Abstract
Security is becoming one of the major concerns for web applications and other Internet-based services, which are now pervasive across all kinds of business models and organizations. Moreover, critical systems, such as those supporting health care, banking, or even emergency response, increasingly rely on such applications and services. Web applications must therefore provide, in addition to the value they offer their users, reliable mechanisms to ensure their security. In this paper we focus on the specific problem of preventing cross-site scripting attacks against web applications. We present a study of this kind of attack and survey current approaches for its prevention. The applicability and limitations of each proposal are also discussed.
This work has been supported by funding from the Spanish Ministry of Science and Education, under the projects CONSOLIDER CSD2007-00004 “ARES” and TSI2006-03481.
© 2008 Springer-Verlag Berlin Heidelberg
Garcia-Alfaro, J., Navarro-Arribas, G. (2008). A Survey on Detection Techniques to Prevent Cross-Site Scripting Attacks on Current Web Applications. In: Lopez, J., Hämmerli, B.M. (eds) Critical Information Infrastructures Security. CRITIS 2007. Lecture Notes in Computer Science, vol 5141. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-89173-4_24
DOI: https://doi.org/10.1007/978-3-540-89173-4_24
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-89095-9
Online ISBN: 978-3-540-89173-4
eBook Packages: Computer Science (R0)