Abstract
Cross-site scripting (XSS) is one of the most critical vulnerabilities found in web applications. An XSS vulnerability is present in a web application that takes untrusted data and sends it to a web browser without proper input validation. An XSS attack allows the adversary to execute scripts in the victim's browser, which can deface web sites, hijack user sessions, or redirect the user to malicious content. Some of the proposed defences against XSS attacks use regular expressions to identify the presence of malicious content. However, these can be bypassed using parsing quirks, and the same holds for client-side filtering mechanisms such as the NoScript and Noxes tools. The existing solutions are comparatively slow and cannot withstand all attack vectors, and some of them are too restrictive, resulting in loss of functionality. In this paper, an API for server-side response filtering is developed. The proposed method allows the HTML to pass through but blocks the harmful scripts. Unlike other approaches, it requires only a minor modification to the existing web application. The performance evaluation shows that the proposed technique has high fidelity and a comparatively low response time.
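The abstract contrasts regex-based filtering, which is defeated by parsing quirks, with a server-side filter that parses the response into a DOM and lets benign markup through while dropping executable content. The following added example (written for this page, not the authors' API and not the code from the paper) shows both halves of that argument in Python using only the standard library: a naive regex "script stripper" as the strawman, and a DOM-based allowlist filter built on `html.parser`. The allowlist policy (`ALLOWED_TAGS`, `SAFE_URL_SCHEMES`) and the helper names are assumptions chosen for the demonstration; the test vectors are constructed, textbook inputs.

```python
"""DOM-based allowlist HTML filter (illustrative, not the paper's API).

Parses a response fragment into a token tree, re-emits only allowlisted
elements and attributes, and drops script-bearing constructs outright.
"""
import html
import re
from html.parser import HTMLParser

# Assumed policy for this example: element -> attributes permitted on it.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "b": set(), "i": set(), "em": set(), "strong": set(),
    "p": set(), "br": set(), "ul": set(), "ol": set(), "li": set(),
    "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}
# Elements whose entire subtree is discarded, not merely their tag.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:")

# Strawman: the regex approach the abstract says is bypassable.
NAIVE_SCRIPT_RE = re.compile(r"<script>.*?</script>", re.IGNORECASE | re.DOTALL)


def regex_filter(fragment: str) -> str:
    """Remove literal <script>...</script> blocks and nothing else."""
    return NAIVE_SCRIPT_RE.sub("", fragment)


def safe_url(value: str) -> bool:
    """Accept relative URLs and allowlisted schemes only.

    Entities are decoded and C0/space characters stripped first, because
    browsers ignore those inside a scheme (e.g. "java\tscript:").
    """
    v = re.sub(r"[\x00-\x20]", "", html.unescape(value)).lower()
    m = re.match(r"^([a-z][a-z0-9+.\-]*):", v)
    if m is None:
        return True  # no scheme at all: relative URL
    return m.group(1) + ":" in SAFE_URL_SCHEMES


class DomFilter(HTMLParser):
    """Rebuilds the document from parsed tokens instead of pattern-matching text."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0        # > 0 while inside a dropped-content element
        self.open_tags: list[str] = []  # emitted elements still open

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        allowed = ALLOWED_TAGS.get(tag)
        if allowed is None:
            return  # unknown element: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            # Event handlers (on*) and non-allowlisted attributes are discarded.
            if name.startswith("on") or name not in allowed:
                continue
            value = value or ""
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close anything left open after it so the output stays well-formed.
            while True:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))  # text is re-escaped

    def handle_comment(self, data):
        pass  # comments are dropped rather than reasoned about

    def result(self) -> str:
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    p = DomFilter()
    p.feed(fragment)
    p.close()
    return p.result()


if __name__ == "__main__":
    # Constructed test vectors; compare what each filter leaves behind.
    for s in ['<img src=x onerror=alert(1)>',
              '<a href="  jAva&#x09;script:alert(1)">x</a>',
              '<p>hi<SCRIPT>alert(1)</SCRIPT></p>']:
        print(repr(s), "| regex:", repr(regex_filter(s)), "| dom:", repr(sanitize(s)))
```

The point the two filters make together: `regex_filter` only recognises the exact byte string it was written for, so an event-handler attribute or a `<script>` tag carrying attributes passes untouched, whereas `sanitize` never asks "does this look like a script"; it asks "is this element and attribute on the allowlist", which is a decision the parser can make reliably after the same tokenisation the browser will perform.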
© 2018 Springer Nature Singapore Pte Ltd.
Cite this paper
Dalai, A.K., Ankush, S.D., Jena, S.K. (2018). XSS Attack Prevention Using DOM-Based Filter. In: Sa, P., Sahoo, M., Murugappan, M., Wu, Y., Majhi, B. (eds) Progress in Intelligent Computing Techniques: Theory, Practice, and Applications. Advances in Intelligent Systems and Computing, vol 719. Springer, Singapore. https://doi.org/10.1007/978-981-10-3376-6_25
DOI: https://doi.org/10.1007/978-981-10-3376-6_25
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-3375-9
Online ISBN: 978-981-10-3376-6