Abstract
This article presents a novel framework, XSS-Secure, which detects and alleviates the propagation of Cross-Site Scripting (XSS) worms from Online Social Network (OSN)-based multimedia web applications in a cloud environment. It operates in two modes: a training mode and a detection mode. The training mode sanitizes the extracted untrusted variables of JavaScript code in a context-aware manner and stores the sanitized code in a sanitizer snapshot repository and on the OSN web server for further instrumentation in the detection mode. The detection mode compares the sanitized HTTP response (HRES) generated at the OSN web server with the sanitized response stored in the sanitizer snapshot repository. Any variation observed in this HRES message indicates the injection of XSS worms from remote OSN servers. XSS-Secure determines the context of such worms, performs context-aware sanitization on them, and finally transmits the sanitized HRES to the OSN user. A prototype of the framework was developed in Java and its components were integrated on the virtual machines of a cloud environment. The detection and alleviation capability of the cloud-based framework was tested on real-world multimedia-based web applications, including OSN-based web applications. Experimental outcomes reveal that the framework is capable of mitigating the dissemination of XSS worms from non-OSN web applications as well as OSN web sites, with acceptable false negative and false positive rates.
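A minimal model of the two modes described above, added here as an illustration and not taken from the authors' Java prototype. It assumes a `{{name:context}}` slot syntax for the OSN page template, a Python dict standing in for the sanitizer snapshot repository, and four output contexts (HTML body, HTML attribute, JavaScript string, URL); training records the page structure, detection recovers each slot's live content, sanitizes it in its own context and reports every slot whose content changed as a variation.

```python
import html
import json
import re
from urllib.parse import quote

# Assumed slot syntax for the templated OSN page: {{name:context}}.
SLOT = re.compile(r"\{\{(\w+):(html_body|html_attr|js_string|url)\}\}")

def sanitize(value, context):
    """Context-aware sanitizer: the escaping depends on where the value lands."""
    if context == "html_body":
        return html.escape(value, quote=False)
    if context == "html_attr":
        return html.escape(value, quote=True)
    if context == "js_string":
        # JSON escaping covers quotes, backslashes and newlines; "</" is also
        # broken so the value cannot terminate the enclosing <script> element.
        return json.dumps(value)[1:-1].replace("</", "<\\/")
    if context == "url":
        return quote(value, safe="")
    raise ValueError("unknown context: " + context)

def train(repo, page_id, template):
    """Training mode: store the page template in the snapshot repository plus
    a matcher that recovers the value occupying each slot from a live HRES."""
    parts, slots, pos = [], [], 0
    for m in SLOT.finditer(template):
        parts.append(re.escape(template[pos:m.start()]) + "(.*?)")
        slots.append((m.group(1), m.group(2)))
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    matcher = re.compile("^" + "".join(parts) + "$", re.S)
    repo[page_id] = {"template": template, "matcher": matcher, "slots": slots}

def detect(repo, page_id, hres):
    """Detection mode: sanitize each slot of the server's HRES in its context;
    a slot whose content changed is a variation. Returns (variations, safe_hres)."""
    entry = repo[page_id]
    m = entry["matcher"].match(hres)
    if m is None:
        raise ValueError("HRES does not match the snapshot structure")
    clean, variations = [], []
    for (name, ctx), raw in zip(entry["slots"], m.groups()):
        clean.append(sanitize(raw, ctx))
        if clean[-1] != raw:
            variations.append((name, ctx))
    filled = iter(clean)
    safe = SLOT.sub(lambda _: next(filled), entry["template"])
    return variations, safe
```

Values the server had already escaped are reported and escaped a second time by this model; applying the check to the extracted untrusted variables before they are written into the response, as the abstract describes, avoids that.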
Acknowledgments
The authors would like to thank members of Information and Cyber Security Research Group working in the National Institute of Technology Kurukshetra, India for their valuable feedback and worthwhile discussions. This work was financially supported by TEQIP-II.
Cite this article
Gupta, S., Gupta, B.B. XSS-secure as a service for the platforms of online social network-based multimedia web applications in cloud. Multimed Tools Appl 77, 4829–4861 (2018). https://doi.org/10.1007/s11042-016-3735-1