Detection of DOM-Based XSS Attack On Web Application
Abstract. Cross-Site Scripting (XSS) is one of the major issues of any Web-based
or online application. In this attack, the attacker uses malicious code to
intercept information through the user's web application and sends it to the
corresponding web server. This is possible because web browsers are capable of
executing the instructions stored in Web pages. Attackers make use of this
feature to execute malicious code in a user's Web browsing application. If this
attack happens, it may result in very slow and poor web surfing. It is also
capable of stealing the cookies, passwords and other personal information of the
user. These kinds of attacks are very easy to implement, but the prevention or
detection of this attack is a challenging task. In this paper, the existing
research on the prevention of XSS is presented first. Then a framework is
proposed to detect XSS, which can provide a legitimate solution for the
mitigation of the attack.
1 Introduction
The Internet, or World Wide Web (WWW), is a huge global interconnected
framework comprising millions of servers, networks, users and administrators. In the
initial days of the internet, there were only websites built from static webpages, which
were used to display and communicate static information. With the rapid growth in
technology, the internet and websites also developed promisingly. Websites that
used to be static have now become dynamic, progressive and responsive. Webpages
now not only display static data but can also communicate data stored
in remotely situated databases and web servers. Today, dynamic web pages are
used for developing web-based applications, which help in implementing and giving
access to online services. They are becoming truly pervasive in a wide range of
business plans and organizations. Today, most systems, for example social networks,
health care services, websites, banking, or even emergency response, depend
on web-based applications. Users can use web applications to communicate with
other users via messaging, to read email, to manage their
photos and other files, to edit and view video, or even to create
spreadsheets, presentations, and text documents. Consequently, the Internet is becoming
an indispensable part of our daily life. So there must be an added
mechanism to guarantee security for web users.
The main focus of this study is on the specific type of attack called Cross-Site
Scripting. Because they evolved to support the demands of the growing web, HTML
and other web languages do not have a principled mechanism to separate untrusted
data (user content) from trusted data. The need for a powerful
security mechanism in those web applications is an essential concern. Consequently,
there are cross-site scripting attacks on web applications. To mitigate the problem of XSS
attacks, XSS defense is required. There are different XSS defenses, classified as
shown in Fig. 1.
There are various ways an attacker can attack a website or web application. One of
the serious threats is Cross-Site Scripting (XSS). Generally, XSS is a technique where
the attacker tries to exploit the loopholes and vulnerabilities present in the source
code of the web page. These loopholes allow the attacker to inject malicious code
or scripts into the source through the end user. The injected code can collect or hijack the
critical, personal or business data of the user. Formally, XSS can be stated as illegal
use of technology for attacking the user. The injected code can be in any scripting
language like JavaScript, VBScript, ActiveX, HTML, or Flash. Such scripts can be
implemented on webpages with weak security measures for aggregating confidential
information. An XSS attack can lead to compromised security and loss of control
over the data. It can lead to a user being confused with a valid user, or to
malicious code being executed on end-user systems. Here the attacker inserts the
malicious code as a normal hyperlink which is communicated over any conceivable
methods on the web. Cross-Site Scripting attacks can be categorised into three types:
Persistent, Non-Persistent and Document Object Model (DOM) Based Cross-Site
Scripting.
The content of the page and the malicious code will be executed by the script that loads
the page containing the comment. There are different events in which such a severe attack
was carried out by attackers. For instance, a persistent XSS attack against Hotmail was
carried out in October 2001. Here the remote attacker was able to steal .NET
Passport identifiers of Hotmail’s users by collecting their associated browser’s cookies.
Also, in October 2005, a well-known persistent XSS attack which affected the
online social network MySpace was used by the worm Samy to propagate itself
across MySpace’s user profiles.
For example, the attacker can trick the victim into clicking a link which
contains the malicious code. When the victim’s browser
executes the URL [6], the targeted website echoes or reflects it back to the user’s
browser, generally appearing with an error message.
Non-persistent XSS attacks are by far the most common kind of XSS
attacks against current web applications, and are commonly combined with
other techniques, for example phishing and social engineering, in order to achieve
their objectives (e.g., steal users’ sensitive information, for example credit card numbers).
Because of the nature of this variant, i.e., the fact that the code isn’t persistently
stored in the application’s website and the need for third-party techniques, non-persistent XSS
attacks are often performed by skilled attackers and associated with fraud
attacks.
DOM (Document Object Model). It contains the data that has been given as
input by the user (for example name, address, password, comment field) [4]. The
browser uses the data inside the DOM to generate the code and execute it in the
victim’s browser. Figure 4 shows the grouping of the DOM-based attack.
This type of attack allows the attacker to modify the HTML or XML document. It is
possible through the alteration of the programmer’s original source script. Thus, the XSS is
carried out by exploiting the vulnerability of the DOM. The reflected or stored XSS
attack is not expected to show this kind of weakness. It does not allow the malicious
code to be injected into the page. Similarly, the insecure DOM object is an issue,
which can be deployed on the client side in the web page or application.
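The flow described above, from user-controlled DOM data to code executed in the browser, can be checked statically. The following is an added example, not code from the paper: a line-based taint check that flags script lines where browser-controlled input reaches an HTML-executing sink. The function name `findDomXssFlows`, the source and sink lists, and the two sample scripts are assumptions constructed for illustration.

```javascript
// Added example: line-based taint check for DOM-based XSS flows in script text.
// SOURCES and SINKS are a small illustrative subset (assumption), not a full catalogue.
const SOURCES = /\b(?:location\b|document\.(?:URL|documentURI|referrer)\b|window\.name\b)/;
const SINKS = [
  { name: 'innerHTML', re: /\.(?:innerHTML|outerHTML)\s*\+?=(?!=)\s*(.+)/ },
  { name: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\((.+)\)/ },
  { name: 'document.write', re: /\bdocument\.write(?:ln)?\s*\((.+)\)/ },
  { name: 'eval', re: /\beval\s*\((.+)\)/ },
];
const ASSIGN = /^\s*(?:(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+?);?\s*$/;

// Blank out quoted literals so words inside strings are not read as identifiers.
const stripStrings = (s) => s.replace(/(['"])(?:\\.|(?!\1).)*\1/g, "''");

// An expression is tainted if it reads a source or a variable derived from one.
function usesTainted(expr, tainted) {
  if (SOURCES.test(expr)) return true;
  return (expr.match(/[A-Za-z_$][\w$]*/g) || []).some((id) => tainted.has(id));
}

function findDomXssFlows(script) {
  const tainted = new Set();
  const findings = [];
  script.split('\n').forEach((rawLine, i) => {
    const line = stripStrings(rawLine);
    for (const sink of SINKS) {
      const m = line.match(sink.re);
      if (m && usesTainted(m[1], tainted)) {
        findings.push({ line: i + 1, sink: sink.name, code: rawLine.trim() });
      }
    }
    const a = line.match(ASSIGN);
    if (a) {
      if (usesTainted(a[2], tainted)) tainted.add(a[1]);
      else tainted.delete(a[1]); // reassigned from clean data
    }
  });
  return findings;
}

// Constructed sample page scripts: the same greeting written unsafely and safely.
const VULNERABLE = [
  "const raw = location.hash.slice(1);",
  "const name = decodeURIComponent(raw);",
  "document.getElementById('greeting').innerHTML = 'Hello, ' + name;",
].join('\n');
const HARDENED = VULNERABLE.replace('.innerHTML', '.textContent');

console.log(findDomXssFlows(VULNERABLE));
console.log(findDomXssFlows(HARDENED));
```

The check follows taint only through simple single-line assignments, so it is a triage aid for code review rather than a complete analysis.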
3 Related Work
Though XSS attacks have been in existence for a long time, they are still one of the most
serious threats to web application security [6]. The severity of the matter can be
understood from the fact that OWASP [3], which is a famous index of web application
vulnerabilities, has listed XSS attacks among the top 10 critical attacks on web application
security. According to the 2016 statistics report of White Hat Security on web
application security, nearly half of all web-based exploits are done through XSS
attacks. It is unfortunate that we cannot get rid of such attacks, as they are very easy
for attackers to deploy. They are executed by the user’s web browser, and many websites are
still vulnerable to such attacks. According to the research conducted by Acunetix [12],
638 S. Ninawe and R. Wajgi
more than 33% of web applications are still vulnerable to XSS and are an easy target for
attack. As per the report of Synk [3], which is a provider of vulnerability scanning
products, the number is even higher. They report that around 50% of existing web
applications are prone to XSS.
A solution was designed that uses a genetic algorithm approach to detect and
remove XSS vulnerabilities from the web application [7]. The first component
of this solution converts the source code entered by the attacker in the
application into a control flow graph. The second component focuses on detecting the
XSS from the user’s browser. The third component concentrates on removing the XSS
from the URL. This approach combines user experience modeling and user behavior
simulation as black-box testing [6, 8–10]. The approach was unable to provide instant
web application protection, and it cannot guarantee the detection of all flaws.
In another paper [2], SQL and XSS architectures were proposed. The authors developed
an SQL injection and XSS detection method [3] that looks for attack signatures by using
a filter on the HTTP requests sent by the user. In paper [6], fuzzy logic was used for
detection of web security and phishing website detection using a rule-based security
assurance system. It relies on extracting the exploitation paths of the XSS
vulnerabilities of the web application. The work was done to assess risks due to different
types of code injection vulnerabilities.
In a paper presented in [2], a learning algorithm was proposed that can select a set of
attributes from a given data set based on weights from the SVM technique and classify them into
fuzzy rules based on processing by the Apriori algorithm.
4 Proposed Model
As seen in an XSS attack, when an intruder attacks the server side, it degrades
the performance of the web application; as a result, the client side has a poor
web browsing experience. XSS is one of the most exploited weaknesses in web
applications and one of the most studied. In this paper, a methodology is proposed
for attacking and detecting XSS in the web application.
5 Conclusion
In this paper, we presented the DOM-based XSS attack for detecting the XSS vulnerability
in the web application. XSS is a versatile attack which is open for the ethics and client-side
attack. It could be used to steal sensitive information, such as session tokens, user
credentials or commercially valuable data, as well as to perform sensitive operations.
This method can also be used in websites for net banking, legal official sites, online
shopping, etc. Here we are focused on penetration test reports; it is a good time to
ignore the traditional proof-of-concept alert box payload, as it will be misleading for
security stakeholders.
References
1. Thopate, P., Bamm, P., Kamble, A.: Cross site scripting attack detection & prevention
system. Int. J. Adv. Res. Comput. Eng. Technol. (IJARCET) 3 (2014)
2. Ayeni, B.K., Sahalu, J.B., Adeyanju, K.R.: Detecting cross-site scripting in web application
using fuzzy inference system. J. Comput. Netw. Commun. 2018 (2018). Article ID 815948.
https://doi.org/10.1155/2018/8159548
3. Kaur, D., Kaur, P.: Cross-site scripting attack and their prevention during development. Int.
J. Eng. Dev. Res. 5(3) (2017). ISSN 2321-9939
4. Kaur, G.: Study of cross-site scripting attack and their countermeasure. Int. J. Comput. Appl.
Technol. Res. 3(10) (2014). ISSN 2319-8656
5. Singh, A., Sthappan, S.: A survey on XSS web-attack and defence mechanism. Int. J. Adv.
Res. Comput. Sci. Softw. Eng. (IJARCSSE) 4(3) (2014). ISSN 277-128X
6. Shalini, S., Usha, S.: Prevention of cross-site scripting attacks (XSS) on web application in
the client side. Int. J. Comput. Sci. Issues 8(4), 650 (2011)
7. Hydara, I., Sultan, A.B.M., Zulzalil, H., Admodisastro, N.: Cross-site scripting detection
based on an enhanced genetic algorithm. Indian J. Sci. Technol. 8(30), 1–7 (2015).
https://doi.org/10.17485/ijst/2015/68130/86055
8. Avancini, A., Ceccato, M.: Towards security testing with taint analysis and genetic
algorithm. In: Proceedings of the 2010 ICSE Workshops on Software Engineering for secure
Systems, pp. 65–71. ACM, Cape Town (2010)
9. Shar, L.K., Tan, H.B.K.: Automated removal of cross site scripting vulnerabilities in web
application. Inf. Softw. Technol. 54(5), 467–478 (2012).
http://linkinghub.elsevier.com/retrieve/pii/s0950584911002503
10. Shuai, B., Li, M., Li, H., Zhang, Q., Tang, C.: Software vulnerability detection using genetic
algorithm and dynamic taint analysis. In: 3rd International Conference on Consumer
Electronics, Communication and Network (CECNet), pp. 589–593. IEEE, November 2013.
http://ieeexplore.ieee.org/Ipdocs/epic03/wrapper.htm?arnumber=6703400
11. Gupta, S., Sharma, L.: Exploitation of cross-site scripting (XSS) vulnerability on real world
web application and its defense. Int. J. Comput. Appl. 60(14), 28–93 (2012)
12. Acunetix vulnerability Scanner. http://www.acunetix.com/vulnerability_scanner
13. Open Web Application Security Project. https://www.owasp.org/index.php/Top_10
14. Tang, Z., Zhu, H., Cao, Z., Zhao, S.: L-WMxD: lexical based webmail XSS discover. In:
IEEE Conference on Computer Communication Workshops (INFOCOM WKSHPS),
pp. 976–981 (2011)