Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
DOI: 10.4018/JOEUC.2020100105
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
Copyright©2020,IGIGlobal.CopyingordistributinginprintorelectronicformswithoutwrittenpermissionofIGIGlobalisprohibited.
85
Designing a XSS Defensive Framework for Web Servers Deployed in the Existing Smart City InfrastructureBrij B. Gupta, National Institute of Technology, Kurukshetra, India & Asia University, Taiwan & Macquarie University, Australia
Pooja Chaudhary, National Institute of Technology, Kurukshetra, India
https://orcid.org/0000-0003-0766-0530
Shashank Gupta, Birla Institute of Technology and Science, Pilani, India
ABSTRACT
Cross-sitescriptingisoneofthenotableexceptionseffectingalmosteverywebapplication.Hence,thisarticleproposedaframeworktonegatetheimpactoftheXSSattackonwebserversdeployedinoneof themajor applicationsof the InternetofThings (IoT) i.e. the smart city environment.Theproposedframeworkimplements2approaches:first,itexecutesvulnerableflowtrackingforfilteringinjectedmaliciousscriptingcodeindynamicwebpages.Second,itaccomplishedtrustedremarkgenerationandvalidationforunveilinganysuspiciousactivityinstaticwebpages.Finally,thefilteredandmodifiedwebpageisinterfacedtotheuser.Theprototypeoftheframeworkhasbeenevaluatedonasuiteofreal-worldwebapplicationstodetectXSSattackmitigationcapability.TheperformanceanalysisoftheframeworkhasrevealedthatthisframeworkrecognizestheXSSwormswithverylowfalsepositives,falsenegativesandacceptableperformanceoverheadascomparedtoexistentXSSdefensivemethodologies.
KEyWORDSSmart City Cyber Security, Trusted Remark Statement Injection, Untrusted Javascript Code, XSS Attack
1. INTRODUCTION
Urbanizationandmigrationrequireglobaldevelopmentofeconomic,social,institutionalandphysicalinfrastructure.Consequently,itputspressureonthecity’sorganizationasrequestforresourceslikeeducation,healthcare,transportation,government,andsafetyexceedtheiravailability.Toovercometheseissues,citiesarefocusingontheutilizationoftechnologyi.e.becoming‘smart’.Smartcities(Ferraz&Ferraz,2014;Seth,2013)are thecities thatharness InformationandCommunicationTechnologytoautomateandenhanceservicesforimprovingthelivingstandardoftheircitizensandattainsustainabledevelopment.Thisconceptof“smartcities”istheoutcomeofthenewcomputingparadigm,thatis,InternetofThings.Internethasbeenrisenuptothelevelwhereeverythingnearbyusisconnectedandturnsouttobepartofsomeformofnetwork.Informally,wecandefineIoTasanetworkformedbydevicescapableofgenerating,sendingandreceivinginformationrelatedtoanybusiness,accessesbyanyperson,anytimeirrespectiveofthegeographicallocation.Technologyshouldbeusedtomakecitiessmartintermsoftheservicesprovidedsuchassmarttrafficcontrol,
Thisarticle,originallypublishedunderIGIGlobal’scopyrightonOctober1,2020willproceedwithpublicationasanOpenAccessarticlestartingonJanuary21,2021inthegoldOpenAccessjournal,JournalofOrganizationalandEndUserComputing(convertedtogoldOpen
AccessJanuary1,2021),andwillbedistributedunderthetermsoftheCreativeCommonsAttributionLicense(http://creativecommons.org/licenses/by/4.0/)whichpermitsunrestricteduse,distribution,andproductioninanymedium,providedtheauthoroftheoriginalworkand
originalpublicationsourceareproperlycredited.
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
86
smartparking,smarthealth-care,smart transportation,smartcitymanagementsystemlikewastemanagement,watermanagement,SmartStreetlightingandsoon(Hossain&Shamim,2018;Li,&Daming,2019).Therefore,inanutshell,smartcitymeanseverythingisembeddedwithsensorstoenablethemtointeractwiththeenvironment.SmartcitiescompriseofsomeofthemaincomponentsasillustratedinFigure1.Indeed,smartcityconcepthasgivenanewdirectionfornation’sgrowth;nevertheless,fortheexchangeofthedata,itutilizesserverinfrastructurewhichbringssomemajorchallenges also. Cyber security is the biggest challenge because people share large amount ofinformationcomprisingpersonalandprofessionalovertheInternet(Li,Jianzhong,2018;Almomani,Ammar,2013;Parada,Raúl,2018;Drennan,Judy,2019).Therearenumerouscyber-attacksthathavecontaminatedwebapplication.
Figure2showsdetailedarchitectureofthesmartcityandalsoshowswhattypeofattacksarelaunchedatwhichlayerinthearchitectureofsmartcity.ItmayincludeDDOS,phishing,XSS,SQLinjection,spammingetc.CodeinjectionvulnerabilitiesarethemostcommonanddangerousthreatonInternet.ItincludesCross-SiteScripting(XSS)(Chaudhary,Gupta,&Gupta,2019;Gupta&Gupta,2016a,2016b,2018b),SQLinjection,etc.XSSattack(Chaudhary,Gupta,&Gupta,2016;)isatypeofcodeinjectionattackinwhichadversaryinjectsmaliciousscriptcodeintothesourceprogramofthewebapplication,triggersmaliciousactionslikecookiestealing,sessionhijacking,dis-informationandsoon.Itcovers3types:PersistentXSS(Gupta&Gupta,2018d,2018e,2018f),
Figure 1. Smart city components
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
87
ReflectedXSS(Guptaetal.2017a,2018c)andDocumentObjectModel(DOM)basedXSSattack(Gupta,Gupta,&Chaudhary,2018a).
NumerousXSSdefensivesolutionshavebeenproposedbytheresearchersfordetectingandalleviatingtheeffectofXSSvulnerabilitiesfromthedifferentplatformsofWebapplications.XSSFilt(Pelizzi&Sekar,2012),aclient-sideXSSfiltercoulddiscovernon-persistentXSSvulnerabilities.ThisfilteridentifiesandthwartsportionsofaddressURLfromgivinganappearanceinwebpage.Thisfiltercouldalsodiscoverpartialscriptinsertions.XSSAuditor(Bates,Barth,&Jackson,2010)isafilterthatrealizesequallyextraordinaryperformanceaswellashighaccuracyviajammingscriptsfollowingtheHTMLparsingandpriortoexecution.Thefiltercansimplyspotthecomponentsoftheresponsewhichareconsideredasascript.BIXSAN(Chandra&Selvakumar,2011)comprisesofJavaScriptDetector,whichdiscoverstheexistenceofJavaScript,anHTMLparsetreeproducerwhichisusedtodiminishtheinconsistentperformanceofwebbrowserandfortherecognitionofstaticscripttagsforpermittinglegitimateHTMLsourcecode.ScriptGard(Saxena,Molnar,&Livshits,2011)isacomplementarytechniquethatpresumesthecollectionofaccuratesanitizersandinjectsthemtomatchtheparsingcontextofwebbrowser.
Anautomatedtechniqueproposedby(Livshits&Chong,2013)ofsanitizerplacementbystaticallyanalyzingthestreamofinfecteddataintheprogram.However,placementofsanitizerisstaticandsometimes changes to dynamicwherever required. JSand (Agten et al., 2012) is a server-drivenJavaScript-basedsandboxingsupport,whichimplementsaserver-specificpolicyontheinjectedscriptswithnorequirementoffilteringormodificationofscripts.Thetechniquefacilitatesthedeveloperofawebsitetosafelyincorporatethird-partyscripts,withnorequirementofdisorderlyalterationstobothclientandserver-sideinfrastructure.XSS-Guard(Bisht&Venkatakrishnan,2008)isatechniquethatdetectsthecollectionofscriptsthatawebapplicationintendstocreateforanyHTMLwebrequest.Thetechniquecreatesashadowwebpagetolearnthewebapplication’sintentforeveryHTTPwebresponse,includingthelegitimateandexpectedscripts.Anydivergencebetweentherealgenerated
Figure 2. Architecture of smart city with possible threats
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
88
webpageandtheshadowwebpagepointstowardsthepossiblescriptinclusions.However,mainissuewiththeseexistingtechniquesisthattheycannotsolvetheproblemofisolatingexecutableuntrustedJavaScriptcodefromtheremainingdataofHTMLwebpage.Moreover,thesearenotabletoeffectivelymakedistinguishbetweenvalidandinjectedJavaScriptcodeinthewebpage.SomeoftheexistingtechniquesdemandsmajoralterationsintheexistinginfrastructureofWebapplications.
1.1. Key ContributionsOnthebasisoftheseissues,authorshavedesignedaframeworkbasedonvulnerableflowanalysisand injection of trusted Remark statements in the web page. At the server-side, our frameworkperforms2mainfunctions:classificationofresponsewebpageintostaticanddynamicwebpage;andinjectionoftrustedremarksstatementsatthebordersofvalidJavaScriptcodepresentinthewebpage.TheseremarkshelpindifferentiatingmaliciousJavaScriptfromthevalidJavaScriptasitincludesfeaturesofvalidJavaScriptintheformofprotocolswithrandomlygeneratednonce.TheseprotocolsformthebasisofcomparisonbetweenJavaScriptcodestodetectXSSattack.Attheclient-side,itdetectstheXSSattackbyapplyingdifferenttechniquesforstaticanddynamicwebpage.Forstaticresponse,it,firstly,extractsscriptsandthenmakeacomparisonwiththeremark.Ifvarianceisfoundthen,itindicatesXSSattack.Fordynamicresponse,initially,itidentifiesvulnerablesourcebycompletingvulnerableflowanalysis.Then, itdeterminesthecontextof thismalicioussourcefollowedbyapplyingfilteringonitwiththehelpoffilteringAPIs.Finally,modifiedresponsewebpageisdisplayedtotheuser.
1.2. Outline of this PaperTherestofthepaperisorganizedasfollows:Insection2,wehaveintroducedourworkindetail.Implementationandevaluationofourworkarediscussedinsection3.Finally,section4concludesourworkanddiscussesfurtherscopeofwork.
2. PROPOSED WORK
ThispaperpresentsahybriddefensiveframeworktoprotecttheInternetusersfromXSSattack,insmartcityenvironment.Theserver-sideframework,initially,explorestherequestedwebapplicationtoextractallthewebpagesofthatwebapplication.Then,itstaticallyanalyzesthecontentofthewebpageandclassifiestheminto2types:dynamicwebpageandstaticwebpage,dependingonthepresenceofinputfieldinthewebpage,respectively.Furthermore,itreturnsthedynamicwebpagetothebrowserandinjectsremarkstatementsat thebeginningandendingofthevalidJavaScriptcodepresentinthestaticwebpage.ThisisdonetoensuretheproperdiscriminationbetweenvalidandmaliciousJavaScriptcode.Theclient-sideframeworkdynamicallyexecutesthetainttrackingtoidentifythepartofthemaliciousinjectedstringusedinthesensitivefunctionsinthesourcecodeofthedynamicwebpage.Then,itsubstitutesthetaintedstringvaluewiththetestingattackvectortoexploitXSSvulnerability.Ifattackissuccessfulthen,itfilteredoutthetaintedsourcewiththefilteringAPIs.Inaddition,itchecksforthevalidityofremarksstatementinthestaticwebpagetodetectXSSattack.Thenextsub-sectiondiscussestheabstractoverviewofourframework.
2.1. Abstract Design View of the FrameworkTheproposedframeworkworksinfourmainphases:1)staticallyclassifiesthewebpagesofthewebapplication;2)generatesremarkstatementscomprisingrandomlygeneratednoncesandfeaturesofvalidJavaScriptcodeblock;3)checksforthevalidityofinjectedremarkstatements,attheclient-side,todetectXSSattack.;4)dynamicallyperformsthetaintanalysisandperformsthefilteringonthetaintedstringvaluewiththefilteringAPIs.Figure3elaboratestheabstractdesignoverviewofourframework.
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
89
ThisframeworkalleviatesthepropagationofXSSwormbyperformingtwomainmechanisms:dynamictaintanalysisandremarkstatementsinjectionandvalidation.Payloadtesteraccomplishestheclassificationofwebpagesintodynamicandstaticwebpages.Hereinafter,dynamicwebpageundergoestaintanalysisprocedurewiththehelpofvulnerableflowidentificationcomponent.ExploitgeneratorcomponentisusedtoidentifysuspiciouswebpagewiththehelpofinsertingtestingattackpayloadatthetaintsourcelocationandlaunchtheXSSattack.Ifattackissuccessfulthen,itfiltersthemaliciousstringvalue.Otherwise,dynamicwebpageisfreefromXSSattack.StaticwebpagesareexaminedfortheidentificationofmaliciousinjectedJavaScriptcode.ThisisdonebyinjectingremarkstatementsattheborderofthevalidJavaScriptcodeblock.Remarkvariancedetectorseizesthewebpageand implementsanumberof tests todetectXSSattack.Firstly, it identifies ifanyJavaScriptcodeblockwithoutremarkstatementispresentornot.Ifpresentthen,itisconsideredasinjectedcodeandremovedfromtheresponse.Otherwise,ittestsforthevalidityofremarkstatementscomprisingrandomnonceandfeaturesofvalidJavaScriptcode.Ifanonceisincorrectthen,itisdeclaredasinjectedcode.Otherwise,itmatchesthesuspectedfeaturesofJavaScriptcodewiththefeaturesincludedintheremarkstatements.Ifanydeviationisfoundthen,itisconsideredasinjected.Finally,itchecksforthepresenceofanyduplicateremarkstatementstoidentifyremarkstatementsinsertedbytheattacker.IfitidentifiesthepresenceoftheinjectedJavaScriptcodeintheresponsethen,itisremovedfromtheresponsewebpagealongwiththeinjectedremarkstatements.Figure4highlightsthedetailedworkingprocedureofourframeworkintheformofflowchart.Hereinafter,thenextsub-sectionhighlightsthedetailedillustrationofourframework.
2.2. Detailed Design View of the Proposed FrameworkThis section furnishes thecomprehensivearchitecturaldetailofourhybrid framework.Figure5shows thedetaileddesignoverviewofourclient-serverXSSdefensive framework.Theoutlinedframeworkexecutesinfourhigh-levelphases:1)ClassificationofHTTPresponsewebpages;2)Remarkgeneration;3)Remarkvalidation;4)Exploitationandfilteringphase.
2.2.1 Classification of HTTP Response Web PageThekeygoaloftheserver-sideimplementationistoefficientlyclassifythegeneratedHTTPresponsewebpageandinsertremarkstatementsatthebordersoftheJavaScriptcode.Thekeycomponentswhichimplementtheseoperationsare:InternalWebpageTracing,Webpageretrieval,Payloadtester.2.2.1.1 Internal Web Page Tracing
Figure 3. Abstract design overview of client-server framework
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
90
Itisaserver-sidecomponentthatimplementsscanningofthewebpagetoextractallthewebpagesoftherequestedwebapplicationandsavethemforthelaterprocessing.OncethecliententerstherequestedURL then, it inevitably crawls thewebapplicationwith thehelpof a selenium-basedcrawler.Initially,ituprootsalltheinternalandexternalURIlinksfromtheresponsewebpageandthenmakesarequesttoretrieveallwebpagesfromtheserver.
Figure 4. Flow chart of our proposed framework
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
91
2.2.1.2. Web Page RetrievalItisaserver-sidecomponentwhichisresponsiblefortheextractionofrequestedwebpageofthewebapplication.Thiscomponentreceivesthelogprovidedbytheinternalwebpagetracingcomponentasitsinput.Then,itcheckstherequestedURLtoidentifythespecifiedwebpageofwebapplicationasrequestedbytheuser.Finally,itextractsthewebpagefromthelogandsuppliedittotheothercomponentforlaterprocessing.2.2.1.3. Payload TesterItsmainaimistoclassifythewebpageintotwocategories:dynamicwebpageandstaticwebpage.2.2.1.3.1. Dynamic Web PageWebpagewhichcontainsanytypeofinputfieldsuchassearchbox,commentbox,formfieldsandsoon.Payloadtesterhasclassifiedthesewebpagesasdynamicbecauseusercanenteruntrustedinputvalueintotheinputfield.Forinstance,webapplicationdemandingusertofillaformregardingpersonalinformationviaawebpage.
Figure 5. Comprehensive design overview of our proposed framework
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
92
2.2.1.3.2. Static Web PageStaticwebpagesarethewebpageswhicharereadonly.Itdoesnotcontainanyinputfieldtoreceiveuserinput.Forinstance,webpagecontainingaproductspecification.
Iftherequestedwebpagefallsunderthecategoryofdynamicwebpagethen,itisreturnedtotheclientforfurtherprocessing.Otherwise,staticwebpagesareforwardedtothetrustedremarkgenerationcomponentforlaterprocessing.
2.2.2. Remark Generation PhaseThisisthesecondphasewhichreceivesstaticwebpage.ThekeymottoofthisphaseistogeneratethetrustedremarkstatementthatistobeinjectedatthebeginningandendingofthevalidJavaScriptcodeblock.Thisisdonetoensurethatatthetimeofexecutionattheclient-side,browserisabletodistinguishbetweenlegitimateandmaliciousJavaScriptcodeinjectedbytheattacker.Toaccomplishthis,firstly,weuprootallthelegitimateJavaScriptcodeembeddedinthewebpage.Then,itanalyzeseachJavaScriptcodetofindouttheuniquefeaturesandembedthemintheprotocol.TheseprotocolsareinjectedintotheresponsewebpageatthestartingandendingofthevalidJavaScriptcodeblockintheencryptedform.Thekeymoduleswhichperformthisfunctionalityare:TrustedRemarkgenerationandencoding.Thesearedescribedbelow:2.2.2.1. Trusted Remarks GenerationThetrustedremarkstatementcomprisesofarandomlygeneratednonceandextractedfeaturesofthevalid JavaScript codeembedded in the staticwebpage.These featuresarewrapped into theprotocolsanditinjectstheseprotocolsintheremarksstatementforexecutiontimecheckingattheclient-side.Thismodulecomprisesthefollowingkeycomponents:ScriptExtractor,featureIdentifierandProtocolGeneration.2.2.2.1.1. Script ExtractorItisaserver-sidecomponentwhichperformstwomainfunctionalities:first,extractionoflegitimateJavaScriptcodeembeddedinthestaticwebpage.Second,injectionofinitialremarkstatementsatthestartingandendingofextractedJavaScriptcodeblock.Toaccomplishitsfirsttask,itutilizesHTMLparseri.e.HtmlUnit[34],toparsewebpageandextractJavaScriptcodeandstoretheminaseparatelog.Tocompleteitssecondtask,itinsertstheinitialremarkstatement(comprisesofrandomlygeneratednonce)intheextractedJavaScriptcode.Toachievethis,itmodifiesthelocationsinthesourcecodeofthewebpagewhereJavaScriptcodeispresent.Then,itstoresthemodifiedcodeintotheoriginalsourcecodeofthewebpage.Here,authorshaveexamine5caseswhereJavaScriptcodemaybepresentinthewebpage:1)inlinescripts;2)scriptsinclusionviaremotesourcefile;3)scriptsinclusionvialocalexternalsourcefile;4)scriptsinclusionviaeventhandlingcode;5)scriptinclusionviaURLattributevalue.Table1explainthesecasesandalsoshowhowitinjectstheremarkstatementsinitsinitialstage.Firstexample,showsainlinescriptinclusionwithmethodnamedasdocuments.cookie(“ABC”).ItinjectsremarkstatementatthestartingandendingoftheJavaScriptcodeblock.Initially,remarkstatementscompriseofarandomlygeneratednonce(a32-bitnumber)as/*N1*/.RemotelyaccessibleJavaScriptfilecannotbemodified;therefore,itinjectsremarkstatementwith<script>tagtoconvertthemintoinlinescriptcode(example2).JavaScriptcodeincludedinthelocalexternalfileishandledseparately.So,noremarkstatementwillbeinjectedforthem(example5).Thiswillreducetheoverheadofinjectingremarkstatements.2.2.2.1.2. Feature IdentifierItisaserver-sidecomponentwhichreceivesextractedJavaScriptcodelogasitsinput.Theaimofthiscomponentistoanalyzeeachscriptinthelogtoidentifytheuniquefeatures.Theseidentifiedfeaturesarethenusedfortheprotocolgeneration.ToinjectmaliciousJavaScriptcode,attackereither
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
93
modifiestheJavaScriptfunctiondefinitionwrittenbytheprogrammerorinjectsafunctioncalltomaliciouslywrittenfunction.Forinstance,considerthecodesnippetasshownbelow:<input type=”text” name= “username” value=”<%request.getParameter(“U_name”)%>”>
Here,nofilteringmechanismisappliedontheusernamebeforeitisusedintheresponsewebpage.Thus, thisfield isvulnerable to theXSSattack.Suppose,anadversary injectsamaliciousfunction as: <script>alert(“document.cookie”);</script>. Therefore, the original code becomes<input type=”text” name= “username” value=”<script>alert(“document.cookie”);</script>”>.Consequently,whenbrowserrendersthisresponsethenattackergetscookieinformationoftheuser.Therefore,functioncallandfunctiondefinitionpatternsareextractedoutfromthevalidJavaScriptcode,asitsuniquefeature.Table2illustratessomeoftheexamplesrelatedtotheprobablefeaturesofthevalidJavaScriptcodeincludingfunctioncallandfunctiondefinitionfeatures.Forexample,firstexampledescribestheinbuiltfunctioncallasMath.pow(4,5),werepresenttheprobablefeaturesas{pow,2,4,5}.Itmeansfunction‘pow’has2parameters4,5.Similarlyotherexamplesareshown.2.2.2.1.3. Protocol GenerationIt is a server-side component which is responsible for the encapsulation of extracted JavaScriptfeatures inprotocol.Theseprotocolsare thenincludedin the initial remarkstatement.This is toensure that legitimateJavaScriptpresent in theresponsewebpagecanbeproperlydistinguishedfromtheinjectedJavaScriptcodebycomparingtheirfeatureswithonesstoredinprotocol.Table3describesthescriptcode,protocolgenerationandremarkgeneration.ProtocolsarestoredbyusingProtocolID,type,nameandparamcount.Accordingtothenumberofparameters,paramfieldstorestheactualparameters.ModifiedremarksstatementcomprisesanonceandprotocolIDas/*N1,1*/.Infunctioncalltype,insteadofparamcount,weuseargcountandargfields.
2.2.2.2. EncodingThisisthelastworkingcomponentattheserver-sideofourframeworkwhichpreservestheintegrityoftheremarksstatementi.e.protocol.Ifrawformofremarkisexposedtobrowserthen,itmightbepossiblethatanattackermodifiestheprotocolssothatitreflectsfeaturessimilartolegitimateonebutactuallyaremalicious.Toaddressthisproblem,wetransformprotocolsintoencodedformatand
Table 1. JavaScript code with initial remark statement injected with different source type
Source type
Code instance Code with initial remarks
Inline <script>document.write(“ABC”);</script>
<script>/*N1*/document.write(“ABC”);/*N1*/</script>
Scriptcall(remotesite)
<scriptsrc=“http//www.example.com/exm.js”></script>
<script>/*N1*/</script><scriptsrc=“http//www.example.com/exm.js”></script><script>/*N1*/</script>
EventHandling
<bodyonLoad=“alert(“ABC”);”>…..</body> <bodyonLoad=/*N1*/alert(“ABC”);”/*N1*/>…</body>
URLpropertyvalue
<ahref=“javascript:window.alert(“ABC”)”> <ahref=/*N1*/javascript:window.alert(“ABC”)/*N1*/>
Externalscriptinjection
<scriptsrc=“external.js”></script> <scriptsrc=external.js></script>
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
94
thenembedthemintoremarkstatement.ItusesBase64encodingrepresentationtoachieveourgoal.Itstoresallencodedprotocolsinjectedinremarkstatementintoarepositoryforprocessingattheclient-side.Theseprotocolsaredecodedattheclient-sidebeforecomparisonoffeatures.
Allthe,aforementioned,phasesareimplementedattheserver-side.Intheentireprocessattheserver-side,initially,weclassifytheresponsewebpageintodynamicandstaticwebpage.Ifwebpageiscategorizedasdynamicwebpagethenitisforwardedattheclient-side.Otherwise,staticwebpageundergoestrustedremarkstatementinjectionprocess.Then,modifiedstaticwebpageisreturnedtotheuser.
2.2.3. Remark Validation PhaseHeretofore,ourproposedframeworkhaseffectivelyclassifiedresponsewebpageandinjecttrustedremarkstatementintostaticwebpage.Inthisphase,weperformtheanalysisofthestaticwebpagetodetectinjectedJavaScriptcodefortheidentificationofXSSattack.Thisphaseisaccountablefor
Table 2. Extracted probable features of the valid JavaScript code
Type Example Probable features
Inbuiltfunctioncall Math.pow(4,5) {pow,2,4,5}
Userdefinedfunctioncall
functionactive(a,b,c){..}; {active,3,a,b}
Nestedmethodcall(userdefined)
pro(3,pro(6,7)) {pro,2,3,{pro,2,6,7}}
Nestedmethodcall(inbuilt)
Math.pow(2,Math.min(3,4)) {pow,2,2,{min,2,3,4}}
Anonymousfunctioncall
varX=pro(a,b){…}; {X,2,a,b}
Hostobjectmethodcall
VarID=document.getElementByName(“value”);ID.innerHTML=“helloworld”;
{document.getElementByName,1,value}
Table 3. Protocol generation with modified remark statement
Script code Protocol generation Modified remarks
<script>varx=product(2,3);</script>
<protocolID>1</protocolID><type>def</type><name>product</name><paramcount>2</paramcount><param>2</param><param>3</param>
<script>/*N1,1*/varx=product(2,3)/*N1,1*/</script>
<bodyonLoad=“active(a,b)”>…</body>
<protocolID>2</protocolID><type>call</type><name>active</name><argcount>2</argcount><arg>a</arg><arg>b</arg>
<bodyonLoad=/*N2,2*/“active(a,b)”/*N2,2*/>..</body>
<ahref=“javascript:window.alert(document.cookie)”>
<protocolID>3</protocolID><type>call</type><name>window.alert</name><argcount>1</argcount><arg>document.cookie</arg>
<ahref=/*N3,3*/“javascript:window.alert(document.cookie)”/*N3,3*/>
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
95
theauthenticationoftheremarkstatement.Thekeycomponentstoaccomplishthistaskare:Parser,Scriptseparation,Decoding,andRemarkVarianceDetector.2.2.3.1. ParserItistheclient-sidecomponentwhichreceivesthestaticwebpagewiththeremarkstatement.ItisresponsibleforconstructionoftheParsedTree(PT)correspondingtothatwebpage.Itistoensurethatthebrowserrendersthewebpagecorrectly.Forinstance,considerthefollowingcodesnippetas shown in listing 1. In the above example, untrusted user input is applied at S_GET(‘name’)and$_GET(‘age’).TheparsetreegeneratedfortheabovecodesnippetisshowninFigure6.EachnodeofthetreerepresentsHTMLtagsortext.Thistreewillbeprocessedtodeterminescriptnodeembeddedintothewebpage.
Listing 1.ExampleshowsvulnerableHTMLcodeproducedbyvulnerableserver.<html> <body> <div name= “val” onClick= “my()”> Click Me!!! </div> <script> function my() { document.getElementByName(“val”).innerhtml= “hello” + “$_GET(‘name’)” + “you are” + “$_GET(‘age’)” + “years old”;} </script> </body></html>
2.2.3.2. Script SeparationThiscomponentisaclient-sideprocessinwhichparsetreeisprocessedtoidentifyallJavaScriptcodewithinjectedremarkstatement.Asshowninlisting1,userprovidestheuntrusteddatabythe$_GET[‘...’]variables.$_GETsupposedtoprovidethenameoftheuserwhoiscurrentlyloggedinand$_GETprovidestheageofthecorrespondinguser.Asnosanitizationprocedureisappliedonthesevariablesandaredirectlyprocessedbythebrowser,so,thesearevulnerabletotheXSSattack.Therefore,scriptsnodesmustbeseparatedfromtheresponsepage.Toeasethisproblem,itsearchesintheparsetreetocheckfortheopeningandclosingHTMLtags.Then,foreverycoupleofJavaScripttags(<script>….</script>),itinspectseachuniquepathbetweenopeningandclosingtagsbyusinggraphtraversalalgorithmsuchasDepthFirstSearch(DFS).EachidentifiedpathrepresentstheJavaScriptcodethatthewebpagecodemightresult.Figure7illustratesthealgorithmusedfortheScriptseparation.Thisalgorithmworksasfollows:Script_logisalogmaintainedtostoreallpossiblerecognizedJavaScriptcode includedin thewebpage.ThisalgorithmprocessesControlFlowGraph(CFG)asfollows:
Itexamineseachnode(v)inthegraph(V,E)tocheckitscontent.Ifitis<script>tag,thenitextractsthecontentofeachnodeinScript_logthatappearsduringthetraversalofuniquepath,untilanodewithcontent</script>isfound.Otherwise,ignorethecontentofthatnode.Finally,itoutputsScript_logcomprisingofJavaScriptcodethatawebpagemightresult.2.2.3.3. DecodingItisaclient-sideprocesstodecodethetrustedremarkstatementsinjectedatthebordersofthevalidJavaScriptcodepresentinthestaticwebpage.Inthesecondphaseofourframework,weperformencodingoftheremarkstatementtoensuretheintegrityoftheextractedfeaturesofvalidJavaScriptcode,storedinremarks.Inordertoperformacomparisonbetweentheseknownfeaturesandscriptpresentintheresponsewebpage,thereisaneedtotransformtheencodedfeaturesintorawform.Therefore,thiscomponentperformsthereversibleprocessofencoding,attheclient-side.Encoding,basically,buildsupamappingbetweencontenttypesfromthefeaturestoencodedvalueandstoresthesemappinginarepository.Indecodingprocess,thisrepositoryisusedtowhichperformreverse
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
96
mappingi.e.encodedvaluetooriginalcontenttype.ThiscomponentwillproducedecodefeaturesofthevalidJavaScriptcode,asitsoutputanditifforwardedtothenextcomponentforfurtherprocessing.2.2.3.4. Remark Variance DetectorItisaclient-sidecomponentwhichisresponsiblefordetectingthevarianceinthescriptfeaturesextractedatclient-sideandtheknownfeaturesofthevalidJavaScriptcodeextractedattheserver-side.Itreceivestwothingsasitsinput:decodedfeaturesandextractedscriptcode.Then,itchecksforwhetherscriptwithoutremarkispresentornot.Ifpresentthen,itisinjectedmaliciouscode.Otherwise,itchecksfortheremarkvalidity.Ifnonceisinvalidthen,itisindicatedasinjectedcode.Otherwise,itchecksforthevalidityoftheembeddedprotocols(i.e.comparethefeaturesstoredinitwiththeJavaScriptextractedfromtheresponsepage).Iffeaturesarevalidthen,responseisfreefromXSSattack,otherwise,itisconsideredasinjectedcode.Finally,iftheframeworkdetectedinjectedmaliciousJavaScriptcodethen,itisremovedfromtheresponsewebpageandmodifiedresponsewebpageisdisplayedtotheuser.Ifnoinjectedcodeisfoundthen,frameworkremovestheremarkstatementsfromtheresponsewebpageandresponseisforwardedtotheuser.Figure8representstheentireworkingprocessofthiscomponentintheformoftheflowchart.
2.2.4. Exploitation and Filtering PhaseThisisthelastphaseoftheframeworkattheclient-side.Theinputtothisphaseisthedynamicwebpage.Thekeygoalofthisphaseistoidentifythelocationofthetaintedsourceandthesensitivefunctionwhere thisvalue isused (i.e.determine thevulnerablepoints in thesourcecodeof theresponsewebpage).Moreover,itperformsfilteringonthetaintsourcetonegatetheeffectoftheinjectedmaliciousscriptatthesourcepoint.Finally,filteredresponseisdisplayedtotheuser.ThekeyComponentstoaccomplishtheentirefunctionalityofthisphaseare:DetermineVulnerableflow,ExploitGeneration,andFiltering.
Figure 6. Parse tree generated for the code shown in listing 1
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
97
2.2.4.1. Determine Vulnerable FlowThiscomponentisresponsibleforthedeterminationoftheflowofuntrusteduserdatafromsourcetothesensitivefunctionpresentintheresponsewebpage.WebapplicationismarkedasXSSfreeifitispossibletodecidetheoutputofwebpagestatically(i.e.staticJavaScript).Nevertheless,ifdynamicJavaScriptisgeneratedbythewebapplicationthatgeneratestheimproperlysanitizedcontent,then,attackercanutilizedthisvulnerabilitytoinjectsomemaliciouscode.Table4illustratesthevulnerablesourceandsinkslocationsusedinourframework.Forexample,considerthefollowingcodesnippetshownintheFigure9.Inthiscode,unameisdirectlyresultingfromtheparametervaluenameandisoutputtouserdeprivedofanyvalidationmechanism.
Adversarymayexploit thisvulnerabilitybyinjectingmaliciouscodeatnameparameterlike“<script>alert(document.cookie);</script>.Consequently, unamehold this JavaScript code andbrowserrendersattacker’sprovidedcode.Hence,thiscomponentextractstaintedsourceandsinkinformationas:taintsource(uname= request.getParametervalue(“name”)andtaintsink(document.write(tag)).ThisinformationisforwardedtothenextstepphasetodeterminethecontextandanalyzeitforthepresenceofXSSloopholes.
Figure 7. Algorithm implemented for JavaScript separation
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
98
2.2.4.2. Exploit GenerationThismoduleexaminesthevulnerableflowtoidentifyvulnerablesourceandsink.Then,itgeneratescontext-basedtestingattackpayloadthatcanbesimplyusedtoverifyvulnerablewebpages.It isachievedin3mainsteps:MaliciousFlowDecomposer,ContextRecognizerandTestingPayloadinjector.2.2.4.2.1. Malicious Flow DecomposerIt is thecomponentwhich receives the logs thatcontains informationabout thevulnerable flowpresentinthewebpage.Itextractsthefollowingfromthelog:1)TaintSourcewhichcontainsthe
Figure 8. Flow chart showing the working process of the remark variance detector
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
99
sourcetypeandthestringvalueinthesourceusedinsink.2)TaintSinkwhichdefinesthelocationwherestringvaluesuppliedbytheattackerisusedintheprogram.3)TaintIDwhichistheuniqueidentifiertoidentifyeachvulnerableflow.4)TaintURLwhichcontainstheURLofthewebpageinwhichvulnerableflowwasrevealed.2.2.4.2.2. Context RecognizerThiscomponentisresponsibleforthedeterminationofthecontextofthevulnerablesource.Itacceptstheinformationprovidedbythemaliciousflowdecomposerandthenusesittodeterminetheportionof the web page where vulnerable string value is injected. Figure 10 illustrates the algorithmimplementedforthisstep.Thisalgorithmworksasfollows:InputtotheabovealgorithmisthesetofIDsofuntrustedsourceT_ID.Con_logisalogmaintainedtostorecontextofeachuntrustedsource. For each tainted source TI∈ T_ID, it attached a context recognizer CR in the form asCI← (CR)TI.ThegeneratedoutputistheinternalrepresentationoftheextractedJavaScriptcodeembeddedwiththecontextrecognizerCRcorrespondstoeachuntrustedvariablepresentinit.Afterthis,itismergedwiththeCon_logasCon_log←CI∪ Con_log.ForeachCI∈Con_log,itgeneratesandsolvesthetypeconstraints.Here,Λ representsthetypeenvironmentthatperformsthemappingoftheJavaScriptvariabletotheContextrecognizerCR.Inthepathsensitivesystem,variable’scontextchangesfromonepointtootherpoint.Thus,tohandlethisissue,untrustedvariablesarerepresented
Table 4. Vulnerable source and sink location
Taint source Taint sink
Location document.URI,window.location,location.search,location.href,URL,document.location,baseURI,location.hash
location.href,location.pathname,location.port,location.protocol,location.search,location.assign,location.replace,location.hash,location.host
Link href,media,rel,rev,type link.innerhtml,link.namespaceURI,link.toString,style.
HTML Iframe,image,body,div,audio,video,em,form,input,style,var
InnerHTML,outerhtml,src,action,value,toString,defaultChecked,checked,selectedIndex,rel,write,writeln,script.innerhtml,textcontent.Crossorigin.
JavaScript Script,document,events. Src,eval,setTimeout,setInterval,baseURI,document.URL,document.cookie,document.scripts,onClick,onLoad,onChange,onMouseOver.
Storage Cookie,localStorage,sessionStorage Cookie,localStorage,sessionStorage
History - Current,next,previous,length,toSring
Window - defaultStatus,status,location,frames,innerHeight,innerWidth,localStorage.
Figure 9. Code snippet
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
100
throughthetypingjudgmentsasΛ e:CR.Itindicatesthatatanyprogramlocation,ehascontextrecognizerCRinthetypeenvironmentΛ .Finally,allCIvariableshavebeenassignedthecontextdynamicallyandproducethemodifiedlogCon_logasoutput.Thisstepprovidestaintedsourcewiththeiridentifiedcontext,inwhichbrowserinterpretsit.2.2.4.2.3. Testing Payload InjectorToexploitthevulnerabilitypresentinthewebpage,itsubstitutesattackvectorattheplaceoftaintedstring.Testingattackvectormustbe injectedaccording to thecontextof the taintedstring. It isachievedwiththehelpofavailablerepositoryofXSSattackvector.Then,thismodulevalidatesthesuccessfulexecutionoftheinjectedattackvector.Ifattackissuccessfulthen,TaintedIDandTaintSourceinformationisforwardedtothefilteringmodule,otherwise,webpageisnotvulnerableandisreturnedtotheuser.2.2.4.2.4. FilteringThiscomponentacceptsthetaintSourceandtaintedIDinformationasitsinput.ItappliesfilteringonthetaintedstringpresentatthetaintSourceinthewebpage,withthehelpofFilteringAPIs.Thisisdonetohalttheexecutionofinjectedmaliciousstringandtriggersmaliciouseffects.Figure11showsthealgorithmprocessedforthecompletionofthefilteringprocess.Theworkingprocedureofthisalgorithmisexplainedbelow:AlgorithmtakesCon_logasitsinputwhichstoresidentifiedcontextofalluntrustedJavaScriptvariable.FAPI_libistheexternallyavailablelibrarywhichstoresfilteringAPIscorrespondingtoeachmaliciouscontext.T_IDisthelistcomprisingtheIDsofeachtaintedsource.ForeachUntrustedSource(i.etaintedvalue)TI∈T_ID,itextractsthecontextofTIasXIfromtheCon_log.Then,itidentifiesforthecorrespondingFilteringAPI,fromtheFAPI_lib,withmatchingcontextandstoresitinFI.ItappliestheidentifiedfilteringAPIontheTIandstoreresultintotheYI.ItthenmergesYIwithFAPI_libasFAPI_lib←YI∪ FAPI_lib;finally,itembedsallsanitizedvariableintotheHTTPresponseandproduceHTTPresponsefortheuser.
3. IMPLEMENATION AND PERFORMANCE EVALUATION
Authorshaveimplementedtheirworkinjava,formitigatingtheeffectofXSSvulnerabilitiesfromthetestedsuiteofreal-worldwebapplications.Initially,AuthorshavemanuallyverifiedtheperformanceoftheframeworkagainstavailableXSSattackrepositories(HTML5SecurityCheatSheet,RSnake,2008,TechnicalAttackSheetforCrossSitePenetrationTests),whichincludesthelistofoldandnewXSSattackvectors.VeryfewXSSattackvectorswereabletobypasstheframework.AuthorshaveutilizedHtmlUnit(HtmlUnitparser)toinjecttheinitialtrustedremarkstatements.Toinjectremark,itmodifieslocationswhereJavaScriptcodeispresent(i.e.inline,eventhandling,etc.)andstorethemodifiedsourceprograminformationinMySQLdatabase.ToextractthefeaturesofvalidJavaScriptcode,AuthorshaveusedRhino(RhinoJavaScriptparser)JavaScriptparser.
3.1. Experimental EvaluationAuthorshavecategorizedtheXSSattackvectorsintofourmaincategoriesi.e.CharacterEncodingScripts (CES), Embedded Character Tags (ECT), Event Handlers (EH) and HTML QuoteEncapsulation(HQE).Table5illustratestheattackpatternsofthesecategoriesofXSSattackvectors.TheobservedresultsofourframeworkonfiverealworldHTML5webapplicationscorrespondingtochosencategoriesofXSSwormshasbeenshownintheFigure12-16.
AuthorshavealsocalculatedtheXSSdetectionrateofourframeworkbydividingthenumberofattacksdetected(i.e.#ofTruePositives)tothenumberofXSSattackvectorsinjectedoneachindividualHTML5webapplication.Table6highlightsthedetectionrateofallfivewebapplicationsw.r.t.individualcategoryofXSSworms.ItisclearlyreflectedfromtheTable6thatOsCommerceandBlogItobservedoverallhigherpercentagedetectionrateinallthefourcategoriesofXSSworms.
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
101
Inthenexttwosub-sections,authorshaveevaluatedtheperformanceanalysisoftheframeworkbyapplyingtwostatisticalanalysismethods:F-ScoreandF-test.
Figure 10. Algorithm implemented for the context recognizer
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
102
Figure 11. Algorithm for filtering process
Figure 12. Observed results on Simplecms
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
103
Table 5. Categories of XSS worms with their pattern examples
XSS Worm Category
Explanation Script Example
CES Thetechniquesofcharacterencodingareutilizedforexemplifyingadatabaseoftypescriptsthroughcertainencodingsystem.Suchtechniquesareutilizedforcalculation,datastoring,andbroadcastofdocumentedinfoandcouldbeutilizedforexploitingnumerousattacks.
%253cscript%253ealert(document.cookie)%253c/script%253e
ECT ThiscategoryofattackisgenerallyembeddedinsidethenormalsyntaxofJavaScriptcode.
<IMGSRC=”jav	ascript:alert(‘XSS’);”>
EH Thesearenon-compulsorysystemcommandsintheformofscripts,whichonlyexecutewhenanalterationisobservedintheservicestate.
<inputonBlur=”alert(‘xss’)”type=”text”>
HQE ThiscategoryisgenerallyusedforexploitingtheXSSattackonwebapplicationsthatpermit“<script>”tagbutnot“<SCRIPTSRC...”
<scriptsrc=”data:text/javascript,alert(1)”></script>
Figure 13. Observed Results on OsCommerce
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
104
Figure 14. Observed Results on WebCalender
Figure 15. Observed Results on PunBB
Figure 16. Observed Results on BlogIt
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
105
3.2. Performance Analysis using F-ScoreAuthorshavepresenteddetailedperformanceanalysisofourframeworkbyconductingastatisticalanalysismethod (i.e.F-Score).Theanalysis conducted reveals thatour frameworkexhibitshighperformanceas theobservedvalueofF-Scores inall theplatformsofHTML5webapplicationsis0.9.Therefore, theproposedframeworkexhibits90%successrate inall thefiveHTML5webapplications.Table7highlightsthedetailedperformanceanalysisofourwork.
Precision=TruePositives TP
TruePositives TP False Positives FP
( )
( ) ( )+
Recall=TruePositives TP
TruePositives TP FalseNegatives FN
( )
( ) ( )+
FalsePositiveRate(FPR)=False Positves FP
False Positives FP TrueNegatives TN
( )
( ) ( )+
FalseNegativeRate(FNR)=FalseNegatives FN
FalseNegatives FN TruePositives TP
( )
( ) ( )+
F-Score=2
2
( )
( )
TruePositives
TruePositives FalseNegatives False Posit+ + iives
Table 6. Detection rate (in %age) of HTML5 web applications
Web Applications CES ECT EH HQE
Simplecms 88.8 86.8 88.0 86.3
OsCommerce 91.6 94.7 92.8 91.0
WebCalender 86.1 89.4 88.0 88.6
PunBB 88.8 86.8 85.7 88.6
BlogIt 88.8 86.8 92.8 88.6
Table 7. Performance analysis by calculating F-Score
Web Application Total # of TP
# of TN
# of FP
# of FN
Precision FPR FNR Recall F-Measure
SimpleCms 160 140 6 9 5 0.939 0.6 0.034 0.965 0.952
OsCommerce 160 148 2 4 6 0.973 0.67 0.038 0.961 0.927
WebCalender 160 141 8 6 5 0.959 0.428 0.034 0.965 0.962
PunBB 160 140 4 7 9 0.952 0.478 0.087 0.939 0.945
BlogIt 160 143 6 6 5 0.959 0.5 0.034 0.966 0.913
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
106
3.3. Performance Analysis Using F-Test HypothesisInordertoprovethatthenumberofXSSwormsdetectedislessthantothenumberofXSSattackvectorsinjected,weusetheF-testhypothesis,whichisdefinedas:
NullHypothesis(H0)=NumberofXSSwormsdetectedisequaltothenumberofXSSattackvectorsinjected.(S12=S22)
AlternateHypothesis(H1)=NumberofXSSwormsinjectedisgreaterthannumberofXSSattackvectorsdetected(S12<S22)
Table 8. Statistics of XSS Attack Vectors Applied
# of Malicious Scripts Injected (Xi)
(Xi - µ ) (Xi - µ )2 Standard Deviation S1 =
( ) / ( )Xi Ni
N
− −=∑ µ 21
1
1 1
158 2 4 3.162
160 4 16
156 0 0
154 -2 4
152 -4 16
Mean(µ )= Xi N/∑ 1 =156 ( )Xii
N
−=∑ µ1
12=40
Table 9. Statistics of XSS attack vectors detected
# of JS Attack Payload Detected (Xj)
(Xi - µ ) (Xi - µ )2 Standard Deviation S2 =
( ) / ( )Xi Ni
N� ��
�� 2
1
22 1
150 1 1 3.316
154 5 25
148 -1 1
148 -1 1
145 -4 16
Mean(µ )= Xi N/∑ 2=149 ( )Xii
N��
��
1
12=44
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
107
ThelevelofSignificanceis(α=0 05. ).ThedetailedanalysesofstatisticsofXSSattackwormsappliedanddetectedareillustratedintheTables8and9.AnalysisusingF-testisshowingbelow:
NumberofXSSWormsInjected(#ofObservation(N1))=5DegreeofFreedom(df1)=N1-1=4.NumberofXSSWormsDetected(#ofObservation(N2))=5DegreeofFreedom(df2)=N2-1=4.
WecancalculateF-Testas:FCALC=S12/S2
2=[(3.162)2/(3.316)2]=0.9092ThetabulatedvalueofF-Testatdf1=4,df2=4andα = 0 05. is
F( , , )df df1 2 1−α =F(4,4,0.95)=6.3882
ItisalreadyknownthattheNullhypothesisiscorrectifthetwovariancesareequalandconditionFCALC<F
( , , )df df1 2 1−α isfalse,however,inthiscase,sinceFCALC<F(4,4,0.95)istrue,therefore,thealternatehypothesis(H1)istruethatmeansthenumberofXSSwormsdetectedislessthannumberofXSSattackvectorsinjectedandanydifferenceinthesamplestandarddeviationisduetorandomerror.
3.4 Limitations of our WorkThissectiondiscussedaboutsomeofthelimitationsofourwork.
• VulnerabletoClickJackingandPhishingAttacks:Initially,theattackvectorcouldutilizethecapabilitiesofClickJackingorPhishingattacksforstealingsensitivecredentialsofuser.(e.g.user-id,password,etc.).Thisisbeyondthescopeofthiscurrentwork.Secondly,itcanalsobearguedthatastheattackvectorsareexecutingunderthelicenseofwebsite,thisisconsideredaneasywayfortheattackvectortoexploitsuchattacks.
• VulnerabletoDrive-byDownloadWorms:Finally,thisframeworkisalsoexposedtowormslikeKoobface,whichtransmitthebinariestothewebbrowserofvictimbyutilizingdrive-byexploits.Thiscategoryofattackisalsobeyondthescopeofthiswork.
Table 10. Comparison of existing work with our XSS defensive work
Techniques Parameters XSSFilt XSSAudior BIXSAN ScriptGard Livshits Jsand XSS-
Guard(Present
work)
AM Active Active Passive Passive Passive Passive Passive Active
MP Dynamic Static Static Static Dynamic Static Static Dynamic
TOXH Reflected Reflected Stored Reflected Reflected Stored Reflected Reflected,Stored
Ttrac ✗ ✗ ✗ ✗ ✓ ✓ ✓ ✓
CRW ✗ ✗ ✓ ✗ ✓ ✗ ✓ ✓
APPR ✓ ✓ ✓ ✓ ✓ ✗ ✗ ✗
PSID ✓ ✗ ✗ ✓ ✗ ✗ ✗ ✓
SCM ✓ ✓ ✓ ✓ ✓ ✓ ✗ ✓
SCMod ✓ ✓ ✓ ✓ ✓ ✓ ✗ ✗
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
108
3.5 Comparative and Strengths of the Proposed WorkThissectiondiscussesthecomparisonofourframeworkwiththeotherrecentexistingXSSdefensivemethodologies.Table10comparestheexistingXSSdefensivemethodologieswithourworkbasedonnineusefulperformanceparameters:AM:AnalyzingMechanism,MP:MonitoringProcedure,TOXH:TypeofXSSWormHandled,Ttrac:TaintTracking,CRW:CodeRewriting,APPR:AutomatedPre-ProcessingRequired,PSID:PartialScriptInjectionDetection,SCM:SourceCodeMonitoringandSCMod:SourceCodeModifications.
Inaddition,recognitionofmaliciousscriptmethodsissimplyevadedbymostofthetechniques.Moreover,lotofpre-processingisrequiredintheexistingframeworkofwebapplicationsfortheirsuccessfulexecutionondifferentplatformsofwebbrowsersaswellaswebapplications.MostoftheexistingworkreliesontheconceptofexactJavaScriptinjection;however,theycouldnotabletodetectthepartialinjectionofXSSworms.
ThisframeworksimplyisolatestheuntrustedJavaScriptcodefromtheactualdatabyexecutingtheprocessofcoderewriting,thatisnothandledbymostoftheexistingXSSdefensivetechniques.Inaddition, theproposedframeworkexecutestheruntimemonitoringontheJavaScriptcodefordetermining thedependencybetween the taintedsourceandsinkfunctions in theprogramcode.Moreover,contextofuntrustedvariablesembeddedinsuchcodeisdetermined.Now,here,insteadofperformingcontext-sensitivesanitizationonsuchvariables,ourframeworkperformsthedeepstringanalysisonsuchvariablesfortrackingtheirtaintedflow.Theexaminationoftaintedvariableswillbecarriedoutinordertodeterminewhetheritmayfunctionasvulnerablepointornot.Theexistingworkperformsthecontext-sensitivesanitizationonsuchvariables.
4. CONCLUSION
Digitalization in every aspect of life demands more technological advancements for providinginformationanytimeanywhere.Thismaterializesthevisionofmakingcities“smarter”.Undoubtedly,thisdevelopmentinducesmultiplebenefitstothepeople;nevertheless,itbringstolightmultiplethreatslikeXSS.Therefore,thispaperdescribedatechniquetoprotectusersfromXSSattack.Thisisachievedthroughclassifyingresponsewebpageintostaticanddynamicwebpages.StaticwebpagesareprocessedbyinjectingandverifyingtrustedremarkstatementstodetectpersistentXSSattack.Moreover,itaccomplishesvulnerableflowanalysisfollowedbyfilteringoftaintedstring,fordeterminingXSSattackindynamicwebpages.Authorshaveimplementedtheframeworkusingjavadevelopmentframeworkandhasevaluateditsdetectioncapabilityonfivereal-worldwebapplications.Theresultsrevealedlowfalsenegativeratewithtolerableperformanceoverheadduetoinjectionandremovalofremarks.
ACKNOWLEDGMENT
ThispublicationisanoutcomeoftheR&DworkundertakenundertheprojectsYFRF,VisvesvarayaPhDSchemeofMinistryofElectronics&InformationTechnology,GovernmentofIndiaandbeingimplementedbyDigitalIndiaCorporation.
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
109
REFERENCES
Agten,P.,VanAcker,S.,Brondsema,Y.,Phung,P.H.,Desmet,L.,&Piessens,F.(2012,December).JSand:completeclient-sidesandboxingof third-partyJavaScriptwithoutbrowsermodifications.InProceedings of the 28th Annual Computer Security Applications Conference(pp.1-10).ACM.doi:10.1145/2420950.2420952
Almomani,A.et al..(2013).Phishingdynamicevolvingneuralfuzzyframeworkforonlinedetectionzero-dayphishingemail.Indian Journal of Science and Technology,6(1),3960–3964.
Bates, D., Barth, A., & Jackson, C. (2010, April). Regular expressions considered harmful in client-sideXSS filters. In Proceedings of the 19th international conference on World wide web (pp. 91-100). ACM.doi:10.1145/1772690.1772701
Bisht, P., & Venkatakrishnan, V. N. (2008, July). XSS-GUARD: precise dynamic prevention of cross-sitescriptingattacks.InProceedings of theInternational Conference on Detection of Intrusions and Malware, and Vulnerability Assessment(pp.23-43).Springer.doi:10.1007/978-3-540-70542-0_2
Chandra,V.S.,&Selvakumar,S.(2011).BIXSAN:BrowserIndependentXSSSanitizerforpreventionofXSSattacks.Software Engineering Notes,36(5),1–7.doi:10.1145/1968587.1968603
Chaudhary,P.,Gupta,B.B.,&Gupta,S.(2018).DefendingtheOSN-basedwebapplicationsfromXSSattacksusingdynamicjavascriptcodeandcontentisolation.InQuality, IT and Business Operations(pp.107–119).Singapore:Springer.doi:10.1007/978-981-10-5577-5_9
Chaudhary,P.,Gupta,B.B.,&Gupta,S.(2019).AFrameworkforPreservingthePrivacyofOnlineUsersAgainstXSSWormsonOnlineSocialNetwork.International Journal of Information Technology and Web Engineering,14(1),85–111.doi:10.4018/IJITWE.2019010105
Chaudhary,P.,Gupta,S.,&Gupta,B.B.(2016).AuditingDefenseagainstXSSWormsinOnlineSocialNetwork-BasedWebApplications.InHandbookofResearchonModernCryptographicSolutionsforComputerandCyberSecurity(pp.216-245).Hershey,PA:IGIGlobal.doi:10.4018/978-1-5225-0105-3.ch010
Drennan,J.,Sullivan,G.,&Previte,J.(2006).Privacy,riskperception,andexpertonlinebehavior:Anexploratorystudyofhouseholdendusers.Journal of Organizational and End User Computing,18(1),1–22.doi:10.4018/joeuc.2006010101
Ferraz,F.S.,&Ferraz,C.A.G.(2014,December).Smartcitysecurityissues:depictinginformationsecurityissuesintheroleofanurbanenvironment.InProceedings of the 2014 IEEE/ACM 7th International Conference on Utility and Cloud Computing(pp.842-847).IEEE.doi:10.1109/UCC.2014.137
Gupta,B.B.,Gupta,S.,&Chaudhary,P.(2017a).Enhancingthebrowser-sidecontext-awaresanitizationofsuspiciousHTML5codeforhaltingtheDOM-basedXSSvulnerabilitiesincloud.[IJCAC].International Journal of Cloud Applications and Computing,7(1),1–31.doi:10.4018/IJCAC.2017010101
Gupta,S.,&Gupta,B.B.(2016a).Aninfrastructure-basedframeworkforthealleviationofJavaScriptwormsfromOSNinmobilecloudplatforms.InProceedings of theInternational conference on network and system security(pp.98-109).Cham:Springer.doi:10.1007/978-3-319-46298-1_7
Gupta,S.,&Gupta,B.B. (2016b).EnhancedXSSdefensive framework forweb applicationsdeployed inthevirtualmachinesofcloudcomputingenvironment.Procedia Technology,24,1595–1602.doi:10.1016/j.protcy.2016.05.152
Gupta,S.,&Gupta,B.B.(2017b).SmartXSSattacksurveillancesystemforOSNinvirtualizedintelligencenetworkofnodesoffogcomputing.International Journal of Web Services Research,14(4),1–32.doi:10.4018/IJWSR.2017100101
Gupta,S.,&Gupta,B.B.(2018b).Robustinjectionpoint-basedframeworkformodernapplicationsagainstXSSvulnerabilitiesinonlinesocialnetworks.International Journal of Information and Computer Security,10(2-3),170–200.doi:10.1504/IJICS.2018.091455
Gupta,S.,&Gupta,B.B.(2018c).RAJIVE:RestrictingtheabuseofJavaScriptinjectionvulnerabilitiesonclouddatacentrebysensingtheviolationinexpectedworkflowofwebapplications.International Journal of Innovative Computing and Applications,9(1),13–36.doi:10.1504/IJICA.2018.090822
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
110
Gupta,S.,&Gupta,B.B.(2018d).EvaluationandmonitoringofXSSdefensivesolutions:Asurvey,openresearchissuesandfuturedirections.Journal of Ambient Intelligence and Humanized Computing,1–29.
Gupta,S.,&Gupta,B.B.(2018e).POND:Polishingtheexecutionofnestedcontext-familiarruntimedynamicparsing and sanitisationofXSSwormsononline edge servers of fog computing. International Journal of Innovative Computing and Applications,9(2),116–129.doi:10.1504/IJICA.2018.092588
Gupta,S.,&Gupta,B.B.(2018f).Arobustserver-sidejavascriptfeatureinjection-baseddesignforJSPwebapplicationsagainstXSSvulnerabilities.InCyber Security:Proceedings of CSI 2015(pp.459-465).SpringerSingapore.doi:10.1007/978-981-10-8536-9_43
Gupta,S.,Gupta,B.B.,&Chaudhary,P.(2018a).HuntingforDOM-BasedXSSvulnerabilitiesinmobilecloud-basedonlinesocialnetwork.Future Generation Computer Systems,79,319–336.doi:10.1016/j.future.2017.05.038
Hossain,M.S.,Muhammad,G.,Abdul,W.,Song,B.,&Gupta,B.B. (2018).Cloud-assistedsecurevideotransmission and sharing framework for smart cities. Future Generation Computer Systems, 83, 596–606.doi:10.1016/j.future.2017.03.029
HTML5SecurityCheatSheet.(n.d.).Retrievedfromhttps://html5sec.org/
HtmlUnitparser.(n.d.).Retrievedfromhttps://sourceforge.net/projects/htmlunit/files/htmlunit/
Li,D.,Deng,L.,BhooshanGupta,B.,Wang,H.,&Choi,C.(2019).AnovelCNNbasedsecurityguaranteedimage watermarking generation scenario for smart city applications. Information Sciences, 479, 432–447.doi:10.1016/j.ins.2018.02.060
Li,J.,Yu,C.,Gupta,B.B.,&Ren,X.(2018).ColorimagewatermarkingschemebasedonquaternionHadamardtransform and Schur decomposition. Multimedia Tools and Applications, 77(4), 4545–4561. doi:10.1007/s11042-017-4452-0
Livshits, B., & Chong, S. (2013, January). Towards fully automatic placement of security sanitizers anddeclassifiers.ACM SIGPLAN Notices,48(1),385–398.doi:10.1145/2480359.2429115
Parada, R., Melià-Seguí, J., & Pous, R. (2018). Anomaly Detection Using RFID-Based InformationManagementinanIoTContext.Journal of Organizational and End User Computing,30(3),1–23.doi:10.4018/JOEUC.2018070101
Pelizzi,R.,&Sekar,R.(2012).Protection,usabilityandimprovementsinreflectedXSSfilters.InProceedings of the 7th ACM Symposium on Information, Computer and Communications Security (p. 5). ACM.doi:10.1145/2414456.2414458
Rhino JavaScript parser. (n.d.). Retrieved from https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Rhino/Download_Rhino
XSSRSnake.(2008).CheatSheet.Retrievedfromhttps://n0p.net/penguicon/php_app_sec/mirror/xss.html
Saxena,P.,Molnar,D.,&Livshits,B.(2011,October).SCRIPTGARD:automaticcontext-sensitivesanitizationforlarge-scalelegacywebapplications.InProceedings of the 18th ACM conference on Computer and communications security(pp.601-614).ACM.doi:10.1145/2046707.2046776
Sen,M.,Dutt,A.,Agarwal,S.,&Nath,A.(2013,April).Issuesofprivacyandsecurityintheroleofsoftwareinsmartcities.InProceedings of the2013 International Conference on Communication Systems and Network Technologies(pp.518-523).IEEE.doi:10.1109/CSNT.2013.113
TechnicalAttackSheetforCrossSitePenetrationTests.(n.d.).Retrievedfromhttp://www.vulnerability-lab.com/resources/documents/531.txt
Journal of Organizational and End User ComputingVolume 32 • Issue 4 • October-December 2020
111
B. B. Gupta received PhD degree from Indian Institute of Technology Roorkee, India in the area of information security. He has published more than 250 research papers in international journals and conferences of high repute. He has visited several countries to present his research work. His biography has published in the Marquis Who’s Who in the World, 2012. At present, he is working as an Assistant Professor in the Department of Computer Engineering, National Institute of Technology Kurukshetra, India. His research interest includes information security, cyber security, cloud computing, web security, intrusion detection, computer networks and phishing.
Pooja Chaudhary is currently pursuing her PhD degree in Information and Cyber security from National Institute of Technology, Kurukshetra, Haryana, India. She has completed her M.Tech in Computer Engineering from National Institute of Technology, Kurukshetra. She has received her B.Tech degree in Computer Science and Engineering from Bharat Institute of Technology, Meerut, Affiliated to Uttar Pradesh Technical University, India. Her areas of interest include online social network security, Big Data analysis and security, database security, and cyber security.
Shashank Gupta is currently working as an Assistant Professor in Computer Science and Information Systems Division at Birla Institute of Technology and Science, Pilani, Rajasthan, India. He has done his PhD under the supervision of Dr. B. B. Gupta in Department of Computer Engineering specialization in Web Security at National Institute of Technology Kurukshetra, Haryana, India. Recently, he was working as an Assistant Professor in the Department of Computer Science and Engineering at Jaypee Institute of Information Technology (JIIT), Noida, Sec-128. Prior to this, he has also served his duties as an Assistant Professor in the Department of IT at Model Institute of Engineering and Technology (MIET), Jammu. He has completed M.Tech. in the Department of Computer Science and Engineering Specialization in Information Security from Central University of Rajasthan, Ajmer, India. He has also done his graduation in Bachelor of Engineering (B.E.) in Department of Information Technology from Padmashree Dr. D.Y. Patil Institute of Engineering and Technology Affiliated to Pune University, India. He has also spent two months in the Department of Computer Science and IT, University of Jammu for completing a portion of Post-graduation thesis work. He bagged the 1st Cash Prize in Poster Presentation at National Level in the category of ICT Applications in Techspardha’2015 and 2016 event organized by National Institute of Kurukshetra, Haryana. He has numerous online publications in International Journals and Conferences including IEEE, Elsevier, ACM, Springer, Wiley, Elsevier, IGI-Global, etc., along with several book chapters. He is also serving as reviewer for numerous peer-reviewed Journals and conferences of high repute. He is also a professional member of IEEE and ACM. His research area of interest includes web security, cross-site scripting (XSS) attacks, online social network security, cloud security, fog computing and theory of computation.