaScriptcodeblockintheencryptedform.Thekeymoduleswhichperformthisfunctionalityare:TrustedRemarkgenerationandencoding.Thesearedescribedbelow:2.2.2.1. Trusted Remarks GenerationThetrustedremarkstatementcomprisesofarandomlygeneratednonceandextractedfeaturesofthevalid JavaScript codeembedded in the staticwebpage.These featuresarewrapped into theprotocolsanditinjectstheseprotocolsintheremarksstatementforexecutiontimecheckingattheclient-side.Thismodulecomprisesthefollowingkeycomponents:ScriptExtractor,featureIdentifierandProtocolGeneration.2.2.2.1.1. Script ExtractorItisaserver-sidecomponentwhichperformstwomainfunctionalities:first,extractionoflegitimateJavaScriptcodeembeddedinthestaticwebpage.Second,injectionofinitialremarkstatementsatthestartingandendingofextractedJavaScriptcodeblock.Toaccomplishitsfirsttask,itutilizesHTMLparseri.e.HtmlUnit[34],toparsewebpageandextractJavaScriptcodeandstoretheminaseparatelog.Tocompleteitssecondtask,itinsertstheinitialremarkstatement(comprisesofrandomlygeneratednonce)intheextractedJavaScriptcode.Toachievethis,itmodifiesthelocationsinthesourcecodeofthewebpagewhereJavaScriptcodeispresent.Then,itstoresthemodifiedcodeintotheoriginalsourcecodeofthewebpage.Here,authorshaveexamine5caseswhereJavaScriptcodemaybepresentinthewebpage:1)inlinescripts;2)scriptsinclusionviaremotesourcefile;3)scriptsinclusionvialocalexternalsourcefile;4)scriptsinclusionviaeventhandlingcode;5)scriptinclusionviaURLattributevalue.Table1explainthesecasesandalsoshowhowitinjectstheremarkstatementsinitsinitialstage.Firstexample,showsainlinescriptinclusionwithmethodnamedasdocuments.cookie(“ABC”).ItinjectsremarkstatementatthestartingandendingoftheJavaScriptcodeblock.Initially,remarkstatementscompriseofarandomlygeneratednonce(a32-bitnumber)as/*N1*/.RemotelyaccessibleJavaScriptfilecannotbemodified;therefore,itinjectsremarkstatementwith<script>tagtoconvertthemintoinlinescriptcode(example2).JavaScriptcodeincludedinthelocalexternalfileishandledseparately.So,noremarkstatementwillbeinjectedforthem(example5).Thiswillreducetheoverheadofinjectingremarkstatements.2.2.2.1.2. Feature IdentifierItisaserver-sidecomponentwhichreceivesextractedJavaScriptcodelogasitsinput.Theaimofthiscomponentistoanalyzeeachscriptinthelogtoidentifytheuniquefeatures.Theseidentifiedfeaturesarethenusedfortheprotocolgeneration.ToinjectmaliciousJavaScriptcode,attackereither


93

modifiestheJavaScriptfunctiondefinitionwrittenbytheprogrammerorinjectsafunctioncalltomaliciouslywrittenfunction.Forinstance,considerthecodesnippetasshownbelow:<input type=”text” name= “username” value=”<%request.getParameter(“U_name”)%>”>

Here,nofilteringmechanismisappliedontheusernamebeforeitisusedintheresponsewebpage.Thus, thisfield isvulnerable to theXSSattack.Suppose,anadversary injectsamaliciousfunction as: <script>alert(“document.cookie”);</script>. Therefore, the original code becomes<input type=”text” name= “username” value=”<script>alert(“document.cookie”);</script>”>.Consequently,whenbrowserrendersthisresponsethenattackergetscookieinformationoftheuser.Therefore,functioncallandfunctiondefinitionpatternsareextractedoutfromthevalidJavaScriptcode,asitsuniquefeature.Table2illustratessomeoftheexamplesrelatedtotheprobablefeaturesofthevalidJavaScriptcodeincludingfunctioncallandfunctiondefinitionfeatures.Forexample,firstexampledescribestheinbuiltfunctioncallasMath.pow(4,5),werepresenttheprobablefeaturesas{pow,2,4,5}.Itmeansfunction‘pow’has2parameters4,5.Similarlyotherexamplesareshown.2.2.2.1.3. Protocol GenerationIt is a server-side component which is responsible for the encapsulation of extracted JavaScriptfeatures inprotocol.Theseprotocolsare thenincludedin the initial remarkstatement.This is toensure that legitimateJavaScriptpresent in theresponsewebpagecanbeproperlydistinguishedfromtheinjectedJavaScriptcodebycomparingtheirfeatureswithonesstoredinprotocol.Table3describesthescriptcode,protocolgenerationandremarkgeneration.ProtocolsarestoredbyusingProtocolID,type,nameandparamcount.Accordingtothenumberofparameters,paramfieldstorestheactualparameters.ModifiedremarksstatementcomprisesanonceandprotocolIDas/*N1,1*/.Infunctioncalltype,insteadofparamcount,weuseargcountandargfields.

2.2.2.2. EncodingThisisthelastworkingcomponentattheserver-sideofourframeworkwhichpreservestheintegrityoftheremarksstatementi.e.protocol.Ifrawformofremarkisexposedtobrowserthen,itmightbepossiblethatanattackermodifiestheprotocolssothatitreflectsfeaturessimilartolegitimateonebutactuallyaremalicious.Toaddressthisproblem,wetransformprotocolsintoencodedformatand

Table 1. JavaScript code with initial remark statement injected with different source type

Source type

Code instance Code with initial remarks

Inline <script>document.write(“ABC”);</script>

<script>/*N1*/document.write(“ABC”);/*N1*/</script>

Scriptcall(remotesite)

<scriptsrc=“http//www.example.com/exm.js”></script>

<script>/*N1*/</script><scriptsrc=“http//www.example.com/exm.js”></script><script>/*N1*/</script>

EventHandling

<bodyonLoad=“alert(“ABC”);”>…..</body> <bodyonLoad=/*N1*/alert(“ABC”);”/*N1*/>…</body>

URLpropertyvalue

<ahref=“javascript:window.alert(“ABC”)”> <ahref=/*N1*/javascript:window.alert(“ABC”)/*N1*/>

Externalscriptinjection

<scriptsrc=“external.js”></script> <scriptsrc=external.js></script>


94

thenembedthemintoremarkstatement.ItusesBase64encodingrepresentationtoachieveourgoal.Itstoresallencodedprotocolsinjectedinremarkstatementintoarepositoryforprocessingattheclient-side.Theseprotocolsaredecodedattheclient-sidebeforecomparisonoffeatures.

Allthe,aforementioned,phasesareimplementedattheserver-side.Intheentireprocessattheserver-side,initially,weclassifytheresponsewebpageintodynamicandstaticwebpage.Ifwebpageiscategorizedasdynamicwebpagethenitisforwardedattheclient-side.Otherwise,staticwebpageundergoestrustedremarkstatementinjectionprocess.Then,modifiedstaticwebpageisreturnedtotheuser.

2.2.3. Remark Validation PhaseHeretofore,ourproposedframeworkhaseffectivelyclassifiedresponsewebpageandinjecttrustedremarkstatementintostaticwebpage.Inthisphase,weperformtheanalysisofthestaticwebpagetodetectinjectedJavaScriptcodefortheidentificationofXSSattack.Thisphaseisaccountablefor

Table 2. Extracted probable features of the valid JavaScript code

Type Example Probable features

Inbuiltfunctioncall Math.pow(4,5) {pow,2,4,5}

Userdefinedfunctioncall

functionactive(a,b,c){..}; {active,3,a,b}

Nestedmethodcall(userdefined)

pro(3,pro(6,7)) {pro,2,3,{pro,2,6,7}}

Nestedmethodcall(inbuilt)

Math.pow(2,Math.min(3,4)) {pow,2,2,{min,2,3,4}}

Anonymousfunctioncall

varX=pro(a,b){…}; {X,2,a,b}

Hostobjectmethodcall

VarID=document.getElementByName(“value”);ID.innerHTML=“helloworld”;

{document.getElementByName,1,value}

Table 3. Protocol generation with modified remark statement

Script code Protocol generation Modified remarks

<script>varx=product(2,3);</script>

<protocolID>1</protocolID><type>def</type><name>product</name><paramcount>2</paramcount><param>2</param><param>3</param>

<script>/*N1,1*/varx=product(2,3)/*N1,1*/</script>

<bodyonLoad=“active(a,b)”>…</body>

<protocolID>2</protocolID><type>call</type><name>active</name><argcount>2</argcount><arg>a</arg><arg>b</arg>

<bodyonLoad=/*N2,2*/“active(a,b)”/*N2,2*/>..</body>

<ahref=“javascript:window.alert(document.cookie)”>

<protocolID>3</protocolID><type>call</type><name>window.alert</name><argcount>1</argcount><arg>document.cookie</arg>

<ahref=/*N3,3*/“javascript:window.alert(document.cookie)”/*N3,3*/>


95

theauthenticationoftheremarkstatement.Thekeycomponentstoaccomplishthistaskare:Parser,Scriptseparation,Decoding,andRemarkVarianceDetector.2.2.3.1. ParserItistheclient-sidecomponentwhichreceivesthestaticwebpagewiththeremarkstatement.ItisresponsibleforconstructionoftheParsedTree(PT)correspondingtothatwebpage.Itistoensurethatthebrowserrendersthewebpagecorrectly.Forinstance,considerthefollowingcodesnippetas shown in listing 1. In the above example, untrusted user input is applied at S_GET(‘name’)and$_GET(‘age’).TheparsetreegeneratedfortheabovecodesnippetisshowninFigure6.EachnodeofthetreerepresentsHTMLtagsortext.Thistreewillbeprocessedtodeterminescriptnodeembeddedintothewebpage.

Listing 1.ExampleshowsvulnerableHTMLcodeproducedbyvulnerableserver.<html> <body> <div name= “val” onClick= “my()”> Click Me!!! </div> <script> function my() { document.getElementByName(“val”).innerhtml= “hello” + “$_GET(‘name’)” + “you are” + “$_GET(‘age’)” + “years old”;} </script> </body></html>

2.2.3.2. Script SeparationThiscomponentisaclient-sideprocessinwhichparsetreeisprocessedtoidentifyallJavaScriptcodewithinjectedremarkstatement.Asshowninlisting1,userprovidestheuntrusteddatabythe$_GET[‘...’]variables.$_GETsupposedtoprovidethenameoftheuserwhoiscurrentlyloggedinand$_GETprovidestheageofthecorrespondinguser.Asnosanitizationprocedureisappliedonthesevariablesandaredirectlyprocessedbythebrowser,so,thesearevulnerabletotheXSSattack.Therefore,scriptsnodesmustbeseparatedfromtheresponsepage.Toeasethisproblem,itsearchesintheparsetreetocheckfortheopeningandclosingHTMLtags.Then,foreverycoupleofJavaScripttags(<script>….</script>),itinspectseachuniquepathbetweenopeningandclosingtagsbyusinggraphtraversalalgorithmsuchasDepthFirstSearch(DFS).EachidentifiedpathrepresentstheJavaScriptcodethatthewebpagecodemightresult.Figure7illustratesthealgorithmusedfortheScriptseparation.Thisalgorithmworksasfollows:Script_logisalogmaintainedtostoreallpossiblerecognizedJavaScriptcode includedin thewebpage.ThisalgorithmprocessesControlFlowGraph(CFG)asfollows:

Itexamineseachnode(v)inthegraph(V,E)tocheckitscontent.Ifitis<script>tag,thenitextractsthecontentofeachnodeinScript_logthatappearsduringthetraversalofuniquepath,untilanodewithcontent</script>isfound.Otherwise,ignorethecontentofthatnode.Finally,itoutputsScript_logcomprisingofJavaScriptcodethatawebpagemightresult.2.2.3.3. DecodingItisaclient-sideprocesstodecodethetrustedremarkstatementsinjectedatthebordersofthevalidJavaScriptcodepresentinthestaticwebpage.Inthesecondphaseofourframework,weperformencodingoftheremarkstatementtoensuretheintegrityoftheextractedfeaturesofvalidJavaScriptcode,storedinremarks.Inordertoperformacomparisonbetweentheseknownfeaturesandscriptpresentintheresponsewebpage,thereisaneedtotransformtheencodedfeaturesintorawform.Therefore,thiscomponentperformsthereversibleprocessofencoding,attheclient-side.Encoding,basically,buildsupamappingbetweencontenttypesfromthefeaturestoencodedvalueandstoresthesemappinginarepository.Indecodingprocess,thisrepositoryisusedtowhichperformreverse


96

mappingi.e.encodedvaluetooriginalcontenttype.ThiscomponentwillproducedecodefeaturesofthevalidJavaScriptcode,asitsoutputanditifforwardedtothenextcomponentforfurtherprocessing.2.2.3.4. Remark Variance DetectorItisaclient-sidecomponentwhichisresponsiblefordetectingthevarianceinthescriptfeaturesextractedatclient-sideandtheknownfeaturesofthevalidJavaScriptcodeextractedattheserver-side.Itreceivestwothingsasitsinput:decodedfeaturesandextractedscriptcode.Then,itchecksforwhetherscriptwithoutremarkispresentornot.Ifpresentthen,itisinjectedmaliciouscode.Otherwise,itchecksfortheremarkvalidity.Ifnonceisinvalidthen,itisindicatedasinjectedcode.Otherwise,itchecksforthevalidityoftheembeddedprotocols(i.e.comparethefeaturesstoredinitwiththeJavaScriptextractedfromtheresponsepage).Iffeaturesarevalidthen,responseisfreefromXSSattack,otherwise,itisconsideredasinjectedcode.Finally,iftheframeworkdetectedinjectedmaliciousJavaScriptcodethen,itisremovedfromtheresponsewebpageandmodifiedresponsewebpageisdisplayedtotheuser.Ifnoinjectedcodeisfoundthen,frameworkremovestheremarkstatementsfromtheresponsewebpageandresponseisforwardedtotheuser.Figure8representstheentireworkingprocessofthiscomponentintheformoftheflowchart.

2.2.4. Exploitation and Filtering PhaseThisisthelastphaseoftheframeworkattheclient-side.Theinputtothisphaseisthedynamicwebpage.Thekeygoalofthisphaseistoidentifythelocationofthetaintedsourceandthesensitivefunctionwhere thisvalue isused (i.e.determine thevulnerablepoints in thesourcecodeof theresponsewebpage).Moreover,itperformsfilteringonthetaintsourcetonegatetheeffectoftheinjectedmaliciousscriptatthesourcepoint.Finally,filteredresponseisdisplayedtotheuser.ThekeyComponentstoaccomplishtheentirefunctionalityofthisphaseare:DetermineVulnerableflow,ExploitGeneration,andFiltering.

Figure 6. Parse tree generated for the code shown in listing 1


97

2.2.4.1. Determine Vulnerable FlowThiscomponentisresponsibleforthedeterminationoftheflowofuntrusteduserdatafromsourcetothesensitivefunctionpresentintheresponsewebpage.WebapplicationismarkedasXSSfreeifitispossibletodecidetheoutputofwebpagestatically(i.e.staticJavaScript).Nevertheless,ifdynamicJavaScriptisgeneratedbythewebapplicationthatgeneratestheimproperlysanitizedcontent,then,attackercanutilizedthisvulnerabilitytoinjectsomemaliciouscode.Table4illustratesthevulnerablesourceandsinkslocationsusedinourframework.Forexample,considerthefollowingcodesnippetshownintheFigure9.Inthiscode,unameisdirectlyresultingfromtheparametervaluenameandisoutputtouserdeprivedofanyvalidationmechanism.

Adversarymayexploit thisvulnerabilitybyinjectingmaliciouscodeatnameparameterlike“<script>alert(document.cookie);</script>.Consequently, unamehold this JavaScript code andbrowserrendersattacker’sprovidedcode.Hence,thiscomponentextractstaintedsourceandsinkinformationas:taintsource(uname= request.getParametervalue(“name”)andtaintsink(document.write(tag)).ThisinformationisforwardedtothenextstepphasetodeterminethecontextandanalyzeitforthepresenceofXSSloopholes.

Figure 7. Algorithm implemented for JavaScript separation


98

2.2.4.2. Exploit GenerationThismoduleexaminesthevulnerableflowtoidentifyvulnerablesourceandsink.Then,itgeneratescontext-basedtestingattackpayloadthatcanbesimplyusedtoverifyvulnerablewebpages.It isachievedin3mainsteps:MaliciousFlowDecomposer,ContextRecognizerandTestingPayloadinjector.2.2.4.2.1. Malicious Flow DecomposerIt is thecomponentwhich receives the logs thatcontains informationabout thevulnerable flowpresentinthewebpage.Itextractsthefollowingfromthelog:1)TaintSourcewhichcontainsthe

Figure 8. Flow chart showing the working process of the remark variance detector


99

sourcetypeandthestringvalueinthesourceusedinsink.2)TaintSinkwhichdefinesthelocationwherestringvaluesuppliedbytheattackerisusedintheprogram.3)TaintIDwhichistheuniqueidentifiertoidentifyeachvulnerableflow.4)TaintURLwhichcontainstheURLofthewebpageinwhichvulnerableflowwasrevealed.2.2.4.2.2. Context RecognizerThiscomponentisresponsibleforthedeterminationofthecontextofthevulnerablesource.Itacceptstheinformationprovidedbythemaliciousflowdecomposerandthenusesittodeterminetheportionof the web page where vulnerable string value is injected. Figure 10 illustrates the algorithmimplementedforthisstep.Thisalgorithmworksasfollows:InputtotheabovealgorithmisthesetofIDsofuntrustedsourceT_ID.Con_logisalogmaintainedtostorecontextofeachuntrustedsource. For each tainted source TI∈ T_ID, it attached a context recognizer CR in the form asCI← (CR)TI.ThegeneratedoutputistheinternalrepresentationoftheextractedJavaScriptcodeembeddedwiththecontextrecognizerCRcorrespondstoeachuntrustedvariablepresentinit.Afterthis,itismergedwiththeCon_logasCon_log←CI∪ Con_log.ForeachCI∈Con_log,itgeneratesandsolvesthetypeconstraints.Here,Λ representsthetypeenvironmentthatperformsthemappingoftheJavaScriptvariabletotheContextrecognizerCR.Inthepathsensitivesystem,variable’scontextchangesfromonepointtootherpoint.Thus,tohandlethisissue,untrustedvariablesarerepresented

Table 4. Vulnerable source and sink location

Taint source Taint sink

Location document.URI,window.location,location.search,location.href,URL,document.location,baseURI,location.hash

location.href,location.pathname,location.port,location.protocol,location.search,location.assign,location.replace,location.hash,location.host

Link href,media,rel,rev,type link.innerhtml,link.namespaceURI,link.toString,style.

HTML Iframe,image,body,div,audio,video,em,form,input,style,var

InnerHTML,outerhtml,src,action,value,toString,defaultChecked,checked,selectedIndex,rel,write,writeln,script.innerhtml,textcontent.Crossorigin.

JavaScript Script,document,events. Src,eval,setTimeout,setInterval,baseURI,document.URL,document.cookie,document.scripts,onClick,onLoad,onChange,onMouseOver.

Storage Cookie,localStorage,sessionStorage Cookie,localStorage,sessionStorage

History - Current,next,previous,length,toSring

Window - defaultStatus,status,location,frames,innerHeight,innerWidth,localStorage.

Figure 9. Code snippet


100

throughthetypingjudgmentsasΛ e:CR.Itindicatesthatatanyprogramlocation,ehascontextrecognizerCRinthetypeenvironmentΛ .Finally,allCIvariableshavebeenassignedthecontextdynamicallyandproducethemodifiedlogCon_logasoutput.Thisstepprovidestaintedsourcewiththeiridentifiedcontext,inwhichbrowserinterpretsit.2.2.4.2.3. Testing Payload InjectorToexploitthevulnerabilitypresentinthewebpage,itsubstitutesattackvectorattheplaceoftaintedstring.Testingattackvectormustbe injectedaccording to thecontextof the taintedstring. It isachievedwiththehelpofavailablerepositoryofXSSattackvector.Then,thismodulevalidatesthesuccessfulexecutionoftheinjectedattackvector.Ifattackissuccessfulthen,TaintedIDandTaintSourceinformationisforwardedtothefilteringmodule,otherwise,webpageisnotvulnerableandisreturnedtotheuser.2.2.4.2.4. FilteringThiscomponentacceptsthetaintSourceandtaintedIDinformationasitsinput.ItappliesfilteringonthetaintedstringpresentatthetaintSourceinthewebpage,withthehelpofFilteringAPIs.Thisisdonetohalttheexecutionofinjectedmaliciousstringandtriggersmaliciouseffects.Figure11showsthealgorithmprocessedforthecompletionofthefilteringprocess.Theworkingprocedureofthisalgorithmisexplainedbelow:AlgorithmtakesCon_logasitsinputwhichstoresidentifiedcontextofalluntrustedJavaScriptvariable.FAPI_libistheexternallyavailablelibrarywhichstoresfilteringAPIscorrespondingtoeachmaliciouscontext.T_IDisthelistcomprisingtheIDsofeachtaintedsource.ForeachUntrustedSource(i.etaintedvalue)TI∈T_ID,itextractsthecontextofTIasXIfromtheCon_log.Then,itidentifiesforthecorrespondingFilteringAPI,fromtheFAPI_lib,withmatchingcontextandstoresitinFI.ItappliestheidentifiedfilteringAPIontheTIandstoreresultintotheYI.ItthenmergesYIwithFAPI_libasFAPI_lib←YI∪ FAPI_lib;finally,itembedsallsanitizedvariableintotheHTTPresponseandproduceHTTPresponsefortheuser.

3. IMPLEMENATION AND PERFORMANCE EVALUATION

Authorshaveimplementedtheirworkinjava,formitigatingtheeffectofXSSvulnerabilitiesfromthetestedsuiteofreal-worldwebapplications.Initially,AuthorshavemanuallyverifiedtheperformanceoftheframeworkagainstavailableXSSattackrepositories(HTML5SecurityCheatSheet,RSnake,2008,TechnicalAttackSheetforCrossSitePenetrationTests),whichincludesthelistofoldandnewXSSattackvectors.VeryfewXSSattackvectorswereabletobypasstheframework.AuthorshaveutilizedHtmlUnit(HtmlUnitparser)toinjecttheinitialtrustedremarkstatements.Toinjectremark,itmodifieslocationswhereJavaScriptcodeispresent(i.e.inline,eventhandling,etc.)andstorethemodifiedsourceprograminformationinMySQLdatabase.ToextractthefeaturesofvalidJavaScriptcode,AuthorshaveusedRhino(RhinoJavaScriptparser)JavaScriptparser.

3.1. Experimental EvaluationAuthorshavecategorizedtheXSSattackvectorsintofourmaincategoriesi.e.CharacterEncodingScripts (CES), Embedded Character Tags (ECT), Event Handlers (EH) and HTML QuoteEncapsulation(HQE).Table5illustratestheattackpatternsofthesecategoriesofXSSattackvectors.TheobservedresultsofourframeworkonfiverealworldHTML5webapplicationscorrespondingtochosencategoriesofXSSwormshasbeenshownintheFigure12-16.

AuthorshavealsocalculatedtheXSSdetectionrateofourframeworkbydividingthenumberofattacksdetected(i.e.#ofTruePositives)tothenumberofXSSattackvectorsinjectedoneachindividualHTML5webapplication.Table6highlightsthedetectionrateofallfivewebapplicationsw.r.t.individualcategoryofXSSworms.ItisclearlyreflectedfromtheTable6thatOsCommerceandBlogItobservedoverallhigherpercentagedetectionrateinallthefourcategoriesofXSSworms.


101

Inthenexttwosub-sections,authorshaveevaluatedtheperformanceanalysisoftheframeworkbyapplyingtwostatisticalanalysismethods:F-ScoreandF-test.

Figure 10. Algorithm implemented for the context recognizer


102

Figure 11. Algorithm for filtering process

Figure 12. Observed results on Simplecms


103

Table 5. Categories of XSS worms with their pattern examples

XSS Worm Category

Explanation Script Example

CES Thetechniquesofcharacterencodingareutilizedforexemplifyingadatabaseoftypescriptsthroughcertainencodingsystem.Suchtechniquesareutilizedforcalculation,datastoring,andbroadcastofdocumentedinfoandcouldbeutilizedforexploitingnumerousattacks.

%253cscript%253ealert(document.cookie)%253c/script%253e

ECT ThiscategoryofattackisgenerallyembeddedinsidethenormalsyntaxofJavaScriptcode.

<IMGSRC=”jav ascript:alert(‘XSS’);”>

EH Thesearenon-compulsorysystemcommandsintheformofscripts,whichonlyexecutewhenanalterationisobservedintheservicestate.

<inputonBlur=”alert(‘xss’)”type=”text”>

HQE ThiscategoryisgenerallyusedforexploitingtheXSSattackonwebapplicationsthatpermit“<script>”tagbutnot“<SCRIPTSRC...”

<scriptsrc=”data:text/javascript,alert(1)”></script>

Figure 13. Observed Results on OsCommerce


104

Figure 14. Observed Results on WebCalender

Figure 15. Observed Results on PunBB

Figure 16. Observed Results on BlogIt


105

3.2. Performance Analysis using F-ScoreAuthorshavepresenteddetailedperformanceanalysisofourframeworkbyconductingastatisticalanalysismethod (i.e.F-Score).Theanalysis conducted reveals thatour frameworkexhibitshighperformanceas theobservedvalueofF-Scores inall theplatformsofHTML5webapplicationsis0.9.Therefore, theproposedframeworkexhibits90%successrate inall thefiveHTML5webapplications.Table7highlightsthedetailedperformanceanalysisofourwork.

Precision=TruePositives TP

TruePositives TP False Positives FP

( )

( ) ( )+

Recall=TruePositives TP

TruePositives TP FalseNegatives FN

( )

( ) ( )+

FalsePositiveRate(FPR)=False Positves FP

False Positives FP TrueNegatives TN

( )

( ) ( )+

FalseNegativeRate(FNR)=FalseNegatives FN

FalseNegatives FN TruePositives TP

( )

( ) ( )+

F-Score=2

2

( )

( )

TruePositives

TruePositives FalseNegatives False Posit+ + iives

Table 6. Detection rate (in %age) of HTML5 web applications

Web Applications CES ECT EH HQE

Simplecms 88.8 86.8 88.0 86.3

OsCommerce 91.6 94.7 92.8 91.0

WebCalender 86.1 89.4 88.0 88.6

PunBB 88.8 86.8 85.7 88.6

BlogIt 88.8 86.8 92.8 88.6

Table 7. Performance analysis by calculating F-Score

Web Application Total # of TP

# of TN

# of FP

# of FN

Precision FPR FNR Recall F-Measure

SimpleCms 160 140 6 9 5 0.939 0.6 0.034 0.965 0.952

OsCommerce 160 148 2 4 6 0.973 0.67 0.038 0.961 0.927

WebCalender 160 141 8 6 5 0.959 0.428 0.034 0.965 0.962

PunBB 160 140 4 7 9 0.952 0.478 0.087 0.939 0.945

BlogIt 160 143 6 6 5 0.959 0.5 0.034 0.966 0.913


106

3.3. Performance Analysis Using F-Test HypothesisInordertoprovethatthenumberofXSSwormsdetectedislessthantothenumberofXSSattackvectorsinjected,weusetheF-testhypothesis,whichisdefinedas:

NullHypothesis(H0)=NumberofXSSwormsdetectedisequaltothenumberofXSSattackvectorsinjected.(S12=S22)

AlternateHypothesis(H1)=NumberofXSSwormsinjectedisgreaterthannumberofXSSattackvectorsdetected(S12<S22)

Table 8. Statistics of XSS Attack Vectors Applied

# of Malicious Scripts Injected (Xi)

(Xi - µ ) (Xi - µ )2 Standard Deviation S1 =

( ) / ( )Xi Ni

N

− −=∑ µ 21

1

1 1

158 2 4 3.162

160 4 16

156 0 0

154 -2 4

152 -4 16

Mean(µ )= Xi N/∑ 1 =156 ( )Xii

N

−=∑ µ1

12=40

Table 9. Statistics of XSS attack vectors detected

# of JS Attack Payload Detected (Xj)

(Xi - µ ) (Xi - µ )2 Standard Deviation S2 =

( ) / ( )Xi Ni

N� ��

�� 2

1

22 1

150 1 1 3.316

154 5 25

148 -1 1

148 -1 1

145 -4 16

Mean(µ )= Xi N/∑ 2=149 ( )Xii

N��

��

1

12=44


107

ThelevelofSignificanceis(α=0 05. ).ThedetailedanalysesofstatisticsofXSSattackwormsappliedanddetectedareillustratedintheTables8and9.AnalysisusingF-testisshowingbelow:

NumberofXSSWormsInjected(#ofObservation(N1))=5DegreeofFreedom(df1)=N1-1=4.NumberofXSSWormsDetected(#ofObservation(N2))=5DegreeofFreedom(df2)=N2-1=4.

WecancalculateF-Testas:FCALC=S12/S2

2=[(3.162)2/(3.316)2]=0.9092ThetabulatedvalueofF-Testatdf1=4,df2=4andα = 0 05. is

F( , , )df df1 2 1−α =F(4,4,0.95)=6.3882

ItisalreadyknownthattheNullhypothesisiscorrectifthetwovariancesareequalandconditionFCALC<F

( , , )df df1 2 1−α isfalse,however,inthiscase,sinceFCALC<F(4,4,0.95)istrue,therefore,thealternatehypothesis(H1)istruethatmeansthenumberofXSSwormsdetectedislessthannumberofXSSattackvectorsinjectedandanydifferenceinthesamplestandarddeviationisduetorandomerror.

3.4 Limitations of our WorkThissectiondiscussedaboutsomeofthelimitationsofourwork.

• VulnerabletoClickJackingandPhishingAttacks:Initially,theattackvectorcouldutilizethecapabilitiesofClickJackingorPhishingattacksforstealingsensitivecredentialsofuser.(e.g.user-id,password,etc.).Thisisbeyondthescopeofthiscurrentwork.Secondly,itcanalsobearguedthatastheattackvectorsareexecutingunderthelicenseofwebsite,thisisconsideredaneasywayfortheattackvectortoexploitsuchattacks.

• VulnerabletoDrive-byDownloadWorms:Finally,thisframeworkisalsoexposedtowormslikeKoobface,whichtransmitthebinariestothewebbrowserofvictimbyutilizingdrive-byexploits.Thiscategoryofattackisalsobeyondthescopeofthiswork.

Table 10. Comparison of existing work with our XSS defensive work

Techniques Parameters XSSFilt XSSAudior BIXSAN ScriptGard Livshits Jsand XSS-

Guard(Present

work)

AM Active Active Passive Passive Passive Passive Passive Active

MP Dynamic Static Static Static Dynamic Static Static Dynamic

TOXH Reflected Reflected Stored Reflected Reflected Stored Reflected Reflected,Stored

Ttrac ✗ ✗ ✗ ✗ ✓ ✓ ✓ ✓

CRW ✗ ✗ ✓ ✗ ✓ ✗ ✓ ✓

APPR ✓ ✓ ✓ ✓ ✓ ✗ ✗ ✗

PSID ✓ ✗ ✗ ✓ ✗ ✗ ✗ ✓

SCM ✓ ✓ ✓ ✓ ✓ ✓ ✗ ✓

SCMod ✓ ✓ ✓ ✓ ✓ ✓ ✗ ✗


108

3.5 Comparative and Strengths of the Proposed WorkThissectiondiscussesthecomparisonofourframeworkwiththeotherrecentexistingXSSdefensivemethodologies.Table10comparestheexistingXSSdefensivemethodologieswithourworkbasedonnineusefulperformanceparameters:AM:AnalyzingMechanism,MP:MonitoringProcedure,TOXH:TypeofXSSWormHandled,Ttrac:TaintTracking,CRW:CodeRewriting,APPR:AutomatedPre-ProcessingRequired,PSID:PartialScriptInjectionDetection,SCM:SourceCodeMonitoringandSCMod:SourceCodeModifications.

Inaddition,recognitionofmaliciousscriptmethodsissimplyevadedbymostofthetechniques.Moreover,lotofpre-processingisrequiredintheexistingframeworkofwebapplicationsfortheirsuccessfulexecutionondifferentplatformsofwebbrowsersaswellaswebapplications.MostoftheexistingworkreliesontheconceptofexactJavaScriptinjection;however,theycouldnotabletodetectthepartialinjectionofXSSworms.

ThisframeworksimplyisolatestheuntrustedJavaScriptcodefromtheactualdatabyexecutingtheprocessofcoderewriting,thatisnothandledbymostoftheexistingXSSdefensivetechniques.Inaddition, theproposedframeworkexecutestheruntimemonitoringontheJavaScriptcodefordetermining thedependencybetween the taintedsourceandsinkfunctions in theprogramcode.Moreover,contextofuntrustedvariablesembeddedinsuchcodeisdetermined.Now,here,insteadofperformingcontext-sensitivesanitizationonsuchvariables,ourframeworkperformsthedeepstringanalysisonsuchvariablesfortrackingtheirtaintedflow.Theexaminationoftaintedvariableswillbecarriedoutinordertodeterminewhetheritmayfunctionasvulnerablepointornot.Theexistingworkperformsthecontext-sensitivesanitizationonsuchvariables.

4. CONCLUSION

Digitalization in every aspect of life demands more technological advancements for providinginformationanytimeanywhere.Thismaterializesthevisionofmakingcities“smarter”.Undoubtedly,thisdevelopmentinducesmultiplebenefitstothepeople;nevertheless,itbringstolightmultiplethreatslikeXSS.Therefore,thispaperdescribedatechniquetoprotectusersfromXSSattack.Thisisachievedthroughclassifyingresponsewebpageintostaticanddynamicwebpages.StaticwebpagesareprocessedbyinjectingandverifyingtrustedremarkstatementstodetectpersistentXSSattack.Moreover,itaccomplishesvulnerableflowanalysisfollowedbyfilteringoftaintedstring,fordeterminingXSSattackindynamicwebpages.Authorshaveimplementedtheframeworkusingjavadevelopmentframeworkandhasevaluateditsdetectioncapabilityonfivereal-worldwebapplications.Theresultsrevealedlowfalsenegativeratewithtolerableperformanceoverheadduetoinjectionandremovalofremarks.

ACKNOWLEDGMENT

ThispublicationisanoutcomeoftheR&DworkundertakenundertheprojectsYFRF,VisvesvarayaPhDSchemeofMinistryofElectronics&InformationTechnology,GovernmentofIndiaandbeingimplementedbyDigitalIndiaCorporation.


109

REFERENCES

Agten,P.,VanAcker,S.,Brondsema,Y.,Phung,P.H.,Desmet,L.,&Piessens,F.(2012,December).JSand:completeclient-sidesandboxingof third-partyJavaScriptwithoutbrowsermodifications.InProceedings of the 28th Annual Computer Security Applications Conference(pp.1-10).ACM.doi:10.1145/2420950.2420952

Almomani,A.et al..(2013).Phishingdynamicevolvingneuralfuzzyframeworkforonlinedetectionzero-dayphishingemail.Indian Journal of Science and Technology,6(1),3960–3964.

Bates, D., Barth, A., & Jackson, C. (2010, April). Regular expressions considered harmful in client-sideXSS filters. In Proceedings of the 19th international conference on World wide web (pp. 91-100). ACM.doi:10.1145/1772690.1772701

Bisht, P., & Venkatakrishnan, V. N. (2008, July). XSS-GUARD: precise dynamic prevention of cross-sitescriptingattacks.InProceedings of theInternational Conference on Detection of Intrusions and Malware, and Vulnerability Assessment(pp.23-43).Springer.doi:10.1007/978-3-540-70542-0_2

Chandra,V.S.,&Selvakumar,S.(2011).BIXSAN:BrowserIndependentXSSSanitizerforpreventionofXSSattacks.Software Engineering Notes,36(5),1–7.doi:10.1145/1968587.1968603

Chaudhary,P.,Gupta,B.B.,&Gupta,S.(2018).DefendingtheOSN-basedwebapplicationsfromXSSattacksusingdynamicjavascriptcodeandcontentisolation.InQuality, IT and Business Operations(pp.107–119).Singapore:Springer.doi:10.1007/978-981-10-5577-5_9

Chaudhary,P.,Gupta,B.B.,&Gupta,S.(2019).AFrameworkforPreservingthePrivacyofOnlineUsersAgainstXSSWormsonOnlineSocialNetwork.International Journal of Information Technology and Web Engineering,14(1),85–111.doi:10.4018/IJITWE.2019010105

Chaudhary,P.,Gupta,S.,&Gupta,B.B.(2016).AuditingDefenseagainstXSSWormsinOnlineSocialNetwork-BasedWebApplications.InHandbookofResearchonModernCryptographicSolutionsforComputerandCyberSecurity(pp.216-245).Hershey,PA:IGIGlobal.doi:10.4018/978-1-5225-0105-3.ch010

Drennan,J.,Sullivan,G.,&Previte,J.(2006).Privacy,riskperception,andexpertonlinebehavior:Anexploratorystudyofhouseholdendusers.Journal of Organizational and End User Computing,18(1),1–22.doi:10.4018/joeuc.2006010101

Ferraz,F.S.,&Ferraz,C.A.G.(2014,December).Smartcitysecurityissues:depictinginformationsecurityissuesintheroleofanurbanenvironment.InProceedings of the 2014 IEEE/ACM 7th International Conference on Utility and Cloud Computing(pp.842-847).IEEE.doi:10.1109/UCC.2014.137

Gupta,B.B.,Gupta,S.,&Chaudhary,P.(2017a).Enhancingthebrowser-sidecontext-awaresanitizationofsuspiciousHTML5codeforhaltingtheDOM-basedXSSvulnerabilitiesincloud.[IJCAC].International Journal of Cloud Applications and Computing,7(1),1–31.doi:10.4018/IJCAC.2017010101

Gupta,S.,&Gupta,B.B.(2016a).Aninfrastructure-basedframeworkforthealleviationofJavaScriptwormsfromOSNinmobilecloudplatforms.InProceedings of theInternational conference on network and system security(pp.98-109).Cham:Springer.doi:10.1007/978-3-319-46298-1_7

Gupta,S.,&Gupta,B.B. (2016b).EnhancedXSSdefensive framework forweb applicationsdeployed inthevirtualmachinesofcloudcomputingenvironment.Procedia Technology,24,1595–1602.doi:10.1016/j.protcy.2016.05.152

Gupta,S.,&Gupta,B.B.(2017b).SmartXSSattacksurveillancesystemforOSNinvirtualizedintelligencenetworkofnodesoffogcomputing.International Journal of Web Services Research,14(4),1–32.doi:10.4018/IJWSR.2017100101

Gupta,S.,&Gupta,B.B.(2018b).Robustinjectionpoint-basedframeworkformodernapplicationsagainstXSSvulnerabilitiesinonlinesocialnetworks.International Journal of Information and Computer Security,10(2-3),170–200.doi:10.1504/IJICS.2018.091455

Gupta,S.,&Gupta,B.B.(2018c).RAJIVE:RestrictingtheabuseofJavaScriptinjectionvulnerabilitiesonclouddatacentrebysensingtheviolationinexpectedworkflowofwebapplications.International Journal of Innovative Computing and Applications,9(1),13–36.doi:10.1504/IJICA.2018.090822

http://dx.doi.org/10.1145/2420950.2420952

http://dx.doi.org/10.1145/1772690.1772701

http://dx.doi.org/10.1007/978-3-540-70542-0_2

http://dx.doi.org/10.1145/1968587.1968603

http://dx.doi.org/10.1007/978-981-10-5577-5_9

http://dx.doi.org/10.4018/IJITWE.2019010105

http://dx.doi.org/10.4018/978-1-5225-0105-3.ch010

http://dx.doi.org/10.4018/joeuc.2006010101

http://dx.doi.org/10.4018/joeuc.2006010101

http://dx.doi.org/10.1109/UCC.2014.137

http://dx.doi.org/10.4018/IJCAC.2017010101

http://dx.doi.org/10.1007/978-3-319-46298-1_7

http://dx.doi.org/10.1016/j.protcy.2016.05.152

http://dx.doi.org/10.1016/j.protcy.2016.05.152

http://dx.doi.org/10.4018/IJWSR.2017100101

http://dx.doi.org/10.4018/IJWSR.2017100101

http://dx.doi.org/10.1504/IJICS.2018.091455

http://dx.doi.org/10.1504/IJICA.2018.090822


110

Gupta,S.,&Gupta,B.B.(2018d).EvaluationandmonitoringofXSSdefensivesolutions:Asurvey,openresearchissuesandfuturedirections.Journal of Ambient Intelligence and Humanized Computing,1–29.

Gupta,S.,&Gupta,B.B.(2018e).POND:Polishingtheexecutionofnestedcontext-familiarruntimedynamicparsing and sanitisationofXSSwormsononline edge servers of fog computing. International Journal of Innovative Computing and Applications,9(2),116–129.doi:10.1504/IJICA.2018.092588

Gupta,S.,&Gupta,B.B.(2018f).Arobustserver-sidejavascriptfeatureinjection-baseddesignforJSPwebapplicationsagainstXSSvulnerabilities.InCyber Security:Proceedings of CSI 2015(pp.459-465).SpringerSingapore.doi:10.1007/978-981-10-8536-9_43

Gupta,S.,Gupta,B.B.,&Chaudhary,P.(2018a).HuntingforDOM-BasedXSSvulnerabilitiesinmobilecloud-basedonlinesocialnetwork.Future Generation Computer Systems,79,319–336.doi:10.1016/j.future.2017.05.038

Hossain,M.S.,Muhammad,G.,Abdul,W.,Song,B.,&Gupta,B.B. (2018).Cloud-assistedsecurevideotransmission and sharing framework for smart cities. Future Generation Computer Systems, 83, 596–606.doi:10.1016/j.future.2017.03.029

HTML5SecurityCheatSheet.(n.d.).Retrievedfromhttps://html5sec.org/

HtmlUnitparser.(n.d.).Retrievedfromhttps://sourceforge.net/projects/htmlunit/files/htmlunit/

Li,D.,Deng,L.,BhooshanGupta,B.,Wang,H.,&Choi,C.(2019).AnovelCNNbasedsecurityguaranteedimage watermarking generation scenario for smart city applications. Information Sciences, 479, 432–447.doi:10.1016/j.ins.2018.02.060

Li,J.,Yu,C.,Gupta,B.B.,&Ren,X.(2018).ColorimagewatermarkingschemebasedonquaternionHadamardtransform and Schur decomposition. Multimedia Tools and Applications, 77(4), 4545–4561. doi:10.1007/s11042-017-4452-0

Livshits, B., & Chong, S. (2013, January). Towards fully automatic placement of security sanitizers anddeclassifiers.ACM SIGPLAN Notices,48(1),385–398.doi:10.1145/2480359.2429115

Parada, R., Melià-Seguí, J., & Pous, R. (2018). Anomaly Detection Using RFID-Based InformationManagementinanIoTContext.Journal of Organizational and End User Computing,30(3),1–23.doi:10.4018/JOEUC.2018070101

Pelizzi,R.,&Sekar,R.(2012).Protection,usabilityandimprovementsinreflectedXSSfilters.InProceedings of the 7th ACM Symposium on Information, Computer and Communications Security (p. 5). ACM.doi:10.1145/2414456.2414458

Rhino JavaScript parser. (n.d.). Retrieved from https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Rhino/Download_Rhino

XSSRSnake.(2008).CheatSheet.Retrievedfromhttps://n0p.net/penguicon/php_app_sec/mirror/xss.html

Saxena,P.,Molnar,D.,&Livshits,B.(2011,October).SCRIPTGARD:automaticcontext-sensitivesanitizationforlarge-scalelegacywebapplications.InProceedings of the 18th ACM conference on Computer and communications security(pp.601-614).ACM.doi:10.1145/2046707.2046776

Sen,M.,Dutt,A.,Agarwal,S.,&Nath,A.(2013,April).Issuesofprivacyandsecurityintheroleofsoftwareinsmartcities.InProceedings of the2013 International Conference on Communication Systems and Network Technologies(pp.518-523).IEEE.doi:10.1109/CSNT.2013.113

TechnicalAttackSheetforCrossSitePenetrationTests.(n.d.).Retrievedfromhttp://www.vulnerability-lab.com/resources/documents/531.txt

http://dx.doi.org/10.1504/IJICA.2018.092588

http://dx.doi.org/10.1007/978-981-10-8536-9_43

http://dx.doi.org/10.1016/j.future.2017.05.038

http://dx.doi.org/10.1016/j.future.2017.03.029

https://html5sec.org/

https://sourceforge.net/projects/htmlunit/files/htmlunit/

http://dx.doi.org/10.1016/j.ins.2018.02.060

http://dx.doi.org/10.1007/s11042-017-4452-0

http://dx.doi.org/10.1007/s11042-017-4452-0

http://dx.doi.org/10.1145/2480359.2429115

http://dx.doi.org/10.4018/JOEUC.2018070101

http://dx.doi.org/10.4018/JOEUC.2018070101

http://dx.doi.org/10.1145/2414456.2414458

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Rhino/Download_Rhino

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Rhino/Download_Rhino

https://n0p.net/penguicon/php_app_sec/mirror/xss.html

http://dx.doi.org/10.1145/2046707.2046776

http://dx.doi.org/10.1109/CSNT.2013.113

http://www.vulnerability-lab.com/resources/documents/531.txt

http://www.vulnerability-lab.com/resources/documents/531.txt


111

B. B. Gupta received PhD degree from Indian Institute of Technology Roorkee, India in the area of information security. He has published more than 250 research papers in international journals and conferences of high repute. He has visited several countries to present his research work. His biography has published in the Marquis Who’s Who in the World, 2012. At present, he is working as an Assistant Professor in the Department of Computer Engineering, National Institute of Technology Kurukshetra, India. His research interest includes information security, cyber security, cloud computing, web security, intrusion detection, computer networks and phishing.

Pooja Chaudhary is currently pursuing her PhD degree in Information and Cyber security from National Institute of Technology, Kurukshetra, Haryana, India. She has completed her M.Tech in Computer Engineering from National Institute of Technology, Kurukshetra. She has received her B.Tech degree in Computer Science and Engineering from Bharat Institute of Technology, Meerut, Affiliated to Uttar Pradesh Technical University, India. Her areas of interest include online social network security, Big Data analysis and security, database security, and cyber security.

Shashank Gupta is currently working as an Assistant Professor in Computer Science and Information Systems Division at Birla Institute of Technology and Science, Pilani, Rajasthan, India. He has done his PhD under the supervision of Dr. B. B. Gupta in Department of Computer Engineering specialization in Web Security at National Institute of Technology Kurukshetra, Haryana, India. Recently, he was working as an Assistant Professor in the Department of Computer Science and Engineering at Jaypee Institute of Information Technology (JIIT), Noida, Sec-128. Prior to this, he has also served his duties as an Assistant Professor in the Department of IT at Model Institute of Engineering and Technology (MIET), Jammu. He has completed M.Tech. in the Department of Computer Science and Engineering Specialization in Information Security from Central University of Rajasthan, Ajmer, India. He has also done his graduation in Bachelor of Engineering (B.E.) in Department of Information Technology from Padmashree Dr. D.Y. Patil Institute of Engineering and Technology Affiliated to Pune University, India. He has also spent two months in the Department of Computer Science and IT, University of Jammu for completing a portion of Post-graduation thesis work. He bagged the 1st Cash Prize in Poster Presentation at National Level in the category of ICT Applications in Techspardha’2015 and 2016 event organized by National Institute of Kurukshetra, Haryana. He has numerous online publications in International Journals and Conferences including IEEE, Elsevier, ACM, Springer, Wiley, Elsevier, IGI-Global, etc., along with several book chapters. He is also serving as reviewer for numerous peer-reviewed Journals and conferences of high repute. He is also a professional member of IEEE and ACM. His research area of interest includes web security, cross-site scripting (XSS) attacks, online social network security, cloud security, fog computing and theory of computation.

Documents

Designing a XSS Defensive ... - researchers.mq.edu.au