Information Theoretic XSS Attack Detection in Web Applications

Information Theoretic XSS Attack Detection in Web Applications

Hossain Shahriar (Department of Computer Science, Kennesaw State University, Kennesaw, GA, USA), Sarah North (Department of Computer Science, Kennesaw State University, Kennesaw, GA, USA), Wei-Chuen Chen (Department of Computer Science, Kennesaw State University, Kennesaw, GA, USA) and Edward Mawangi (Department of Computer Science, Kennesaw State University, Kennesaw, GA, USA)
Copyright: © 2014 |Pages: 15
DOI: 10.4018/ijsse.2014070101
OnDemand PDF Download:
$30.00
List Price: $37.50

Abstract

Cross-Site Scripting (XSS) has been ranked among the top three vulnerabilities over the last few years. XSS vulnerability allows an attacker to inject arbitrary JavaScript code that can be executed in the victim's browser to cause unwanted behaviors and security breaches. Despite the presence of many mitigation approaches, the discovery of XSS is still widespread among today's web applications. As a result, there is a need to improve existing solutions and to develop novel attack detection techniques. This paper proposes a proxy-level XSS attack detection approach based on a popular information-theoretic measure known as Kullback-Leibler Divergence (KLD). Legitimate JavaScript code present in an application should remain similar or very close to the JavaScript code present in a rendered web page. A deviation between the two can be an indication of an XSS attack. This paper applies a back-off smoothing technique to effectively detect the presence of malicious JavaScript code in response pages. The proposed approach has been applied for a number of open-source PHP web applications containing XSS vulnerabilities. The initial results show that the approach can effectively detect XSS attacks and suffer from low false positive rate through proper choice of threshold values of KLD. Further, the performance overhead has been found to be negligible.
Article Preview

1. Introduction

Vulnerabilities are frequently discovered in web applications. Among all known vulnerabilities, Cross-Site Scripting (XSS) has been ranked among the top three vulnerabilities over the last few years (OWASP 2013). XSS vulnerability opens up the possibility for an attacker to inject arbitrary JavaScript code (OWASP-XSS 2013) that can execute in the context of a victim’s browser. The injected script code causes unwanted behaviors (e.g., generating pop up windows) and security breaches (e.g., session hijacking (Msujaws 2011)). A recent survey also shows that on average 60% or more web applications are currently suffering from XSS vulnerabilities (Tudor 2013). Given that statistic, addressing the mitigation of XSS vulnerabilities is important.

Despite the presence of many mitigation approaches for XSS attacks at both client and server sides (Shar et al. 2012; Frenz et al. 2012; Jim et al. 2007; Kirda et al. 2006; Iha et al. 2009; Gundy et al. 2009; Wurzinger et al. 2009), the discovery of XSS vulnerability is still widespread among today’s web applications. Most of these approaches rely on signature-based attack detection that are effective in detecting known attack symptoms. Thus, there is a need to develop anomaly-based attack detection techniques that may detect unknown and new attack signatures. This paper applies an information theoretic concept to detect XSS attacks. Further, very few works have explored detecting XSS attacks at the proxy level.

In this article, we propose a proxy-level XSS attack detection technique based on a popular information theoretic measure known as Kullback-Leibler Divergence (KLD)1. Our intuition is that legitimate JavaScript code present in web applications should remain similar or very close to the JavaScript code of a rendered web page. A high deviation between the two set of JavaScript code may indicate XSS attacks. Our contribution remains in addressing the missing elements when computing KLD between the set of expected and actual JavaScript code. In particular, we apply the constant back-off smoothing technique that we brought from information retrieval literature.

We apply the proposed XSS attack detection approach for web applications implemented in PHP language and containing known XSS vulnerabilities. The initial results show that the approach can detect most of the known XSS attack signatures and show negligible false positive warning. Further, it imposes negligible runtime overhead. The proposed approach can handle diverse types of JavaScript code commonly found in web applications such as inline, URL attribute, and Cascading Style Sheet (CSS). Moreover, it can be applied as a complementary defense technique for applications that may lack an adequate XSS input filtering mechanism.

This article is organized as follows: First, we show an example of XSS attack followed by a brief introduction of related work. Then the proposed KLD-based XSS attack detection framework is discussed along with a working example. We then discuss the experimental results. Finally, we conclude the paper and discuss future work.

Complete Article List

Search this Journal:
Reset
Open Access Articles: Forthcoming
Volume 8: 4 Issues (2017): 2 Released, 2 Forthcoming
Volume 7: 4 Issues (2016)
Volume 6: 4 Issues (2015)
Volume 5: 4 Issues (2014)
Volume 4: 4 Issues (2013)
Volume 3: 4 Issues (2012)
Volume 2: 4 Issues (2011)
Volume 1: 4 Issues (2010)
View Complete Journal Contents Listing