SWAP: Mitigating XSS attacks using a reverse proxy

Wurzinger, P.; Platzer, Christian; Ludl, Christian; Kirda, Engin; Kruegel, Christopher

doi:10.1109/iwsess.2009.5068456

Cited by 95 publications

(48 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Wurzinger et al [8] introduced a tool known as SWAP (Secure Web Application Proxy), a server-side solution for discovering and preventing cross-site scripting attacks. SWAP contain a reverse proxy that intercepts all HTML responses, as well as a make use of modified Web browser to detect script content.…”

Section: Related Workmentioning

confidence: 99%

Study of Cross-Site Scripting Attacks and Their Countermeasures

Kaur¹

2014

IJCATR

View full text Add to dashboard Cite

-In present-day time, most of the associations are making use of web services for improved services to their clients. With the upturn in count of web users, there is a considerable hike in the web attacks. Thus, security becomes the dominant matter in web applications. The disparate kind of vulnerabilities resulted in the disparate types of attacks. The attackers may take benefit of these vulnerabilities and can misuse the data in the database. Study indicates that more than 80% of the web applications are vulnerable to cross-site scripting (XSS) attacks. XSS is one of the fatal attacks & it has been practiced over the maximum number of well-known search engines and social sites. In this paper, we have considered XSS attacks, its types and different methods employed to resist these attacks with their corresponding limitations. Additionally, we have discussed the proposed approach for countering XSS attack and how this approach is superior to others.

show abstract

Section: Related Workmentioning

confidence: 99%

Study of Cross-Site Scripting Attacks and Their Countermeasures

Kaur¹

2014

IJCATR

View full text Add to dashboard Cite

show abstract

“…Two main techniques are used to block the propagation of an XSS attack from the server to a client: signature-based and behavior-based like the SWAP approaches [3]. While the first approach cannot block new attacks (no known signature), the second fails in detecting browser specific XSS (a known limitation for SWAP), like the ones shown in [4].…”

Section: Background On Cross-site Scripting (Xss)mentioning

confidence: 99%

“…Attacks should be tailored to the injection point to be effective like in Duchene et al approach [22]; otherwise, depending on the injection point, your XSS attack can be rendered useless (while with the same vector, an attacker can succeed). Most of XSS research works focus either on detection of XSS attacks [1], [3], or on finding XSS vulnerabilities [23], [24]. Other related papers study XSS vulnerabilities or XSS worms [25], [26].…”

Section: Related Workmentioning

confidence: 99%

Empirical Investigation of the Web Browser Attack Surface under Cross-Site Scripting: An Urgent Need for Systematic Security Regression Testing

Abgrall

Traon²,

Gombault

et al. 2014

2014 IEEE Seventh International Conference on Software Testing, Verification and Validation Workshops

View full text Add to dashboard Cite

Abstract-One of the major threats against web applications is Cross-Site Scripting (XSS). The final target of XSS attacks is the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have evolved to support new features. In this paper, we explore whether the evolution of web browsers is done using systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions. We use XSS attack vectors as unit test cases and we propose a new method supported by a tool to address this XSS vector testing issue. The analysis on a decade releases of most popular web browsers including mobile ones shows an urgent need of XSS regression testing. We advocate the use of a shared security testing benchmark as a good practice and propose a first set of publicly available XSS vectors as a basis to ensure that security is not sacrificed when a new version is delivered.

show abstract

“…Using of the shield in front of WebGoat [19] (which is a vulnerable OWASP web application used for teaching security) is a good example to show how the bypass-shield provides extra security, and where it does not. As shown in WebGoat, the developers focus very often the fields that are under user's control (like text fields), and neglect performing input validation on other fields, like check boxes or select lists, which have predefined values.…”

Section: Impact Of Enforcing Constraints On Securitymentioning

confidence: 99%