JS‐SAN: defense mechanism for HTML5‐based web applications against javascript code injection vulnerabilities

Gupta, Shashank; Gupta, Brij B.

doi:10.1002/sec.1433

Cited by 32 publications

(15 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, we did not apply any advanced sanitisation mechanisms on such suspicious JS code for alleviating the effect of JS injection vulnerabilities. In addition, we introduced another technique (Gupta and Gupta, 2016c) that integrates the XSS defensive framework of PHP-Sensor on the virtual machines of cloud platforms.…”

Section: Existing Defensive Methodologiesmentioning

confidence: 99%

RAJIVE: restricting the abuse of JavaScript injection vulnerabilities on cloud data centre by sensing the violation in expected workflow of web applications

Gupta

2018

IJICA

Self Cite

View full text Add to dashboard Cite

This article introduces a novel defensive framework that detects and obstructs the exploitation of malicious JavaScript (JS) injection by spotting the violation in the expected workflow of web applications deployed on the cloud data centres. The framework initially generates some categories of axioms by examining the strings of HTTP request and response. Likewise, it detects the deviation in the intended workflow of web application by examining the violation in such generated axioms. The prototype of our work was developed in Java development framework and installed on the virtual machines of cloud data centres located at the core of network. Susceptible web applications were utilised for evaluating the workflow violation detection capability in order to obstruct the execution of XSS worms on the cloud data centres. Evaluation result revealed that framework detects the injection of XSS worms with high precision rate and lesser rate of false positives and false negatives.

show abstract

Section: Existing Defensive Methodologiesmentioning

confidence: 99%

RAJIVE: restricting the abuse of JavaScript injection vulnerabilities on cloud data centre by sensing the violation in expected workflow of web applications

Gupta

2018

IJICA

Self Cite

View full text Add to dashboard Cite

show abstract

“…Find edge set containing edges starting at node C; (6) Randomly choose an edge (C, X) from ; (7) Append X to L; (8) Add X into T; (9) current node C = X; (10) return L; Algorithm 2: All-nodes-covered path identification. covered.…”

Section: Inputmentioning

confidence: 99%

“…Compared with HTML4, HTML5 defines more specific input attributes such as telephone number, color, and email address. However, on the other hand, some studies have also presented the security issues affiliated with HTML5 [1][2][3][4][5], especially the injection attacks on the websites [6][7][8][9]. Even though in HTML5 regular users can only enter a valid value through the user interfaces supported by browsers, malicious users can skip the user interface and directly send malformed HTTP requests to the web server.…”

Section: Introductionmentioning

confidence: 99%

Automatic Test Pattern Generator for Fuzzing Based on Finite State Machine

Wang

Chen

et al. 2017

Security and Communication Networks

View full text Add to dashboard Cite

With the rapid development of the Internet, several emerging technologies are adopted to construct fancy, interactive, and userfriendly websites. Among these technologies, HTML5 is a popular one and is widely used in establishing modern sites. However, the security issues in the new web technologies are also raised and are worthy of investigation. For vulnerability investigation, many previous studies used fuzzing and focused on generation-based approaches to produce test cases for fuzzing; however, these methods require a significant amount of knowledge and mental efforts to develop test patterns for generating test cases. To decrease the entry barrier of conducting fuzzing, in this study, we propose a test pattern generation algorithm based on the concept of finite state machines. We apply graph analysis techniques to extract paths from finite state machines and use these paths to construct test patterns automatically. According to the proposal, fuzzing can be completed through inputting a regular expression corresponding to the test target. To evaluate the performance of our proposal, we conduct an experiment in identifying vulnerabilities of the input attributes in HTML5. According to the results, our approach is not only efficient but also effective for identifying weak validators in HTML5.

show abstract

“…Such situations have instigated an enlarged quantity of cyber-attacks on the world wide web (WWW). The most popular threat that is considered to be a plague for the modern online social network-based web application is cross-site scripting (XSS) worm [1][2][3]. Such attacks are generally crafted by injecting untrusted/malicious JavaScript code [4] on the injection points of web application.…”

Section: Introductionmentioning

confidence: 99%

XSS‐immune: a Google chrome extension‐based XSS defensive framework for contemporary platforms of web applications

Gupta

2016

Security Comm Networks

Self Cite

View full text Add to dashboard Cite

In this paper, the authors analyzed and discussed the performance issues in the existing cross-site scripting (XSS) filters and based on that, proposed a JavaScript string comparison and context-aware sanitization-based framework, XSS-immune. It is a browser-resident framework that compares the set of scripts embedded in hypertext transfer protocol request (H REQ ) and hypertext transfer protocol response (H RES ) for discovering any similar untrusted/malicious JavaScript code. This similar code points towards the untrusted JavaScript code that will be utilized by an attacker to exploit the vulnerabilities of XSS worms. In addition, our technique determines the context of such worms and performs the sanitization on them accordingly for alleviating the effect of such XSS worms from the real world web applications. We have also introduced a mechanism that can detect the injection of malicious parameter values by modifying the existing JavaScript code, that is, partial script injections. The prototype of XSS-immune was developed in Java and installed as an extension on the Google Chrome. In addition, we have verified the implementation of our design of prototype against five open-source XSS attack vector repositories, and very few XSS attack worms were able to evade our proposed design. Experimental evaluation and testing of XSS-immune were performed by adding support from the tested suite of real world web applications. The performance evaluation results revealed that our framework is able to detect the XSS worms with acceptable low false positive and false negative rate in comparison with the performance of existing XSS filters. Experimental results also incurred acceptable runtime overhead because of minor alterations on client-side browser and computationally fast execution of modules deployed in our browser-resident framework.

show abstract

JS‐SAN: defense mechanism for HTML5‐based web applications against javascript code injection vulnerabilities

Cited by 32 publications

References 12 publications

RAJIVE: restricting the abuse of JavaScript injection vulnerabilities on cloud data centre by sensing the violation in expected workflow of web applications

RAJIVE: restricting the abuse of JavaScript injection vulnerabilities on cloud data centre by sensing the violation in expected workflow of web applications

Automatic Test Pattern Generator for Fuzzing Based on Finite State Machine

XSS‐immune: a Google chrome extension‐based XSS defensive framework for contemporary platforms of web applications

Contact Info

Product

Resources

About