Kour, Haneet
- Analysis of Browser Level Defense Mechanisms to Prevent Cross Site Scripting Attacks
Authors
1 Department of Computer Science & IT, University of Jammu, J & K, IN
Source
Research Cell: An International Journal of Engineering Sciences, Vol 21 (2016), Pagination: 80-95
Abstract
Context: Web technologies were primarily designed to cater to the need for ubiquity, but security concerns were overlooked, and the resulting vulnerabilities are being heavily exploited by hackers in various ways to compromise security. When a vulnerability is blocked, the attacker finds a different mechanism to exploit it. The cross site scripting (XSS) attack is an exploitation of one of the vulnerabilities existing in web applications.
Objective: To conduct a study on XSS attacks and to analyze the various defense mechanisms provided at browser level to protect the web applications from XSS attacks.
Method: In the study of XSS attacks, various experiments were performed on a localhost server (XAMPP) to trace out the vulnerabilities in JavaScript functions, HTML tags and their various attributes that lead to cross site scripting attacks; the defense mechanisms against XSS attacks provided at browser level were then evaluated in both modern web browsers and mobile browsers.
Results: Browser level defense approaches can mitigate Reflected XSS vulnerabilities, but Stored and DOM based XSS vulnerabilities successfully bypass the prevention mechanisms provided at browser level.
Conclusion: The XSS attack is emerging as one of the top 10 web application vulnerabilities leading to security breaches. Although browsers can protect web applications against this vulnerability to some extent, more research is required to enhance browser functionality to protect the users of web applications against XSS vulnerabilities.
Keywords
Cross Site Scripting, Cookie, Web Vulnerability, Web Browser, Mobile Browser.
- Analysis of Mitigation Techniques to Prevent Cross Site Scripting Attack in the Web Applications
Authors
1 Department of Computer Science & Engineering, MBSCET, Jammu, J&K, IN
Source
Research Cell: An International Journal of Engineering Sciences, Vol 24, No 1 (2017), Pagination: 52-60
Abstract
The three tier architecture of the web was developed to help developers create flexible web applications that are accessed by millions of users across the world. These web applications are developed using various technologies such as HTML, JavaScript, AJAX and XML. But design-level vulnerabilities in these technologies result in security compromise for the users. Thus, the security of these applications is becoming an important issue in ensuring the user's authentication and privacy. The cross site scripting (XSS) attack is an exploitation of these vulnerabilities (existing in web applications) that results in theft of the user's credentials. This paper studies the XSS attack and then analyses the various mitigation techniques to prevent XSS attacks.
Keywords
Cross Site Scripting, Cookie, Web Vulnerability, Mitigation.