DETECTION OF CROSS-SITE SCRIPTING ATTACK USING DYNAMIC

ANALYSIS AND FUZZY INFERENCE SYSTEM

BY
IGHODALO PAUL ERHOMONSE 190591132
OSIDIPE SODIQ OPEYEMI 190591251
ADIGUN EZEKIEL IDOWU 190591031
OKANLAWON MUYIWA RAPHAEL 190591200

A PROJECT BEING SUBMITTED TO

DEPARTMENT OF COMPUTER SCIENCE
FACULTY OF SCIENCE, LAGOS STATE UNIVERSITY, OJO, LAGOS
STATE, NIGERIA IN PARTIAL FULFILMENT OF THE
REQUIREMENTS FOR THE AWARD OF BACHELOR OF SCIENCE IN
COMPUTER SCIENCE

SUPERVISOR:
DR. OWATE

SEPTEMBER, 2023

i
 CERTIFICATION

This is to certify that this project research titled ‘‘DETECTION OF CROSS-SITE

SCRIPTING ATTACK USING DYNAMIC ANALYSIS AND FUZZY INFERENCE

SYSTEM’’ was carried out by IGHODALO PAUL ERHOMONSE 190591132

OSIDIPE SODIQ OPEYEMI 190591251

ADIGUN EZEKIEL IDOWU 190591031

OKANLAWON MUYIWA RAPHAEL 190591200. In fulfillment of the requirements of

Bachelor of Science (B.Sc) in Computer Science, Faculty of Science, Lagos State University,

Ojo Lagos.

……………………………… ………………………………

Dr .Owate Date

Project Supervisor

……………………………… ………………………………

Prof. Rahman, M.A Date

Head of Department

ii
 DEDICATION

This work is dedicated to Almighty God for the gift of knowledge, wisdom, understanding and

divine inspiration that lead us to the success of this project work.

And also to our amazing parents for their supports.

iii
 ACKNOWLEDGEMENT

Our profound gratitude goes to Almighty God for his abundant grace and privileges. And to our

supervisor Dr. Owate, Prof. Rahman , the H.O.D, Computer Science Department.

We also acknowledge and appreciate Dr Owate, my project supervisor for his efforts, advice and

support all through the course of our project. We can’t afford not to appreciate our parents for

their guidance and support throughout our program towards this work.

iv
 ABSTRACT

Many prevalent problems of web applications are induced by injected codes, which pose great

security threats. Vulnerabilities found in web applications are commonly typically exploited to

perpetrate attacks. With cross-site scripting (XSS), attackers can infuse malevolent contents into

website pages, in this way gaining access- privileges to sensitive page content of the user such

as, session cookies, user’s data or credentials and several other information often kept up by the

browser on behalf of the users. This paper presents a hybrid mechanism for detecting XSS

attacks using Dynamic Analysis and Fuzzy Inference. The approach scans the website for

possible points of injection before generating an attack vector launched via an HTTP request to a

web application. The analysis of the HTTP response predicts the presence of an attack vector.

The detection capability of the system is evaluated using some active world web applications and

the results show a high rate of detection.

Keywords: Cross-Site Scripting (XSS), internet, vulnerability, web application, code injection

System

v
 TABLE OF CONTENTS

Title page i

Certification ii

Dedication iii

Acknowledgement iv

Abstract v

Table of contents vi

CHAPTER ONE

1.1 Introduction 1

1.2 Statement Of Problem 2

1.3 Aims and Objectives 3

1.4 Scope Of Study 3

CHAPTER TWO

2.1 Literature review 4

2.2 Detection methods 5

2.3 Review of Related Work 6

CHAPTER THREE

3.1 Methodology

CHAPTER FOUR

vi
4.1 Discussions and Results

4.2 Hardware and Software Requirements

4.3 System Architecture

4.4 Dynamic Analysis Implementation

4.5 Fuzzy Inference Integration

4.6 Analysis

CHAPTER FIVE

5.1 Summary

5.2 Conclusion

5.3 Recommendations

References 7

vii
 CHAPTER ONE

1.1 INTRODUCTION
Recently, the use of the Internet has rapidly increased through the use of sophisticated computers

and portable devices coupled with interactive web pages. Records show that in June 2019, a total

number of 4.5 billion individuals accessed the internet. This usage will continue to increase as

web applications, which are client- server software programs that run on web browser continue

to drive various sectors of the economy such as e- commercial, health, banking, academic,

entertainment etc (Adam, 2019).

Web applications are becoming one of the standard platforms for representing data and services

released over the World Wide Web. Several vulnerabilities have been found in modern web

applications. A high fraction of Internet-based web applications is increasingly becoming

vulnerable. Consequently, major security concerns have been raised on web applications and

Internet-based services (World internet users, 2019).

Cross-site scripting (XSS) attack is one of the topmost attacks plaguing web applications. With

the existence of cross-site scripting, every user of the web is a potential victim to an attack that

could lead to various kind of cyber-thefts. Symantec reportedly blocked more than 3.7 million

form-jacking attempts in 2018. With XSS attack, an attacker can execute some malicious scripts

on a victim’s web browser resulting in consequences such as data compromise, theft of cookies,

passwords, credit card numbers etc. (Symantec 2019)

XSS is an application layer attack that injects malicious code into trusted content of vulnerable

web applications. The user executes the web application and is served the malicious content,

which disguises as part of legitimate code of the web application on the victim’s browser. The

1
browser runs the embedded malicious script because of its inability to differentiate between

malicious and genuine content. One of the major vulnerabilities in a web application is the lack

of validation of input data, which permits input data sent back as output without validating or

scrutinizing, paving way for injected malicious code (Sarmah et al; 2018).

The major cause of XSS attack is the inability of the vulnerable web application to validate and

sanitize user inputs before generating output to the victim that requested the page (Ayeni et al;

2018). The vulnerability depends on the failure of the application to check up on its input. XSS

attack takes advantage of exact guidelines to gain access to system resources just like a genuine

web application with access privilege (Ruderman 2001).

The client's browser at that point succumbs to the malicious aims of the attacker, as it cannot

separate between the authentic and malicious content conveyed by a similar site. Once the user

runs the web application, the affected application serves the malicious code as part of the page

and is then executed in the context of the trusted and legitimate web application. At the end of

successful execution, the victim is hence open to any type of attack dependent on the attacker.

(Sarmah et al; 2018)

1.2 STATEMENT OF PROBLEM

XSS attacks occur almost daily. Websites such as Twitter, Facebook and Google have already

become victims for XSS attacks. Effects of XSS attacks include session hijacking, account

hijacking, Distributed Denial of Services (DDoS) attacks, evasion by worms, disclosure of

sensitive information, loss of confidentiality, etc.

In this paper, a framework to process web activities and capture fuzzy boundaries between web

activities is proposed for the detection of cross-site scripting attack.

2
The rest of the paper is organized as follows. Section II describes a cross-scripting attack in

details, as well as existing defense mechanisms. Section III presents the architecture for the

proposed system. In Section IV, the implementation and results are discussed. The paper

concludes in Section V.

1.3 AIMS AND OBJECTIVES

The project aims to contribute to the advancement of web application security by providing a

robust and intelligent detection system for XSS attacks. The proposed system will empower web

developers and administrators to proactively protect their applications, safeguard user data, and

ensure the integrity of web platforms.

To achieve our aim these objectives were set:

 Identification of Cross-site scripting Vulnerabilities

 Detection in Real-Time

 Integration of Fuzzy Inference System

 Scalability and Efficiency

 User-Friendly Implementation and Design

1.4 SCOPE OF STUDY

"Detection of Cross-Site Scripting (XSS) Attack Using Dynamic Analysis and Fuzzy Inference,"

encompasses a comprehensive examination of XSS attack types and their prevalence, an

exploration of both static and dynamic analysis techniques for XSS detection, an investigation

3
into the principles of fuzzy logic and fuzzy inference systems, the development of a hybrid XSS

detection system integrating these methods, rigorous evaluation using real-world applications,

and the analysis of security implications and recommendations. (Shuai Wang et al; 2015)

4
 CHAPTER TWO

2.1 LITERATURE REVIEW

Recently, websites have become more user- friendly, interactive and dynamic, as these sites no

longer make use of static web pages. This enhances more activities to be carried out on web

applications leading to injectable flaws that are prone to manipulations. Cross-site scripting

(XSS) is one of the injection-based attacks and one of the most dangerous web-application based

attacks that arose from the adaptation of dynamic web pages in web browsers.

There are three types of XSS attacks namely Reflected XSS, Stored XSS and Document Object

Model– based (DOM) XSS. A Reflected XSS attack is a non- persistent or type I attack where an

attacker tricks the victim to click or access a link that contains the malicious code, after which

the malicious code is sent back to the user from the trusted context of the vulnerable web

application. (Ruderman 2001)

The vulnerability of the web application of not encoding or sanitizing the input causes the

malicious code within the HyperText Mark-up Language (HTML) code to be executed within

the trust context of the trusted site. This causes the cookies of the trusted site to be sent to the

repository of the hacker’s site. These actions make the attacker have access to sensitive

information of victims, which can be used to carry out account hijacking. (Garcia-alfaro et

al;2007)

The server, however, does not store the malicious script but bounces the original input from the

server to the user, which cannot be traced since the victim deliberately initiated the execution of

malicious code. (Ramesh et al; 2016)

5
In the case of stored XSS attack or persistent attack, the targeted server stores the input in form

of a message to either a database or visited logs and this data becomes part of the server and is

not reflected. (Jovanovic et al; 2009)

This attack is difficult to spot, as it does not require any form of social engineering. For instance,

in a blog, that accepts comment via a text box and stores the message in the database. If an

attacker injects a malicious code like tracking session ID cookie and if the server fails to validate

the input, the code is stored on the server and executed, stealing the cookie. Unlike the other, two

types of XSS attacks that exploit the vulnerabilities on the server-side, DOM-based XSS exploits

the vulnerabilities at the client’s side. (Sarmah et al; 2018)

The attack executes when JavaScript in the page gets a uniform resource locator (URL)

parameter and utilizes this data to compose HTML to the page. The attacker controls the items in

the DOM and improperly handles the properties of the page; such attacks are hard to distinguish,

as they are not included in the response but part of the DOM of the HTML page. (Wang et al;

2016)

2.2 DETECTION METHODS

There are majorly three detection techniques for identifying cross-site scripting attacks. They are

static analysis, dynamic analysis and hybrid analysis.

i. Static Analysis: Static analysis is a white-box testing technique that examines the

source code, binaries, or bytecode of a program without executing it. It analyzes the

code for vulnerabilities, coding errors, and potential security issues by inspecting the

code structure, data flow, and control flow. (Brian and Jacob, 2012)

ii. Dynamic Analysis: Dynamic analysis, in contrast to static analysis, involves running

the software and observing its behavior during execution. It is often used to identify

6
 runtime vulnerabilities, such as memory leaks, buffer overflows, and runtime

exceptions. Dynamic analysis tools and techniques include fuzz testing, runtime

monitoring, and penetration testing. (Micheal et al; 2016)

iii. Hybrid Analysis: Hybrid analysis combines elements of both static and dynamic

analysis to leverage the strengths of each approach. It involves analyzing the source

code statically to identify potential vulnerabilities and then validating and exploring

these issues through dynamic testing by executing the software. (Ben and Calvin,

2017)

2.3 RELATED STUDY

Bhojak et al (2015) focuses on the application’s source code where it reviews the source code

aimed at finding security flaws. This method does not involve the execution of the web

application. An application can be reviewed either manually by inspection or automatically with

the use of automated analysis tools. The approach has the benefits of detecting potential

vulnerabilities that can prove too expensive, time-consuming and prone to a human error leading

to lack of accuracy.

Hallaraker and Vigna (2005) implemented on the runtime behavior of an application in contrast

to static analysis. Hallaraker and Vigna proposed an auditing mechanism to detect malicious

JavaScript code by monitoring and logging the JavaScript code execution within the Mozilla

Web. These techniques which do not go through source codes are relatively precise in

distinguishing vulnerabilities resulting in lower false-positive rates.

Patil and Patil (2015) proposed a client-side automated sanitizer for detecting cross-site scripting

attacks based on the hybrid analysis. A dynamic analysis was also utilized for the identification

7
and evacuation of XSS in web applications, a few software-testing techniques such as fault

injection, black box testing and web application monitoring were used to prove the existence of

vulnerabilities. However, it was unable to provide instant web application protections, and could

not detect flaws.

Saleh et al; (2015) introduced an algorithm called the Boyer- Moore string match algorithm to

detect XSS vulnerabilities. It works by looking at the characters of the inputted design with the

characters of the page from ideal to left utilizing the two heuristics called bad character shift and

good-suffix shift. The main goal of this module was to scan from the right to left, scanning

character by character for the inputted pattern. However, took a long time to scan when the

length of the URL is long.

Koli et al; (2016) proposed XSS architecture to search for assault marks by utilizing channels for

the HyperText Transfer Protocol (HTTP) use identification segment to decide if a content tag is

available or not. If the content tag is not in the database, the tag is automatically removed. The

approach will fail to identify an attack if there are multiple instances in the database.

Krugel and Vigna (2003) proposed an anomaly detection of web-based attacks using log file with

an HTTP request. Log files were used to learn the behavior of a web page for anomaly detection.

JavaScript monitoring, data tainting, code rewriting and intrusion detection have been proposed

mitigating XSS attacks. Code-rewriting technique uses applications like BrowserShield and

CoreScript as well as other tools for rewriting codes and executing them according to a security

policy alongside monitoring their runtime behavior of JavaScript.

8
 CHAPTER THREE

3.1 METHODOLOGY

The proposed system is an intelligent system capable of detecting XSS attack using a hybrid

methodology consisting of dynamic analysis and fuzzy logic to detect vulnerabilities in web

applications. The system carries out a series of dynamic security analysis check on the web

application using attack vectors that are previously recognized by Application Entry Points

(AEP).

AEP comprises of fields that require filling by the user (i.e. GET and POST parameters, forms

with their elements as well as anchor or links with parameters) which are required for generation

of the HTTP requests sent to the web application in a testing phase.

A. Web Crawler

A web crawler also known as crawler or spider is a bot that scans the World Wide Web (WWW)

for indexing. The Crawler module scans the web application and collects all the information

belonging to the web application. Crawling process starts with the URL and proceeds to the web

link tree to collect all the web pages, and this is done by interacting with the web application for

gathering AEPs and the Web pages, which are further sent to the parser function. The crawler

employs a queue scheduling system to access all input URLs and terminates when the queue is

empty and all accessible web pages have been identified and parsed. The crawler-parser function

scans through the gathered information and sorts the web pages to extract the AEPs that are

further sent to the “Vulnerability Checker” module.

The crawler in the system has been configured to avoid links that will terminate the current

session and scan. The crawler carries out three functions:

9
i. Scanning: The module gathers all the necessary parameters from the URL of the target

website. These parameters are used to scan for DOM-check if the web applications security

would block and deny response, if the string is flagged and blocked, the information is sent to

the Fuzzy engine.

ii. The Fuzzy Engine

The Fuzzy Engine extracts a string from a list of fuzz strings and replaces the string with another

to be tested again by the Web Application Firewall Detector. If the string is blocked, the string is

returned to the fuzzy engine to be replaced with a less “noisy” string; this module randomly

generates a delay before sending a new request with the newly fuzzy generated string until the

Firewall is evaded.

B. Vulnerability Checker

A vulnerability checker is a program that scans the website for security issues. Based on the

information returned by parsing function in the filter checker and the Inject checker module, the

attack vector generator module analyze this information to determine the payload scheme that

perfectly fits the attack properly. It scans each occurrence of a reflected string and uses the

context information to constructs the malicious scripts to be injected by the Inject function. It

also assigns a value of confidence to every allocated set of attack code generated by the Attack

vector for each AEP and passes the payload to the checker to determine the payload success. The

number of confidence is from range (0-10), the higher the number, the more effective it is. The

efficiency value is derived from comparing the injected string and the reflected string in the

response and the list are ranked according to efficiency value where greater efficiency is injected

first.

10
C. Fuzzy Inference Engine

The Fuzzy Inference is designed to bypass the Web Application Firewall (WAF). The fuzzy

module is called when the request is blocked due to the script being recognized by the signatures

of the Web Application firewall

1. The Web Application Firewall Detector

The Web Application detector sends a noisy malicious string in the data to be requested by the

web application to vulnerability, the result of the scan is transferred to Requesting Module in an

encoded form.

Requester: Receives the parameters given by the Scanning Module and replaces the input

data with XSS_test data (a non-malicious script to test for vulnerability and receive a response).

The received response is stored in an encoded format which is thereafter converted to a text file

and passed to the vulnerability checker.

HTML Parser: The result of Requester is checked against xss_test script by attributes

(position, context, and value) through series of searching for script in HTML context, attribute

context, and comment and displays the position. Algorithm 1 shows the steps for performing

HTML parser.

Algorithm 1: HTML Parser

11
 CHAPTER FOUR

4.1 DISCUSSIONS AND RESULTS

Building on the groundwork established in preceding chapters, which meticulously defined

theoretical underpinnings and outlined methodological approaches, this section is dedicated to

the concrete manifestation of the conceptual framework. It intricately navigates through the

intricacies of translating theoretical knowledge into a tangible and functional system.

The chapter unfolds the comprehensive implementation details, shedding light on the

methodologies chosen, the intricacies of the development process, and the strategic decisions

made. It encapsulates the essence of the project by providing a detailed account of the steps

taken to transform abstract concepts into a tangible solution. Furthermore, the chapter delves into

the results obtained from the practical application of the XSS attack detection system, offering

insights into its functionality, effectiveness, and contributions to enhancing web security. In

essence, Chapter 4 represents the bridge between theory and application, where theoretical

concepts take shape and deliver practical outcomes in the realm of cyber security.

4.2 HARDWARE AND SOFTWARE REQUIREMENTS

The hardware and software requirements of the system are as follows:

i. Windows, Mac or Kali Linux operating system

12
 ii. 2 GB RAM and above for optimum speed

iii. 1.8GHz or Greater processor speed.

iv. Dual Core or Greater Process

v. Python Version: 3.4 >

vi. Internet connection.

4.3 SYSTEM ARCHITECTURE

Embarking on the implementation of the XSS attack detection system, a dynamic and innovative

hybrid approach takes center stage in the final-year project. This approach seamlessly integrates

dynamic analysis with fuzzy inference, culminating in an intelligent and sophisticated system.

Figure 4.1, portraying the system architecture, serves as a visual testament to its intricate design.

The system strategically leverages dynamic security analysis and fuzzy logic to discern

vulnerabilities within web applications.

13
 Figure 4.1: System Architecture

In this architecture, the pivotal role of Application Entry Points (AEP) comes to the forefront.

AEPs serve as discerning markers, identifying fields necessitating user input—ranging from

GET and POST parameters to forms and links with parameters. During the crucial testing phase,

these entry points become instrumental in generating attack vectors for HTTP requests. This

strategic utilization of AEPs adds a layer of precision to the system's testing methodology,

enhancing its efficacy in detecting potential XSS vulnerabilities. The project not only

encapsulates theoretical knowledge but also unfolds a practical and intelligent solution,

showcasing the culmination of academic endeavours and a forward-thinking approach in the

realm of web security.

4.4 DYNAMIC ANALYSIS IMPLEMENTATION

Within the intricate framework of the final-year project, dynamic analysis emerges as a pivotal

component, casting a spotlight on the proactive approach employed to fortify web security. In

14
essence, dynamic analysis is the heartbeat of the XSS attack detection system, constituting a

sophisticated process of scanning websites to pinpoint potential vulnerabilities susceptible to

injection.(U. Sarmah, 2020)

The modus operandi of dynamic analysis involves the generation of attack vectors, strategically

crafted HTTP requests that infiltrate the web application, simulating potential avenues for

injection attacks. These attack vectors serve as virtual probes, probing the system for weak points

where malicious code could potentially be injected. The precision in crafting these attack vectors

is a testament to the system's intelligence, strategically targeting various elements such as GET

and POST parameters, forms, and links with parameters—elements where vulnerabilities

commonly lurk.(J. Garcia-alfaro, G. Navarro-arriba, 2022)

The ensuing phase in this dynamic dance of cybersecurity involves a meticulous analysis of the

HTTP responses elicited by the crafted attack vectors. This phase is akin to deciphering the

echoes of a probing signal, where the system scrutinizes the response to predict the presence of

an attack vector. It's a predictive endeavor, leveraging insights gleaned from the web

application's response to ascertain the likelihood of a potential injection attack. This predictive

prowess sets the system apart, adding a layer of foresight to its arsenal.

In essence, dynamic analysis encapsulates a proactive and predictive stance, embodying the

system's commitment to pre-emptive detection of XSS vulnerabilities. It's not merely about

identifying weaknesses post facto; it's about anticipating and neutralizing threats before they

materialize, showcasing the project's sophistication and strategic approach to fortifying the

digital frontier.(E. Kirda, 2020)

4.5 FUZZY INFERENCE INTEGRATION

15
In elevating the sophistication of the XSS attack detection system, the integration of fuzzy

inference stands as a testament to the project's commitment to intelligence and precision. Fuzzy

logic, a potent tool in the realm of artificial intelligence, is strategically harnessed to imbue the

system with nuanced and discerning detection capabilities.

Fuzzy inference, in the context of this project, operates as a cognitive layer, endowing the system

with the ability to assess not just the presence but also the severity and unique characteristics of

detected vulnerabilities. Traditional binary approaches often label vulnerabilities in a stark

dichotomy present or absent. However, the infusion of fuzzy logic introduces shades of gray into

this binary landscape, allowing for a more granular evaluation.(A. Kieun, 2019)

The application of fuzzy logic in vulnerability assessment provides the system with the cognitive

acumen to understand XSS attacks in a nuanced manner. It doesn't merely flag an attack; it

comprehensively gauges the gravity of the threat and delineates the distinctive features that

characterize the vulnerability. This nuanced understanding significantly enhances the accuracy of

the detection mechanism, setting the system apart in its capacity to decipher the intricacies of

web security threats.(B. K. Ayeni et al., 2020)

Moreover, the introduction of fuzzy logic aligns with the project's overarching objective of

cultivating a proactive and intelligent defence mechanism. By evaluating vulnerabilities on a

spectrum rather than a binary scale, the system transcends the limitations of traditional

approaches. It's a stride toward predictive cybersecurity, where the system not only identifies

threats but also comprehends their intricacies, offering a formidable shield against the evolving

landscape of XSS attacks.

4.6 ANALYSIS

16
Upon evaluating multiple frameworks for the envisaged XSS defence plan, we converted the

conceptual design and system specifications into executable Python code. Leveraging the Python

programming language and incorporating the fuzzywuzzy package (Adam, 2023), the system

was implemented to operate through the terminal. To validate its efficacy, the proposed system

underwent live testing on selected websites, actively scanning and collecting vulnerability data

during the process.

Table 1: displays a variety of sample data employed to assess the performance of our simulated

model.

S/N Web Site

1 https://www.dramaonlinelibrary.com/

2 https://www.lasu.edu.ng/

3 https://gizaenergy.ng/

4 https://seaofvitality.life/

Figure 4.2 below depicts the outcome of scanning and executing an injected payload on

www.dramaonlinelibrary.com, a drama retail site. The analysis of the injected payload disclosed

the identification and prioritization (sent as a request) of the 'any' parameter, along with the

discovery of reflection, affirming the presence of vulnerability in the website. The offline status

of the Web Application Firewall (WAF) signifies the absence of firewall protection for the

website. The scan results unequivocally confirmed the susceptibility of the web application to

XSS attacks.

17
 Figure 4.2: Scanning URL on the terminal (www.dramaonlinelibrary.com)

In Figure 4.3 below, the scan results for www.lasu.edu.ng, an academic website, unveil a

potential vulnerability related to DOM-based attacks. This vulnerability stems from the

identification of an object function within the website's web tree.

18
 Figure 4.3: URL scan for DOM vulnerability (www.lasu.edu.ng)

In Figure 4.4, we implemented the fuzz inference engine on the LASU website, the findings

indicated that the fuzz scan conducted successfully exposed all the requested strings.

Figure 4.4: Fuzz Scan on LASU website (www.lasu.edu.ng)

19
In figure 4.5 below we target the next website www.gizaenergy.ng which is a moverter sale

website, we performed a crawl on the website and passed a valid parameter into the system. The

application returns 0 vulnerabilities found in the crawl session.

Figure 4.5: URL crawling (www.gizaenergy.ng)

In Figure 4.6, we also implemented the fuzz inference engine on www.seaofvitality.life website,

the findings indicated that the fuzz scan conducted successfully exposed all the requested string

and also the WAF (Web Application Firewall) signifies the absence of firewall on the website.

20
 Figure 4.6: Apply Fuzz (www.seaofvitality.life)

The fuzz strings successfully circumvented all requested fuzz strings and managed to filter two

strings. This outcome indicates that the website lacks protection, rendering it vulnerable to

potential attacks.

21
 CHAPTER FIVE

5.1 SUMMARY
In summary, the objective of this project was to create a sophisticated XSS attack detection

system by combining dynamic analysis and fuzzy inference. The adoption of this hybrid

approach demonstrated its effectiveness in identifying vulnerabilities, marking a significant

stride forward in enhancing the security of web applications. The integration of dynamic

analysis, involving website scanning for potential injection points, alongside fuzzy inference,

which added an intelligent layer to vulnerability assessment, showcased the project's

comprehensive approach to address XSS threats. This not only meets the immediate goal of

fortifying web application security but also contributes valuable insights to the broader field of

cyber security. The successful implementation of this intelligent system reflects the commitment

to staying ahead of evolving cyber security challenges and underscores the potential impact of

such innovations on the overall safety of digital environments.

5.2 CONCLUSION
The pervasive threat of Cross-Site Scripting (XSS) attacks has cast a shadow over the security

landscape of web applications, posing risks such as session and account hijacking, Distributed

Denial of Service (DDoS) attacks, worm evasion, and the compromise of sensitive information.

Addressing these vulnerabilities is paramount, leading to the development of a robust XSS attack

detection framework detailed in this paper. This framework represents a crucial advancement in

fortifying web applications against potential exploitation.

22
The devised solution incorporates a hybrid system, strategically combining dynamic analysis and

fuzzy techniques to heighten its effectiveness. Notably, the fuzzy model integrates Levenshtein

distance, a mechanism for comparing and transforming strings within the system. This nuanced

approach not only demonstrates the sophistication of the detection system but also underscores

its adaptability in handling complex scenarios.

The results of the detection system showcase a commendable level of accuracy in identifying

vulnerabilities within web applications. This not only serves as a testament to the system's

efficacy but also positions it as a dependable tool for users seeking a robust and reliable means of

mitigating the risks associated with XSS attacks. In essence, the framework presented in this

paper stands as a significant contribution to the ongoing efforts to bolster the security

infrastructure of web applications and safeguard user data from potential threats.

5.3 RECOMMENDATIONS
Looking ahead, the current system, though promising, provides fertile ground for future

enhancements and extensions. One potential avenue for exploration involves the refinement of

the fuzzy logic model, aiming to elevate its precision and adaptability. Additionally, there exists

an opportunity to integrate advanced machine learning techniques into the system, further

amplifying its analytical capabilities and predictive accuracy. Such improvements would

contribute to the system's resilience against evolving cyber threats and enhance its overall

effectiveness.

The project, as it stands, represents a substantial stride in advancing web application security.

The innovative hybrid approach showcased in this research not only addresses existing

vulnerabilities but also opens new frontiers in intelligent XSS attack detection. This marks a

23
noteworthy contribution to the ever-evolving landscape of cyber security, offering a potent and

reliable tool for fortifying digital environments. In conclusion, the project's multifaceted

exploration and groundbreaking methodology position it as a key player in shaping the future of

web application security.

24
 REFERENCES

A. Kieun, J. G. (2019). Automatic creation of SQL injection and cross-site scripting

attacks. In ICSE Proceedings of the 31st International Conference on Software
Engineering , 12-25.

Adam, C. (2023, February 12). FuzzyWuzzy. Retrieved December 10, 2023, from Pypi:
https://pypi.org/project/fuzzywuzzy/

B. K. Ayeni, B, J. B Sahalu, and K. R. Adeyanju,. (2020). Detecting Cross-Site Scripting

in Web Applications Using Fuzzy Inference System. Journal of Computer Networks and
Communications , 10.

E. Kirda, N. J. (2020). Client-side cross-site scripting protection. Computer and Society ,

12-28.

G. R. K Rao, R. S. Prasad, and M. Ramesh. (2021). Neutralizing Cross-Site Scripting

Attacks using Open Source Technologies. Proceedings of the Second International
Conference on ICT for Competitive Strategies , 20-24.

J. Garcia-alfaro, G. Navarro-arriba. (2022). Prevention of cross-site scripting attacks on

current web applications. OTM, Lecture Notes Comput. Sci , 11-15.

U. Sarmah, ,. D. (2020). A survey of detection methods for XSS attacks. Journal of Network
and Computer Applications , 12-20.

25
 REFERENCES

Adam, C. (2019). “FuzzyWuzzy” https://pypi.org/project/fuzzywuzzy [Accessed: 13-Sept. 2023]

Authorized licensed use limited to: Auckland University of Technology. Downloaded on May

25,2020 at 10:30:58 UTC from IEEE Xplore. Restrictions apply.

Ayeni, B.K., Sahalu, B.J.B. and Adeyanju, K.R. (2018) “Detecting Cross- Site Scripting in Web

Applications Using Fuzzy Inference System”, Journal of Computer Networks and

Communications; Vol. 2018, pp. 10.

Ben Hardekopf and Calvin Lin (2017) "Hybrid Analysis: Combining Static and Dynamic

Analysis for Effective Bug Detection"

Bhojak, P., Patel, K., Agrawal, V. and Shah, V. (2015). “SQL Injection and XSS Vulnerability

Detection in web Application”, Int. Journal of Advanced Research in Computer Science

and Software Engineering; 5 (12) Dec. 2015, pp. 110-115.

Brian Chess and Jacob West. (2012) "Secure Programming with Static Analysis"

Curtsinger, C., Livshits, B., ZornB. G. and Seifert, C. (2011). ZOZZLE: Fast and Precise In-

Browser JavaScript Malware Detection, in: USENIX Security Symposium, 2011, pp. 33–

48.

Garcia-alfaro, J. and Navarro-arribas, G. (2007). “Prevention of cross-site scripting attacks on

current web applications”, OTM, Lecture Notes Comput. Sci., vol. 4804.

Hallaraker, O. and Vigna, G. (2005). “Detecting malicious JavaScript code in Mozilla”, 10th

Proceedings of IEEE International Conference of Eng. of Complex Computer Systems

doi: 10.1109/iceccs.2005.35.

26
Huang, Y.W., Yu, F., Hang, C., Tsai, C.H., Lee, D.T. and Kuo, S.Y., (2004). Securing Web

Application Code by Static Analysis and Runtime Protection, in: Proceedings of the 13th

International Conference on World Wide Web, ACM, pp. 40–52.

Internet World Stats, “Internet Usage Statistics, the Internet Big Picture, World Internet Users

and 2019 Population Stats”. [Online]. Available:

https://www.internetworldstats.com/stats.htm. [Accessed: 13- Sept- 2023]

Isatou, H., Abubakr, S., Hazura, Z. and Novia, A. (2014) “An approach for cross site scripting

detection and removal based on genetic algorithms,” In: Proceedings of the Ninth

International Conference on Software Engineering Advances: France, pp. 227–232,

Nice, France.

Kieun, A., Philip, J.G., Karthick, J. and Michael, D.E. (2009). “Automatic creation of SQL

injection and cross-site scripting attacks”, In ICSE Proceedings of the 31st International

Conference on Software Engineering, (Vancouver, BC, Canada), May 2009, pp. 199-209.

Kirda, E., Jovanovic, N., Kruegel, C. and Vigna, G. (2009). “Client-side cross- site scripting

protection”, Computer and Society 28(7), pp. 592-604, 2009, doi:

10.1016/j.cose.2009.04.008.

Koli, M., Pooja, S., Pranali, H.K. and PraSthmesh, N.G. (2016). “SQL injection and XSS

vulnerabilities countermeasures in web applications, “International Journal on Recent

and Innovation Trends in Computing and Communication, vol. 4, no. 4, pp. 692–695.

Krugel, C. and Vigna, G. (2003). “Anomaly detection of web-based attacks” Proceedings of

10th ACM Conference on Computer and Communications Security, CSC, Washington,

DC, USA.

27
Lucca, G., Fasolino, A., Mastroianni, M. and Tramontana, P. (2004). “Identifying Cross Site

Scripting Vulnerabilities in Web Applications” In Sixth IEEE International Workshop on

Web Site Evolution (WSE), pages 71 – 80.

Michael Sutton, Adam Greene, and Pedram Amini (2016) "Fuzzing: Brute Force Vulnerability

Discovery"

Oystein, H. and Giovanni, V. (2005). “Detecting malicious javascript code in mozilla”, in

ICECCS ’05: Proceedings of the 10th IEEE International Conference on Engineering of

Complex Computer Systems, pages 85–94, Washington, DC, USA, IEEE Computer

Society.

Patil, D.K. and Patil, K. (2015). “Client-side Automated Sanitizer for Cross- Site Scripting

Vulnerabilities”, International Journal of Computer Applications 121.

Rao, G.R.K., Prasad, R.S.[ and Ramesh, M. (2016). “Neutralizing Cross-Site Scripting Attacks

using Open Source Technologies”, Proceedings of the Second International Conference

on ICT for Competitive Strategies No 24 2016 doi: https://doi.org/10.1145/2905055.2905230.

Reis, C., Dunaga, J., Wang, H., Dubrovsky, O. and Esmeir, S. (2007). “Browsershield:

Vulnerability-driven ltering of dynamic html”, ACM Transactions on the Web, 1(3).

Ruderman, J. (2001) “The same origin policy”, [Online]. Available:

http://www.mozilla.org/projects/sec urity/components/same- origin.html [Accessed: 13-

Sept.-2023].

Saleh, A., Rozalia, B., Bujaa, B., Kamarularin, A., Mohd, A. and Faradilla, A. (2015) “A method

for web application vulnerabilities detection by using Boyer-Moore string matching

algorithm,” Information Systems International Conference, vol. 72, no. 3, p. 112.

28
Sarmah, U, Bhattacharyya, K, J. and Kalita, K. (2018). “A survey of detection methods for XSS

attacks”, Journal of Network and Computer Applications, doi: 10.1016/j.jnca.2018.06.004

Shuai Wang et al; (2015) "XSSCRAZE: Decoding Browser-Based XSS Attacks"

Symantec (2019). Internet Security Threat Report. 23.

Vogt, P., Nentwich, F., Jovanovic, N., Kirda, E., Kruegel, C. and Vigna, G. (2007). “Cross-Site

Scripting Prevention with Dynamic Data Tainting and Static Analysis”, 14th Annual

Network and Distributed System Security Symposium, NDSS, Vol. 2007, p. 12.

Wang, C., Wang, H. and Zhou, S. (2016). A New Cross-Site Scripting Detection Mechanism

Integrated with HTML5 and CORS Properties by Using Browser Extensions, in: 2016

International Computer Symposium (ICS), IEEE, 2016, pp. 264–269.

Wassermann, G. and Su, Z. (2008). Static Detection of Cross-site Scripting Vulnerabilities, in:

Proceedings of the 30th International Conference on Software Engineering, ACM, 2008,

pp. 171–180.

29