Identifying Cross-Site Scripting Attacks Based on URL Analysis

Автор: Zhihua Tang, Ning Zheng, Ming Xu

Журнал: International Journal of Engineering and Manufacturing(IJEM) @ijem

Статья в выпуске: 5 vol.2, 2012 года.

Бесплатный доступ

Cross-site scripting (XSS) is one of the major threats to the security of web applications. Many techniques have been taken to prevent XSS. This paper presents an approach to identify Cross-Site Scripting attacks based on URL analysis. The fundamental assumption of our method is that the URL contains a part that can produce a valid JavaScript syntax tree. First, we extract the parameters of the URL to produce a valid JavaScript syntax tree and weight its parsing depth. If its depth exceeds a user-defined threshold, the URL is considered suspicious. Second, to the exception URLs, a second level of defense is formed by analyzing its structure. The experimental results demonstrate that our approach can effectively distinguish most of the malicious URLs from the benign ones.

Еще

Cross-site scripting, depth level, structure

Короткий адрес: https://sciup.org/15014338

IDR: 15014338

Список литературы Identifying Cross-Site Scripting Attacks Based on URL Analysis

  • Van der Geer J, Hanraads JAJ, Lupton RA. The art of writing a scientific article. J Sci Commun 2000;163:51-9.
  • Strunk Jr W, White EB. The elements of style. 3rd ed. New York: Macmillan; 1979.
  • OWASP (2010). OWASP Top 10 Project , Available at http://www.owasp.org/index.php.
  • S. Kamkar, “I’m popular,” 2005, description and technical explanation of the JS.Spacehero (a.k.a. “Samy”) MySpaceworm. [Online]. Available: http://namb.la/popular.
  • P. Bisht and V. N. Venkatakrishnan. XSS-GUARD: precise dynamic prevention of cross-site scripting attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment,2008.
  • EnginKirda, Christopher Kruegel, Giovanni Vigna,and Nenad Jovanovic. Noxes: A client-side solution formitigating cross-site scripting attacks. In Proceedings of the 21st ACM Symposium on Applied Computing (SAC),Security Track, 2006.
  • S. Nanda, L.-C. Lam , T. Chiueh. Dynamic multiprocess information flow tracking for webapplication security. In Proceedings of the 8th ACM/IFIP/USENIX international conference on Middleware, 2007.
  • M. Van Gundy and H. Chen, “Noncespaces: Using randomization to enforce information flow tracking and thwart crosssite scripting attacks,”in 16th Annual Network & Distributed System Security Symposium,San Diego, CA, USA, Feb. 2009.
  • P. Saxena, D. Song, and Y. Nadji, “Document structure integrity:A robust basis for cross-site scripting defense,” in 16th Annual Network & Distributed System Security Symposium,San Diego, CA, USA, Feb. 2009.
  • T. Jim, N. Swamy, and M. Hicks. Beep: Browser-enforced embedded policies. 16th International World World Web Conference, 2007.
  • D. Bates, A. Barth, and C. Jackson. Regular Expressions Considered Harmful in Client-Side XSS Filters. In Proceedings of the 19th international conference on World Wide Web (WWW). ACM New York, NY, USA, 2010.
  • M. Ter Louw and V. N. Venkatakrishnan. BluePrint: RobustPrevention of Cross-site Scripting Attacks for ExistinBrowsers. In Proceedings of the IEEE Symposium on Securityand Privacy, 2009.
  • SpiderMonkey Engine.http://www.mozilla.org/js/spidermonkey.
  • XSS (Cross Site Scripting) Cheat Sheet. Esp: for filter evasion. http://ha.ckers.org/xss.html.
  • K. Fernandez and D. Pagkalos. XSSed.
Еще
Статья научная