
Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 842))


Abstract

We propose a new methodology for sanitizing web pages to prevent code injection attacks. A common programming error in web applications is the use of an improper encoding method when sanitizing untrusted data that is written into the source of a web page. Our methodology applies the proper encoding method to web pages that encode untrusted data improperly, and so stops the code injection attacks that such improper encoding causes. Our framework is an automatic encoding method for sanitizing output destined for the web browser, which contains multiple interpreters: JavaScript, CSS, HTML and URI. The methodology also aims to detect zero-day XSS vulnerabilities that detection tools may miss. It can prevent many types of code injection vulnerability, in particular XSS injection vulnerabilities.

A study sponsored by Google found that thirty percent of encoding-method uses are incorrect. This incorrect encoding leads to code injection vulnerabilities in web pages. In some cases more than one encoding method must be applied in the same context, for example URI encoding together with JavaScript encoding.
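The layered-encoding problem described above, as an added example that is not the chapter's framework or code: one encoder per browser interpreter (HTML, JavaScript string, CSS string, URI), a naive renderer that applies HTML encoding to every sink, and a context-aware renderer that encodes an `onclick` value in the reverse of the order in which the browser decodes it (URI, then JavaScript string, then HTML attribute). The function names, the `track()` handler, the `decodeHtml`/`simulateClick` model of the browser pipeline and the sample payload are all constructed for this example.

```javascript
'use strict';
// Added example (not the chapter's framework): one output encoder per
// interpreter, composed in the reverse of the order in which the browser
// decodes the page. Function names and the sample payload are this
// example's own assumptions.

// HTML text and quoted HTML attribute values. Attributes MUST be quoted
// for this encoder to be sufficient.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// JavaScript string literal: every non-alphanumeric UTF-16 unit becomes
// \xHH or \uHHHH, so the output can never close the literal or a <script>.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const u = c.charCodeAt(0);
    return u < 0x100 ? '\\x' + u.toString(16).padStart(2, '0')
                     : '\\u' + u.toString(16).padStart(4, '0');
  });
}

// CSS string: \HH<space> hex escapes (the trailing space ends the escape).
function encodeCssString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, c => '\\' + c.codePointAt(0).toString(16) + ' ');
}

// URI query component: encodeURIComponent plus the five characters it leaves
// alone; they matter once the URL is embedded in a JS or CSS string.
function encodeUriComponentStrict(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// The "improper encoding" case: one HTML encoder applied to every sink,
// including the JavaScript string inside an event handler attribute.
function renderSearchLinkNaive(term) {
  const h = encodeHtml(term);
  return '<a href="/search?q=' + h + '" onclick="track(\'/search?q=' + h + '\')">' + h + '</a>';
}

// Context-aware version. The handler value passes through three interpreters
// (HTML parser, JS engine, URL parser), so it is encoded in reverse order:
// URI first, then JS string, then HTML attribute.
function renderSearchLink(term) {
  const q = encodeUriComponentStrict(term);
  const handler = "track('/search?q=" + encodeJsString(q) + "')";
  return '<a href="' + encodeHtml('/search?q=' + q) + '"'
       + ' onclick="' + encodeHtml(handler) + '">'
       + encodeHtml(term) + '</a>';
}

// Minimal model of the browser pipeline for an onclick attribute: decode
// character references as the HTML parser would, then run the result with
// stubbed track() and alert() and record which of them was called.
function decodeHtml(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-z]+);/g, (m, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      return String.fromCodePoint(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    return Object.prototype.hasOwnProperty.call(named, body) ? named[body] : m;
  });
}

function simulateClick(html) {
  const m = /onclick="([^"]*)"/.exec(html);
  const calls = [];
  new Function('track', 'alert', decodeHtml(m[1]))(
    url => calls.push(['track', url]),
    msg => calls.push(['alert', msg]));
  return calls;
}

const PAYLOAD = "');alert(1)//"; // constructed sample input
console.log(simulateClick(renderSearchLinkNaive(PAYLOAD))); // track() then alert(1)
console.log(simulateClick(renderSearchLink(PAYLOAD)));      // track() only
```

The naive output looks safe when read as HTML source (`&#x27;` everywhere), but the HTML parser hands the decoded `'` to the JavaScript engine, which is why the payload breaks out of the string literal in the first case and stays inert data in the second.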


References

  1. Weinberger, J., Saxena, P., Akhawe, D., Finifter, M., Shin, R., Song, D.: A systematic analysis of XSS sanitization in web application frameworks. In: 16th European Symposium on Research in Computer Security (ESORICS 2011), pp. 150–171. Springer, Heidelberg (2011)

  2. Sadeghian, A., Zamani, M., Manaf, A.: SQL injection vulnerability general patch using header sanitization. In: IEEE International Conference on Computer, Communication, and Control Technology (I4CT 2014), pp. 239–242. IEEE (2014)

  3. Medeiros, I., Neves, N., Correia, M.: Automatic detection and correction of web application vulnerabilities using data mining to predict false positives. In: WWW 2014, Proceedings of the 23rd International Conference on World Wide Web, pp. 63–74 (2014)

  4. Bisht, P., Venkatakrishnan, V.N.: XSS-GUARD: precise dynamic prevention of cross-site scripting attacks. In: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2008), LNCS vol. 5137, pp. 23–43. Springer, Berlin (2008)

  5. An Introduction to Cross Site Scripting, April 2018. https://www.cybrary.it/0p3n/an-introduction-to-cross-site-scripting

  6. Balzarotti, D., Cova, M., Felmetsger, V., Jovanovic, N., Kirda, E., Kruegel, C., Vigna, G.: Saner: composing static and dynamic analysis to validate sanitization in web applications. In: IEEE Symposium on Security and Privacy (SP 2008), pp. 387–401. IEEE (2008)

  7. Weinberger, J., Saxena, P., Akhawe, D., Finifter, M., Shin, R., Song, D.: An Empirical Analysis of XSS Sanitization in Web Application Frameworks (2011)

  8. Mohammadi, M., Chu, B., Lipford, H.: Detecting cross-site scripting vulnerabilities through automated unit testing. In: IEEE International Conference on Software Quality, Reliability and Security (QRS 2017), pp. 364–373. IEEE (2017)

  9. Zed Attack Proxy (ZAP), April 2018. https://www.utest.com/tools/zed-attack-proxy-zap

  10. Meier, J.D., Mackman, A., Wastell, B., Bansode, P., Wigley, A.: How To: Prevent Cross-Site Scripting in ASP.NET, April 2018. https://msdn.microsoft.com/en-us/library/ff649310.aspx

  11. Javed, A.: Revisiting XSS sanitization. In: ISACA Ireland Conference 2014 (2014)

  12. Giuca, M.: URI Encoding Done Right, April 2018. https://unspecified.wordpress.com/2008/05/24/uri-encoding/


Author information

Corresponding author: Hussein Alnabulsi.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Alnabulsi, H., Islam, R. (2019). Web Sanitization from Malicious Code Injection Attacks. In: Abawajy, J., Choo, KK., Islam, R., Xu, Z., Atiquzzaman, M. (eds) International Conference on Applications and Techniques in Cyber Security and Intelligence ATCI 2018. ATCI 2018. Advances in Intelligent Systems and Computing, vol 842. Springer, Cham. https://doi.org/10.1007/978-3-319-98776-7_27
