An Efficient Detecting Mechanism for Cross-Site Script Attacks in the Cloud

  • Wei Kan
  • Tsu-Yang Wu
  • Tao Han
  • Chun-Wei Lin
  • Chien-Ming Chen
  • Jeng-Shyang Pan
Conference paper
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 260)


Cloud computing is one of the most prospect technologies due to its flexibility and low-cost usage. Several security issues in the cloud are raised by researchers. Cross-site script (XSS) attack is one of the most threats in the Internet. In the past, there are many literatures for detecting XSS attacks were proposed. Unfortunately, fewer studies focus on the detection of XSS attacks in the cloud. In this paper, we propose a mechanism to detect XSS attacks in cloud environments. The framework is also presented. In particular, our mechanism is not need to modify browsers and applications. We demonstrate our mechanism has higher accuracy rate and lower impact on performance of applications in the experiment. It sufficiently shows our mechanism is suitable for real-time detection in XSS attacks for cloud environments.


XSS attack Cloud computing Detection Real-time 



The authors thank the referees for their valuable comments and constructive suggestions. This research was partially supported by Shenzhen peacock project, China under contract No. KQC201109020055A and Shenzhen Strategic Emerging Industries Program, China under Grants No. ZDSY20120613125016389 China.


  1. 1.
    Jovanovic N, Kruegel K, Kirda E (2006) Precise alias analysis for static detection of web application vulnerabilities. In: 2006 workshop on programming languages and analysis for security. ACM press, New York, pp 27–36Google Scholar
  2. 2.
    Wassermann G, Su z (2008) Static detection of cross-site scripting vulnerabilities. In: 30th international conference on software engineering. IEEE press, New York, pp 171–180Google Scholar
  3. 3.
    Zhang XH, Wang ZJ (2010) A static analysis tool for detecting web application injection vulnerabilities for asp program. In: 2nd international conference on e-business and information system security. IEEE press, New York, pp 1–5Google Scholar
  4. 4.
    Jim T, Swamy N, Hicks M (2007) Defeating script injection attacks with browser-enforced embedded policies. In: 16th international conference on World Wide Web. ACM press, New York, pp 601–610Google Scholar
  5. 5.
    Vogt P, Nentwich F, Jovanovic N, Kirda E, Christopher K, Vigna G (2007) Cross-site scripting prevention with dynamic data tainting and static analysis. In: international symposium on network and distributed system security. IEEE press, New York, pp 201–210Google Scholar
  6. 6.
    Lam MS, Martin M, Whaley J (2008) Securing web applications with static and dynamic information flow tracking. In: 2008 ACM SIGPLAN symposium on evaluation and semantics-based program manipulation. ACM press, New York, pp 3–12Google Scholar
  7. 7.
    Zhang Q, Chen H, Sun J (2010) An execution-flow based method for detecting cross-site scripting attacks. In: 2nd international conference on software engineering and data mining. IEEE press, New York, pp 160–165Google Scholar
  8. 8.
    Guarnieri S, Pistoia M, Tripp O, Dolby J, Teihet S, Berg R (2011) Saving the World Wide Web from vulnerable JavaScript. In: 11th international symposium on software testing and analysis. ACM press, New York, pp 177–187Google Scholar
  9. 9.
    Gundy M, Chen H (2009) Noncespaces: using randomization to enforce information flow tracking and thwart cross-site scripting attacks. In: International symposium on network and distributed system security. IEEE press, New York, pp 123–130Google Scholar
  10. 10.
    Johns M, Engelmann B, Posegga J (2011) S2XS2: a server side approach to automatically detect XSS attacks. In: International conference on computer security applications. IEEE press, New York, pp 335–344Google Scholar
  11. 11.
    Shahriar H, Zulkernine M (2009) Injecting comments to detect JavaScript code injection attacks. In: 35th international conference on computer software and applications. IEEE press, New York, pp 104–109Google Scholar
  12. 12.
    Wurzinger P, Platzer C, Ludl C, Kirda E, Kruegel C (2009) SWAP: mitigating XSS attacks using a reverse proxy. In: 2009 ICSE workshop on software engineering for secure systems. IEEE press, New York, pp 33–39Google Scholar
  13. 13.
    Komiya R, Paik I, Hisada M (2011) Classification of malicious web code by machine learning. In: 3rd international conference on awareness science and technology. IEEE press, New York, pp 406–411Google Scholar
  14. 14.
    Choi J, Kim H, Choi C, Kim Pk (2011) Efficient malicious code detection using n-gram analysis and SVM. In: 14th international conference on network-based information systems. IEEE press, New York, pp 618–621Google Scholar
  15. 15.
    Nunan AE, Souto E, Santos EMD, Feitosa E (2012) Automatic classification of cross-site scripting in web pages using document-based and URL-based features. In: 2012 IEEE symposium on computers and communications. IEEE press, New York, pp 702–707Google Scholar
  16. 16.
    Shar LK, Tan HBK (2012) Mining input sanitization patterns for predicting SQL injection and cross site scripting vulnerabilities. In: 2012 ICSE international conference on software engineering. IEEE press, New York, pp 1293–1296Google Scholar
  17. 17.
    Iha G, Doi H (2009) An implementation of the binding mechanism in the web browser for preventing XSS attacks. In: international conference on availability, reliability and security. IEEE press, New York, pp 996–971Google Scholar
  18. 18.
    Putthacharoen R, Bunyatnoparat P (2011) Protecting cookies from cross site script attacks using dynamic cookies rewriting technique. In: international conference on advanced communication technology. IEEE press, New York, pp 1090–1094Google Scholar
  19. 19.
    Shar LK, Tan HBK (2012) Auditing the XSS defence features implemented in web application programs. IET Software 6(4):377–390CrossRefGoogle Scholar
  20. 20.
    XSS Attacks Information.

Copyright information

© Springer Science+Business Media Dordrecht 2014

Authors and Affiliations

  • Wei Kan
    • 1
  • Tsu-Yang Wu
    • 1
    • 2
  • Tao Han
    • 1
  • Chun-Wei Lin
    • 1
    • 2
  • Chien-Ming Chen
    • 1
    • 2
  • Jeng-Shyang Pan
    • 1
    • 2
  1. 1.Innovative Information Industry Research Center, Shenzhen Graduate SchoolHarbin Institute of TechnologyShenzhenChina
  2. 2.Shenzhen Key Laboratory of Internet Information CollaborationShenzhenChina

Personalised recommendations