Skip to main content

Toward Automated Audit of Client-Side Vulnerability Against Cross-Site Scripting

  • 194 Accesses

Part of the Lecture Notes in Networks and Systems book series (LNNS,volume 346)

Abstract

There are many types of web attacks on the Internet. While cross-site scripting (XSS) is one of the most popular among attackers, it is also one of the most underrated attack vectors. The typical use of XSS attacks is to steal cookies and expose sensitive information. An XSS attack occurs when the attacker tricks a legitimate web application to accept a malicious request. In this context, XSS is a server-side vulnerability. Hence, many previous studies had focused on evaluating server-side vulnerability against XSS attacks. Some studies have focused on evaluating client-side vulnerability against XSS attacks. The latest version of web browsers, plugins, and operating systems is a basic countermeasure against XSS attacks. However, keeping the latest updates on all computers requires time and effort. Furthermore, this does not reveal the actual impact of vulnerability. In this paper, we propose an automated audit method of client-side vulnerability against XSS. Our method is based on Browser Exploitation Framework (BeEF), which is designed to provide effective client-side attack vectors and to exploit any potential vulnerabilities in the web browser. Our method automates the penetration testing process using the RESTful API. The experimental result shows that our method provides a remote testing option for client computers and evaluates the actual impact of XSS vulnerability.

Keywords

  • XSS
  • Penetration test
  • Client-side vulnerability

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-90072-4_15
  • Chapter length: 10 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   219.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-90072-4
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   279.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.

Notes

  1. 1.

    https://beefproject.com/.

References

  1. Bland, J.A., Petty, M.D., Whitaker, T.S., Maxwell, K.P., Cantrell, W.A.: Machine learning cyberattack and defense strategies. Comput. Secur. 92, 101,738 (2020). https://doi.org/10.1016/j.cose.2020.101738. https://www.sciencedirect.com/science/article/pii/S0167404818309799

  2. Doupé, A., Cui, W., Jakubowski, M.H., Peinado, M., Kruegel, C., Vigna, G.: deDacota: toward preventing server-side XSS via automatic code and data separation. In: Sadeghi, A., Gligor, V.D., Yung, M. (eds.) 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, Berlin, Germany, 4–8 November 2013, pp. 1205–1216. ACM (2013). https://doi.org/10.1145/2508859.2516708

  3. Jaballah, W.B., Kheir, N.: A grey-box approach for detecting malicious user interactions in web applications. In: You, I., Bertino, E., (eds.) Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats, MIST@CCS 2016, Vienna, Austria, 28 October 2016, pp. 1–12. ACM (2016). http://dl.acm.org/citation.cfm?id=2995966

  4. Lekies, S., Stock, B., Johns, M.: 25 million flows later: large-scale detection of DOM-based XSS. In: Sadeghi, A., Gligor, V.D., Yung, M. (eds.) 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, Berlin, Germany, 4–8 November 2013, pp. 1193–1204. ACM (2013). https://doi.org/10.1145/2508859.2516703

  5. Liu, M., Wang, B.: A web second-order vulnerabilities detection method. IEEE Access 6, 70,983–70,988 (2018). https://doi.org/10.1109/ACCESS.2018.2881070

  6. Maeda, R., Mimura, M.: Automating post-exploitation with deep reinforcement learning. Comput. Secur. 100, 102,108 (2021). https://doi.org/10.1016/j.cose.2020.102108. https://www.sciencedirect.com/science/article/pii/S0167404820303813

  7. Pan, J., Mao, X.: Detecting DOM-sourced cross-site scripting in browser extensions. In: 2017 IEEE International Conference on Software Maintenance and Evolution, ICSME 2017, Shanghai, China, 17–22 September 2017, pp. 24–34. IEEE Computer Society (2017). https://doi.org/10.1109/ICSME.2017.11

  8. Pan, X., Cao, Y., Liu, S., Zhou, Y., Chen, Y., Zhou, T.: CSPAutoGen: black-box enforcement of content security policy upon real-world websites. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 653–665. ACM (2016). https://doi.org/10.1145/2976749.2978384

  9. Panja, B., Gennarelli, T., Meharia, P.: Handling cross site scripting attacks using cache check to reduce webpage rendering time with elimination of sanitization and filtering in light weight mobile web browser. In: 2015 First Conference on Mobile and Secure Services (MOBISECSERV), pp. 1–7 (2015). https://doi.org/10.1109/MOBISECSERV.2015.7072878

  10. Steinhauser, A., Gauthier, F.: JSPChecker: static detection of context-sensitive cross-site scripting flaws in legacy web applications. In: Murray, T.C., Stefan, D. (eds.) Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security, PLAS@CCS 2016, Vienna, Austria, 24 October 2016, pp. 57–68. ACM (2016). https://doi.org/10.1145/2993600.2993606

  11. Stock, B., Lekies, S., Mueller, T., Spiegel, P., Johns, M.: Precise client-side protection against DOM-based cross-site scripting. In: Fu, K., Jung, J. (eds.) Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, 20–22 August 2014, pp. 655–670. USENIX Association (2014). https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/stock

Download references

Acknowledgements

This work was supported by JSPS KAKENHI Grant Number 21K11898.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Mamoru Mimura .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Mimura, M., Yamasaki, T. (2022). Toward Automated Audit of Client-Side Vulnerability Against Cross-Site Scripting. In: Barolli, L. (eds) Advances on Broad-Band Wireless Computing, Communication and Applications. BWCCA 2021. Lecture Notes in Networks and Systems, vol 346. Springer, Cham. https://doi.org/10.1007/978-3-030-90072-4_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-90072-4_15

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-90071-7

  • Online ISBN: 978-3-030-90072-4

  • eBook Packages: EngineeringEngineering (R0)