Abstract
In this paper, we address the overlooked problem of Cross-Site Scripting (XSS) on mobile versions of web applications. We have surveyed 100 popular mobile versions of web applications and detected XSS vulnerabilities in 81 of them. The inspected sites present a simplified version of the desktop web application for mobile devices; the survey includes sites by Nokia, Intel, MailChimp, Dictionary, Ebay, Pinterest, Statcounter and Slashdot. Our investigations indicate that a significantly larger percentage (81 % vs. 53 %) of mobile web applications are vulnerable to XSS, although their functionality is drastically reduced in comparison to the corresponding desktop web application.
To mitigate XSS attacks for mobile devices, this paper presents a light-weight, black-list and regular expressions based XSS filter for the detection of XSS on mobile versions of web applications, which can be deployed on client or server side. We have tested our implementation against five different publicly available XSS attack vector lists; none of these vectors were able to bypass our filter. We have also evaluated our filter in the client-side scenario by adding support in 2 open source mobile applications (WordPress and Drupal); our experimental results show reasonably low overhead incurred due to the small size of the filter and computationally fast regular expressions. We have contributed an implementation of our XSS detection rules to the ModSecurity firewall engine, and the filter is now part of OWASP ModSecurity Core Rule Set (CRS) https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_41_xss_attacks.conf.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
“Type Etsy.com into your mobile browser on your phone and you’ll find a simple and optimized version of the Etsy site http://www.etsy.com/”.
- 2.
- 3.
Flip the pref to turn on the CSP 1.0 parser for Firefox for Android: https://bugzilla.mozilla.org/show_bug.cgi?id=858780.
- 4.
- 5.
- 6.
- 7.
- 8.
The complete list of surveyed mobile sites is available at http://pastebin.com/MabbJWWL.
- 9.
- 10.
XSS is now fixed, see http://i.imgur.com/oWwpc1e.jpg
- 11.
- 12.
- 13.
- 14.
- 15.
Nokia has sent us Nokia Lumia 800 Phone as a part of appreciation and responsible disclosure.
- 16.
For interested readers, we will soon publish a technical report titled — “A Footprint of Third-Party Tracking on Mobile Web”.
- 17.
- 18.
- 19.
The url 0x.lv has been developed by Eduardo Vela of Google.
- 20.
We have collected a list of some of the state-of-the-art XSS vectors here http://pastebin.com/BdGXfm0D.
- 21.
- 22.
- 23.
- 24.
- 25.
- 26.
- 27.
- 28.
- 29.
- 30.
- 31.
- 32.
- 33.
- 34.
- 35.
- 36.
- 37.
Galadrim https://twitter.com/g4l4drim
- 38.
- 39.
- 40.
References
Wassermann, G., Su, Z.: Static detection of cross-site scripting vulnerabilities. In: ICSE 2008. http://dl.acm.org/citation.cfm?id=1368112
Controlling the XSS filter. http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-/protection-http-header.aspx
Cook, S.: A web developer’s guide to cross-site scripting (January 2003). http://www.giac.org/practical/GSEC/Steve_Cook_GSEC
WhiteHat Security’s Website Security Statistics Report (May 2013). https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf
Do mobile and desktop interfaces belong together?. http://mobile.smashingmagazine.com/2012/07/19/do-mobile-desktop-interfaces-belong-together/more-130354
Mobile site vs. full site. http://www.nngroup.com/articles/mobile-site-vs-full-site/
Regular expression language – quick reference. http://msdn.microsoft.com/en-us/library/az24scfc.aspx
Regular expression tutorial. http://www.regular-expressions.info/tutorialcnt.html
Regular expressions cheat sheet. http://www.cheatography.com/davechild/cheat-sheets/regular-expressions/
Regular expressions. https://developer.mozilla.org/en-US/docs/JavaScript/Guide/Regular_Expressions
Measuring time with javascript. http://webdesign.onyou.ch/2010/11/30/measure-time-with-javascript/
Accuracy of JavaScript time. http://ejohn.org/blog/accuracy-of-javascript-time/
NoScript anywhere. http://noscript.net/nsa/
redos.js - JavaScript test program for regular expression DoS attacks. http://www.computerbytesman.com/redos/retime_js.source.txt
Regular expression denial of service. http://en.wikipedia.org/wiki/ReDoS
Singh, K.: Can mobile learn from the Web? In: W2SP 2012. http://www.w2spconf.com/2012/papers/w2sp12-final13.pdf
OWASP top 10 mobile risks. https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
XUL (XML User Interface Language). https://developer.mozilla.org/en-US/docs/XUL
Mozilla developer platforms mobile. https://groups.google.com/group/mozilla.dev.platforms.mobile/browse_thread/thread/ff8d89bfa28383bb?pli=1
Knowyourelements. http://www.knowyourelements.com/#tab=list-view&date=2013-01-24
A complete guide of jQuery mobile for beginners. http://www.webappers.com/2013/03/15/a-complete-guide-of-jquery-mobile-for-beginners/
Athanasopoulos, E., Pappas, V., Krithinakis, A., Ligouras, S., Markatos, E., Karagiannis, T.: xJS: practical XSS prevention for web application development. In: Proceedings of the 2010 USENIX Conference on Web Application Development (2010)
Bisht, P., Venkatakrishnan, V.N.: XSS-GUARD: precise dynamic prevention of cross-site scripting attacks. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 23–43. Springer, Heidelberg (2008)
Bates, D., Barth, A., Jackson, C.: Regular expressions considered harmful in client-side XSS filters. In: WWW (2010). http://www.collinjackson.com/research/xssauditor.pdf
Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N.: Noxes: a client-side solution for mitigating cross-site scripting attacks. In: Proceedings of the 2006 ACM Symposium on Applied Computing, pp. 330–337. ACM (2006)
Ismail, O., Etoh, M., Kadobayashi, Y., Yamaguchi, S.: A proposal and implementation of automatic detection/collection system for cross-site scripting vulnerability. In: AINA (2004)
Nadji, Y., Saxena, P., Song, D.: Document structure integrity: a robust basis for cross-site scripting defense. In: NDSS (2009)
Robertson, W., Vigna, G.: Static enforcement of web application integrity through strong typing. In: Proceedings of the 18th Conference on USENIX Security Symposium, SSYM’09, pp. 283–298. USENIX Association, Berkeley (2009)
Vogt, P., Nentwich, F., Jovanovic, N., Kirda, E., Kruegel, C., Vigna, G.: Cross site scripting prevention with dynamic data tainting and static analysis. In: Proceeding of the Network and Distributed System Security Symposium (NDSS)
Barth, A., Jackson, C., Mitchell, J.C.: Securing browser frame communication. In: 17th USENIX Security (2008)
Stamm, S., Sterne, B., Markham, G.: Reining in the web with content security policy. In: WWW (2010)
Oda, T., Wurster, G., van Oorschot, P., Somayaji, A.: SOMA: mutual approval for included content in web pages. In: CCS (2008)
Jim, T., Swamy, N., Hicks, M.: Defeating script injection attacks with browser enforced embedded policies. In: WWW (2007)
OWASP modSecurity core rule set project. https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
Apache module \({\rm {mod}}\_{\rm {proxy}}\). http://httpd.apache.org/docs/2.2/mod/ \({\rm mod}\_{\rm proxy}\).html
Acknowledgements
The authors would like to thank @0x6D6172696F, @insertScript, @ryancbarnett, @garethheyes, @ma1, @avlidienbrunn, @mathias, @secalert, @g4l4drim and many more from Twitter “infosec community” for their help and anonymous reviewers for their comments. This work has been supported by the Ministry of Economic Affairs and Energy of the State of North Rhine-Westphalia (Grant 315-43-02/2-005-WFBO-009).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendix
Appendix
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Javed, A., Schwenk, J. (2014). Towards Elimination of Cross-Site Scripting on Mobile Versions of Web Applications. In: Kim, Y., Lee, H., Perrig, A. (eds) Information Security Applications. WISA 2013. Lecture Notes in Computer Science(), vol 8267. Springer, Cham. https://doi.org/10.1007/978-3-319-05149-9_7
Download citation
DOI: https://doi.org/10.1007/978-3-319-05149-9_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-05148-2
Online ISBN: 978-3-319-05149-9
eBook Packages: Computer ScienceComputer Science (R0)