Web Content Analysis and Modification for Reducing Cross Site Scripting Attacks
1D. Veerabhadram, 2G. Shiva Krishna and 3Shobini. B
1 Computer Science and Engineering, Swathi Institute of Technology & Sciences, Near Ramoji Film
City, Beside Kothagudem 'X' Roads, Hyderabad, India, Telangana 501512
2 Computer Science and Engineering, Swathi Institute of Technology & Sciences, Near Ramoji Film
City, Beside Kothagudem 'X' Roads, Hyderabad, India, Telangana 501512
3 Computer Science and Engineering, Swathi Institute of Technology & Sciences, Near Ramoji Film
City, Beside Kothagudem 'X' Roads, Hyderabad, India, Telangana 501512
Abstract
Web applications are vulnerable to various attacks if they are not designed with security in
mind. Of the attacks possible against web applications, Cross Site Scripting (XSS) is one of
the most common and poses potential risk. An XSS attack occurs when a genuine web site is
subjected to injection of a malicious script that performs the operations the attacker intends
and leads users to take unintended actions. Visitors of the web site are exploited by hackers
through XSS attacks. Various attacks are possible with XSS, including web cam activation,
impersonation, phishing, key logging and identity theft. Well-known real-world web
applications such as Facebook have been subjected to XSS attacks, which shows the
significance of protecting web sites from such attacks. In this paper we propose a novel
approach based on Content Security Policy (CSP), which has different policies to handle XSS
attacks. We built a web based application intended to be useful to domain specific users. It
is then used for an empirical study in which different scripts are injected and the results
with different browsers are observed with and without CSP protection. The results revealed
that CSP is capable of preventing XSS attacks and works with browsers to protect web sites
from XSS attacks.
Keywords – Web application, cross-site scripting attacks, content security policy, Document Object
Model
Science, Technology and Development
Volume VIII Issue X OCTOBER 2019
ISSN : 0950-0707
Page No : 81
1. INTRODUCTION
Cross site scripting (XSS) is one of the attacks made by adversaries on web applications. As web
applications reside on a web server and execute in both the server and the browser, both client side
and server side approaches are possible to protect web sites against XSS attacks. XSS attacks are of
two kinds, known as persistent and non-persistent attacks. A persistent attack is made by injecting a
malicious script that is permanently saved on the server. A non-persistent attack, on the other hand,
is made by sending a malicious URL that contains script to be injected temporarily. Prevention of
both is very important to protect web applications in the real world.
Different approaches are found in the literature to protect web sites against XSS attacks. They include
a server side approach [3], a code-reuse based approach [5], a pattern filtering approach [6], a client
side solution against XSS attacks [10], address bar based attack and prevention measures [11], a
document structure integrity based solution [14] and the Content Security Policy (CSP) approach [19].
Our work in this paper is influenced by [19], where CSP is clearly defined. Our contributions in this
paper are as follows.
- CSP based approach is followed to provide protection against persistent and non-persistent
  XSS attacks.
- A prototype application is built to be useful to domain specific users. However, it is protected
  with CSP to prevent XSS attacks.
- Empirical study is made with different browsers and found that with and without CSP
  protection, browsers provide different performance. With CSP, they are able to protect web
  sites against XSS attacks.
The remainder of the paper is structured as follows. Section 2 provides review of literature related to
state of the art on XSS. Section 3 presents the difference between persistent and non-persistent XSS
attacks with illustrations. Section 4 on the other hand presents the proposed methodology along with
the web application and its roles and interactions among them. Section 5 presents results of
experiments besides the prototype application. Section 6 provides useful insights in the form of
conclusions and also makes directions for possible work in future.
2. RELATED WORK
This section provides review of literature on XSS attacks. The dynamics of XSS attacks and its
prevention measures are explored in [1] for safeguarding web sites. In [2] vulnerabilities that arise in
web applications due to code injections are studied. It is understood that web sites that are having
vulnerabilities in design allow XSS attacks with ease. Server side approach to prevent XSS attacks is
the main focus in [3] where solution to the problem stems from server side approach. Web
applications do have critical security risks. Such risks are investigated and useful insights are given in
[4] while code reuse attacks and mitigation of XSS attacks is illustrated in [5].
A pattern filtering approach is employed in [6] for preventing XSS attacks that belong to persistent
category. In [7] a methodology is proposed to protect all documents that are made up of HTML
against XSS attacks. They also provide the apparatus that is used for prevention of the attacks.
Various defence mechanisms against XSS attacks are the focus in [8] while a survey of various
prevention measures for XSS attacks is provided in [9]. Application of computing phenomena for
preventing XSS attacks is explored in [10] in order to provide better security to web applications.
Another kind of XSS attacks known as add-on XSS attacks is explored in [11]. Such attacks are made
by abusing address bar of web browser. Browser enforced policies embedded into web browser are
studied in [12] for preventing XSS attacks. As web design is crucial for preventing attacks, in [13]
focus is given on the design of web site without XSS vulnerabilities. Document structure integrity is
the main approach in protecting web sites from XSS attacks in [14]. Worms also can be used to inject
XSS scripts. It is studied in the context of social networking in [15]. Browser based XSS script
injection protection is studied in [16] for built in security measures that stem from browser.
A client side approach to prevention of XSS attacks is provided in [17]. Different threat patterns are
provided in [18] in order to understand XSS scripts and provide suitable solutions. In [19] there is a
detailed CSP based protection against XSS. This work has influenced the work of this paper. In this
paper both persistent and non-persistent XSS attacks are considered and they are prevented using a
CSP based approach. It is evaluated by building a web based solution that helps browsers to protect
against XSS attacks.
3. CROSS SITE SCRIPTING
World Wide Web (WWW) is rich in web based applications. Such applications are able to drive
business of millions of companies across the globe. Having said this, it is possible that such
applications may be subjected to many attacks including SQL injection and XSS attacks, to mention a
few. This paper focuses on XSS attacks and the prevention of the same. XSS attacks are classified
into two categories known as persistent and non-persistent.
Figure1: Illustrates persistent cross-site scripting attack
Figure 1 illustrates the persistent XSS attack, in which genuine users and an attacker are involved.
The attacker injects a bad script into a vulnerable but legitimate web site. When the server saves that
script, the web site behaves differently because of it. This causes issues to users of the web site
and the hackers may steal users' valuable information. When users visit the web site and click any
link with which the script is associated, the script written by the attacker runs and the user does not
get the intended service but something that is not intended.
[Figure 1 diagram labels: Attacker; Victims; Database server; Web site with vulnerabilities. Arrow
labels: Users visit malicious web page; Script is stored in server; Malicious script is injected;
Legitimate data is returned by script; Compromises the victim.]
Figure 2: Illustrates non-persistent cross-site scripting attack
As shown in Figure 2, the non-persistent XSS is illustrated where genuine users and attacker are
involved. Attacker here sends malicious link to legitimate users. When users click that URL, hidden
script is executed and the users do not get expected service. The rationale behind this is that the users
are hijacked to different activity that is useful to attacker.
4. PROPOSED METHODOLOGY
The proposed methodology involves making different content protection policies in the name of CSP
which makes the web applications secure from XSS attacks. The idea is to have CSP based solution
that makes browsers to perform well against XSS attacks. A web based solution is made for proof of
the concept. The web application is built to be useful to domain specific users. However, it is
subjected to persistent and non-persistent attacks in order to show the utility of the proposed
methodology. The DOM based XSS attack is considered as web applications are made using
document object model. The proposed application has four major roles. They are administrator,
remote user, attacker and web database. The attacker role is responsible to inject script into the web
site and test the ability of CSP approach to prevent attacks.
[Figure 2 diagram labels: Attacker; Victims; Web site with vulnerabilities. Arrow labels: Victim's
browser executes script; Data is sent by browser to attacker; Malicious link is sent; Malicious
payload is sent; Users visit or click malicious links.]
Figure 3: Overview of the proposed system
As shown in Figure 3, the remote user is the legitimate user who gets services from a web application.
However, when the attacker injects XSS script into the web application, the users are misguided into
performing unintended operations, causing potential damage to end users. Therefore users need to be
protected from such attacks. It is done using the CSP approach in this paper. More on the CSP approach
can be found in [19]. The script written and injected by the attacker is saved to the database where
the web site is saved. This makes it a persistent XSS attack. On the other hand it is also possible to
have a new URL that has hidden script, and the URL is sent to users in order to launch an XSS attack.
This kind of attack is what is known as non-persistent.
[Figure 3 diagram text. Roles: Web Data Base, Admin, Remote User, Attacker. Operations shown:
(a) List all users and authorize; Add Documents with category, doc title, doc uses, doc content, and
doc image; List all documents with images; List all cross site script attackers; List all user's
posted documents; List attacked documents with attacker URL and Recover data; List all documents
reviews; Find number documents attacked in chart.
(b) Register and Login; View your Profile; View all shared documents by the admin and download;
Search documents by content keyword and download; Review about doc content; View all doc reviews.
(c) Attack the file contents.]
Figure 4: Shows users in the system and their interaction
As shown in Figure 4, the interaction among the users is provided. Attacker, end user,
administrator and web database are involved in the web application. A web application is built with
all these roles and the attacker role performs both persistent and non-persistent attacks to demonstrate
proof of the concept.
[Figure 4 diagram text. Roles: Web Data Base, Admin, Remote User, Attacker. Operations shown:
(a) List all users and authorize; Add Documents with category, doc title, doc uses, doc content, doc
image; List all documents with images; List all cross site script attackers; List all users' posted
documents; List attacked documents with attacker URL and Recover data; List all documents reviews;
Find number documents attacked in chart.
(b) Register and Login; View your Profile; View all shared documents by the admin and download;
Search documents by content keyword and download; Review about doc content; View all doc reviews.
(c) Attack the Document.]
Figure 5: Sequence diagram
As shown in Figure 5, the interaction among the roles is presented with a time sequence. There is
interaction among users like admin, remote user and web database. However, when the attacker makes
malicious XSS attacks, the proposed CSP based system comes into the picture and prevents the XSS
attacks of the two kinds in order to safeguard users from malicious script effects.
[Figure 5 diagram text. Participants: Admin, Web Data Base, Remote User, Attacker. Messages: List all
users and authorize; Register and login; View your Profile, View all shared documents by the admin
and download; Add Documents with category, doc title, doc uses, doc content, and doc image; Search
documents by content keyword and download; List all documents with images, List all cross site script
attackers, and List all user's uses, doc content, doc image; Review about doc content, View all doc
reviews; List attacked documents with attacker URL and Recover data, List all documents reviews;
Review about doc content, View all doc reviews; Attack the contents; Find number documents attacked
in Chart.]
Algorithm: Cross Site Scripting Prevention (XSSP)
Inputs: Web page source p, white list vector W, black list vector B, grey list vector G
Output: XSS attack prevention
1. Start
2. Initialize scripts vector S
3. S=getScripts(p)
4. For each script s in S
5.     IF s belongs to W Then
6.         Add s to W
7.     Else If s belongs to B
8.         Add s to B
9.     Else
10.        Add s to G
11.    End If
12. End For
As presented in Algorithm 1, the input web page source is subjected to extraction of scripts. Once all
the scripts are extracted, each one is verified against known blacklist and white list. Thus each script
goes to either blacklist or white list. In some cases, a script may go to grey list as well. Appropriate
decisions are taken to suppress suspected scripts from execution thus preventing XSS attack.
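An added example (not code from the paper) of the XSSP classification above, carried one step further into the CSP header that would enforce it. The list contents, the matching keys (script origin for external scripts, SHA-256 hash for inline ones), the example.* hosts and every function name other than getScripts are assumptions.

```javascript
// Added example, not the paper's code. Assumption: the lists W and B hold script
// origins (external scripts) and CSP hash tokens (inline scripts).
const crypto = require("crypto");

const PAGE_ORIGIN = "https://docs.example"; // hypothetical site origin

// Constructed page source p: a trusted CDN script, a trusted inline script,
// a script from a known-bad origin, and an unknown inline script in user content.
const SAMPLE_PAGE = [
  '<script src="https://cdn.example/lib.js"></script>',
  "<script>renderDocs();</script>",
  '<script src="https://bad.example/x.js"></script>',
  "<p>nice document <script>injectedByReview();</script></p>",
].join("\n");

// CSP hash-source token for an inline script body.
function cspHash(body) {
  return "sha256-" + crypto.createHash("sha256").update(body, "utf8").digest("base64");
}

// Step 3, S = getScripts(p). A regex is enough for this constructed page; a real
// tool should use an HTML parser and also collect inline event handlers.
function getScripts(p) {
  const S = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const m of p.matchAll(re)) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    S.push(src ? new URL(src[1], PAGE_ORIGIN).origin : cspHash(m[2]));
  }
  return S;
}

// Steps 4-12: each script goes to the white, black or grey list.
function classify(p, W, B) {
  const lists = { white: [], black: [], grey: [] };
  for (const s of getScripts(p)) {
    if (W.has(s)) lists.white.push(s);
    else if (B.has(s)) lists.black.push(s);
    else lists.grey.push(s);
  }
  return lists;
}

// Suppression step: only white-listed scripts are named in script-src, so
// black-listed and grey-listed scripts are not permitted to run.
function buildCsp(white) {
  const sources = [...new Set(white)].map((s) => (s.startsWith("sha256-") ? `'${s}'` : s));
  const scriptSrc = sources.length ? sources.join(" ") : "'none'";
  return `default-src 'self'; script-src ${scriptSrc}; object-src 'none'; base-uri 'none'`;
}

const W = new Set(["https://cdn.example", cspHash("renderDocs();")]);
const B = new Set(["https://bad.example"]);
const lists = classify(SAMPLE_PAGE, W, B);
console.log(lists);
console.log("Content-Security-Policy: " + buildCsp(lists.white));
```

Because only white-listed sources appear in script-src, a CSP-enforcing browser refuses both the black-listed and the grey-listed script. An origin entry trusts every script served from that host, so hash entries are the tighter choice where they are practical.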
5. EXPERIMENTAL RESULTS
Experiments are made with the prototype application built. It is a web based application which
demonstrates proof of the concept. The application allows users to perform certain activities and
shows how vulnerable they are due to the injected XSS script into the web site. The results are
observed in terms of the number of XSS vectors created with the proposed CSP approach and without
CSP. The main UI of the application is as shown in Figure 6.
Figure 6: Main UI of the application
The application provides features to show persistent and non-persistent attacks related to cross site
scripting. It also contains some domain specific functionality useful to intended users. However, it is
mainly used to show how the injected scripts succeed and how to prevent them with the
proposed CSP approach.
Methods                   No. of XSS Vectors
                          Firefox   Chrome   Safari   Opera
Without CSP Protection    40        20       20       20
With CSP Protection       0         0        0        0
Table 1: Results of experiments
As shown in Table 1, four browsers are used for the experiments and each browser has
different behaviour with and without CSP protection. The number of XSS vectors created for each
browser with and without CSP content protection is presented.
Figure 7: Experimental results
As shown in Figure 7, it is evident that the proposed content protection approach which is based on
DOM model is able to provide security to web site. It is able to eliminate XSS attacks. The browsers
used for empirical study are presented in horizontal axis and the vertical axis shows the number of
XSS vectors created when tested with attacks. Interestingly it is understood that Firefox is more
vulnerable than other browsers in the absence of the CSP protection. However, with CSP protection
all browsers performed well without a single XSS vector created. The results revealed that CSP
content protection proposed in this paper is useful and it can be employed along with browsers in
order to safeguard users from such attacks.
6. CONCLUSIONS AND FUTURE WORK
In this paper, we proposed a content security policy based solution to XSS attacks. Since
cross-site scripting attacks cause damage to data and allow illegitimate access to content of
users, it is essential to eliminate such attacks. Document Object Model (DOM) is the model
used by web applications. This model is studied and suitable content protection policies are
built in order to safeguard interests of genuine users. Browsers are used to implement the
proposed CSP approach and empirical study revealed that they are able to prevent all XSS
attacks. If the CSP approach is not followed, the same browsers were found vulnerable to
XSS attacks. We built a prototype application to experiment with both persistent and non-
persistent XSS attacks. The results revealed that the proposed method is useful in protecting
web sites from such attacks. In future we intend to propose a new approach and compare with
CSP.
References
[1] Shashank Gupta and B. B. Gupta. (2015). Cross-Site Scripting (XSS) attacks and defense mechanisms: classification and state-of-the-art. Int J Syst Assur Eng Manag, p1-19.
[2] M. Johns, “Code Injection Vulnerabilities in Web Applications—Exemplified at Cross-Site Scripting,” PhD dissertation, Univ. of Passau, 2009; https://opus4.kobv.de/opus4-uni-passau/frontdoor/index/index/docId/144.
[3] Shashank Gupta and B. B. Gupta. (2015). XSS-SAFE: A Server-Side Approach to Detect and Mitigate Cross-Site Scripting (XSS) Attacks in JavaScript Code. Arab J Sci Eng, p1-24.
[4] Open Web Application Security Project, “OWASP Top 10 – 2013: The Ten Most Critical Web Application Security Risks,” 2013; www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013.
[5] Sebastian Lekies, Krzysztof Kotowicz and Samuel Groß. (2017). Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets, p1-15.
[6] I. Yusof and A.-S.K. Pathan, “Preventing Persistent Cross-Site Scripting (XSS) Attack by Applying Pattern Filtering Approach,” Proc. 5th IEEE Conf. Information and Communication Technology for the Muslim World (ICT4M14), 2014, pp. 1−6.
[7] Olgierd Pieczul, Alexander McGloin and Ellen Zurko. (2015). METHOD AND APPARATUS FOR PROTECTING MARKUP LANGUAGE DOCUMENT AGAINST CROSS-SITE SCRIPTING ATTACK. International Business Machines Corporation, p1-13.
[8] L.K. Shar and H.B.K. Tan, “Defending against Cross-Site Scripting Attacks,” Computer, vol. 45, no. 3, 2012, pp. 55−62.
[9] V. Nithya, S. Lakshmana Pandian and C. Malarvizhi. (2015). A Survey on Detection and Prevention of Cross-Site Scripting Attack. International Journal of Security and Its Applications. 9 (3), p139-152.
[10] E. Kirda et al., “Noxes: A Client-Side Solution for Mitigating Cross-Site Scripting Attacks,” Proc. 21st Ann. ACM Symp. Applied Computing (SAC06), 2006, pp. 330−337.
[11] Yinzhi Cao, Chao Yang, Vaibhav Rastogi, Yan Chen and Guofei Gu. (2013). Abusing Browser Address Bar for Fun and Profit - An Empirical Investigation of Add-on Cross Site Scripting Attacks, p1-18.
[12] T. Jim, N. Swamy, and M. Hicks, “Defeating Script Injection Attacks with Browser-Enforced Embedded Policies,” Proc. 16th Int’l ACM Conf. World Wide Web (WWW07), 2007, pp. 601−610.
[13] Ms. Daljit Kaur and Dr. Parminder Kaur. (2017). Cross-Site-Scripting Attacks and Their Prevention during Development. International Journal of Engineering Development and Research. 5 (3), p1-7.
[14] Y. Nadji, P. Saxena, and D. Song, “Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense,” Proc. 6th Ann. Network & Distributed System Security Symp. (NDSS09), 2009; www.cs.berkeley.edu/~dawnsong/papers/2009%20dsi-ndss09.pdf.
[15] Pooja Chaudhary, B.B. Gupta and Shashank Gupta. (2016). Cross-Site Scripting (XSS) Worms in Online Social Network (OSN): Taxonomy and Defensive Mechanisms. IEEE, p1-6.
[16] M.T. Louw and V.N. Venkatakrishnan, “Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers,” Proc. 30th IEEE Symp. Security and Privacy (S&P09), 2009, pp. 331−346.
[17] Akhil Nair, Pallavi Chame, Shital Gaikwad, Swapnil Ethape and Prof. Shikha Agarwal. (2018). Prevention of Cross Site Scripting (XSS) and securing web application at client side. International Journal of Computer Applications. 3 (2), p1-4.
[18] ROHINI SULATYCKI and EDUARDO B. FERNANDEZ. (2015). A threat pattern for the “Cross-Site Scripting (XSS)” attack, p1-8.
[19] Imran Yousof and Al-Sakib Khan Pathan (2016). Mitigating Cross-Site Scripting Attacks with a Content Security Policy. IEEE, p56-63.