2017 International Conference on Computer, Electronics and Communication Engineering (CECE 2017) ISBN: 978-1-60595-476-9

XSS Vulnerability Scanning Algorithm Based on Anti-filtering Rules

Bo-wen LIU 1, Jun WANG 1, Jian-yi LIU 1, Ru ZHANG 1, Wen-xin SUN 1 and Yuan-gang YAO 2
1 Information Security Center, Beijing University of Posts and Telecommunications, Beijing 100876, China
2 China Information Technology Security Evaluation Center

Keywords: Web system, XSS vulnerability, Filtering mechanisms, Vulnerability scanning.

Abstract. In this paper, we investigate the main security vulnerabilities of web systems and vulnerability scanning technology, and analyze the causes of different web system vulnerabilities. We analyze in depth how XSS vulnerabilities arise and how they are exploited. By studying the filtering mechanisms of web servers, we put forward an XSS vulnerability scanning algorithm based on anti-filtering rules, and use it to expand and optimize the XSS vulnerability test case library. The coverage of XSS vulnerability scanning is thereby improved and the security of the web system is strengthened.

Introduction

In recent years, the security of web systems has attracted wide attention. The number of vulnerabilities in a web system determines its security [1]. In this paper, we study the filtering mechanism of the web server and the corresponding anti-filtering rule set. Based on the anti-filtering rules, we propose an XSS vulnerability scanning algorithm that improves web system security.

Related Work

In 2006, Jovanovic released Pixy [2], an open-source vulnerability scanning tool for static analysis. It performs web system vulnerability mining by detecting and analyzing the direction of data flow. Penetration testing as a dynamic analysis technique was established by SecuBat, but it supports only a limited set of vulnerability scans and cannot scan for new vulnerabilities. Nessus [3] could be a good solution to this problem. It was designed by Renaud Deraison and is based on a client/server architecture, but over its long history the Nessus system has become very bloated and its costs are high. There are also very good vulnerability scanners at home and abroad, such as WebInspect, WebSOC and so on. However, these scanners usually have high configuration requirements, so they are not applied to the web systems of small and medium-sized enterprises.

XSS Vulnerability Research

When an application receives untrusted data and returns it to the browser without proper validation and escaping, a cross-site scripting (XSS) vulnerability results [4]. The web system does not check the input data strictly, so an attacker can inject a script fragment through a user input field; when a victim accesses the page, the script runs and the attack is achieved [5]. According to the way they are triggered, XSS vulnerabilities can be divided into three categories.

1. Reflected XSS vulnerability. This type of XSS vulnerability is non-persistent. It occurs when the web client uses server-side script to generate a page that provides data to the user [6].
2. Stored XSS vulnerability. The attacker first stores the attack data on the server, which is the storage property. The attacker then induces users to access the vulnerable page. Each time the attack data is accessed, it appears in the client without being processed. This leads to the emergence of stored XSS vulnerabilities, which is called persistence.
3. DOM-based XSS vulnerability. The attacker modifies the DOM "environment" so that the original client-side script executes it, and the client's code runs in an unexpected way.

At present, the main XSS vulnerability detection methods are detection based on source code, server-side detection and client-side detection. The static detection technique for source code audits the source without running the target program. The purpose of server-side detection is to identify untrusted data and use filtering measures to handle dangerous keywords. On the client side, it inspects the script language in the browser, prevents malicious scripts from running, and prompts the user with a reasonable warning.

Web Vulnerability Scanning Algorithm Based on Anti-filtering Rules

Filtering Rules Analysis

Web system developers tend to regard all user data as untrusted and process it in different ways to reduce the security risk of the web system. In addition to the firewall outside the web system, IDS, IPS and other measures, the most common approach is to filter and process untrusted data in the different internal logic layers of the web system. There are three main ways to filter in general: filtering based on keywords, filtering based on encoding, and filtering based on string processing.

Anti-filtering Rules Analysis

The anti-filtering rule set is a set of conversion methods for untrusted data. By applying one or more methods of the anti-filtering rule set, untrusted data submitted by the user can be converted so that it bypasses the filtering rules of the web system server and still executes normally. There are five main methods in the anti-filtering rule set:

Content recoding. If the key part of the test data is recoded without affecting its execution, it can bypass keyword filtering based on the web system blacklist.

Code sensitive word processing. The web system filters a variety of keywords, such as alert, script and other keywords of XSS vulnerabilities, so related sensitive words must be handled to bypass the filtering. In particular, sensitive words can be bypassed through replacement, comment insertion and other methods.

Character writing style confusion. Without affecting execution, mixing upper and lower case, or mixing full-width and half-width characters, can bypass the filtering mechanism.

Code format reconstruction. HTML and JavaScript both support multi-line code, so one can try inserting multiple Tab and Enter characters to restructure the format and bypass the filtering mechanism.

Encoding format conversion. There are many character encoding formats, such as ANSI, Unicode, UTF-8, etc., so converting the encoding format is a good way to bypass the filtering rules.

Through the study of the filtering rules, we know how the web system handles untrusted data, and we can carry out the corresponding anti-filtering process for each handling method. Hence, the pass rate of the test cases in vulnerability scanning is greatly improved.

Application of the Algorithm in XSS Scanning

XSS Cross-site Injection. The XSS vulnerability test case library of the web system is composed as follows:

XSS test cases of direct injection. We list these statements directly.

Test cases of the URL pseudo-protocol in JavaScript. We list the various attributes that support the URL pseudo-protocol, such as src, href, etc.

For the test cases in HTML, we list the commonly used HTML labels (tags) and events according to the HTML syntax rules to compose test cases. According to their different scopes, HTML labels are divided into 4 categories [7]: window labels, form labels, image labels and other labels. Events are likewise divided into 5 categories [7]; the specific categories are shown in Table 1.

Table 1. Labels and Events Classification [7].

| Labels and events | List |
|---|---|
| window label | <body>, <frame>, <iframe>, <frameset>, etc. |
| form label | <input>, <form>, <textarea>, <button>, <select>, <option>, <isindex>, <label>, <fieldset>, <legend>, <optgroup>, <meter>, etc. |
| audio and video label | <img>, <audio>, <video>, etc. |
| other labels | <table>, <meta>, <base>, <object>, <div>, <source>, etc. |
| window event | onload, onunload, etc. |
| form event | onchange, onsubmit, onreset, onselect, onfocus, onblur, onscroll, etc. |
| image event | onabort, onresize, etc. |
| keyboard and mouse event | onkeyup, onkeydown, onkeypress, onclick, ondblclick, onmousemove, onmousedown, onmouseout, onmouseover, onmouseup, etc. |
| other events | onerror, etc. |

The Way of Attack Data Optimization. Through analysis of the current filtering rules and the ways of anti-filtering, we can make targeted changes to the test cases to improve the test case library. The anti-filtering rules represent conversions of the XSS code; they can be used alone or combined in several different ways.

Mode 1: Code sensitive word processing. For sensitive-word filtering methods such as masking or forbidding execution, we can bypass the filtering by decomposing the sensitive words or adding comments to the code. For example, the original code and the code after inserting a comment are shown below.

< div style="width:expression( alert( xss ) ) ; " >
< div style="width:expr/*xss*/ ession( alert( xss ) ) ; " >

Mode 2: Character writing style confusion. The case requirements of HTML are not strict, while JavaScript is case-sensitive, so mixed-case writing in the code can break some of the filtering behavior on XSS. For example:

< img src = JavAsCrIpT: alert( /XSS/ ) >

Mode 3: Content re-encoding or transcoding. As noted above, code and labels can be represented in several encodings, so we can bypass the filtering rules by re-encoding or converting the encoding format of the corresponding code or labels. For example:

<script>onclick&#61;alert(&#39;xss&#39;)</sc&#114;ipt>

Mode 4: Code format reconstruction. HTML code and JavaScript code both support a multi-line code format, so we can bypass the server filtering by code format reconstruction. For example, <script>alert ('test') </script> could be converted as follows.

< script>aler t( text )</ script >

Against the common security filtering of web systems, we can use the above four methods to optimize the test samples to be sent. They expand the test sample library and enhance the XSS vulnerability detection results.
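As an added example (not code from the paper), the following Python shows why each of the four modes above defeats a raw keyword blacklist of the kind the paper describes, how canonicalising the input first (entity decoding, comment stripping, whitespace removal, case folding) restores the match, and, using the reflection criterion the paper's scanner applies in its experiment, why encoding on output rather than filtering on input is the mitigation that holds regardless of mode. The blacklist, the page template and the sample spacing are assumptions; the samples themselves are the paper's own four mode examples.

```python
import html
import re

# Constructed samples, taken from the four "Mode" examples in the paper (spacing
# normalised); each is what the paper's scanner would send after applying the
# named anti-filtering rule to a plain test case.
SAMPLES = {
    "mode1_comment":  '<div style="width:expr/*xss*/ession(alert(xss));">',
    "mode2_case":     '<img src=JavAsCrIpT:alert(/XSS/)>',
    "mode3_entities": '<script>onclick&#61;alert(&#39;xss&#39;)</sc&#114;ipt>',
    "mode4_format":   '<script>aler\tt(text)</\nscript>',
}

# Hypothetical keyword blacklist of the kind the paper describes: plain,
# case-sensitive substring matching on the raw request data.
BLACKLIST = ("<script>", "</script>", "javascript:", "alert(", "expression(", "onclick=")


def naive_matches(data: str) -> set:
    """Keywords a raw substring blacklist sees in the untrusted data."""
    return {kw for kw in BLACKLIST if kw in data}


def canonicalise(data: str) -> str:
    """Undo the four anti-filtering modes before the data is inspected."""
    s = html.unescape(data)                      # mode 3: &#61; -> '=', &#114; -> 'r'
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)  # mode 1: drop inline comments
    s = re.sub(r"\s+", "", s)                    # mode 4: drop tabs and newlines
    return s.lower()                             # mode 2: case-fold


def hardened_matches(data: str) -> set:
    """Keywords seen once the data has been canonicalised first."""
    return {kw for kw in BLACKLIST if kw in canonicalise(data)}


def bypassed_keywords(data: str) -> set:
    """Keywords the raw blacklist misses but canonicalised inspection catches."""
    return hardened_matches(data) - naive_matches(data)


# The scanner's confirmation criterion from the experiment section: a finding
# is confirmed when the submitted test case comes back unchanged in the HTML.
PAGE_TEMPLATE = "<html><body>You searched for: {{q}}</body></html>"  # constructed


def reflect_unsafely(query: str) -> str:
    """Vulnerable pattern: untrusted input placed in the page as-is."""
    return PAGE_TEMPLATE.replace("{{q}}", query)


def reflect_safely(query: str) -> str:
    """Mitigation that input filtering cannot replace: HTML-encode on output,
    so the test case renders as text whichever anti-filtering mode produced it."""
    return PAGE_TEMPLATE.replace("{{q}}", html.escape(query, quote=True))


def scanner_confirms(response_html: str, test_case: str) -> bool:
    """True when the test case is reflected verbatim, i.e. the paper's XSS criterion."""
    return test_case in response_html


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name}: raw blacklist misses {sorted(bypassed_keywords(sample))}")
        print(f"  confirmed on unsafe reflection: {scanner_confirms(reflect_unsafely(sample), sample)}")
        print(f"  confirmed on encoded reflection: {scanner_confirms(reflect_safely(sample), sample)}")
```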

Experiment

Experimental Method Design

In order to verify the effect of applying the anti-filtering rules in XSS vulnerability scanning, an anti-filtering rule conversion module is added to the XSS vulnerability scanning process. If the original test case cannot trigger the vulnerability, the test case is transformed according to the anti-filtering rules and retested until all transformation modes have been tried. The process is divided into three parts: the web crawler, the test preparation and the vulnerability detection.

The first part is the web crawler. It is responsible for crawling data starting from the URL of the initial site. It also analyzes the content of each page to extract suspected injection points.

The second part is the test case library preparation. This module generates test cases according to the results returned for the probe data, and carries out the vulnerability scanning confirmation. As a comparison, we extend the generated test cases with the anti-filtering rule set, scan the site vulnerabilities again, and finally compare the results.

The third part is vulnerability scanning. Each injection point extracted by the crawler is combined with the corresponding test case. We submit the data to the server through GET and POST and compare and analyze the returned results. If a test case is returned unchanged in the HTML page, we know that an XSS cross-site vulnerability exists; its URL and the test case are then stored and recorded.

We perform 12 scans of 6 web sites: 6 scans with test cases that are not optimized with anti-filtering rules and, as a contrast, 6 scans with test cases optimized using anti-filtering rules.

Experimental Result

During the experiment, we mainly measure the effectiveness and the time of XSS vulnerability scanning, and then make a comprehensive comparison of scan coverage and scan efficiency. Finally, we show the advantages of applying anti-filtering rules to cross-site vulnerability scanning. The specific experimental data are shown below (for security reasons, we do not publish the site addresses). The vulnerability scanning results and scan times are shown in Table 2.

Table 2. Vulnerability scanning results.

| Site | Vulnerabilities without anti-filtering rules | Vulnerabilities with anti-filtering rules | Scan time without anti-filtering rules (s) | Scan time with anti-filtering rules (s) |
|---|---|---|---|---|
| 1 | 3 | 4 | 387 | 436 |
| 2 | 1 | 1 | 296 | 398 |
| 3 | 5 | 7 | 524 | 713 |
| 4 | 3 | 5 | 368 | 446 |
| 5 | 2 | 2 | 304 | 453 |
| 6 | 4 | 5 | 375 | 502 |

Experimental Data Analysis

During the experiment, we mainly record the effect of XSS vulnerability scanning and the time required for scanning. From a comprehensive comparison of scan coverage and scan efficiency, we validate the advantages of anti-filtering rules for cross-site vulnerability scanning and their applicability to other vulnerability scans. The vulnerability scanning results are shown in Figure 1(a), and the scan time is shown in Figure 1(b).

Figure 1. The result of scanning comparison. (a) Collation map of scanning effect: the number of vulnerabilities found per site without and with anti-filtering rules. (b) Scan time comparison: the scan time consumption per site without and with anti-filtering rules.

By observing the scan results and the time consumption, the following conclusions can be drawn:

1. The coverage of XSS vulnerabilities is improved by the anti-filtering rules.
2. The time of vulnerability scanning using the anti-filtering rules increases. The reason is that the test cases produced by the anti-filtering rules increase the number of test data packets.
3. The comparison experiment shows that the scanning efficiency is greatly improved, and the method is highly feasible for small and medium-sized enterprises.

Summary

This paper summarizes the causes, classification and harm of web system vulnerabilities. It also analyzes the principle, characteristics, harm and defense of XSS vulnerabilities. A web vulnerability scanning algorithm based on anti-filtering rules is proposed. The core of the algorithm is establishing the anti-filtering rule set through analysis of the filtering rules of the web system. The anti-filtering rule set is composed of conversion methods for untrusted data: the data is processed with content recoding and the other methods in the rule set, but still maintains its basic function after filtering. We apply this algorithm to optimize the test case libraries needed for XSS vulnerability scanning. The coverage of vulnerability scanning is thus enhanced and we obtain a more secure web system.

Acknowledgement

The authors thank the editor and reviewers for their suggestions to improve the quality of the paper. This work was supported by the National Key Research and Development Program of China under Grant 2016YFB0800903, the NSF of China (U1636112, U1636212) and the NSF of China (U1536118).

References

[1] Jiang Yu. Research and implementation of Web security vulnerability detection system [D]. Jilin University, 2011.
[2] Pixy [EB/OL]. http://pixybox.seclab.tuwien.ac.at/pixy/.
[3] Nessus [EB/OL]. http://www.tenable.com/products/nessus, 2012.
[4] Wichers D. OWASP Top-10 2013 [J]. 2013.
[5] Beijing Venustech Inc. XSS Attack Defense Technical White Paper [EB/OL]. http://www.venustech.com.cn/newsinfo/358/7770.html.
[6] Qin Ying. Research and realization of XSS cross-site script attack detection technology based on behavior [D]. Xidian University, 2010.
[7] Qiu Yongjie. Study on XSS attack and defense Technology [D]. Beijing Jiaotong University, 2010.