Abstract
There are many types of web attacks on the Internet. While cross-site scripting (XSS) is one of the most popular among attackers, it is also one of the most underrated attack vectors. The typical use of XSS attacks is to steal cookies and expose sensitive information. An XSS attack occurs when the attacker tricks a legitimate web application to accept a malicious request. In this context, XSS is a server-side vulnerability. Hence, many previous studies had focused on evaluating server-side vulnerability against XSS attacks. Some studies have focused on evaluating client-side vulnerability against XSS attacks. The latest version of web browsers, plugins, and operating systems is a basic countermeasure against XSS attacks. However, keeping the latest updates on all computers requires time and effort. Furthermore, this does not reveal the actual impact of vulnerability. In this paper, we propose an automated audit method of client-side vulnerability against XSS. Our method is based on Browser Exploitation Framework (BeEF), which is designed to provide effective client-side attack vectors and to exploit any potential vulnerabilities in the web browser. Our method automates the penetration testing process using the RESTful API. The experimental result shows that our method provides a remote testing option for client computers and evaluates the actual impact of XSS vulnerability.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
References
Bland, J.A., Petty, M.D., Whitaker, T.S., Maxwell, K.P., Cantrell, W.A.: Machine learning cyberattack and defense strategies. Comput. Secur. 92, 101,738 (2020). https://doi.org/10.1016/j.cose.2020.101738. https://www.sciencedirect.com/science/article/pii/S0167404818309799
Doupé, A., Cui, W., Jakubowski, M.H., Peinado, M., Kruegel, C., Vigna, G.: deDacota: toward preventing server-side XSS via automatic code and data separation. In: Sadeghi, A., Gligor, V.D., Yung, M. (eds.) 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, Berlin, Germany, 4–8 November 2013, pp. 1205–1216. ACM (2013). https://doi.org/10.1145/2508859.2516708
Jaballah, W.B., Kheir, N.: A grey-box approach for detecting malicious user interactions in web applications. In: You, I., Bertino, E., (eds.) Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats, MIST@CCS 2016, Vienna, Austria, 28 October 2016, pp. 1–12. ACM (2016). http://dl.acm.org/citation.cfm?id=2995966
Lekies, S., Stock, B., Johns, M.: 25 million flows later: large-scale detection of DOM-based XSS. In: Sadeghi, A., Gligor, V.D., Yung, M. (eds.) 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, Berlin, Germany, 4–8 November 2013, pp. 1193–1204. ACM (2013). https://doi.org/10.1145/2508859.2516703
Liu, M., Wang, B.: A web second-order vulnerabilities detection method. IEEE Access 6, 70,983–70,988 (2018). https://doi.org/10.1109/ACCESS.2018.2881070
Maeda, R., Mimura, M.: Automating post-exploitation with deep reinforcement learning. Comput. Secur. 100, 102,108 (2021). https://doi.org/10.1016/j.cose.2020.102108. https://www.sciencedirect.com/science/article/pii/S0167404820303813
Pan, J., Mao, X.: Detecting DOM-sourced cross-site scripting in browser extensions. In: 2017 IEEE International Conference on Software Maintenance and Evolution, ICSME 2017, Shanghai, China, 17–22 September 2017, pp. 24–34. IEEE Computer Society (2017). https://doi.org/10.1109/ICSME.2017.11
Pan, X., Cao, Y., Liu, S., Zhou, Y., Chen, Y., Zhou, T.: CSPAutoGen: black-box enforcement of content security policy upon real-world websites. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 653–665. ACM (2016). https://doi.org/10.1145/2976749.2978384
Panja, B., Gennarelli, T., Meharia, P.: Handling cross site scripting attacks using cache check to reduce webpage rendering time with elimination of sanitization and filtering in light weight mobile web browser. In: 2015 First Conference on Mobile and Secure Services (MOBISECSERV), pp. 1–7 (2015). https://doi.org/10.1109/MOBISECSERV.2015.7072878
Steinhauser, A., Gauthier, F.: JSPChecker: static detection of context-sensitive cross-site scripting flaws in legacy web applications. In: Murray, T.C., Stefan, D. (eds.) Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security, PLAS@CCS 2016, Vienna, Austria, 24 October 2016, pp. 57–68. ACM (2016). https://doi.org/10.1145/2993600.2993606
Stock, B., Lekies, S., Mueller, T., Spiegel, P., Johns, M.: Precise client-side protection against DOM-based cross-site scripting. In: Fu, K., Jung, J. (eds.) Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, 20–22 August 2014, pp. 655–670. USENIX Association (2014). https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/stock
Acknowledgements
This work was supported by JSPS KAKENHI Grant Number 21K11898.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Mimura, M., Yamasaki, T. (2022). Toward Automated Audit of Client-Side Vulnerability Against Cross-Site Scripting. In: Barolli, L. (eds) Advances on Broad-Band Wireless Computing, Communication and Applications. BWCCA 2021. Lecture Notes in Networks and Systems, vol 346. Springer, Cham. https://doi.org/10.1007/978-3-030-90072-4_15
Download citation
DOI: https://doi.org/10.1007/978-3-030-90072-4_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-90071-7
Online ISBN: 978-3-030-90072-4
eBook Packages: EngineeringEngineering (R0)