Skip to main content
SpringerLink
Log in

A Survey on Detection Techniques to Prevent Cross-Site Scripting Attacks on Current Web Applications

  • Conference paper
Critical Information Infrastructures Security (CRITIS 2007)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5141))

Abstract

Security is becoming one of the major concerns for web applications and other Internet based services, which are becoming pervasive in all kinds of business models, organizations, and so on. Moreover, critical systems such as those related to health care, banking, or even emergency response, are relying on such applications and services. Web applications must therefore include, in addition to the expected value offered to their users, reliable mechanisms to ensure their security. In this paper, we focus on the specific problem of preventing crosssite scripting attacks against web applications. We present a study of this kind of attacks, and survey current approaches for their prevention. Applicability and limitations of each proposal are also discussed.

This work has been supported by funding from the Spanish Ministry of Science and Education, under the projects CONSOLIDER CSD2007-00004 “ARES” and TSI2006-03481.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Alcorna, W.: Cross-site scripting viruses and worms – a new attack vector. Journal of Network Security 2006(7), 7–8 (2006)

    Article  Google Scholar 

  2. Amit, Y.: XSS vulnerabilities in Google.com (November 2005), http://seclists.org/fulldisclosure/2005/Dec/1107.html

  3. Anupam, V., Mayer, A.: Secure Web scripting. IEEE Journal of Internet Computing 2(6), 46–55 (1998)

    Article  Google Scholar 

  4. Ashcraft, K., Engler, D.: Using programmer-written compiler extensions to catch security holes. In: IEEE Symposium on Security and Privacy, pp. 143–159 (2002)

    Google Scholar 

  5. Cary, C., Wen, H.J., Mahatanankoon, P.: A viable solution to enterprise development and systems integration: a case study of web services implementation. International Journal of Management and Enterprise Development 1(2), 164–175 (2004)

    Article  Google Scholar 

  6. Crane, D., Pascarello, E., James, D.: Ajax in Action. Manning Publications (2005)

    Google Scholar 

  7. Forrest, S., Hofmeyr, A., Somayaji, A., Longstaff, T.: A sense of self for unix processes. In: IEEE Symposium on Security and Privacy, pp. 120–129 (1996)

    Google Scholar 

  8. Google. Docs & Spreadsheets, http://docs.google.com/

  9. Google. Orkut: Internet social network service, http://www.orkut.com/

  10. Grossman, J., Hansen, R., Petkov, P., Rager, A., Fogie, S.: Cross site scripting attacks: XSS Exploits and defense. In: Syngress. Elsevier, Amsterdam (2007)

    Google Scholar 

  11. Hallaraker, O., Vigna, G.: Detecting Malicious JavaScript Code in Mozilla. In: 10th IEEE International Conference on Engineering of Complex Computer Systems (ICECCS 2005), pp. 85–94 (2005)

    Google Scholar 

  12. Hansen, R.: Cross Site Scripting Vulnerability in Google (July 2006), http://ha.ckers.org/blog/20060704/cross-site-scripting-vulnerability-in-google/

  13. Hansen, R.: XSS cheat sheet for filter evasion, http://ha.ckers.org/xss.html

  14. Howard, M., LeBlanc, D.: Writing secure code, 2nd edn. Microsoft Press, Redmond (2003)

    Google Scholar 

  15. Ismail, O., Etoh, M., Kadobayashi, Y., Yamaguchi, S.: A Proposal and Implementation of Automatic Detection/Collection System for Cross-Site Scripting Vulnerability. In: 18th Int. Conf. on Advanced Information Networking and Applications (AINA 2004) (2004)

    Google Scholar 

  16. Jagatic, T., Johnson, N., Jakobsson, M., Menczer, F.: Social Phishing. Communications of the ACM (to appear)

    Google Scholar 

  17. Jim, T., Swamy, N., Hicks, M.: Defeating Script Injection Attacks with Browser-Enforced Embedded Policies. International World Wide Web Conferencem, WWW 2007 (May 2007)

    Google Scholar 

  18. Jovanovic, N., Kruegel, C., Kirda, E.: Precise alias analysis for static detection of web application vulnerabilities. In: 2006 Workshop on Programming Languages and Analysis for Security, USA, pp. 27–36 (2006)

    Google Scholar 

  19. Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N.N.: A client-side solution for mitigating cross-site scripting attacks. In: 21st ACM Symposium on Applied Computing (2006)

    Google Scholar 

  20. Larson, E., Austin, T.: High coverage detection of input-related security faults. In: 12 USENIX Security Simposium, pp. 121–136 (2003)

    Google Scholar 

  21. Livshits, B., Erlingsson, U.: Using web application construction frameworks to protect against code injection attacks. In: 2007 workshop on Programming languages and analysis for security, pp. 95–104 (2007)

    Google Scholar 

  22. Microsoft. HotMail: The World’s FREE Web-based E-mail, http://hotmail.com/

  23. MySpace. Online Community, http://www.myspace.com/

  24. Mutton, P.: PayPal Security Flaw allows Identity Theft (June 2006), http://news.netcraft.com/archives/2006/06/16/paypal_security_flaw_allows_identity_theft.html

  25. Mutton, P.: PayPal XSS Exploit available for two years? (July 2006), http://news.netcraft.com/archives/2006/07/20/paypal_xss_exploit_available_for_two_years.html

  26. Nguyen-Tuong, A., Guarnieri, S., Green, D., Shirley, J., Evans, D.: Automatically hardering web applications using precise tainting. 20th IFIP International Information Security Conference (2005)

    Google Scholar 

  27. Obscure. Bypassing JavaScript Filters – the Flash! Attack (2002), http://www.cgi-security.com/lib/flash-xss.htm

  28. PayPal Inc. PayPal Web Site, http://paypal.com

  29. Pietraszeck, T., Vanden-Berghe, C.: Defending against injection attacks through context-sensitive string evaluation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 124–145. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  30. Ruderman, J.: The same origin policy, http://www.mozilla.org/projects/security/components/same-origin.html

  31. Samy. Technical explanation of The MySpace Worm, http://namb.la/popular/tech.html

  32. Sethumadhavan, R.: Orkut Vulnerabilities, http://xdisclose.com/XD100092.txt

  33. Scott, D., Sharp, R.: Abstracting application-level web security. In: 11th Internation Conference on the World Wide Web, pp. 396–407 (2002)

    Google Scholar 

  34. Su, Z., Wasserman, G.: The essence of command injections attacks in web applications. In: 33rd ACM Symposium on Principles of Programming Languages, pp. 372–382 (2006)

    Google Scholar 

  35. Web Services Security: Key Industry Standards and Emerging Specifications Used for Securing Web Services. White Paper, Computer Associates (2005)

    Google Scholar 

  36. Wikimedia Project. Wikipedia: The Free Encyclopedia, http://wikipedia.org/

  37. Wordpress. Blog Tool and Weblog Platform, http://wordpress.org/

  38. Xie, Y., Aiken, A.: Static detection of security vulnerabilities in scripting languages. In: 15th USENIX Security Symposium (2006)

    Google Scholar 

  39. Slemko, M.: Microsoft Passport to Trouble, http://www.znep.com/~marcs/passport/

Download references

Author information

Authors and Affiliations

  1. Universitat Oberta de Catalunya, Rambla Poble Nou 156, 08018, Barcelona, Spain

    Joaquin Garcia-Alfaro

  2. Universitat Autònoma de Barcelona, Edifici Q, Campus de Bellaterra, 08193, Bellaterra, Spain

    Guillermo Navarro-Arribas

Authors
  1. Joaquin Garcia-Alfaro
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Guillermo Navarro-Arribas
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science, University of Malaga, 29071, Málaga, Spain

    Javier Lopez

  2. Hochschule Technik und Architektur Luzern (HTA), Bodenhofstraße 29, 6005, Luzern, Switzerland

    Bernhard M. Hämmerli

Rights and permissions

Reprints and permissions

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Garcia-Alfaro, J., Navarro-Arribas, G. (2008). A Survey on Detection Techniques to Prevent Cross-Site Scripting Attacks on Current Web Applications. In: Lopez, J., Hämmerli, B.M. (eds) Critical Information Infrastructures Security. CRITIS 2007. Lecture Notes in Computer Science, vol 5141. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-89173-4_24

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-89173-4_24

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-89095-9

  • Online ISBN: 978-3-540-89173-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation