Abstract
Cybersecurity is one of the pillars of growth for the digital industry in the fourth industrial revolution (Industry 4.0). The networked world faces many forms of cyber threat. Web applications are the most common and essential software systems through which humans and computers communicate, and Cross-Site Scripting (XSS) attacks are a prevalent cybersecurity threat to them. This paper briefly traces the emergence of XSS attacks, their key triggers and effects, the existing XSS detection and prevention mechanisms, and an analysis of current frameworks. The discussion of current XSS detection and prevention mechanisms covers how XSS is identified and gives an overview of the static, dynamic and hybrid research approaches used over the past few decades, together with the latest methods for diagnosing XSS. The benefits and drawbacks of these methods are also analysed.
Appendix
The advantages and disadvantages of the tools have been compared to help developers and testers prevent Cross-Site Scripting (XSS) vulnerabilities by using these tools during testing. Table 6 therefore presents an analysis of the tools' functions, such as the programming language required, the input, report generation, web scanning, and the prediction of detection cases. This analysis should help users and developers prevent XSS vulnerabilities in their web applications.
Copyright information
© 2021 Springer Nature Singapore Pte Ltd.
Cite this paper
Gan, JM., Ling, HY., Leau, YB. (2021). A Review on Detection of Cross-Site Scripting Attacks (XSS) in Web Security. In: Anbar, M., Abdullah, N., Manickam, S. (eds) Advances in Cyber Security. ACeS 2020. Communications in Computer and Information Science, vol 1347. Springer, Singapore. https://doi.org/10.1007/978-981-33-6835-4_45
DOI: https://doi.org/10.1007/978-981-33-6835-4_45
Publisher Name: Springer, Singapore
Print ISBN: 978-981-33-6834-7
Online ISBN: 978-981-33-6835-4
eBook Packages: Computer Science (R0)