Improved cross site scripting filter for input validation against attacks in web services
Keywords:
Cross site scripting attacks, cross site scripting filters, security, semantic attack filter, web servicesAbstract
Nowadays, everybody needs to handle sensitive data like online banking account details and other information related to financial transactions on the Internet. In this scenario, many Web attacks such as injection attacks are targeted on these sensitive data. Such attacks are carried out by running scripts on users computers that utilize vulnerably coded client/server pages. Moreover, these attacks run malicious codes to steal personal information from the server. Though this code can easily be generated by the attacker, it is very difficult to prevent it by the current cross site scripting filters due to their lack in detection accuracy. Therefore, cross site scripting attack is a challenging issue for the Internet users. Hence, it is necessary to detect and prevent the injection attacks through efficient schemes. However, most of the existing schemes lack this capability in terms of accuracy and need further improvement. In this paper, a new self-aware message analysis cum validation algorithm has been proposed for detecting and filtering various types of Web Service attacks. This proposed system receives requests and generates suitable response from the dummy server page to analyze the nature of attack. New policies are created in this work to analyze the response and forward the legitimate request to original Web Service page. The proposed injection filters have been tested with all possible attacks for verifying the robustness of filtering policies. The results obtained from this work show that the proposed filtering policy is highly robust in refining the malicious message. The implementation and accuracy of the proposed approach has been proved through extensive testing using real-world cross site scripting generation and analysis. The results obtained from the work show that the proposed filtering policy is very strong in refining the malicious message, which contains attacks such as cross site scripting, injection, message replay and semantic attacks. We demonstrated the implementation and accuracy of our approach through extended testing using real-world cross site scripting exploits.
References
Adnan, Gutub., Abdul-Rahman, El-Shafe. Mohammed, Aabed. 2011. Implementation of a pipelined modular multiplier architecture for GF(p) elliptic curve cryptography computation. Kuwait Journal of Science and Engineering, 38(2B): 125-153.
Balzarotti, D., Cova, M., Felmetsger, V., Jovanovic, N., Kirda, E., Kruegel, C. Vigna, G. 2008. Saner: Composing static and dynamic analysis to validate sanitization in web applications. Proceedings of the 2008 IEEE Symposium on Security and Privacy: 387-401.
Chuang, M. C., Lee, J. F Chen, M. C. 2013. SPAM: A secure password authentication mechanism for seamless handover in proxy mobile IPv6 networks. IEEE Systems Journal, 7(1) :102-113
Gundy, M. Chen, H. 2009. Noncespaces: Using randomization to enforce information flow tracking and thwart cross-site scripting attacks. Proceedings of16th Annual Network Distributed System Security Symposium. NDSS Symposium.
Jovanovic, N., Kruegel, C. Kirda, E. 2006. Pixy: A static analysis tool for detecting web application vulnerabilities. Proceedings of IEEE Symposium on Security and Privacy: 258-263.
Kieyzun, A., Guo, P. J., Jayaraman, K. Ernst, M. D. 2009. Automatic creation of SQL injection and cross-site scripting attacks. Proceedings of 30th International Conference on Software Engineering (ICSE):199-209.
Liu, H., Ning, H., Zhang, Y., He, D., Xiong, Q. Yang, L.T. 2013. Grouping-proofs based authentication protocol for distributed RFID systems. IEEE Transactions on Parallel and Distributed Systems, 24(7):1321-1330.
Martin, M. Lam, M. S. 2008. Automatic generation of XSS and SQL injection attacks with goal-directed model checking.Proceedings of 17th USENIX Security Symposium: 31-43.
Minamide, Y. 2005. Static approximation of dynamically generated Web pages. Proceedings of the 14th International Conference on World Wide Web, Chiba, Japan : 432-441.
Nadji, Y., Saxena, P. Song, D. 2009. Document structure integrity: a robust basis for cross-site scripting defense. Proceedings of 16th Annual Network Distributed System Security Symposium, NDSS Symposium.
Negm, W. 2004. Anatomy of a Web services attack: A Guide to Threats and Preventative Countermeasures, http://www.bitpipe.com/detail/RES /1084293354294.html
Nguyen-Tuong, A., Guarnieri, S., Greene, D., Shirley, J. Evans, D. 2005. Automatically hardening web applications using precise tainting. Proceedings of 20th IFIP International Information Security Conference, Makuhari-Messe, Chiba, Japan:295-307
Pete, Lindstrom, A. 2004. Attacking and defending Web services. Technical Report, Spire Security, LLC.
Shar, L. K. Tan, H. B. K. 2012. Automated removal of cross site scripting vulnerabilities in web applications. Information Software Technology 54(5): 467-478.
Shen, D., Chen, G. Jose, B. Cruz. 2007. Theoretic solutions to cyber attack and network defense problems. Proceedings of 12th International Command and Control Research and Technology Symposium.
Vogt, P., Nentwich, F., Jovanovic, N., Kirda, E., Kruegel, C. Vigna, G. 2007. Cross-site scripting prevention with dynamic data tainting and static analysis. Proceedings of Network and Distributed System Security Symposium, NDSS,San Diego.
Wasserman, G. Su, Z. 2008. Static Detection of cross-site scripting vulnerabilities. Proceedings of 30th International Conference on Software Engineering. :171-180.
Xie, Y. Aiken, N. 2006. Static detection of security vulnerabilities in scripting languages. Proceedings of the 15th USENIX Security Symposium: 179-192.