An Infrastructure-Based Framework for the Alleviation of JavaScript Worms from OSN in Mobile Cloud Platforms

  • Conference paper
Network and System Security (NSS 2016)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 9955)

Abstract

This paper presents an infrastructure-based mobile cloud computing framework that obstructs the execution of JavaScript (JS) worms injected from untrustworthy remote servers. The execution of such worms triggers Cross-Site Scripting (XSS) attacks on the mobile cloud-based Online Social Network (OSN). The framework executes in two steps. First, it extracts the Uniform Resource Identifier (URI) links embedded in the HTTP response in order to extract the untrusted JS links/code. Second, it generates the Document Object Model (DOM) tree corresponding to each extracted HTTP response, explores this tree for script nodes and extracts the embedded JS code. The two extracted sets of JS code are then compared to detect similar code. Such similar code points to the untrusted JavaScript code that an attacker would use to exploit XSS vulnerabilities on the OSN. The prototype of the framework was developed in Java, and the functionality of its components was integrated on the virtual machines of mobile cloud platforms. Experimental testing and performance evaluation were carried out on open source OSN websites integrated in the virtual cloud servers. The evaluation results revealed that the framework is capable of detecting untrusted JS worms with a very high precision rate, a low rate of false positives and acceptable performance overhead.
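The two-step comparison described in the abstract can be sketched as follows. This is an added example, not the paper's Java prototype: it assumes that "JS carried in a URI" means `javascript:` payloads and decoded query-string values, and that "similar" means a `difflib` ratio of at least 0.8 after normalisation. All function names and the sample response are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlsplit

URI_ATTRS = {"href", "src", "action", "formaction"}

class ResponseScanner(HTMLParser):
    """One pass over the response body: URI attributes and <script> node text."""
    def __init__(self):
        super().__init__()
        self.uris, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        self.uris += [v for k, v in attrs if k in URI_ATTRS and v]
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def normalise(js):
    # Drop wrapping <script> tags, whitespace and case so trivial edits do not hide a match.
    return re.sub(r"\s+", "", re.sub(r"</?script[^>]*>", "", js, flags=re.I)).lower()

def js_from_uris(uris, min_len=8):
    """Step 1 (assumed reading): javascript: payloads and decoded query values."""
    found = []
    for uri in uris:
        if uri.strip().lower().startswith("javascript:"):
            found.append(unquote(uri.strip()[len("javascript:"):]))
        found += [value for _, value in parse_qsl(urlsplit(uri).query)]
    return [n for n in map(normalise, found) if len(n) >= min_len]

def flag_untrusted_scripts(body, threshold=0.8):
    """Step 2: return script-node bodies that resemble JS carried in a URI."""
    scanner = ResponseScanner()
    scanner.feed(body)
    candidates = js_from_uris(scanner.uris)
    return [s for s in scanner.scripts
            if any(SequenceMatcher(None, normalise(s), c, autojunk=False).ratio() >= threshold
                   for c in candidates)]

# Constructed sample response body (not from the paper's test set).
SAMPLE = """<html><body>
<a href="/profile?id=7&amp;status=%3Cscript%3Evar%20p%3Ddocument.cookie%3Bpost(p)%3C%2Fscript%3E">share</a>
<script>var p = document.cookie; post(p)</script>
<script>renderTimeline(42);</script>
</body></html>"""

if __name__ == "__main__":
    print(flag_untrusted_scripts(SAMPLE))
```

Only the script node that mirrors the URI-borne code is flagged; the application's own `renderTimeline` call is left alone.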

Author information

Correspondence to Brij B. Gupta.

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Gupta, S., Gupta, B.B. (2016). An Infrastructure-Based Framework for the Alleviation of JavaScript Worms from OSN in Mobile Cloud Platforms. In: Chen, J., Piuri, V., Su, C., Yung, M. (eds) Network and System Security. NSS 2016. Lecture Notes in Computer Science, vol 9955. Springer, Cham. https://doi.org/10.1007/978-3-319-46298-1_7

  • DOI: https://doi.org/10.1007/978-3-319-46298-1_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-46297-4

  • Online ISBN: 978-3-319-46298-1

  • eBook Packages: Computer Science (R0)
