XSSDS: Server-Side Detection of Cross-Site Scripting Attacks

Johns, Martin; Engelmann, B.; Posegga, Joachim

doi:10.1109/acsac.2008.36

Cited by 74 publications

(37 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The types of storage intentions can furthermore be enough from the previous research. According to [19] nigh the reflected XSS detector, anent 95% of the revile applications did moan substitute every Tom false-positives at all over; the tread polemic (which is unescorted encountered in approximately 1% of the cases), lies at about 5 alarms per 100 pages. It is also shown in surface 1.…”

Section: Discussionmentioning

confidence: 99%

Vulnerability Detection in Remote Code Execution A Survey

Sharma¹,

Tomar²,

Kumar³

2014

International Journal of Advanced Research in Computer and Comm

View full text Add to dashboard Cite

Abstract:We are totally dependent on the web in today's age. It makes everything in communication easy. But the other side is the darker side. Communication on the web is easy and convenient way for data sending and receiving but the chances of data accessing from the remote side is also increasing. Now a days Remote Code Execution (RCE) threat is in the dangerous span over the internet. In RCE the attacker transform their code to the legal client with the help of scripting language and control the code according to their choice and the legal user not know what happened to their side. We can say that it is a type of cross site scripting (XSS) attack. In this attack geographical location doesn't matter, where you are? IT only knows the scripting and the controller. It is the higher risk today in web world. So in this paper we have discussed RCE in detail with the control techniques which are suggested in the previous research as well as the future scope of betterment.

show abstract

Section: Discussionmentioning

confidence: 99%

Vulnerability Detection in Remote Code Execution A Survey

Sharma¹,

Tomar²,

Kumar³

2014

International Journal of Advanced Research in Computer and Comm

View full text Add to dashboard Cite

show abstract

“…In XSS, attacker embeds malicious script into a website. Whenever a user browser run this code the attacker can shape the browser to do whatever it wants .XSS attacks occur whenever an application takes un-trusted data and sends it to web browser without proper validation and sanitization [5]. So in XSS attacks three parties are involved-the attacker, the client and the website.…”

Section: Cross-site Scripting Attacksmentioning

confidence: 99%

“…Johns et al has proposed a passive detection system to identify successful XSS attacks [5]. It uses two different approaches based on generic observations of XSS attacks and web applications.…”

Section: Related Workmentioning

confidence: 99%

Study of Cross-Site Scripting Attacks and Their Countermeasures

Kaur¹

2014

IJCATR

View full text Add to dashboard Cite

-In present-day time, most of the associations are making use of web services for improved services to their clients. With the upturn in count of web users, there is a considerable hike in the web attacks. Thus, security becomes the dominant matter in web applications. The disparate kind of vulnerabilities resulted in the disparate types of attacks. The attackers may take benefit of these vulnerabilities and can misuse the data in the database. Study indicates that more than 80% of the web applications are vulnerable to cross-site scripting (XSS) attacks. XSS is one of the fatal attacks & it has been practiced over the maximum number of well-known search engines and social sites. In this paper, we have considered XSS attacks, its types and different methods employed to resist these attacks with their corresponding limitations. Additionally, we have discussed the proposed approach for countering XSS attack and how this approach is superior to others.

show abstract

“…XSSDS [1], XSS-GUARD [19] use Firefox components like rbNarcissus [20] to precisely identify scripts in a web page. Wassermann's [21] work is based on tainted information flow with string analysis.…”

Section: B Passive Defensementioning

confidence: 99%

“…There are three types of known XSS flaws [1]- [3]: 1)Stored XSS, 2)Reflected XSS, 3)DOM based XSS, among which Stored XSS vulnerability always allows the most powerful attacks. During this type of attack, attack vectors are submitted to web server and stored on the server (in a database, file system or other locations).…”

Section: Introductionmentioning

confidence: 99%

L-WMxD: Lexical based Webmail XSS Discoverer

Tang

Zhu

Cao

et al. 2011

2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)

View full text Add to dashboard Cite

Abstract-XSS (Cross-Site Scripting) is a major security threat for web applications. Due to lack of source code of web application, fuzz technique has become a popular approach to discover XSS in web application except Webmail. This paper proposes a Webmail XSS fuzzer called L-WMxD (Lexical based Webmail XSS Discoverer). L-WMxD , which works on a lexical based mutation engine, is an active defense system to discover XSS before the Webmail application is online for service. The engine is initialized by normal JavaScript code called seed. Then, rules are applied to the sensitive strings in the seed which are picked out through a lexical parser. After that, the mutation engine issues multiple test cases. Newly-generated test cases are used for XSS test. Two prototype tools are realized by us to send the newly-generated test cases to various Webmail servers to discover XSS vulnerability. Experimental results of L-WMxD are quite encouraging. We have run L-WMxD over 26 real-world Webmail applications and found vulnerabilities in 21 Webmail services, including some of the most widely used Yahoo!Mail, Mirapoint Webmail and ORACLE' Collaboration Suite Mail.

show abstract

XSSDS: Server-Side Detection of Cross-Site Scripting Attacks

Cited by 74 publications

References 11 publications

Vulnerability Detection in Remote Code Execution A Survey

Vulnerability Detection in Remote Code Execution A Survey

Study of Cross-Site Scripting Attacks and Their Countermeasures

L-WMxD: Lexical based Webmail XSS Discoverer

Contact Info

Product

Resources

About