XSS-secure as a service for the platforms of online social network-based multimedia web applications in cloud

Published in: Multimedia Tools and Applications

Abstract

This article presents XSS-Secure, a novel framework that detects and limits the propagation of Cross-Site Scripting (XSS) worms from Online Social Network (OSN)-based multimedia web applications hosted in a cloud environment. It operates in two modes: training and detection. The training mode sanitizes the untrusted variables extracted from JavaScript code in a context-aware manner and stores the sanitized code both in a sanitizer snapshot repository and on the OSN web server, for instrumentation during the detection mode. The detection mode compares the sanitized HTTP response (HRES) generated at the OSN web server with the sanitized response stored in the sanitizer snapshot repository; any variation observed in this HRES message indicates the injection of XSS worms from remote OSN servers. XSS-Secure determines the context of such worms, performs context-aware sanitization on them, and finally transmits the sanitized HRES to the OSN user. A prototype of the framework was developed in Java and its components were integrated on virtual machines in a cloud environment. The detection and mitigation capability of the cloud-based framework was tested on real-world multimedia web applications, including OSN-based web applications. Experimental outcomes reveal that the framework mitigates the dissemination of XSS worms from non-OSN web applications as well as OSN web sites with acceptable false negative and false positive rates.
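The two modes described in the abstract (train: sanitize each untrusted variable for the context it lands in and snapshot the result; detect: diff the live HRES against the snapshot and re-sanitize whatever deviates) can be illustrated with a small self-contained Python model. This is an added example, not the paper's Java prototype and not its sanitization grammar; the template, the slot names and their contexts (`html`, `attr`, `url`, `js`), and the sample values and injected payload are all constructed for this illustration.

```python
import html
import json
import re
from urllib.parse import quote

# Constructed template standing in for a page the OSN web server renders.
# Each {{slot}} is an untrusted variable; SLOT_CONTEXT records where it lands
# (assumed contexts for this example, not the paper's context taxonomy).
TEMPLATE = (
    '<div class="post">{{body}}</div>\n'
    '<a href="/profile?user={{user}}" title="{{title}}">profile</a>\n'
    '<script>var viewer = {{viewer}};</script>'
)
SLOT_CONTEXT = {"body": "html", "user": "url", "title": "attr", "viewer": "js"}

SLOT_RE = re.compile(r"\{\{(\w+)\}\}")


def sanitize(value, context):
    """Context-aware sanitizer: encode for the output context the value lands in."""
    if context == "html":            # text node between tags
        return html.escape(value, quote=False)
    if context == "attr":            # quoted attribute value
        return html.escape(value, quote=True)
    if context == "url":             # single query-string component
        return quote(value, safe="")
    if context == "js":              # JS string literal inside <script>
        # JSON-encode, then neutralise "</" so the literal cannot close the script block
        return json.dumps(value).replace("</", "<\\/")
    raise ValueError(f"unknown context {context}")


def render(template, values):
    """The web server's rendering step: drop (already sanitized) values into the template."""
    return SLOT_RE.sub(lambda m: values[m.group(1)], template)


def train(template, trusted_values):
    """Training mode: sanitize every untrusted variable for its context and
    snapshot both the per-slot sanitized values and the resulting response."""
    snapshot = {name: sanitize(v, SLOT_CONTEXT[name]) for name, v in trusted_values.items()}
    return snapshot, render(template, snapshot)


def template_matcher(template):
    """Turn the template into an anchored regex whose groups capture what each slot rendered to."""
    parts, names, pos = [], [], 0
    for m in SLOT_RE.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append("(.*?)")
        names.append(m.group(1))
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL), names


def detect(template, snapshot, live_response):
    """Detection mode: diff the live HRES slot-by-slot against the snapshot.
    Any slot that deviates is treated as injected content and re-sanitized for
    its context (conservative: a legitimately changed value is also re-encoded,
    which is where false positives come from).
    Returns (suspicious_slot_names, sanitized_response)."""
    matcher, names = template_matcher(template)
    m = matcher.match(live_response)
    if m is None:
        # The page structure itself no longer matches: fall back to the snapshot.
        return names, render(template, snapshot)
    suspicious, fixed = [], {}
    for name, observed in zip(names, m.groups()):
        if observed == snapshot[name]:
            fixed[name] = observed
        else:
            suspicious.append(name)
            fixed[name] = sanitize(observed, SLOT_CONTEXT[name])
    return suspicious, render(template, fixed)


if __name__ == "__main__":
    # Constructed trusted values for the training run.
    snap, clean = train(TEMPLATE, {"body": "Hello <b>world</b>", "user": "alice smith",
                                   "title": 'Alice "A" Smith', "viewer": "alice"})
    # Constructed worm-style injection arriving in the HTML body slot.
    tampered = render(TEMPLATE, dict(snap, body='<script src="//evil.example/worm.js"></script>'))
    print("clean   :", detect(TEMPLATE, snap, clean)[0])
    print("tampered:", detect(TEMPLATE, snap, tampered))
```

Run it as a script to see the clean response pass with no flagged slots and the tampered one come back with `body` flagged and the injected `<script>` neutralised into an `&lt;script ...&gt;` text node. The `js` branch is the one most often got wrong in practice: JSON encoding alone leaves `</script>` intact inside the string, so the extra `</` rewrite is what keeps the literal from closing the surrounding block.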

Acknowledgments

The authors would like to thank members of Information and Cyber Security Research Group working in the National Institute of Technology Kurukshetra, India for their valuable feedback and worthwhile discussions. This work was financially supported by TEQIP-II.

Author information

Correspondence to B. B. Gupta.

Cite this article

Gupta, S., Gupta, B.B. XSS-secure as a service for the platforms of online social network-based multimedia web applications in cloud. Multimed Tools Appl 77, 4829–4861 (2018). https://doi.org/10.1007/s11042-016-3735-1