A Survey on XSS Attack Detection and Prevention in Web Applications

Cui, Yanpeng; Cui, Junjie; Hu, Jon-Fan

doi:10.1145/3383972.3384027

Cited by 15 publications

(8 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…During this type of attack, the attacker injects code that has been maliciously written onto the server in such a way that it cannot be removed. As shown in Figure 3, the scenario I used to illustrate a stored XSS attack [10] injected a script tag directly into the Document Object Model (DOM) and subsequently executed a malicious script using JavaScript hypothetically. However, while this is the most popular method of exploiting XSS, it is also the most common approach neutralized by advanced security professionals and security-conscious software developers [11].…”

Section: Stored Cross-site Scripting (Xss) Attackmentioning

confidence: 99%

Cross-Site Scripting Attacks and Defensive Techniques: A Comprehensive Survey

Weamie¹

2022

IJCNS

View full text Add to dashboard Cite

The advancement of technology and the digitization of organizational functions and services have propelled the world into a new era of computing capability and sophistication. The proliferation and usability of such complex technological services raise several security concerns. One of the most critical concerns is cross-site scripting (XSS) attacks. This paper has concentrated on revealing and comprehensively analyzing XSS injection attacks, detection, and prevention concisely and accurately. I have done a thorough study and reviewed several research papers and publications with a specific focus on the researchers' defensive techniques for preventing XSS attacks and subdivided them into five categories: machine learning techniques, server-side techniques, client-side techniques, proxy-based techniques, and combined approaches. The majority of existing cutting-edge XSS defensive approaches carefully analyzed in this paper offer protection against the traditional XSS attacks, such as stored and reflected XSS. There is currently no reliable solution to provide adequate protection against the newly discovered XSS attack known as DOM-based and mutation-based XSS attacks. After reading all of the proposed models and identifying their drawbacks, I recommend a combination of static, dynamic, and code auditing in conjunction with secure coding and continuous user awareness campaigns about XSS emerging attacks.

show abstract

Section: Stored Cross-site Scripting (Xss) Attackmentioning

confidence: 99%

Cross-Site Scripting Attacks and Defensive Techniques: A Comprehensive Survey

Weamie¹

2022

IJCNS

View full text Add to dashboard Cite

show abstract

“…Hence the attack cannot be detected by client-side approaches. Moreover, Stored XSS attacks can lead to more devastating damage because while Reflected XSS attacks often limit the scope of the attack to the attacker (i.e., the outcome of the attack is reflected by whoever injected the payload), Stored XSS attacks allow the payload injected by an attacker to be executed multiple times and even affecting on the unsuspicious user's browser context because of its nature the payload is persistently stored inside the application's database (Cui et al, 2020).…”

Section: Introductionmentioning

confidence: 99%

Server-side Cross-site Scripting Detection Powered by HTML Semantic Parsing Inspired by XSS Auditor

Pardomuan¹,

Kurniawan²,

Darus³

et al. 2023

JST

View full text Add to dashboard Cite

Cross-site Scripting attacks have been a perennial threat to web applications for many years. Conventional practices to prevent cross-site scripting attacks revolve around secure programming and client-side prevention techniques. However, client-side preventions are still prone to bypasses as the inspection is done on the user’s browser, so an adversary can alter the inspection algorithm to come up with the bypasses or even manipulate the victim to turn off the security measures. This decreases the effectiveness of the protection and leads to many web applications are still vulnerable to cross-site scripting attacks. We believe that XSS Auditor, which was pre-installed in Google Chrome browser for more than 9 years, is a great approach in combating and preventing XSS attacks. Hence, in this paper, we proposed a novel approach to thoroughly identify two types of cross-site scripting attacks through server-side filter implementation. Our proposed approach follows the original XSS Auditor mechanism implemented in Google Chrome. However, instead of placing the detection system on the client side, we design a detection mechanism that checks HTTP requests and responses as well as database responses for possible XSS attacks from the server side. From 500 payloads used to evaluate the proposed method, 442 payloads were classified correctly, thus showing that the proposed method was able to reach 88.4% accuracy. This work showed that the proposed approach is very promising in protecting users from devastating Cross-site Scripting attacks.

show abstract

“…Cross-site Scripting (XSS) and cross-site request forgery (CSRF) are considered to be among the top severe risks to web security from the kinds of vulnerabilities demonstrated by web applications, as per OWASP Top Ten (Open Web Application Security Project) [1]. Many detection algorithms based on conventional techniques, have been provided in order to track down these web vulnerabilities and defend against these attacks [2]. Unfortunately, they are not sufficiently effective enough against a threat that can take any form and is evolving as time passes by.…”

Section: Introductionmentioning

confidence: 99%

“…Such web attacks are evolving and becoming more challenging to detect. Several ideas from different perspectives have been put forth that can be used to improve the performance of detecting these web vulnerabilities and preventing the attacks from happening [2]. Machine learning techniques have lately been used by researchers to defend against XSS and CSRF [3], [4], [5], and given the positive findings, it can be concluded that it is a promising research direction.…”

mentioning

confidence: 99%