
A Review on Detection of Cross-Site Scripting Attacks (XSS) in Web Security

  • Conference paper
  • Published in: Advances in Cyber Security (ACeS 2020)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 1347)

Abstract

Cybersecurity is one of the pillars of the growth of the digital industry in Industry Revolution 4.0. The networked world faces several forms of cyber threat. The web application is the most essential and widespread software system enabling communication between humans and computers, and Cross-Site Scripting (XSS) attacks are a prevalent cybersecurity threat against it. This paper gives a brief account of the emergence of Cross-Site Scripting (XSS) attacks, their key triggers and effects, the existing XSS detection and prevention mechanisms, and an analysis of current frameworks. The discussion of current XSS detection and prevention mechanisms addresses how XSS is identified and gives an overview of the static, dynamic and hybrid research approaches used over the past few decades. The latest methods used to diagnose XSS over that period are also covered, together with an analysis of the benefits and drawbacks of each of these methods.



Author information

Corresponding author: Jun-Ming Gan

Appendix

A comparison of the advantages and disadvantages of the tools is presented to help developers and testers prevent Cross-Site Scripting (XSS) vulnerabilities by using these tools during testing. Table 6 therefore analyses each tool by its functions: the programming language required, the input it takes, report generation, web scanning capability, and its prediction of detection cases. This analysis should help users and developers prevent Cross-Site Scripting (XSS) vulnerabilities in their web applications.

Table 6. Existing tools to detect the Cross-Site Scripting (XSS) attacks


Copyright information

© 2021 Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Gan, JM., Ling, HY., Leau, YB. (2021). A Review on Detection of Cross-Site Scripting Attacks (XSS) in Web Security. In: Anbar, M., Abdullah, N., Manickam, S. (eds) Advances in Cyber Security. ACeS 2020. Communications in Computer and Information Science, vol 1347. Springer, Singapore. https://doi.org/10.1007/978-981-33-6835-4_45


  • DOI: https://doi.org/10.1007/978-981-33-6835-4_45


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-33-6834-7

  • Online ISBN: 978-981-33-6835-4

  • eBook Packages: Computer Science (R0)
