
An Infrastructure-Based Framework for the Alleviation of JavaScript Worms from OSN in Mobile Cloud Platforms

  • Shashank Gupta
  • Brij B. Gupta
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9955)

Abstract

This paper presents an infrastructure-based mobile cloud computing framework that blocks the execution of JavaScript (JS) worms injected from untrustworthy remote servers. Execution of such worms triggers Cross-Site Scripting (XSS) attacks on the mobile cloud-based Online Social Network (OSN). The framework operates in two steps. First, it extracts the Uniform Resource Identifier (URI) links embedded in the HTTP response in order to isolate the untrusted JS links and code. Second, it generates the Document Object Model (DOM) tree corresponding to each extracted HTTP response, traverses that tree for script nodes, and extracts the JS code embedded in them. The two extracted sets of JS code are then compared to detect similar code. Such similar code points directly to the untrusted JavaScript that an attacker would use to exploit XSS vulnerabilities in the OSN. A prototype of the framework was developed in Java, with the functionality of its components integrated on the virtual machines of mobile cloud platforms. Experimental testing and performance evaluation were carried out on open-source OSN websites deployed on the virtual cloud servers. The evaluation results show that the framework detects untrusted JS worms with a very high precision rate, a low false-positive rate and acceptable performance overhead.
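The two-step pipeline described in the abstract, as an added Python example that is not the paper's Java prototype: it collects the URI links in an HTTP response, keeps the ones that point outside a trusted-origin allowlist, walks the parsed document for script nodes, and reports inline script bodies whose code matches what the untrusted URIs serve. The allowlist, the sample response, the stand-in `fake_fetch` used in place of a real retrieval of remote code, the whitespace-stripping normalisation and the 0.8 similarity threshold are all assumptions of this example.

```python
"""Detect script code shared between untrusted remote URIs and a page's DOM.

Added example, not the paper's prototype. It follows the two steps in the
abstract: (1) collect the URI links in an HTTP response and keep those whose
host is outside a trusted-origin allowlist; (2) walk the parsed document,
collect <script> nodes, and compare the embedded JS with the code served by
the untrusted URIs. Hosts, sample data, fetch stand-in and threshold are
assumptions.
"""
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Records every src/href URI and the body of every inline <script>."""

    def __init__(self):
        super().__init__()
        self.uris = []          # step 1: URI links embedded in the response
        self.inline = []        # step 2: JS code embedded in script nodes
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for key in ("src", "href"):
            if attrs.get(key):
                self.uris.append(attrs[key])
        if tag == "script":
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:          # HTMLParser hands script text to handle_data
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:                 # <script src=...></script> has no body
                self.inline.append(body)


def normalize_js(code: str) -> str:
    """Strip all whitespace so formatting differences do not hide a match (assumed heuristic)."""
    return "".join(code.split())


def untrusted_uris(uris, trusted_hosts):
    """Keep URIs whose host is not on the allowlist; relative URIs are same-origin."""
    out = []
    for uri in uris:
        host = urlsplit(uri).netloc.lower()
        if host and host not in trusted_hosts:
            out.append(uri)
    return out


def find_shared_code(remote_code, inline_scripts, threshold=0.8):
    """Return (uri, inline_index, ratio) for inline scripts similar to untrusted remote code."""
    hits = []
    for uri, code in remote_code.items():
        a = normalize_js(code)
        for i, script in enumerate(inline_scripts):
            ratio = SequenceMatcher(None, a, normalize_js(script)).ratio()
            if ratio >= threshold:
                hits.append((uri, i, round(ratio, 2)))
    return hits


def analyse_response(html, trusted_hosts, fetch):
    """End to end: parse the response, isolate untrusted URIs, compare the two code sets."""
    col = ScriptCollector()
    col.feed(html)
    col.close()
    suspect = untrusted_uris(col.uris, trusted_hosts)
    remote = {uri: fetch(uri) for uri in suspect}
    return {
        "untrusted_uris": suspect,
        "inline_count": len(col.inline),
        "matches": find_shared_code(remote, col.inline),
    }


# Constructed allowlist: the OSN's own origin.
TRUSTED_HOSTS = {"osn.example"}

# Constructed HTTP response body: one trusted script, one relative link,
# one untrusted external script, and two inline scripts.
SAMPLE_RESPONSE = """<html><body>
<script src="https://osn.example/static/app.js"></script>
<a href="/profile/42">profile</a>
<script src="https://cdn.untrusted-example.net/w.js"></script>
<script>
  var counter = 0;
  function tick() { counter = counter + 1; return counter; }
</script>
<script>console.log("hello");</script>
</body></html>"""

# Constructed stand-in for retrieving the code behind an untrusted URI (offline).
FAKE_REMOTE = {
    "https://cdn.untrusted-example.net/w.js":
        "var counter=0;\nfunction tick(){counter=counter+1;return counter;}",
}


def fake_fetch(uri):
    return FAKE_REMOTE.get(uri, "")


if __name__ == "__main__":
    print(analyse_response(SAMPLE_RESPONSE, TRUSTED_HOSTS, fake_fetch))
```

`analyse_response` returns the untrusted URIs it found, the number of inline script nodes, and a list of `(uri, inline_index, ratio)` matches; here the first inline script is reported as identical (ratio 1.0) to the code served by the untrusted URI, while the `console.log` script is not. In a deployment the fetch would retrieve the remote code over the network, and the whitespace-only normalisation would need replacing with a tokeniser that tolerates minification and renamed identifiers.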

Keywords

Mobile cloud computing; Cloud security; JavaScript worms; Cross-Site Scripting (XSS) attacks; Online Social Network (OSN)


Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. Department of Computer Engineering, National Institute of Technology Kurukshetra, Haryana, India
