Vol. 17 No. 2 (2021)

Published: December 31, 2021

Pages: 58-65

Original Article

Server Side Method to Detect and Prevent Stored XSS Attack

Abstract

Cross-Site Scripting (XSS) is one of the most common and dangerous attacks. The user is the target of an XSS attack, but the attacker reaches the user by exploiting an XSS vulnerability in a web application as a bridge. There are three types of XSS attacks: Reflected, Stored, and DOM-based. This paper focuses on the Stored-XSS attack, which is the most dangerous of the three. In Stored-XSS, the attacker injects a malicious script into the web application, and the script is saved in the website's repository. This paper proposes a method to detect and prevent Stored-XSS. The Prevent Stored-XSS Server (PSS) is proposed as a server that tests and sanitizes input to web applications before it is saved in the database. Every user input is checked for a malicious script, and if one is found, the input is sanitized and the sanitized version is saved in the database in place of the harmful input. The PSS is tested using a vulnerable open-source web application; it succeeds in detection by identifying the harmful script within the input and prevents the attack by sanitizing the input, with an average time of 0.3 seconds.
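The abstract describes a check-then-sanitize step that sits between the web application and its database. The following is an added example illustrating that flow; it is not the paper's PSS implementation, and the class and function names (`PSS`, `inspect_input`, `sanitize_input`) are this example's own. Because the page does not state the paper's sanitization rule, the example uses HTML escaping (`html.escape`) so that stored text is rendered literally by the browser; the detection pass uses the standard-library `HTMLParser` to look for script-bearing tags, `on*` event-handler attributes and `javascript:`/`vbscript:` URL schemes (including entity-encoded and whitespace-padded variants, which the parser normalizes before the check).

```python
"""Added example (not from the paper): server-side check-and-sanitize
before a database write, in the spirit of the PSS described above."""
import html
import re
from html.parser import HTMLParser

# Tags and attributes that can cause a browser to run script or load
# active content when stored content is later rendered in a page.
DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "svg", "math",
                  "link", "meta", "style", "base"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


class _ScriptFinder(HTMLParser):
    """Collects the reasons an HTML fragment could execute script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"event-handler:{lname}")
            elif lname in URL_ATTRS and value is not None:
                # HTMLParser has already decoded entities in the value;
                # strip whitespace/control characters before the scheme check.
                normalized = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if normalized.startswith(SCRIPT_SCHEMES):
                    self.findings.append(f"url-scheme:{lname}")


def inspect_input(text: str) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    finder = _ScriptFinder()
    finder.feed(text)
    finder.close()
    return finder.findings


def sanitize_input(text: str) -> str:
    """Escape HTML metacharacters so the content is stored as inert text."""
    return html.escape(text, quote=True)


class PSS:
    """Hypothetical gateway: every write to the site's database passes here."""

    def __init__(self):
        self.database = []  # constructed in-memory stand-in for a DB table
        self.log = []       # detection log (field, findings) for the operator

    def store(self, field: str, value: str) -> str:
        findings = inspect_input(value)
        if findings:
            self.log.append((field, findings))
            value = sanitize_input(value)   # store the sanitized text instead
        self.database.append((field, value))
        return value


if __name__ == "__main__":
    pss = PSS()
    # Constructed sample inputs: one benign comment, one carrying a script tag.
    for text in ("Nice article, <b>thanks</b>!", "<script>alert(1)</script>"):
        print(repr(pss.store("comment", text)))
    print(pss.log)
```

Escaping everything is the conservative choice: it never lets markup through, at the cost of rendering benign tags such as `<b>` literally. An application that must allow a subset of HTML would replace `sanitize_input` with an allowlist-based sanitizer while keeping the same detect-then-sanitize placement in front of the database write, which is the point the abstract makes.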
