
Web Content Analysis and Modification for Reducing Cross Site Scripting Attacks

1 D. Veerabhadram, 2 G. Shiva Krishna and 3 Shobini B.

1 Computer Science and Engineering, Swathi Institute of Technology & Sciences, Near Ramoji Film City, Beside Kothagudem 'X' Roads, Hyderabad, India, Telangana 501512

2 Computer Science and Engineering, Swathi Institute of Technology & Sciences, Near Ramoji Film City, Beside Kothagudem 'X' Roads, Hyderabad, India, Telangana 501512

3 Computer Science and Engineering, Swathi Institute of Technology & Sciences, Near Ramoji Film City, Beside Kothagudem 'X' Roads, Hyderabad, India, Telangana 501512

[email protected], [email protected]

Abstract

Web applications are vulnerable to various attacks if they are not designed with security in mind. Of the attacks possible against web applications, Cross Site Scripting (XSS) is one of the most common and poses potential risk. An XSS attack occurs when a genuine web site is subjected to injection of a malicious script that performs the attacker's intended operations and leads users to do certain wrong things. Visitors of the web site are exploited by hackers through XSS attacks. Various attacks are possible with XSS, including web cam activation, impersonation, phishing, key logging and identity theft. It is well known that very famous real-world web applications such as Facebook have been subjected to XSS attacks, which shows the significance of protecting web sites from such attacks. In this paper we propose a novel approach based on Content Security Policy (CSP), which has different policies to handle XSS attacks. We built a web-based application to be useful to domain-specific users. It is then used for an empirical study in which different scripts are injected and the results with different browsers are observed with and without CSP protection. The results revealed that CSP is capable of preventing XSS attacks and works with browsers to protect web sites from XSS attacks.

Keywords – Web application, cross-site scripting attacks, content security policy, Document Object Model

Science, Technology and Development

Volume VIII Issue X OCTOBER 2019

ISSN : 0950-0707

Page No : 81


1. INTRODUCTION

Cross site scripting (XSS) is one of the attacks made by adversaries on web applications. As web applications reside on a web server and are executed in both server and browser, both client-side and server-side approaches are possible to protect web sites against XSS attacks. XSS attacks are of two kinds, known as persistent and non-persistent attacks. Persistent attacks are made by injecting a malicious script that is permanently saved on the server. A non-persistent attack, on the other hand, is made by sending a malicious URL that contains a script to be injected temporarily. Preventing both is very important for protecting web applications in the real world. Different approaches are found in the literature to protect web sites against XSS attacks. They include a server-side approach [3], a code-reuse based approach [5], a pattern filtering approach [6], a client-side solution against XSS attacks [10], address bar based attack and prevention measures [11], a document structure integrity based solution [14] and the Content Security Policy (CSP) approach [19]. Our work in this paper is influenced by [19], where CSP is clearly defined. Our contributions in this paper are as follows.

• A CSP-based approach is followed to provide protection against persistent and non-persistent XSS attacks.

• A prototype application is built to be useful to domain-specific users. However, it is protected with CSP to prevent XSS attacks.

• An empirical study with different browsers found that browsers perform differently with and without CSP protection. With CSP, they are able to protect web sites against XSS attacks.

The remainder of the paper is structured as follows. Section 2 reviews the literature on the state of the art in XSS. Section 3 presents the difference between persistent and non-persistent XSS attacks with illustrations. Section 4 presents the proposed methodology along with the web application, its roles and the interactions among them. Section 5 presents the results of experiments along with the prototype application. Section 6 provides useful insights in the form of conclusions and gives directions for possible future work.

2. RELATED WORK

This section reviews the literature on XSS attacks. The dynamics of XSS attacks and their prevention measures are explored in [1] for safeguarding web sites. In [2], vulnerabilities that arise in web applications due to code injection are studied. It is understood that web sites with design vulnerabilities allow XSS attacks with ease. A server-side approach to preventing XSS attacks is the main focus of [3]. Web applications have critical security risks; such risks are investigated and useful insights are given in [4], while code-reuse attacks and mitigation of XSS attacks are illustrated in [5].

A pattern filtering approach is employed in [6] for preventing XSS attacks of the persistent category. In [7], a methodology is proposed to protect all documents made up of HTML against XSS attacks, along with the apparatus used for prevention of the attacks. Various defence mechanisms against XSS attacks are the focus of [8], while a survey of prevention measures for XSS attacks is provided in [9]. Application of computing phenomena for preventing XSS attacks is explored in [10] in order to provide better security to web applications.

Another kind of XSS attack, known as the add-on XSS attack, is explored in [11]. Such attacks are made by abusing the address bar of the web browser. Browser-enforced policies embedded into the web browser are studied in [12] for preventing XSS attacks. As web design is crucial for preventing attacks, [13] focuses on designing web sites without XSS vulnerabilities. Document structure integrity is the main approach to protecting web sites from XSS attacks in [14]. Worms can also be used to inject XSS scripts; this is studied in the context of social networking in [15]. Browser-based protection against XSS script injection is studied in [16] for built-in security measures that stem from the browser.

A client-side approach to prevention of XSS attacks is provided in [17]. Different threat patterns are provided in [18] in order to understand XSS scripts and provide suitable solutions. CSP-based protection against XSS is detailed in [19]. This work has influenced the work of this paper. In this paper both persistent and non-persistent XSS attacks are considered and they are prevented using a CSP-based approach. It is evaluated by building a web-based solution that helps browsers to protect against XSS attacks.

3. CROSS SITE SCRIPTING

The World Wide Web (WWW) is rich in web-based applications. Such applications drive the business of millions of companies across the globe. Having said this, such applications may be subjected to many attacks, including SQL injection and XSS attacks, to mention a few. This paper focuses on XSS attacks and their prevention. XSS attacks are classified into two categories known as persistent and non-persistent.

Figure 1: Illustrates persistent cross-site scripting attack

Figure 1 illustrates the persistent XSS attack, in which genuine users and an attacker are involved. The attacker injects a bad script into a vulnerable but legitimate web site. When the server saves that script, the web site behaves differently because of it. This causes issues for users of the web site, and the hackers may steal users' valuable information. When a user visits the web site and clicks any link with which the script is associated, the attacker's script runs and the user does not get the intended service but something unintended.

[Figure 1 diagram text. Actors: Attacker, Victims, Database server, Web site with vulnerabilities. Arrow labels: Users visit malicious web page; Script is stored in server; Malicious script is injected; Legitimate data is returned by script; Compromises the victim.]


Figure 2: Illustrates non-persistent cross-site scripting attack

Figure 2 illustrates the non-persistent XSS attack, in which genuine users and an attacker are involved. Here the attacker sends a malicious link to legitimate users. When users click that URL, a hidden script is executed and the users do not get the expected service. The rationale behind this is that the users are hijacked into a different activity that is useful to the attacker.

4. PROPOSED METHODOLOGY

The proposed methodology involves defining different content protection policies under CSP, which make web applications secure from XSS attacks. The idea is to have a CSP-based solution that makes browsers perform well against XSS attacks. A web-based solution is built as proof of concept. The web application is built to be useful to domain-specific users. However, it is subjected to persistent and non-persistent attacks in order to show the utility of the proposed methodology. The DOM-based XSS attack is considered, as web applications are built using the Document Object Model. The proposed application has four major roles: administrator, remote user, attacker and web database. The attacker role is responsible for injecting script into the web site and testing the ability of the CSP approach to prevent attacks.

[Figure 2 diagram text. Actors: Attacker, Victims, Web site with vulnerabilities. Arrow labels: Victim's browser executes script; Data is sent by browser to attacker; Malicious link is sent; Malicious payload is sent; Users visit or click malicious links.]


Figure 3: Overview of the proposed system

As shown in Figure 3, the remote user is the legitimate user who gets services from a web application. However, when the attacker injects an XSS script into the web application, users are misguided into performing unintended operations, causing potential damage to end users. Therefore users need to be protected from such attacks. This is done using the CSP approach in this paper. More on the CSP approach can be found in [19]. The script written and injected by the attacker is saved to the database where the web site is saved. This makes it a persistent XSS attack. On the other hand, it is also possible to craft a new URL that has a hidden script and send the URL to users in order to launch an XSS attack. This kind of attack is what is known as non-persistent.

[Figure 3 diagram text. Roles: Web Data Base, Admin, Remote User, Attacker. Box text: (1) List all users and authorize, Add Documents with category, doc title, doc uses, doc content, and doc image, List all documents with images, List all cross site script attackers, List all user's posted documents, List attacked documents with attacker URL and Recover data, List all documents reviews, Find number documents attacked in chart. (2) Register and Login, View your Profile, View all shared documents by the admin and download, Search documents by content keyword and download, Review about doc content, View all doc reviews. (3) Attack the file contents.]


Figure 4: Shows users in the system and their interaction

As shown in Figure 4, the interaction among the users is provided. The attacker, end user, administrator and web database are involved in the web application. A web application is built with all these roles, and the attacker role performs both persistent and non-persistent attacks to demonstrate proof of concept.

[Figure 4 diagram text. Roles: Web Data Base, Admin, Remote User, Attacker. Interaction labels: List all users and authorize, Add Documents with category, doc title, doc uses, doc content, doc image; List all documents with images, List all cross site script attackers; List all users' posted documents, List attacked documents with attacker URL and Recover data; List all documents reviews, Find number documents attacked in chart; Register and Login, View your Profile; View all shared documents by the admin and download; Search documents by content keyword and download; Review about doc content, View all doc reviews; Attack the Document.]


Figure 5: Sequence diagram

As shown in Figure 5, the interaction among the roles is presented in time sequence. There is interaction among users such as admin, remote user and web database. However, when the attacker makes malicious XSS attacks, the proposed CSP-based system comes into the picture and prevents XSS attacks of both kinds in order to safeguard users from the effects of malicious scripts.

[Figure 5 diagram text. Lifelines: Admin, Web Data Base, Remote User, Attacker. Messages: List all users and authorize; Register and login; View your Profile, View all shared documents by the admin and download; Add Documents with category, doc title, doc uses, doc content, and doc image; Search documents by content keyword and download; List all documents with images, List all cross site script attackers, and List all user's uses, doc content, doc image; Review about doc content, View all doc reviews; List attacked documents with attacker URL and Recover data, List all documents reviews; Attack the contents; Find number documents attacked in Chart.]

Algorithm 1: Cross Site Scripting Prevention (XSSP)

Inputs: Web page source p, white list vector W, black list vector B, grey list vector G

Output: XSS attack prevention

1. Start
2. Initialize scripts vector S
3. S = getScripts(p)
4. For each script s in S
5.     If s belongs to W Then
6.         Add s to W
7.     Else If s belongs to B
8.         Add s to B
9.     Else
10.        Add s to G
11.    End If
12. End For

As presented in Algorithm 1, the input web page source is subjected to extraction of scripts. Once all the scripts are extracted, each one is verified against the known blacklist and white list. Thus each script goes to either the blacklist or the white list. In some cases, a script may go to the grey list as well. Appropriate decisions are taken to suppress suspected scripts from execution, thus preventing the XSS attack.
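The following Python code is an added example, not the authors' implementation, showing how the XSSP classification can be connected to a concrete CSP header. It assumes that list entries are CSP source expressions (origins and sha256 hashes of inline scripts); all function names, URLs and the sample page are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ScriptExtractor(HTMLParser):
    """getScripts(p): collect script elements and inline event handlers."""

    def __init__(self):
        super().__init__()
        self.scripts = []    # (kind, value) pairs in document order
        self._inline = None  # text buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        attrs = {name: value or "" for name, value in attrs}
        if tag == "script":
            if attrs.get("src"):
                self.scripts.append(("external", attrs["src"]))
            else:
                self._inline = []
        for name, value in attrs.items():
            if name.startswith("on"):  # onclick, onerror, ...
                self.scripts.append(("handler", value))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.scripts.append(("inline", "".join(self._inline)))
            self._inline = None

def csp_hash(source):
    """CSP hash-source expression for an inline script body."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def script_key(kind, value):
    """List-lookup identity: origin for external scripts, hash otherwise."""
    if kind != "external":
        return csp_hash(value)
    parts = urlsplit(value)
    if not parts.netloc:
        return "'self'"  # relative URL, same origin as the page
    return f"{parts.scheme or 'https'}://{parts.netloc}"

def classify(page, whitelist, blacklist):
    """XSSP steps 3-12: sort each extracted script into white, black or grey."""
    extractor = ScriptExtractor()
    extractor.feed(page)
    extractor.close()
    verdict = {"white": [], "black": [], "grey": []}
    for kind, value in extractor.scripts:
        key = script_key(kind, value)
        # A hash in script-src does not cover event handlers, so a handler
        # is never whitelisted here and falls through to black or grey.
        if kind != "handler" and key in whitelist:
            verdict["white"].append((kind, value))
        elif key in blacklist:
            verdict["black"].append((kind, value))
        else:
            verdict["grey"].append((kind, value))
    return verdict

def build_csp(whitelist):
    """Header under which the browser runs whitelisted scripts only."""
    return "Content-Security-Policy: script-src " + " ".join(sorted(whitelist))

# Constructed sample data: every name and URL below is hypothetical.
TRUSTED_INLINE = "initDocumentList();"
WHITELIST = {"'self'", "https://cdn.example.test", csp_hash(TRUSTED_INLINE)}
BLACKLIST = {"https://tracker.invalid"}
SAMPLE_PAGE = """<script src="/static/app.js"></script>
<script src="https://cdn.example.test/lib.js"></script>
<script>initDocumentList();</script>
<script src="https://tracker.invalid/x.js"></script>
<script>injectedWidget()</script>
<img src="doc.png" onerror="loadFallback()">"""
```

Calling `classify(SAMPLE_PAGE, WHITELIST, BLACKLIST)` returns the three lists, and `build_csp(WHITELIST)` gives the header to send with the page. Under that header a CSP-enforcing browser refuses both the black-listed and the grey-listed scripts, so the grey list is what remains for manual review.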

5. EXPERIMENTAL RESULTS

Experiments are made with the prototype application. It is a web-based application that demonstrates proof of concept. The application allows users to perform certain activities and shows how vulnerable they are because of the XSS script injected into the web site. The results are observed in terms of the number of XSS vectors created with the proposed CSP approach and without CSP. The main UI of the application is shown in Figure 6.

Figure 6: Main UI of the application


The application provides features to show persistent and non-persistent attacks related to cross-site scripting. It also contains some domain-specific functionality useful to its intended users. However, it is mainly used to show how injected scripts succeed and how to prevent them with the proposed CSP approach.

Methods                  No. of XSS Vectors
                         Firefox   Chrome   Safari   Opera
Without CSP Protection   40        20       20       20
With CSP Protection      0         0        0        0

Table 1: Results of experiments

As shown in Table 1, four browsers are used for the experiments and each browser behaves differently with and without CSP protection. The number of XSS vectors created for each browser with and without CSP content protection is presented.

Figure 7: Experimental results

As shown in Figure 7, the proposed content protection approach, which is based on the DOM model, is able to provide security to the web site. It is able to eliminate XSS attacks. The browsers used for the empirical study are shown on the horizontal axis and the vertical axis shows the number of XSS vectors created when tested with attacks. Interestingly, Firefox is more vulnerable than the other browsers in the absence of CSP protection. However, with CSP protection all browsers performed well, without a single XSS vector created. The results revealed that the CSP content protection proposed in this paper is useful and can be employed along with browsers in order to safeguard users from such attacks.


6. CONCLUSIONS AND FUTURE WORK

In this paper, we proposed a content security policy based solution to XSS attacks. Since cross-site scripting attacks cause damage to data and allow illegitimate access to users' content, it is essential to eliminate such attacks. The Document Object Model (DOM) is the model used by web applications. This model is studied and suitable content protection policies are built in order to safeguard the interests of genuine users. Browsers are used to implement the proposed CSP approach, and the empirical study revealed that they are able to prevent all XSS attacks. If the CSP approach is not followed, the same browsers were found vulnerable to XSS attacks. We built a prototype application to experiment with both persistent and non-persistent XSS attacks. The results revealed that the proposed method is useful in protecting web sites from such attacks. In future we intend to propose a new approach and compare it with CSP.

References

[1] Shashank Gupta and B. B. Gupta. (2015). Cross-Site Scripting (XSS) attacks and defense mechanisms: classification and state-of-the-art. Int J Syst Assur Eng Manag, p1-19.

[2] M. Johns, “Code Injection Vulnerabilities in Web Applications—Exemplified at Cross-Site Scripting,” PhD dissertation, Univ. of Passau, 2009; https://opus4.kobv.de/opus4-uni-passau/frontdoor/index/index/docId/144.

[3] Shashank Gupta and B. B. Gupta. (2015). XSS-SAFE: A Server-Side Approach to Detect and Mitigate Cross-Site Scripting (XSS) Attacks in JavaScript Code. Arab J Sci Eng, p1-24.

[4] Open Web Application Security Project, “OWASP Top 10 – 2013: The Ten Most Critical Web Application Security Risks,” 2013; www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013.

[5] Sebastian Lekies, Krzysztof Kotowicz and Samuel Groß. (2017). Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets, p1-15.

[6] I. Yusof and A.-S.K. Pathan, “Preventing Persistent Cross-Site Scripting (XSS) Attack by Applying Pattern Filtering Approach,” Proc. 5th IEEE Conf. Information and Communication Technology for the Muslim World (ICT4M14), 2014, pp. 1−6.


[7] Olgierd Pieczul, Alexander McGloin and Ellen Zurko. (2015). METHOD AND APPARATUS FOR PROTECTING MARKUP LANGUAGE DOCUMENT AGAINST CROSS-SITE SCRIPTING ATTACK. International Business Machines Corporation, p1-13.

[8] L.K. Shar and H.B.K. Tan, “Defending against Cross-Site Scripting Attacks,” Computer, vol. 45, no. 3, 2012, pp. 55−62.

[9] V. Nithya, S. Lakshmana Pandian and C. Malarvizhi. (2015). A Survey on Detection and Prevention of Cross-Site Scripting Attack. International Journal of Security and Its Applications. 9 (3), p139-152.

[10] E. Kirda et al., “Noxes: A Client-Side Solution for Mitigating Cross-Site Scripting Attacks,” Proc. 21st Ann. ACM Symp. Applied Computing (SAC06), 2006, pp. 330−337.

[11] Yinzhi Cao, Chao Yang, Vaibhav Rastogi, Yan Chen and Guofei Gu. (2013). Abusing Browser Address Bar for Fun and Profit - An Empirical Investigation of Add-on Cross Site Scripting Attacks, p1-18.

[12] T. Jim, N. Swamy, and M. Hicks, “Defeating Script Injection Attacks with Browser-Enforced Embedded Policies,” Proc. 16th Int’l ACM Conf. World Wide Web (WWW07), 2007, pp. 601−610.

[13] Ms. Daljit Kaur and Dr. Parminder Kaur. (2017). Cross-Site-Scripting Attacks and Their Prevention during Development. International Journal of Engineering Development and Research. 5 (3), p1-7.

[14] Y. Nadji, P. Saxena, and D. Song, “Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense,” Proc. 6th Ann. Network & Distributed System Security Symp. (NDSS09), 2009; www.cs.berkeley.edu/~dawnsong/papers/2009%20dsi-ndss09.pdf.

[15] Pooja Chaudhary, B.B. Gupta and Shashank Gupta. (2016). Cross-Site Scripting (XSS) Worms in Online Social Network (OSN): Taxonomy and Defensive Mechanisms. IEEE, p1-6.


[16] M.T. Louw and V.N. Venkatakrishnan, “Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers,” Proc. 30th IEEE Symp. Security and Privacy (S&P09), 2009, pp. 331−346.

[17] Akhil Nair, Pallavi Chame, Shital Gaikwad, Swapnil Ethape and Prof. Shikha Agarwal. (2018). Prevention of Cross Site Scripting (XSS) and securing web application at client side. International Journal of Computer Applications. 3 (2), p1-4.

[18] Rohini Sulatycki and Eduardo B. Fernandez. (2015). A threat pattern for the “Cross-Site Scripting (XSS)” attack, p1-8.

[19] Imran Yousof and Al-Sakib Khan Pathan. (2016). Mitigating Cross-Site Scripting Attacks with a Content Security Policy. IEEE, p56-63.
