Towards a Lightweight, Hybrid Approach for Detecting DOM XSS Vulnerabilities with Machine Learning

Melicher, William; Fung, Clement; Bauer, Lujo; Jia, Limin

doi:10.1145/3442381.3450062

Cited by 19 publications

(7 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Melicher et al [ 17 ] trained deep neural network using taint tracking methods to predict the vulnerability of payloads by analyzing JavaScript functions. Liu et al proposed an approach GraphXSS, for the detection of XSS attacks, which converted an XSS payload into a graph of interconnected words and characters.…”

Section: Related Workmentioning

confidence: 99%

“…Fang et al [ 14 , 20 ] performed decoding of XSS payloads and applied neural network techniques to identify malicious XSS payloads. Lei et al [ 15 ] used the LSTM model for XSS detection, and Melicher et al [ 17 ] applied deep neural network for detecting DOM-based XSS attacks. Liu et al [ 25 ] applied graph convolution networks, and Abimov and Bianchi [ 49 ] used convolutional deep neural network (CNN) for the detection of XSS attacks.…”

Section: Empirical Evaluation With Existing Approachesmentioning

confidence: 99%

“…Machine learning (ML) [9][10][11][12][13] and neural network (NN) [14][15][16][17] techniques have recently been used to detect XSS vulnerability in source code. Genetic algorithms and fuzzy inference are combined with ML and NN to generate a large number of permutations and combinations of payloads using the existing datasets to mitigate the newer adversarial attacks [18][19][20][21].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

GeneMiner: A Classification Approach for Detection of XSS Attacks on Web Services

Gupta

Singh

Mohapatra

2022

Computational Intelligence and Neuroscience

View full text Add to dashboard Cite

According to OWASP 2021, cross-site scripting (XSS) attacks are increasing through specially crafted XML documents. The attacker injects a malicious payload with a new pattern and combination of scripts, functions, and tags that deceits the existing security mechanisms in web services. This paper proposes an approach, GeneMiner, encompassing GeneMiner-E to extract new features and GeneMiner-C for classification of input payloads as malicious and nonmalicious. The proposed approach evolves itself to the changing patterns of attack payloads and identifies adversarial XSS attacks. The experiments have been conducted by collecting data from open source and generating various combinations of scripts, functions, and tags using an incremental genetic algorithm. The experimental results show that the proposed approach effectively detects newly crafted malicious XSS payloads with an accuracy of 98.5%, which is better than the existing classification techniques. The approach learns variations in the existing attack sample space and identifies the new attack payloads with reduced efforts.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Empirical Evaluation With Existing Approachesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

GeneMiner: A Classification Approach for Detection of XSS Attacks on Web Services

Gupta

Singh

Mohapatra

2022

Computational Intelligence and Neuroscience

View full text Add to dashboard Cite

show abstract

“…• Hybrid dynamic analysis: hybrid dynamic analysis combines two or more dynamic analysis techniques for the detection of injection vulnerabilities. Two hybrid solutions have been found in the literature [157,105]. Melicher et al [157] proposed and experimented the use of a deep learning model as a pre-filter for a dynamic taint-tracker.…”

Section: Xss Vulnerability Detection Techniquesmentioning

confidence: 99%

“…Two hybrid solutions have been found in the literature [157,105]. Melicher et al [157] proposed and experimented the use of a deep learning model as a pre-filter for a dynamic taint-tracker. A deep learner model is used to check the vulnerability of JavaScript codes, only unconfirmed malicious samples are subject to a dynamic taint-tracker for analysis.…”

Section: Xss Vulnerability Detection Techniquesmentioning

confidence: 99%

Twenty-two years since revealing cross-site scripting attacks: a systematic mapping and a comprehensive survey

Hannousse¹,

Yahiouche²,

Nait-Hamoud³

2022

Preprint

View full text Add to dashboard Cite

Cross-site scripting (XSS) is one of the major threats menacing the privacy of data and the navigation of trusted web applications. Since its reveal in late 1999 by Microsoft security engineers, several techniques have been developed in the aim to secure web navigation and protect web applications against XSS attacks. The problem became worse with the emergence of advanced web technologies such as Web services and APIs and new programming styles such as AJAX, CSS3 and HTML5. While new technologies enable complex interactions and data exchanges between clients and servers in the network, new programming styles introduce new and complicate injection flaws to web applications. XSS has been and still in the TOP 10 list of web vulnerabilities reported by the Open Web Applications Security Project (OWASP). Consequently, handling XSS attacks became one of the major concerns of several web security communities. In this paper, we contribute by conducting a systematic mapping and a comprehensive survey. We summarize and categorize existent endeavors that aim to protect against XSS attacks and develop XSS-free web applications. The present review covers 147 high quality published studies since 1999 including early publications of 2022. A comprehensive taxonomy is drawn out describing the different techniques used to prevent, detect, protect and defend against XSS attacks. Although the diversity of XSS attack types and the scripting languages that can be used to state them, the systematic mapping revealed a remarkable bias toward basic and JavaScript XSS attacks and a dearth of vulnerability repair mechanisms. The survey highlighted the limitations, discussed the potentials of existing XSS attack defense mechanisms and identified potential gaps.

show abstract

Load-and-Act: Increasing Page Coverage of Web Applications

Weidmann,

Barber,

Wressnegger

2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Towards a Lightweight, Hybrid Approach for Detecting DOM XSS Vulnerabilities with Machine Learning

Cited by 19 publications

References 28 publications

GeneMiner: A Classification Approach for Detection of XSS Attacks on Web Services

GeneMiner: A Classification Approach for Detection of XSS Attacks on Web Services

Twenty-two years since revealing cross-site scripting attacks: a systematic mapping and a comprehensive survey

Load-and-Act: Increasing Page Coverage of Web Applications

Contact Info

Product

Resources

About