
Detection of DOM-Based XSS Attack on Web Application

Shubhangi Ninawe and Rakhi Wajgi

Department of Computer Technology,
Yashwantrao Chavan College of Engineering, Nagpur, Maharashtra, India
Shubhangininawe@gmail.com

Abstract. Cross-Site Scripting (XSS) is one of the major security issues of any
Web-based or online application. In this attack, the attacker uses malicious code to
intercept information through the user's web application and sends it to the
corresponding web server. This is possible because web browsers are capable of
executing the instructions stored in Web pages, a feature that attackers use to
execute malicious code in a user's Web browser. Such an attack may result in very
slow and poor web surfing. It is also capable of stealing the cookies, passwords and
other personal information of the user. These kinds of attacks are very easy to
implement, but preventing or detecting them is a challenging task. In this paper,
the existing research on the prevention of XSS is first presented. Then a framework
is proposed to detect XSS, which can provide a legitimate solution for the
mitigation of the attack.

Keywords: Cross-Site Scripting · Web application attack · Injection attacks · Network security · Web application protection

1 Introduction

The Internet, or World Wide Web (WWW), is a huge, globally interconnected
framework comprising millions of servers, networks, users and administrators. In the
early days of the internet, websites consisted only of static webpages, which
were used to display and communicate static information. With the rapid growth in
technology, the internet and websites have also developed considerably. Websites that
used to be static have become dynamic, progressive and responsive. Webpages now
not only display static data but can also communicate data stored in remotely
located databases and web servers. Today, dynamic web pages are used for developing
web-based applications, which help in realizing and giving access to online services.
They are becoming truly pervasive in a wide range of business models and
organizations. Today, most systems, for example social networks, healthcare,
websites, banking, or even emergency response, depend on web-based applications.
Users can use web applications for communicating with other users via instant
messaging, for reading email and managing their photos and other files, for editing
and viewing video, or even for creating spreadsheets, presentations, and text
documents. Consequently, the Internet is becoming an indispensable part of our
day-to-day life, so there must be an additional mechanism to guarantee security for
web users.

© Springer Nature Switzerland AG 2020
S. Balaji et al. (Eds.): ICICV 2019, LNDECT 33, pp. 633–641, 2020.
https://doi.org/10.1007/978-3-030-28364-3_65

The main focus of this study is on the specific type of attack called Cross-Site
Scripting. Because they evolved to support the demands of the growing web, HTML
and other web languages do not have a principled mechanism to separate untrusted
data (user content) from trusted data. The need for a powerful security mechanism
in those web applications is therefore an essential concern. As a consequence,
there are cross-site scripting attacks on web applications. To mitigate the problem
of XSS attacks, XSS defense is required. There are different XSS defenses,
classified as shown in Fig. 1.

Fig. 1. Types of existing defenses

2 Cross-Site Scripting Attack

There are various ways an attacker can attack a website or web application. One of
the serious threats is Cross-Site Scripting (XSS). Generally, XSS is a technique in
which the attacker tries to exploit the loopholes and vulnerabilities present in the
source code of the web page. These loopholes allow the attacker to inject malicious
code or scripts into the source through the end user. The injected code can collect
or hijack the critical, personal or business data of the user. Formally, XSS can be
stated as illegal use of technology for attacking the user. The injected code can be
of any scripting language like JavaScript, VBScript, ActiveX, HTML, or Flash. Such
scripts can be deployed on webpages with weak security measures to gather
confidential information. An XSS attack can lead to compromised security and loss of
control over the data. It can allow the attacker to be mistaken for a legitimate
user, or to execute malicious code on the end user's system. Here the attacker
inserts the malicious code as a normal hyperlink, which is distributed over any
possible means on the web. Cross-Site Scripting attacks can be categorised into
three types: Persistent, Non-Persistent and Document Object Model (DOM) Based
Cross-Site Scripting.

2.1 Persistent XSS Attack


Web applications with weak validation mechanisms for data such as message boards
are generally prone to persistent XSS attacks. This attack occurs when the payload
is actually stored on the site, as in the example where an attacker enters a comment
that contains malicious content [4] and it resides in the web application. Figure 2
shows the sequence of this type of attack.

Fig. 2. Persistent cross site scripting attack

The malicious code will be executed along with the page content whenever the page
containing the comment is loaded. There have been several occasions on which such a
damaging attack was carried out. For instance, a persistent XSS attack against
Hotmail was carried out in October 2001, in which a remote attacker was able to
steal the .NET Passport identifiers of Hotmail's users by collecting their
associated browser's cookies. Also, in October 2005, a well-known persistent XSS
attack affecting the online social network MySpace was used by the worm Samy to
propagate itself across MySpace's user profiles.

2.2 Non-persistent XSS Attack


The non-persistent XSS attack, also called the reflected XSS attack, exploits the
vulnerability that exists in a web application when it uses data provided by the
user to generate an outgoing page for that user. The sequence of this type of attack
is shown in Fig. 3. In this way, instead of storing the malicious code embedded in a
message by the attacker, the malicious code itself is directly reflected back to the
user by means of a third-party mechanism. By using a spoofed email, for example, the
attacker can trick the victim into clicking a link which contains the malicious
code. When the victim's browser opens the URL [6], the targeted site echoes or
reflects the code back to the user's browser, usually as part of an error message.

Fig. 3. Non-persistent XSS attacks

Non-persistent XSS attacks are by far the most common type of XSS attack against
current web applications, and are commonly combined with other techniques, such as
phishing and social engineering, in order to achieve their objectives (e.g., to
steal the user's sensitive information, such as credit card numbers). Because of the
nature of this variant, i.e., the fact that the code is not persistently stored on
the application's website and the need for third-party techniques, non-persistent
XSS attacks are often performed by skilled attackers and associated with fraud
attacks.

2.3 Document Object Model (DOM)-Based XSS Attack

To carry out this type of attack, the attacker modifies the DOM "environment" on the
client side, as opposed to sending the malicious code to the server. As web
applications have become more advanced, web developers have moved more and more of
the processing to the user's browser. When a user interacts with a web application,
it is common for their browser to generate some of the code that will be executed
and displayed to the user. In this type of attack [5], attackers corrupt the
browser's data or environment so that the generated code is malicious. The browser's
data set or environment is usually referred to as the DOM (Document Object Model).
It contains the data that has been given as input by the user (for example name,
address, password, comment field) [4]. The browser uses the data inside the DOM to
generate the code and executes it in the victim's browser. Figure 4 represents the
sequence of a DOM-based attack.

Fig. 4. Document object model based attack

This type of attack allows the attacker to modify the HTML or XML document through
alteration of the programmer's original source script. Thus, the XSS is carried out
by exploiting the vulnerability of the DOM. A reflected or stored XSS attack is not
needed for this kind of weakness to appear, since the malicious code is not injected
into the page itself. The issue is the insecure DOM object, which can be exploited
on the client side of the web page or application.

3 Related Work

Although XSS attacks have been in existence for a long time, they are still one of
the most serious threats to web application security [6]. The severity can be
understood from the fact that OWASP [3], a well-known index of web application
vulnerabilities, has listed XSS among the top 10 critical attacks on web application
security. According to the White Hat Security 2016 statistics report on web
application security, nearly half of all web-based exploits are done through XSS
attacks. Unfortunately, we cannot get rid of such attacks, as they are very easy for
attackers to deploy. The attack is executed by the user's web browser, and many
websites are still vulnerable to it. According to research conducted by Acunetix
[12], more than 33% of web applications are still vulnerable to XSS and are easy
targets. As per the report of Synk [3], a provider of vulnerability scanning
products, the number is even higher: around 50% of existing web applications are
prone to XSS.
A solution was designed that uses a genetic algorithm approach to detect and remove
XSS vulnerabilities from web applications [7]. The first component of this solution
converts the source code entered by the attacker in the application into a control
flow graph. The second component focuses on detecting XSS from the user's browser.
The third component concentrates on removing the XSS from the URL. This approach
combines user experience modeling and user behavior simulation as black-box testing
[6, 8–10]. The approach was unable to provide instant web application protection,
and it cannot guarantee the detection of all flaws either.
In another paper [2], SQL and XSS architectures were proposed. The authors developed
an SQL injection and XSS detection method [3] that looks for attack signatures by
filtering the HTTP requests sent by the user. In paper [6], fuzzy logic was used for
web security and phishing website detection using a rule-based security assurance
system. It relies on extracting the exploitation paths of the XSS vulnerabilities of
the web application. The work was done to assess the risks due to different types of
code injection vulnerabilities.
The paper in [2] proposed a learning algorithm that selects a set of attributes from
a given data set based on weights computed by the SVM technique and classifies them
into fuzzy rules based on the processing of the Apriori algorithm.

4 Proposed Model

As seen in XSS attacks, when an intruder attacks the server side, the performance of
the web application degrades and, as a result, the client side has a poor web
browsing experience. XSS is one of the most exploited weaknesses in web applications
and one of the most studied. In this paper, a methodology is proposed for attacking
and detecting XSS in a web application.

4.1 Exploiting XSS Attacks


To exploit XSS and run malicious JavaScript code in the victim's browser, an
attacker first finds a way to inject a payload into a web page that the victim
visits [11]. An attacker could also use social engineering techniques to convince a
user to visit a vulnerable page with an injected JavaScript payload. For an XSS
attack to happen, a vulnerable site needs to directly include user input in its
pages. An attacker can then insert a string in the URL link that will be used inside
the page and treated as code by the victim's browser.

Steps of generating XSS attacks:

1. The site database gets infected by the malicious JavaScript code deployed by the
   attacker.
2. The web page of the web application into which the malicious code was injected
   receives the request from the victim.
3. The web page, with the malicious code as part of the HTML body, is accessed by
   the victim's browser.
4. The victim's browser executes the malicious content inside the HTML body. The
   attacker then only needs to extract the victim's cookie when the HTTP request
   arrives at the server, after which the attacker can use the victim's stolen
   cookie to infiltrate the web browser.

4.2 Detecting the XSS Attacks


The Xenotix framework was used to detect any XSS or redirection vulnerabilities that
use a maliciously crafted URL link to introduce malicious data into web pages (both
statically and dynamically generated). When the data (or a manipulated form of it)
is passed to one of the subsequent application programming interfaces (APIs), the
application may be vulnerable to XSS attacks. We identify all uses of the APIs that
may be used to access data which can be controlled through uniform resource locators
(URLs) and lead to DOM-based XSS.
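
The source-to-API check described above, applied to the client-side flow from Sect. 2.3, as an added example that is not part of the paper and is not Xenotix code: a small JavaScript checker that follows URL-controlled values into HTML-writing APIs. The source and sink lists, the name findDomXssFlows and both sample page scripts are assumptions constructed for this illustration.

```javascript
// Added example (not from the paper). SOURCES and SINKS are this example's assumptions
// about URL-controlled inputs and HTML/code-executing APIs; the paper lists none.
const SOURCES = /\b(?:location\.(?:hash|search|href)|document\.(?:URL|documentURI|referrer)|window\.name)\b/;
const SINKS = [
  { name: 'innerHTML/outerHTML', re: /\.(?:innerHTML|outerHTML)\s*\+?=(?!=)\s*(.+)/ },
  { name: 'document.write', re: /\bdocument\.write(?:ln)?\s*\((.+)\)/ },
  { name: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\((.+)\)/ },
  { name: 'eval', re: /\beval\s*\((.+)\)/ },
];
const ASSIGN = /^\s*(?:(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)/;

// True if the expression reads a URL-controlled source or a variable tainted by one.
function mentions(expr, tainted) {
  if (SOURCES.test(expr)) return true;
  return [...tainted].some((v) =>
    new RegExp('(?<![\\w$.])' + v.replace(/\$/g, '\\$&') + '(?![\\w$])').test(expr));
}

// Walk the script top to bottom, tracking tainted variables and reporting tainted sink writes.
// Heuristic: no control flow, no sanitizer modelling, one statement per line assumed.
function findDomXssFlows(script) {
  const tainted = new Set();
  const findings = [];
  script.split('\n').forEach((line, i) => {
    for (const sink of SINKS) {
      const m = sink.re.exec(line);
      if (m && mentions(m[1], tainted)) {
        findings.push({ line: i + 1, sink: sink.name, code: line.trim() });
      }
    }
    const a = ASSIGN.exec(line);
    if (a) {
      if (mentions(a[2], tainted)) tainted.add(a[1]);
      else tainted.delete(a[1]); // reassigned from clean data
    }
  });
  return findings;
}

// Constructed sample: a search page that echoes the URL fragment as markup (vulnerable form).
const VULNERABLE_PAGE = [
  "const q = decodeURIComponent(location.hash.slice(1));",
  "const banner = '<b>Results for ' + q + '</b>';",
  "document.getElementById('result').innerHTML = banner;",
  "document.write('<p>From: ' + document.referrer + '</p>');",
].join('\n');

// Constructed sample: the same page writing the value as text instead of markup.
const HARDENED_PAGE = [
  "const q = decodeURIComponent(location.hash.slice(1));",
  "document.getElementById('result').textContent = 'Results for ' + q;",
].join('\n');

console.log(findDomXssFlows(VULNERABLE_PAGE), findDomXssFlows(HARDENED_PAGE));
```

The checker reports the `innerHTML` write on line 3 (reached through two variables) and the `document.write` on line 4 of the vulnerable script, and nothing for the `textContent` version.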

Algorithm 1: XSS Attack Generation And Detection

Step 1: Create the Web Application For Organization
Step 2: Write the JavaScript on Search Box
Step 3: To Generate The XSS Attack On The Web Browser
Step 4: Configure the server 127.0.0.1 in Xenotix Framework
Step 5: Running the DOM XSS Analyzer
Step 6: Detection of DOM-Based XSS Attack

Thus, a general approach for detecting XSS vulnerabilities is discussed above and
Xenotix Framework is used for attacking and detecting the XSS vulnerability for the
web application designed for an organization.

5 Conclusion

In this paper, we presented a DOM-based XSS attack in order to detect the XSS
vulnerability in a web application. XSS is a versatile attack which is open for the
ethics and client-side attack. It could be used to steal sensitive information, such
as session tokens, user credentials or commercially valuable data, as well as to
perform sensitive operations. This method can also be used on websites for net
banking, official legal sites, online shopping, etc. As we are focused here on
penetration test reports, it is a good time to set aside the traditional
proof-of-concept alert box payload, as it can be misleading for security
stakeholders.

References

1. Thopate, P., Bamm, P., Kamble, A.: Cross site scripting attack detection & prevention system. Int. J. Adv. Res. Comput. Eng. Technol. (IJARCET) 3 (2014)
2. Ayeni, B.K., Sahalu, J.B., Adeyanju, K.R.: Detecting cross-site scripting in web application using fuzzy inference system. J. Comput. Netw. Commun. 2018 (2018). Article ID 815948. https://doi.org/10.1155/2018/8159548
3. Kaur, D., Kaur, P.: Cross-site scripting attack and their prevention during development. Int. J. Eng. Dev. Res. 5(3) (2017). ISSN 2321-9939
4. Kaur, G.: Study of cross-site scripting attack and their countermeasure. Int. J. Comput. Appl. Technol. Res. 3(10) (2014). ISSN 2319-8656
5. Singh, A., Sthappan, S.: A survey on XSS web-attack and defence mechanism. Int. J. Adv. Res. Comput. Sci. Softw. Eng. (IJARCSSE) 4(3) (2014). ISSN 277-128X
6. Shalini, S., Usha, S.: Prevention of cross-site scripting attacks (XSS) on web application in the client side. Int. J. Comput. Sci. Issues 8(4), 650 (2011)
7. Hydara, I., Sultan, A.B.M., Zulzalil, H., Admodisastro, N.: Cross-site scripting detection based on an enhanced genetic algorithm. Indian J. Sci. Technol. 8(30), 1–7 (2015). https://doi.org/10.17485/ijst/2015/68130/86055
8. Avancini, A., Ceccato, M.: Towards security testing with taint analysis and genetic algorithm. In: Proceedings of the 2010 ICSE Workshops on Software Engineering for secure Systems, pp. 65–71. ACM, Cape Town (2010)
9. Shar, L.K., Tan, H.B.K.: Automated removal of cross site scripting vulnerabilities in web application. Inf. Softw. Technol. 54(5), 467–478 (2012). http://linkinghub.elsevier.com/retrieve/pii/s0950584911002503
10. Shuai, B., Li, M., Li, H., Zhang, Q., Tang, C.: Software vulnerability detection using genetic algorithm and dynamic taint analysis. In: 3rd International Conference on Consumer Electronics, Communication and Network (CECNet), pp. 589–593. IEEE, November 2013. http://ieeexplore.ieee.org/Ipdocs/epic03/wrapper.htm?arnumber=6703400
11. Gupta, S., Sharma, L.: Exploitation of cross-site scripting (XSS) vulnerability on real world web application and its defense. Int. J. Comput. Appl. 60(14), 28–93 (2012)
12. Acunetix vulnerability Scanner. http://www.acunetix.com/vulnerability_scanner
13. OpenWeb application Security Project. https://www.owasp.org/index.php/Top_10
14. Tang, Z., Zhu, H., Cao, Z., Zhao, S.: L-WMxD: lexical based webmail XSS discover. In: IEEE Conference on Computer Communication Workshops (INFOCOM WKSHPS), pp. 976–981 (2011)
