Abstract

Attacks on web applications are growing rapidly with the opening of new technologies, HTML tags and JavaScript functions. Cross-Site Scripting (XSS) vulnerabilities are being exploited by the attackers to steal web browser's resources (cookies, credentials etc. ) by injecting the malicious JavaScript code on the victim's web applications. The existing techniques like filtering of tags and special characters, maintaining a list of vulnerable sites etc. cannot eliminate the XSS vulnerabilities completely. In this paper, initially we have tried out the experiments on the exploitation of XSS vulnerabilities using local host server (i. e. XAMPP). After this, we have investigated for the XSS vulnerabilities on social networking sites (like Facebook, Orkut, Blogs, Twitter etc. ) and tried to exploit the same on blogs. Finally, on the basis of some analysis and results, we have discussed a novel technique of mitigating this XSS vulnerability by introducing a Sandbox environment on the web browser.

References

• D. Kristol, "HTTP State Management Mechanism" in Internet Society, 2000. http:// www. ietf. org/rfc/rfc2965. txt
• Open Web Application Security Project: https://www. owasp. org/index. php/Top_10
• White Hat Security. Website Security StatisticsReporthttp://www. whitehatsec. com/home/ resource/stats. html, 2008.
• J. Garcia-Alfaro and G. Navarro-Arribas, "Prevention of Cross-Site Scripting Attacks on Current Web Applications," Available: http://hacks-galore. org/guille/pubs/is-otm-07. pdf
• S. Saha, "Consideration Points: Detecting Cross-Site Scripting," (IJCSIS) International Journal of Computer Science and Information Security,Vol. 4, No. 1 & 2, 2009.
• Brian Blankenship, Introduction to Cross-Site Scripting using WebGoat, The OWASP LiveCD Education Project, 2005.
• Acunetix, Vulnerability Scanner "http:// www. acunetix. com/vulnerability_scanner".
• Zhushou Tang, Haojin Zhu, Zhenfu Cao, Shuai Zhao, L-WMxD: Lexical Based Webmail XSS Discoverer, IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), 2011, pp. 976-981.
• Gary Wassermann, Zhendong Su, Static Detection of Cross-Site Scripting Vulnerabilities, ACM/IEEE 30th International Conference on Software Engineering (ICSE), 2008, pp. 171-180.
• N. Jovanovic, C. Kruegel and E. Kirda, Precise alias analysis for static detection of web application vulnerabilities. In: ACMSIGPLAN Workshop on Programming languages and Analysis for Security, Ottawa, Canada, 2006.
• AppScan,http://www01. ibm. com/software/awdtools/appscan/.
• Nessus, http://www. nessus. org/.
• D. Scott and R. Sharp. Abstracting Application-level Web Security. In 11th World Wide Web Conference, 2002.
• M. T. Louw and V. N. Venkatakrishnan, "Blueprint: Robust Prevention of Cross-Site Scripting Attacks for Existing Browsers", Proc. 30th IEEE Symp. Security and Privacy (SP 09), IEEE CS, 2009, pp. 331-346.
• W. Halfond, A. Orso, and P. Manolios, "WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation", IEEE Trans. Software Eng. , Jan. 2008, pp. 65-81.
• E. Kirda et al. , "Client-Side Cross-Site Scripting Protection," Computers & Security, Oct. 2009, pp. 592-604.
• P. Vogt, F. Nentwich, N. Jovanovic, C. Kruegel, E. Kirda, and G. Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. In 14th Annual Network and Distributed System Security Symposium (NDSS), 2007.
• O. Hallaraker and G. Vigna, Detecting Malicious JavaScript Code in Mozilla. In Proceedings of the IEEE International Conference on Engineering of Complex Computer Systems (ICECCS), 2005.