DYNAMIC HUFF- HASH COOKIES: PREVENTING XSS VULNERABILITIES ON THE SERVER SIDE R.JAYAPRAKASH

Size: px

Start display at page:

Download "DYNAMIC HUFF- HASH COOKIES: PREVENTING XSS VULNERABILITIES ON THE SERVER SIDE R.JAYAPRAKASH"

Elinor Butler
6 years ago
Views:

1 DYNAMIC HUFF- HASH COOKIES: PREVENTING XSS VULNERABILITIES ON THE SERVER SIDE R.JAYAPRAKASH Research Scholar, Department of Computer Science, Research and Development Centre, Bharathiar University, Coimbatore, India. ID: ABSTRACT: Nowadays, social websites creates more attention among the internet users. Cross Site Scripting (XSS) attacks is widely known attacks in Web Applications. XSS depicts a decent way of stealing the user information. The attacks are the worst to trace but it can be efficiently prevented. The attacker s intention is to control the targeted variable such as injecting malicious code, scripts, stealing cookies, session hijacking, account hijacking, etc. This paper focused on novel issue Data Tangling at the server side. We utilized cookie mechanism to prevent XSS vulnerabilities in web applications. Cookies acts as communication protocol over HTTP. As per WWW protocol, the browser user gets authenticated by the web server of the web application. The web server generates and sends the cookie to the web browser. The authentication status is maintained between user and web application using cookies. We introduced Dynamic Huff- Hash Cookies whose aim is to reduce the efficiency of the cookies even it is hacked. It is deployed on the server side whose role is to generate the compressed hash value of the name attribute and send to the web browser. Experimental results show that the effectiveness and response time of the system has been analyzed and achieved 97%. Keywords: Websites, Web Application, Server side scripting, Cross Site Scripting, Hashing, Compression. I.INTRODUCTION: Web application is defined as any application which utilizes the browser as a client. It is subdivided into static web application and dynamic web application. Static 61 web applications, as the name suggest, it exhibits the information to the web users. Dynamic web application is a reactive in nature [1]. According to the user input, it displays the information. Web application is a program that works on web browser as an interface and it also allows their visitors to post and retrieve data from/to a database across the internet. A web server is maintained to display the information to the user via browser in an intended format eg. HTML, JS using CSS. Without the intervention of database, the user can interact, compute and display the result which is pruned to the Cross Site Scripting (XSS) attacks. This type of attacks is analyzed in upcoming sections. Web application is mostly affected by XSS attacks [2]. Web site is a target variable. The user may be an attacker or normal accomplice. The web application process is presented as: Browser GUI Web Server Business logic Data access Fig.1.1 Web Application Process [1] 1.1 CROSS SITE SCRIPTING ATTACKS Database Data storage A simple web page comprised of text and scripts at the server and it is rendered by the client browser [2]. Static pages are less vulnerable than the dynamic pages based on the controlled variable. In dynamic web pages, if the user finds any malicious content, the user can have the full control to take necessary protective actions. Several ways to introduce the malicious content are: The malicious code supplied by the attacker without the user s knowledge. The user can click the malicious link for itself.

2 this SSL can be compromised to execute the malicious code or scripts. 6. The attacks may be persistent towards the infected cookies. This also paves the way to execute the malicious scripts. 7. The attacker may need to access the unauthorized in an intranet web server even if the victim s client possess cached authentication for the targeted server. 8. The domain based security policies may be exhausted. 9. The selection character set is important. Many websites lack of character set, this leads to attacks. 10. The form action may vary from user to user. The attacker can modify the data during form submission. Example 1: Fig.2. Architecture of XSS vulnerability [2] Consider a scenario the user is looking for PHP tutorial. The URL is obtained as tutorial.com/index.php?search= php+tutorial. In this gap, the attacker can make the user to click on its offensive link [3]: index.php?search=</form><formaction= hackerdomain.co m /hack.php > The above script enables to capture the user s cookie information. Example 2: Sometimes the attackers craft an URL, and make the user to execute the JavaScript mentioned by the attacker. <script XSS VULNERABILTIES APPLICATION FOR Several application risks associated with XSS were [4]: src= WEB 1. The user may click on the other dynamic pages unknowingly which is supplied by the attacker. 2. The attacker can control the user session before the cookie expires. 3. The attackers communicate with the malicious server that automatically connects with the user. 4. The user is convinced by the attacker to access his URL could execute the script and slip the cookie information. 5. A connection is established between the client and server using Secure Socket Layer (SSL). Sometimes PROBLEM FORMULATION We delve into the study of XSS attacks. Several financial, banking and ecommerce web applications are developed using Hypertext Preprocessor (PHP). There is no single solution for web applications that obtains input from various ports. From our analysis, we discovered Data Tangling issue which means when the user submit the information via web browser. The hacker acts like a normal user and steal the cookies without user s knowledge. Some hash based techniques were used to prevent XSS attacks. The hash value storage took more cookie-sized in the server side that automatically stores the data into the database in a tangled manner. So, an efficient server side solution should be build to solve this issue. 1.4 ORGANIZATION OF THE PAPER: This paper is structured as: Section 1 depicts the Definition of the Cross Site Scripting (XSS) attacks and its importance in security perspectives. Section 2 portrays the various studies conducted by the researchers in XSS attacks. Section 3 proposes an innovative solution to the problem formulated from the previous studies. An innovative solution has been implemented and their outcomes were depictedd in Section 4. Atlast, it is concluded in Section 5. II. LITERATURE SURVEY: Web application grabs the attention of many internet users. Web network utilizes the JavaScript which brings a serious issue of XSS vulnerabilities. Web scanners are introduced to detect and prevent the XSS vulnerabilities [3]. The stored XSS doesn t detect the vulnerabilities properly. The combination of XSS and SQL injection were provided to prevent stored XSS. The form submission field is considered as inputs. It has been done in three components namely, crawling component, attack component and analysis component. When an XSS attack is merged with SQL injection attacks, they reduced the effects of stored XSS attack using we scanner. String

3 comparison is a technique used to validate the input forms. The requested values that are reflected to the particular HTMLs forms used the string comparison techniques. An efficient DOM based design is done to filter the XSS attacks. It was developed using runtime taint tracking and taint aware parsers. An auditor module is maintained to monitor the token produced by the HTML parser [15]. Thus injected fragments are discovered and it is not passed to the JavaScript interpreter and hence attacks are prevented [4]. Some detection tools were invented to detect the XSS attacks. QualysGuard is a tool used to reduce the XSS vulnerabilities in web applications. It checks the number of redundant link, damaged link and doesn t allow validating the same link. It enhanced the detection speed rate without compromising the quality [5]. URL analysis [6] was also used to prevent the XSS attacks. The URL parameters are extracted to form a JavaScript syntax tree and its weights are calculated. User defined threshold is maintained and the JavaScript weights exceed the threshold level then the URL is malicious one. In server side, the Dynamic hash generation technique is employed to prevent the XSS attacks. Cookies are used to exploit the XSS vulnerabilities. The stolen cookies are making inefficient even if the attacker retrieves the cookies [7]. A supervised learning methodology is used to relate the static attributes to form a dynamic attributes to predict the XSS vulnerabilities. Classification and clustering model are used as prediction model even in presence or absence of training data. Some real time execution traces are collected to classify the data validation and data sanitization [16]. The vulnerable code statements are predicted to ensure the security auditing and testing. Thus precision and recall values are estimated [8]. XSS propagation of worms in Online Social Networks [9] was investigated in Facebook detection system. The user s impact to visit their friends is less than the strangers. An efficient resource allocation is done with maximized monitoring coverage to detect the XSS worms. It was a feasible one to detect the early stage of propagation of XSS worms. Secure Delivery Networks (SDN) applications [10] such as financial transactions, new accessing, entertainments etc. These networks should be free from worms. Threats has been in greater level in SDNs. This reported the level of each attacks in SDN applications [11]. Web services lets the user to access the content from the websites. Privileges should be granted only to the authorized users. They introduced the method PASSE which slows down the malicious scripts by developing end to end and control flow relationships [12]. They proved 96% applications with less overhead. SQL Attack Scanner (SQLAS) is a tool to detect the SQL attacks in the PHP web applications. It scans web applications even in offline mode that reduces the time and less overhead in runtime. It worked on both simple and 63 complex data structure. XML rules are generated to valid the inputs [13]. The malicious scripts are rewarded with full access to all resources. Noxes was introduced to automatically generate rules to discover XSS attempts. It is a Microsoft windows based personal web firewall application. It provides client side solution without the intervention of web applications. It protects the sensitive information such as cookies and session ids [14] [17]. III. DYNAMIC HUFF-HASH COOKIE TECHNIQUE: 3.1 MOTIVATION Cookies are small of piece of information that is privately stored in web browser. The website owners can read the values of the cookies and it can be utilized as their wish. The browser saves this information for future use. Cookies are well supported by Hypertext Preprocessor (PHP). The functionality of the cookies is used for the webpage authentications, storing preferences for websites and observing of user s movement. Since cookies in the server side took more size to store the value of the cookie. 3.2 DYNAMIC HUFF-HASH COOKIES TECHNIQUE In this section, we introduced a novel concept Dynamic Huff-Hash cookies. The objective is to secure cookies from the attackers. Our design ensures Robustly protects against XSS attacks. Support a normal HTML form. Compatible with existing browsers. The cookie is set in the header. It should be set before any HTML is set to web page. The cookie is set as: bool setcookie (string $name [, string $value [, int $expire = 0 [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false]]]]]] ) The attributes in cookie are: Name: Name of the cookie Value: Its cookie value and is stored in client s computer. Expire: The time taken to terminate the cookie Path: Server path where the cookie resides. Domain: determines the cookie resides to set subdomains. Secure: Decides to use only HTTPS connection from the client. Httponly: it sets TRUE using HTTP protocols and not the scripting languages such as JS, VBScript. It lets us to discover the XSS attacks.

4 Return: It returns 1 for successful execution and 0 for unsuccessful execution. The procedure is as follows: 1. The client registered with the web applications using username and password. 2. A cookie is maintained in the web browser to monitor the activities carried out by the client. 3. In web server side, the username, password and cookie are maintained. 4. The cookie contain information such as name, value, expire, path, domain, secure and httponly. 5. In web server database, instead of storing original value, a dynamic compressed hash value of name, path, domain and httponly is stored. 6. If the user wants to connect to the web applications, the compressed hash cookie value is entered as request. 7. This will be reestimated at the server side. 8. Anyway, the XSS attacker can steal the cookies but it can t be used again for future use. al JS tutori vascript/ al Table 1: A sample of ori The hash value of the cookie is again compressed using the technique Dynamic Huffman Coding. This method is employed to address the Data Tangling issue. When we store the hash value of a cookie directly to the web server, it will consume more response time to the web browser and also storage space is higher. Huffman encoding is a type of lossless compression scheme that also lessens the redundancy of the data. The procedure is as follows: Input: Hash value of cookie value. Output: a compressed hashh value. /loc 3 Poss5 6 *% #@^$ iginal and hash value of cookie 1. Let H(C) = {h 1, h 2.,h n } 2. Compute hash weight using C =(c 1, c 2 c n ) 3. C i = frequency (h i ), 1 i n Now, in web server, the compressed hash data value is stored in 0/1 bits whichh lessens the cookie-sized and increases response time. Even if the attacker steals the cookies, they can t use the information. Thus in this way we can prevent the XSS attacks. Fig. 3.1 A proposed architecture Firstly, the hash values of the cookies were generated in order to make the stateless cookies. This technique is implemented on the web server rather than the web browser which implicitly does not require any changes. In database of the web server, the hashh value of name attribute is generated. This hash value is stored in the web server rather than original value. The role of the user at the browser side will get authenticated by the web server. Let us consider three attributes namely, name, domain and path for discovering the cookies. The table 1 depicts the storing of cookies on server side. 4. EXPERIMENTAL RESULTS: We evaluated this technique on Google chrome using XAMPP services. We tested on different blog users. Nam e PHP tutori al XM L tutori Domain php.net Pat h /loc 1 /loc 2 Origi nal Value 159io p 289gh t Hash value *@#( $! +(#% *$ Fig.4.1 Login page 64

total data size is 576 bits. Therefore, 1- (16/576) = 97.2% Fig.4.

5 # ( $ 1 110! Table 3: Frequency and Huffman code estimation The effectiveness is calculated as: (1*2)+(1*2)+(1*3)+(1*3)+(1*3)+(1*3)= 16 There are 72 symbols where each symbols constitutes of 8 bits, hence total data size is 576 bits. Therefore, 1- (16/576) = 97.2% Fig.4.2 Dashboard of users is maintained Performance measures such as effectiveness of compression, storage size and response time were evaluated. i) Effectiveness of Huffman code: The effectiveness of the Huffman code is to find out the lessened size of compressed data. It is calculated as the product of each frequency of the symbols and its number of bits. These products are added together to find out the effectiveness of the compression system. From the above result, it can be inferred that the effectiveness of the compression of hash value of cookie is higher. ii) Response time Response time is defined as the aggregate time taken to respond to the service requested by the client. Here five different blog pages have been used by users. The response time of each page took only few milliseconds to response the server. n = i= 1 Effectiveness No. offrequencyofsymbols * No. ofbits Eg: 1. Consider a test case: Hash Value: *@#($! Symbols Frequency Huffman code * CONCLUSION This paper analyzed the current issue namely Data Tangling at the server side in the field of web vulnerability known as XSS attacks. A cookie plays a vital role in the web browser which assists the attackers to steal the information. We introduced Dynamic Huff- Hash Cookies whose aim is to reduce the efficiency of the cookies even it is hacked. It is deployed on the server side Fig.4.3 Response time of users from different blogs whose role is to generate the compressed hash value of the name attribute and send to the web browser. The performance measures such as effectiveness and response time has been evaluated. By deploying this novel technique, the effectiveness of the compression system has been achieved 97%. As our future work, we will be analyzing on detecting the XSS attacks using different compression techniques. 65

6 REFERENCES 1. J. Alex Halderman, To strengthen security, change developer s incentives, IEEE computer and reliability societies, March/ April 2010, pp: Hossein Saiedian and Dan S. Broyles, Security vulnerabilities in same origin policy- implications and alternatives, September 2011, pp Punam Thopate et al, Cross Site Scripting attack detection and prevention system, International Journal of Advanced Research in Computer Engineering & Technology (IJARCET), Volume 3 Issue 11, November Ben Stock et al, Precise client-side protection against DOM-based Cross-Site Scripting, USENIX, The advanced computing systems association, August 20-22, Tejinder Singh Mehta and Sanjay Jamwal, Model to prevent websites from XSS vulnerabilities, International Journal of Computer Science and Information Technologies, Vol. 6 (2), Zhi hua Tang et al, Identifying Cross-Site Scripting Attacks Based on URL Analysis, International journal engineering and manufacturing, Vol 5, Shashank Gupta et al, Prevention of Cross Site Scripting vulnerability using Dynamic Hash Generation Technique on the server side, International Journal of Advanced Computer Research, Volume-2 Number-3 Issue-5 September Lwin Khin Shar, Hee Beng Kuan Tan and Lionel C. Briand, Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis, IEEE 35 th International conference on Software Engineering, May Mohammad Reza Faghani and Uyen Trang Nguyen, A study of XSS worm propagation and detections mechanisms in online social networks IEEE transactions on information forensics and security, vol. 8, no. 11, November Angelos D. Keromytis, Randomized Instruction sets and runtime environments, IEEE security and privacy, David Gillman et al, Protecting websites from attack with secure delivery networks, IEEE Computer Security, April 015, pp Aaron Blankstein and Michael J. Freedman, Automating Isolation and Least Privilege in Web Services, IEEE Symposium on Security and Privacy, Lwin Khin Shar and Hee Beng Kuan Tan, Defending against Cross site scripting attacks, IEEE computer security, March 2012, pp Vandana Dwivedi et al, SQLAS: Tool to detect and prevent attacks in PHP web applications, International Journal of Security, Privacy and Trust Management (IJSPTM) Vol 4, No 1, February Amit Singh and Suraj Singh Tomer, Securing Server/ Client side applications against XSS attack via XSS obliterator, International Journal of Computer Science and Information Technologies, Vol. 6 (2), Puspendra Kumar and R. K. Pateriya, Enhanced Intrusion Detection Systems for input validation attacks in web application, Vol. 10, Issue 1, No 2, January Kamlesh Kumar Raghuvanshi and Neetesh Tiwari, Prevention and Detection Techniques for XSS injection attacks, International Journal of Computer Trends and Technology (IJCTT), Vol.12, No.2, June

Detecting XSS Based Web Application Vulnerabilities

Detecting XSS Based Web Application Vulnerabilities M.S.Jasmine M.Tech (ISCF).Student, Department of Information Technology SRM University, TamilNadu,India jasmine.srakj@gmail.com Kirthiga Devi Assistant