Cross-Site Scripting (XSS) Detection Integrating Evidences in Multiple Stages

Zhang, Jingchi; Jou, Yu-Tsern; Li, Xiangyang

doi:10.24251/hicss.2019.860

Cited by 9 publications

(5 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

Section: Related Workmentioning

confidence: 99%

“…Zhang et al [ 30 ] extracted features from XSS payloads using word2vec and trained the dataset using two unsupervised clustering techniques, Gaussian mixture models (GMMs). Zhang et al [ 30 ] built two GMMs for detecting XSS in web request and web response packets. The XSS payloads are distinguished as two clusters with two different Gaussian functions characterized by the mean and covariance of the data points in a dataset.…”

Section: Related Workmentioning

confidence: 99%

“…Liu et al [ 25 ] applied graph convolution networks, and Abimov and Bianchi [ 49 ] used convolutional deep neural network (CNN) for the detection of XSS attacks. Zhou et al [ 21 , 30 ] applied machine learning techniques, [ 33 ] applied a genetic algorithm along with reinforcement learning to detect XSS attacks, and [ 50 ] detected reflected XSS attacks using reinforced learning. It is observed that only 06 out of 16 articles focused on evolutionary algorithms for the detection of XSS attacks, while only 01 focused on XML injection [ 51 , 52 ].…”

Section: Empirical Evaluation With Existing Approachesmentioning

confidence: 99%

“…The existing approaches of XSS attack detection using generative adversarial network [ 30 ] have an accuracy rate of 94.59%, and enforcement learning [ 21 ] reaches an accuracy up to 97.78, using deep neural network [ 20 ] (with an accuracy of 91.7%). Other machine learning techniques detect XSS payloads with less than 90% accuracy.…”

Section: Empirical Evaluation With Existing Approachesmentioning

confidence: 99%

See 3 more Smart Citations

GeneMiner: A Classification Approach for Detection of XSS Attacks on Web Services

Gupta

Singh

Mohapatra

2022

Computational Intelligence and Neuroscience

View full text Add to dashboard Cite

According to OWASP 2021, cross-site scripting (XSS) attacks are increasing through specially crafted XML documents. The attacker injects a malicious payload with a new pattern and combination of scripts, functions, and tags that deceits the existing security mechanisms in web services. This paper proposes an approach, GeneMiner, encompassing GeneMiner-E to extract new features and GeneMiner-C for classification of input payloads as malicious and nonmalicious. The proposed approach evolves itself to the changing patterns of attack payloads and identifies adversarial XSS attacks. The experiments have been conducted by collecting data from open source and generating various combinations of scripts, functions, and tags using an incremental genetic algorithm. The experimental results show that the proposed approach effectively detects newly crafted malicious XSS payloads with an accuracy of 98.5%, which is better than the existing classification techniques. The approach learns variations in the existing attack sample space and identifies the new attack payloads with reduced efforts.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Empirical Evaluation With Existing Approachesmentioning

confidence: 99%

Section: Empirical Evaluation With Existing Approachesmentioning

confidence: 99%

See 2 more Smart Citations

GeneMiner: A Classification Approach for Detection of XSS Attacks on Web Services

Gupta

Singh

Mohapatra

2022

Computational Intelligence and Neuroscience

View full text Add to dashboard Cite

show abstract

“…Zhang et al [119] used two separate Gaussian mixture models (GMM) trained on normal and XSS payloads respectively. The produced probabilities of the two GMMs on tested payloads are compared to reach a final prediction.…”

Section: Machine Learningmentioning

confidence: 99%

Twenty-two years since revealing cross-site scripting attacks: a systematic mapping and a comprehensive survey

Hannousse¹,

Yahiouche²,

Nait-Hamoud³

2022

Preprint

View full text Add to dashboard Cite

Cross-site scripting (XSS) is one of the major threats menacing the privacy of data and the navigation of trusted web applications. Since its reveal in late 1999 by Microsoft security engineers, several techniques have been developed in the aim to secure web navigation and protect web applications against XSS attacks. The problem became worse with the emergence of advanced web technologies such as Web services and APIs and new programming styles such as AJAX, CSS3 and HTML5. While new technologies enable complex interactions and data exchanges between clients and servers in the network, new programming styles introduce new and complicate injection flaws to web applications. XSS has been and still in the TOP 10 list of web vulnerabilities reported by the Open Web Applications Security Project (OWASP). Consequently, handling XSS attacks became one of the major concerns of several web security communities. In this paper, we contribute by conducting a systematic mapping and a comprehensive survey. We summarize and categorize existent endeavors that aim to protect against XSS attacks and develop XSS-free web applications. The present review covers 147 high quality published studies since 1999 including early publications of 2022. A comprehensive taxonomy is drawn out describing the different techniques used to prevent, detect, protect and defend against XSS attacks. Although the diversity of XSS attack types and the scripting languages that can be used to state them, the systematic mapping revealed a remarkable bias toward basic and JavaScript XSS attacks and a dearth of vulnerability repair mechanisms. The survey highlighted the limitations, discussed the potentials of existing XSS attack defense mechanisms and identified potential gaps.

show abstract

Proposing to Use Artificial Neural Networks for NoSQL Attack Detection

Alizadehsani

2020

Distributed Computing and Artificial Intelligence, Special Sessions, 17th International Conference

View full text Add to dashboard Cite

Relationships databases have enjoyed a certain boom in software worlds until now. These days, with the rise of modern applications, unstructured data production, traditional databases do not completely meet the needs of all systems. Regarding these issues, NOSQL databases have been developed and are a good alternative. But security aspects stay behind. Injection attacks are the most serious class of web attacks that are not taken seriously in NoSQL.This paper presents a Neural Network model approach for NoSQL injection. This method attempts to use the best and most effective features to identify an injection. The features used are divided into two categories, the first one based on the content of the request, and the second one independent of the request meta parameters. In order to detect attack payloads features, we work on character level analysis to obtain malicious rate of user inputs. The results demonstrate that our model has detected more attack payloads compare with models that work black list approach in keyword level. Keywords: Security Á Attack detection Á NoSQL injection Á Big data Á Feature extraction Á Deep learning Á Artificial neural network

show abstract

Cross-Site Scripting (XSS) Detection Integrating Evidences in Multiple Stages

Cited by 9 publications

References 12 publications

GeneMiner: A Classification Approach for Detection of XSS Attacks on Web Services

GeneMiner: A Classification Approach for Detection of XSS Attacks on Web Services

Twenty-two years since revealing cross-site scripting attacks: a systematic mapping and a comprehensive survey

Proposing to Use Artificial Neural Networks for NoSQL Attack Detection

Contact Info

Product

Resources

About