IJITCS Vol. 8, No. 4, 8 Apr. 2016
Cover page and Table of Contents: PDF (size: 376KB)
Full Text (PDF, 376KB), PP.86-95
Views: 0 Downloads: 0
Web application, Cross-site scripting, Vulnerability, Sanitizer
Web applications are useful for various online services. These web applications are becoming ubiquitous in our daily lives. They are used for multiple purposes such as e-commerce, financial services, emails, healthcare services and many other captious services. But the presence of vulnerabilities in the web application may become a serious cause for the security of the web application. A web application may contain different types of vulnerabilities. Cross-site scripting is one of the type of code injection attacks. According to OWASP TOP 10 vulnerability report, Cross-site Scripting (XSS) is among top 5 vulnerabilities. So this research work aims to implement an effective solution for the prevention of cross- site scripting vulnerabilities. In this paper, we implemented a novel client-side XSS sanitizer that prevents web applications from XSS attacks. Our sanitizer is able to detect cross-site scripting vulnerabilities at the client-side. It strengthens web browser, because modern web browser do not provide any specific notification, alert or indication of security holes or vulnerabilities and their presence in the web application.
Dnyaneshwar K. Patil, Kailas R. Patil, "Automated Client-side Sanitizer for Code Injection Attacks", International Journal of Information Technology and Computer Science(IJITCS), Vol.8, No.4, pp.86-95, 2016. DOI:10.5815/ijitcs.2016.04.10
[1]Dromaeo javascript performance testing. Available at http://dromaeo.com/, JavaScript Performance Testing.
[2]Mozilla developer network. Available at https://developer.mozilla.org/en-US/Add-ons, Mozilla.
[3]Mozilla firefox extensions. Available at https: //addons.mozilla.org/en-US/firefox/extensions/, Mozilla Firefox.
[4]New international project on web vulnerabilities. Available at https://www.owasp.org/index.php, OWASP.
[5]Prevent xss with jsoup sanitizer. Available at http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer, JSOUP.
[6]Survey by cenzic inc. application vulnerability report.. Available at https://www.info-pointsecurity.com/sites/default/files/cenzic-vulnerability-report-2014.pdf, Vulnerability Report 2014.
[7]The xss sanitize package. Available at https://hackage.haskell.org/package/xss-sanitize, The XSS Sanitizer.
[8]Xss sanitizer plugin. Available at https://grails.org/plugin/xss-sanitizer,XSS Sanitizer Plugin.
[9]Davide Canali, Marco Cova, Giovanni Vigna, and Christopher Kruegel. Prophiler: A fast filter for the large-scale detection of malicious web pages. In Proceedings of the 20th International Conference on World Wide Web, WWW ’11, pages 197–206, New York, NY, USA, 2011. ACM.
[10]Vivek Chandra and Nidhi Saxena. Article: An improved technique for web page classification in respect of domain specific search. International Journal of Computer Applications, 102(4):7–10, September 2014.
[11]Shuo Chen, Jose Meseguer, Ralf Sasse, Helen Wang, Yi min Wang, Shuo Chen, Jos Meseguer, Ralf Sasse, Helen J. Wang, and Yi min Wang. A systematic approach to uncover gui logic flaws for web security, 2006.
[12]Marco Cova, Christopher Kruegel, and Giovanni Vigna. Detection and analysis of drive-by-download attacks and malicious javascript code. In Proceedings of the 19th International Conference on World Wide Web, WWW ’10, pages 281–290, New York, NY, USA, 2010. ACM.
[13]Laura Falk, Atul Prakash, and Kevin Borders. Analyzing websites for user-visible security design flaws. In Proceedings of the 4th Symposium on Usable Privacy and Security, SOUPS ’08, pages 117–126, New York, NY, USA, 2008. ACM.
[14]Matthew Finifter, Joel Weinberger, and Adam Barth. Preventing capability leaks in secure javascript subsets. In Proceedings of the Network and Distributed System Security Symposium, NDSS 2010, San Diego, California, USA, 28th February - 3rd March 2010, 2010.
[15]Dinei Florencio and Cormac Herley. A large-scale study of web password habits. In Proceedings of the 16th International Conference on World Wide Web, WWW ’07, pages 657–666, New York, NY, USA, 2007. ACM.
[16]Mohamed Ghazouani, Sophia Faris, Hicham Medromi, and Adil Sayouti. Article: Information security risk assessment a practical approach with a mathematical formulation of risk. International Journal of Computer Applications, 103(8):36–42, October 2014.
[17]Stefan Kals, Engin Kirda, Christopher Kruegel, and Nenad Jovanovic. Secubat: A web vulnerability scanner. In Proceedings of the 15th International Conference on World Wide Web, WWW ’06, pages 247–256, New York, NY, USA, 2006. ACM.
[18]Navjot Kaur and Himanshu Aggarwal. Article: Web log analysis for identifying the number of visitors and their behavior to enhance the accessibility and usability of website. International Journal of Computer Applications, 110(4):25–30, January 2015.
[19]M. V. Kishore, G. Pandit Samuel, N. Aditya Sundar, M. Enayath Ali, and Y. Lalitha Varma. Article: A novel methodology for secure communications and prevention of forgery attacks. International Journal of Computer Applications, 96(22):5– 12, June 2014.
[20]Anuradha K. Kudlikar and Meghana B. Nagori. Article: Refinement in personalize web search system with privacy protection. International Journal of Computer Applications, 117(6):1–6, May 2015.
[21]Zeynab Liraki, Ali Harounabadi, and Javad Mirabedini. Article: Predicting the users’ navigation patterns in web, using weighted association rules and users’ navigation information. International Journal of Computer Applications, 110(12):16–21, January 2015.
[22]Laxmi Shanker Maurya and Anil Kumar Malviya. Article:Web application reliability assessment using error and workload data obtained from server error and access logs. International Journal of Computer Applications, 97(15):6–9, July 2014.
[23]Smita Ranveer and Swapnaja Hiray. Article: Comparative analysis of feature extraction methods of malware detection. International Journal of Computer Applications, 120(5):1–7, June 2015.
[24]Minh-Thai Trinh, Duc-Hiep Chu, and Joxan Jaffar. S3: A symbolic string solver for vulnerability detection in web applications. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS ’14, pages 1232–1243, New York, NY, USA, 2014. ACM.
[25]Sonali Utsai and Ram B. Joshi. Article: Dos attack reduction by using web service filter. International Journal of Computer Applications, 105(14):4–9, November 2014.
[26]Chuan Yue and Haining Wang. A measurement study of insecure javascript practices on the web. ACM Trans. Web, 7(2):7:1–7:39, May 2013.
[27]Rui Zhao and Chuan Yue. All your browser-saved passwords could belong to us: a security analysis and a cloud-based new design. In Elisa Bertino, Ravi S. Sandhu, Lujo Bauer, and Jaehong Park, editors, CODASPY, pages 333–340. ACM, 2013.
[28]Yunhui Zheng, Xiangyu Zhang, and Vijay Ganesh. Z3-str: A z3-based string solver for web application analysis. In zroceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering, ESEC/FSE 2013, pages 114–124, New York, NY, USA, 2013. ACM.