DOI: 10.4018/JOEUC.2020100105
Journal of Organizational and End User Computing, Volume 32, Issue 4, October-December 2020

Designing a XSS Defensive Framework for Web Servers Deployed in the Existing Smart City Infrastructure

Brij B. Gupta, National Institute of Technology, Kurukshetra, India & Asia University, Taiwan & Macquarie University, Australia
Pooja Chaudhary, National Institute of Technology, Kurukshetra, India, https://orcid.org/0000-0003-0766-0530
Shashank Gupta, Birla Institute of Technology and Science, Pilani, India

ABSTRACT
Cross-site scripting (XSS) is one of the notable vulnerabilities affecting almost every web application. This article therefore proposes a framework to negate the impact of XSS attacks on web servers deployed in one of the major applications of the Internet of Things (IoT), the smart city environment. The proposed framework implements two approaches: first, it performs vulnerable flow tracking to filter injected malicious scripting code in dynamic web pages; second, it performs trusted remark generation and validation to unveil suspicious activity in static web pages. Finally, the filtered and modified web page is delivered to the user. A prototype of the framework has been evaluated on a suite of real-world web applications to measure its XSS mitigation capability. The performance analysis reveals that the framework recognizes XSS worms with very low false positives and false negatives and acceptable performance overhead compared to existing XSS defensive methodologies.

KEYWORDS
Smart City Cyber Security, Trusted Remark Statement Injection, Untrusted JavaScript Code, XSS Attack

This article, originally published under IGI Global's copyright on October 1, 2020, will proceed with publication as an Open Access article starting on January 21, 2021 in the gold Open Access journal, Journal of Organizational and End User Computing (converted to gold Open Access January 1, 2021), and will be distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and production in any medium, provided the author of the original work and original publication source are properly credited.

1. INTRODUCTION
Urbanization and migration require global development of economic, social, institutional and physical infrastructure. Consequently, they put pressure on a city's organization, as demand for resources such as education, healthcare, transportation, government and safety exceeds their availability. To overcome these issues, cities are focusing on the utilization of technology, i.e. becoming "smart". Smart cities (Ferraz & Ferraz, 2014; Seth, 2013) are cities that harness Information and Communication Technology to automate and enhance services, improving the living standard of their citizens and attaining sustainable development. The concept of "smart cities" is an outcome of the new computing paradigm, the Internet of Things. The Internet has risen to the level where everything near us is connected and becomes part of some form of network. Informally, we can define IoT as a network formed by devices capable of generating, sending and receiving information related to any business, accessed by any person, at any time, irrespective of geographical location. Technology should be used to make cities smart in terms of the services provided, such as smart traffic control,
smart parking, smart health-care, smart transportation, smart city management systems like waste management, water management, smart street lighting and so on (Hossain & Shamim, 2018; Li & Daming, 2019). Therefore, in a nutshell, smart city means everything is embedded with sensors to enable them to interact with the environment. Smart cities comprise some main components, as illustrated in Figure 1. Indeed, the smart city concept has given a new direction for a nation's growth; nevertheless, for the exchange of data it utilizes server infrastructure, which brings some major challenges as well. Cyber security is the biggest challenge because people share large amounts of personal and professional information over the Internet (Li, Jianzhong, 2018; Almomani, Ammar, 2013; Parada, Raúl, 2018; Drennan, Judy, 2019). There are numerous cyber-attacks that have contaminated web applications.
An automated technique proposed by Livshits and Chong (2013) places sanitizers by statically analyzing the flow of tainted data in the program. However, sanitizer placement is static, and sometimes it changes to dynamic wherever required. JSand (Agten et al., 2012) is a server-driven, JavaScript-based sandboxing mechanism that enforces a server-specific policy on injected scripts with no need to filter or modify the scripts. The technique lets the developer of a website safely incorporate third-party scripts without disruptive alterations to either client- or server-side infrastructure. XSS-Guard (Bisht & Venkatakrishnan, 2008) is a technique that detects the set of scripts a web application intends to create for any HTML web request. The technique creates a shadow web page to learn the web application's intent for every HTTP response, including the legitimate and expected scripts. Any divergence between the real generated
Figure 2. Architecture of smart city with possible threats
1.1. Key Contributions
On the basis of these issues, the authors have designed a framework based on vulnerable flow analysis and injection of trusted remark statements into the web page. At the server side, our framework performs two main functions: classification of the response web page into static and dynamic web pages, and injection of trusted remark statements at the borders of the valid JavaScript code present in the web page. These remarks help in differentiating malicious JavaScript from valid JavaScript, as they include features of the valid JavaScript in the form of protocols with a randomly generated nonce. These protocols form the basis of comparison between JavaScript code blocks to detect an XSS attack. At the client side, it detects XSS attacks by applying different techniques for static and dynamic web pages. For a static response, it first extracts the scripts and then compares them with the remarks; if a variance is found, it indicates an XSS attack. For a dynamic response, it first identifies the vulnerable source by performing vulnerable flow analysis, then determines the context of this malicious source, and then filters it with the help of filtering APIs. Finally, the modified response web page is displayed to the user.
1.2. Outline of this Paper
The rest of the paper is organized as follows: Section 2 introduces our work in detail. Implementation and evaluation of our work are discussed in Section 3. Finally, Section 4 concludes our work and discusses further scope for work.
2.1. Abstract Design View of the Framework
The proposed framework works in four main phases: 1) statically classifies the web pages of the web application; 2) generates remark statements comprising randomly generated nonces and features of the valid JavaScript code block; 3) checks the validity of the injected remark statements at the client side to detect an XSS attack; 4) dynamically performs taint analysis and filters the tainted string value with the filtering APIs. Figure 3 elaborates the abstract design overview of our framework.
This framework alleviates the propagation of XSS worms by performing two main mechanisms: dynamic taint analysis, and remark statement injection and validation. The payload tester classifies web pages into dynamic and static web pages. Thereafter, a dynamic web page undergoes the taint analysis procedure with the help of the vulnerable flow identification component. The exploit generator component identifies a suspicious web page by inserting a testing attack payload at the taint source location and launching the XSS attack. If the attack is successful, it filters the malicious string value; otherwise, the dynamic web page is free from XSS. Static web pages are examined for injected malicious JavaScript code. This is done by injecting remark statements at the borders of each valid JavaScript code block. The remark variance detector seizes the web page and implements a number of tests to detect an XSS attack. First, it identifies whether any JavaScript code block without a remark statement is present; if so, it is considered injected code and removed from the response. Otherwise, it tests the validity of the remark statements, which comprise a random nonce and the features of the valid JavaScript code. If a nonce is incorrect, the block is declared injected code. Otherwise, it matches the features of the suspected JavaScript code with the features included in the remark statements; if any deviation is found, the block is considered injected. Finally, it checks for the presence of duplicate remark statements, to identify remark statements inserted by the attacker. If it identifies injected JavaScript code in the response, the code is removed from the response web page along with the injected remark statements. Figure 4 highlights the detailed working procedure of our framework in the form of a flowchart. The next sub-section gives a detailed illustration of our framework.
2.2. Detailed Design View of the Proposed Framework
This section furnishes the comprehensive architectural detail of our hybrid framework. Figure 5 shows the detailed design overview of our client-server XSS defensive framework. The outlined framework executes in four high-level phases: 1) classification of HTTP response web pages; 2) remark generation; 3) remark validation; 4) exploitation and filtering.
2.2.1. Classification of HTTP Response Web Page
The key goal of the server-side implementation is to efficiently classify the generated HTTP response web page and insert remark statements at the borders of the JavaScript code. The key components which implement these operations are: Internal Web Page Tracing, Web Page Retrieval and Payload Tester.
2.2.1.1. Internal Web Page Tracing
Figure 3. Abstract design overview of client-server framework
It is a server-side component that scans the web page to extract all the web pages of the requested web application and saves them for later processing. Once the client enters the requested URL, it crawls the web application with the help of a Selenium-based crawler. Initially, it extracts all the internal and external URI links from the response web page and then makes requests to retrieve all web pages from the server.
Figure 4. Flow chart of our proposed framework
2.2.1.2. Web Page Retrieval
It is a server-side component which is responsible for the extraction of the requested web page of the web application. This component receives the log provided by the internal web page tracing component as its input. Then, it checks the requested URL to identify the specific web page of the web application requested by the user. Finally, it extracts the web page from the log and supplies it to the other components for later processing.
2.2.1.3. Payload Tester
Its main aim is to classify the web page into two categories: dynamic web page and static web page.
2.2.1.3.1. Dynamic Web Page
A web page which contains any type of input field, such as a search box, comment box, form fields and so on. The payload tester classifies these web pages as dynamic because the user can enter untrusted input values into the input fields; for instance, a web application asking the user to fill a form with personal information via a web page.
Figure 5. Comprehensive design overview of our proposed framework
2.2.1.3.2. Static Web Page
Static web pages are read-only web pages. They do not contain any input field to receive user input; for instance, a web page containing a product specification.
Here, no filtering mechanism is applied to the username before it is used in the response web page. Thus, this field is vulnerable to XSS. Suppose an adversary injects a malicious function as: <script>alert(document.cookie);</script>. The original code then becomes <input type="text" name="username" value="<script>alert(document.cookie);</script>">. Consequently, when the browser renders this response, the injected script executes with access to the user's cookie information. Note that a payload placed inside a quoted attribute value is not parsed as a tag; to run, it must first close the attribute (e.g. a leading "> before the <script> tag), which is one reason the framework determines the context of each tainted string before testing it. To this end, function call and function definition patterns are extracted from the valid JavaScript code as its unique features. Table 2 illustrates some examples of the probable features of valid JavaScript code, including function call and function definition features. For example, the first example describes the built-in function call Math.pow(4,5); we represent its probable features as {pow,2,4,5}. It means that function 'pow' has 2 parameters, 4 and 5. The other examples are shown similarly.
2.2.2.1.3. Protocol Generation
It is a server-side component which is responsible for encapsulating the extracted JavaScript features in a protocol. These protocols are then included in the initial remark statement. This ensures that legitimate JavaScript present in the response web page can be properly distinguished from injected JavaScript code by comparing their features with the ones stored in the protocol. Table 3 describes the script code, protocol generation and remark generation. Protocols are stored using Protocol ID, type, name and paramcount. According to the number of parameters, the param field stores the actual parameters. The modified remark statement comprises a nonce and a protocol ID, as /*N1,1*/. For the function call type, instead of paramcount we use argcount and arg fields.
the authentication of the remark statement. The key components to accomplish this task are: Parser, Script Separation, Decoding and Remark Variance Detector.
2.2.3.1. Parser
It is the client-side component which receives the static web page with the remark statements. It is responsible for constructing the Parse Tree (PT) corresponding to that web page, to ensure that the browser renders the web page correctly. For instance, consider the code snippet shown in Listing 1. In that example, untrusted user input is applied at $_GET['name'] and $_GET['age']. The parse tree generated for the code snippet is shown in Figure 6. Each node of the tree represents an HTML tag or text. This tree is processed to determine the script nodes embedded in the web page.
An adversary may exploit this vulnerability by injecting malicious code at the name parameter, like <script>alert(document.cookie);</script>. Consequently, uname holds this JavaScript code and the browser renders the attacker-provided code. Hence, this component extracts the tainted source and sink information as: taint source (uname = request.getParameter("name")) and taint sink (document.write(tag)). This information is forwarded to the next phase to determine the context and analyze it for the presence of XSS loopholes.
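As an added illustration (not the article's implementation), the following tracks taint from the request parameter source to the document.write sink over a straight-line snippet modelled on the uname/tag example above, and emits the per-flow record (Taint Source, Taint Sink, Taint ID, Taint URL) that the Malicious Flow Decomposer of Section 2.2.4.2 consumes. The source and sink patterns, the sample lines and the URL are assumptions; identifiers are matched textually without a lexer, so a variable name that happens to appear inside a string literal is also treated as a use.

```javascript
// Added example (not the paper's code): a minimal vulnerable flow identifier
// producing the log fields read by the Malicious Flow Decomposer (Section
// 2.2.4.2.1). Taint propagates through straight-line assignments only.
// Source/sink patterns and the sample snippet are assumptions.
const SOURCE_RE = /request\.getParameter\(\s*"([^"]+)"\s*\)/;   // paper's taint source
const SINK_RE = /^\s*document\.write\((.+)\)\s*;?\s*$/;          // paper's taint sink
const ASSIGN_RE = /^\s*(?:var|let|const)?\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*;?\s*$/;

// Textual identifier match (no lexer: names inside string literals also count).
function mentions(expr, name) {
  return new RegExp("\\b" + name + "\\b").test(expr);
}

function findVulnerableFlows(lines, url) {
  const tainted = new Map();   // variable -> { variable, origin } of the source it carries
  const flows = [];
  for (const line of lines) {
    const sink = SINK_RE.exec(line);
    if (sink) {
      for (const [name, source] of tainted) {
        if (mentions(sink[1], name)) {
          flows.push({
            taintId: "T" + (flows.length + 1),
            taintSource: source,                       // variable and origin of the taint
            taintSink: "document.write(" + sink[1] + ")",
            taintUrl: url,
          });
        }
      }
      continue;
    }
    const asg = ASSIGN_RE.exec(line);
    if (!asg) continue;
    const [, lhs, rhs] = asg;
    const src = SOURCE_RE.exec(rhs);
    if (src) {
      tainted.set(lhs, { variable: lhs, origin: 'request.getParameter("' + src[1] + '")' });
      continue;
    }
    const via = [...tainted.keys()].find((name) => mentions(rhs, name));
    if (via) tainted.set(lhs, tainted.get(via));       // taint flows through the assignment
    else tainted.delete(lhs);                           // overwritten with clean data
  }
  return flows;
}

// Constructed snippet modelled on the paper's uname / tag / document.write example.
const SAMPLE_LINES = [
  'var uname = request.getParameter("name");',
  'var age = request.getParameter("age");',
  'var greeting = "Hello";',
  'var tag = \'<input type="text" name="username" value="\' + uname + \'">\';',
  "document.write(greeting);",
  "document.write(tag);",
  'document.write("<p>" + age + "</p>");',
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(findVulnerableFlows(SAMPLE_LINES, "http://example.test/profile"), null, 2));
}
```

The sink on greeting produces no record, the sink on tag is reported with uname as its source because the taint was carried through the string concatenation, and reassigning a tainted variable with clean data clears its taint.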
Figure 7. Algorithm implemented for JavaScript separation
2.2.4.2. Exploit Generation
This module examines the vulnerable flow to identify the vulnerable source and sink. Then, it generates a context-based testing attack payload that can be used to verify vulnerable web pages. It is achieved in 3 main steps: Malicious Flow Decomposer, Context Recognizer and Testing Payload Injector.
2.2.4.2.1. Malicious Flow Decomposer
It is the component which receives the logs that contain information about the vulnerable flows present in the web page. It extracts the following from the log: 1) Taint Source, which contains the
Figure 8. Flow chart showing the working process of the remark variance detector
source type and the string value from the source used in the sink; 2) Taint Sink, which defines the location where the string value supplied by the attacker is used in the program; 3) Taint ID, which is the unique identifier of each vulnerable flow; 4) Taint URL, which contains the URL of the web page in which the vulnerable flow was revealed.
2.2.4.2.2. Context Recognizer
This component is responsible for determining the context of the vulnerable source. It accepts the information provided by the malicious flow decomposer and uses it to determine the portion of the web page where the vulnerable string value is injected. Figure 10 illustrates the algorithm implemented for this step. The algorithm works as follows. The input is the set of IDs of untrusted sources, T_ID. Con_log is a log maintained to store the context of each untrusted source. For each tainted source TI ∈ T_ID, it attaches a context recognizer CR, as CI ← (CR)TI. The generated output is the internal representation of the extracted JavaScript code, embedded with the context recognizer CR corresponding to each untrusted variable present in it. After this, it is merged with Con_log, as Con_log ← CI ∪ Con_log. For each CI ∈ Con_log, it generates and solves the type constraints. Here, Λ represents the type environment that maps each JavaScript variable to its context recognizer CR. In a path-sensitive system, a variable's context changes from one point to another. Thus, to handle this issue, untrusted variables are represented
through the typing judgment Λ ⊢ e : CR. It indicates that at any program location, e has context recognizer CR in the type environment Λ. Finally, all CI variables have been assigned their context dynamically, and the modified log Con_log is produced as output. This step provides each tainted source with its identified context, i.e. the context in which the browser interprets it.
2.2.4.2.3. Testing Payload Injector
To exploit the vulnerability present in the web page, it substitutes an attack vector in place of the tainted string. The testing attack vector must be injected according to the context of the tainted string; this is achieved with the help of an available repository of XSS attack vectors. Then, this module validates the successful execution of the injected attack vector. If the attack is successful, the Taint ID and Taint Source information are forwarded to the filtering module; otherwise, the web page is not vulnerable and is returned to the user.
2.2.4.2.4. Filtering
This component accepts the Taint Source and Taint ID information as its input. It applies filtering to the tainted string present at the taint source in the web page, with the help of filtering APIs. This is done to halt the execution of the injected malicious string and its malicious effects. Figure 11 shows the algorithm for the filtering process. The working procedure of this algorithm is as follows. The algorithm takes Con_log as its input, which stores the identified context of every untrusted JavaScript variable. FAPI_lib is the externally available library which stores the filtering API corresponding to each malicious context. T_ID is the list of IDs of each tainted source. For each untrusted source (i.e. tainted value) TI ∈ T_ID, it extracts the context of TI as XI from Con_log. Then, it looks up the corresponding filtering API, with matching context, from FAPI_lib and stores it in FI. It applies the identified filtering API to TI and stores the result in YI. It then merges YI with FAPI_lib as FAPI_lib ← YI ∪ FAPI_lib; finally, it embeds all sanitized variables into the HTTP response and produces the HTTP response for the user.
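As an added illustration (not the article's implementation), the following runs the Context Recognizer, Testing Payload Injector and Filtering steps above over a constructed Con_log: each tainted source carries its recognised context, the injector substitutes the context's test vector and decides whether it can leave that context, and only the sources found vulnerable are passed through the matching entry of FAPI_lib. The four contexts, the sanitizers in FAPI_lib, the attack-vector repository and the Con_log entries are all assumptions made for this example, and the static breakout check stands in for the article's execution test, which requires loading the page in a real browser.

```javascript
// Added example (not the paper's code): Context Recognizer -> Testing Payload
// Injector -> Filtering, as described in Section 2.2.4.2. Contexts, FAPI_lib
// sanitizers, the attack-vector repository and the Con_log entries are
// assumptions constructed for this example. The breakout check is a static
// stand-in for the paper's execution test, which needs a real browser.

// FAPI_lib: one filtering API per browser context (assumed library).
const FAPI_lib = {
  // HTML body: neutralise tag, entity and quote characters.
  html: (s) => s.replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" })[c]),
  // Quoted attribute value: entity-encode everything except alphanumerics.
  attr: (s) => s.replace(/[^A-Za-z0-9]/g, (c) => "&#x" + c.charCodeAt(0).toString(16) + ";"),
  // JavaScript string literal: \xHH / \uHHHH-encode everything except alphanumerics.
  js: (s) => s.replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code > 0xff ? "\\u" + code.toString(16).padStart(4, "0") : "\\x" + code.toString(16).padStart(2, "0");
  }),
  // URL attribute: keep only http(s) URLs, otherwise neutralise the value.
  url: (s) => (/^https?:\/\//i.test(s) ? encodeURI(s) : "about:blank"),
};

// Repository of context-specific testing attack vectors (constructed).
const ATTACK_VECTORS = {
  html: "<script>alert(document.cookie)</script>",
  attr: '"><script>alert(document.cookie)</script>',
  js: "';alert(document.cookie);//",
  url: "javascript:alert(document.cookie)",
};

// Can a value, as it reaches the sink, leave the context it was placed in?
const BREAKS_OUT = {
  html: (v) => /[<>]/.test(v),
  attr: (v) => /["<>]/.test(v),
  js: (v) => /['\r\n\u2028\u2029]|<\/script/i.test(v),
  url: (v) => /^\s*(javascript|data|vbscript)\s*:/i.test(v),
};

// Con_log: each tainted source with its recognised context, the transform the
// application already applies before the sink (identity = none) and the sink.
const identity = (v) => v;
const Con_log = [
  { taintId: "T1", context: "html", existing: identity, render: (v) => `<p>Hello ${v}</p>` },
  { taintId: "T2", context: "attr", existing: identity, render: (v) => `<input type="text" name="username" value="${v}">` },
  { taintId: "T3", context: "js",   existing: identity, render: (v) => `<script>var who = '${v}';</script>` },
  { taintId: "T4", context: "url",  existing: identity, render: (v) => `<a href="${v}">profile</a>` },
  { taintId: "T5", context: "html", existing: FAPI_lib.html, render: (v) => `<p>${v}</p>` }, // already escaped
];

// For each entry: inject the context's test vector, decide whether it breaks
// out (vulnerable) and, if so, apply the matching filtering API (FI -> YI).
function exploitAndFilter(conLog) {
  return conLog.map((flow) => {
    const vector = ATTACK_VECTORS[flow.context];
    const breaksOut = BREAKS_OUT[flow.context];
    const vulnerable = breaksOut(flow.existing(vector));
    if (!vulnerable) {
      return { taintId: flow.taintId, context: flow.context, vulnerable, response: flow.render(flow.existing(vector)) };
    }
    const sanitized = flow.existing(FAPI_lib[flow.context](vector));
    return { taintId: flow.taintId, context: flow.context, vulnerable, stillBreaksOut: breaksOut(sanitized), response: flow.render(sanitized) };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(exploitAndFilter(Con_log), null, 2));
}
```

The same vector is harmless in one context and fatal in another, which is why the filtering API is selected by the recognised context rather than applied uniformly: HTML-entity escaping that protects T1 would not stop the T3 payload from terminating the string literal, and no escaping at all helps the URL sink in T4, where the scheme itself has to be constrained.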
3.1. Experimental Evaluation
The authors have categorized XSS attack vectors into four main categories: Character Encoding Scripts (CES), Embedded Character Tags (ECT), Event Handlers (EH) and HTML Quote Encapsulation (HQE). Table 5 illustrates the attack patterns of these categories of XSS attack vectors. The observed results of our framework on five real-world HTML5 web applications, for the chosen categories of XSS worms, are shown in Figures 12-16.
Figure 10. Algorithm implemented for the context recognizer
Figure 11. Algorithm for filtering process
Figure 12. Observed results on Simplecms
Table 5. Categories of XSS worms with their pattern examples

XSS Worm Category | Explanation | Script Example
CES | Character encoding techniques are used to represent a repertoire of characters through a particular encoding system. Such techniques are used for computation, data storage and transmission of textual information, and can be abused to mount numerous attacks. |
3.5. Comparative Analysis and Strengths of the Proposed Work
This section discusses the comparison of our framework with other recent XSS defensive methodologies. Table 10 compares the existing XSS defensive methodologies with our work based on nine performance parameters: AM: Analyzing Mechanism; MP: Monitoring Procedure; TOXH: Type of XSS Worm Handled; Ttrac: Taint Tracking; CRW: Code Rewriting; APPR: Automated Pre-Processing Required; PSID: Partial Script Injection Detection; SCM: Source Code Monitoring; and SCMod: Source Code Modifications.
This framework isolates the untrusted JavaScript code from the actual data by executing the process of code rewriting, which is not handled by most existing XSS defensive techniques. In addition, the proposed framework executes runtime monitoring of the JavaScript code to determine the dependency between the tainted source and sink functions in the program code. Moreover, the context of untrusted variables embedded in such code is determined. Here, instead of directly performing context-sensitive sanitization on such variables, our framework first performs deep string analysis on them to track their tainted flow. The examination of tainted variables is carried out to determine whether each may function as a vulnerable point or not, whereas existing work performs only context-sensitive sanitization on such variables.
4. CONCLUSION
Digitalization in every aspect of life demands more technological advancement for providing information anytime, anywhere. This materializes the vision of making cities "smarter". Undoubtedly, this development brings multiple benefits to people; nevertheless, it brings to light multiple threats like XSS. Therefore, this paper described a technique to protect users from XSS attacks. This is achieved by classifying the response web page into static and dynamic web pages. Static web pages are processed by injecting and verifying trusted remark statements to detect persistent XSS attacks. For dynamic web pages, the framework performs vulnerable flow analysis followed by filtering of the tainted string to determine XSS attacks. The authors have implemented the framework using a Java development framework and have evaluated its detection capability on five real-world web applications. The results reveal a low false negative rate with tolerable performance overhead due to the injection and removal of remarks.
REFERENCES
Agten, P., Van Acker, S., Brondsema, Y., Phung, P. H., Desmet, L., & Piessens, F. (2012, December). JSand: complete client-side sandboxing of third-party JavaScript without browser modifications. In Proceedings of the 28th Annual Computer Security Applications Conference (pp. 1-10). ACM. doi:10.1145/2420950.2420952
Almomani, A., et al. (2013). Phishing dynamic evolving neural fuzzy framework for online detection zero-day phishing email. Indian Journal of Science and Technology, 6(1), 3960–3964.
Bates, D., Barth, A., & Jackson, C. (2010, April). Regular expressions considered harmful in client-side XSS filters. In Proceedings of the 19th International Conference on World Wide Web (pp. 91-100). ACM. doi:10.1145/1772690.1772701
Bisht, P., & Venkatakrishnan, V. N. (2008, July). XSS-GUARD: precise dynamic prevention of cross-site scripting attacks. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 23-43). Springer. doi:10.1007/978-3-540-70542-0_2
Chaudhary, P., Gupta, B. B., & Gupta, S. (2018). Defending the OSN-based web applications from XSS attacks using dynamic JavaScript code and content isolation. In Quality, IT and Business Operations (pp. 107–119). Singapore: Springer. doi:10.1007/978-981-10-5577-5_9
Chaudhary, P., Gupta, B. B., & Gupta, S. (2019). A framework for preserving the privacy of online users against XSS worms on online social network. International Journal of Information Technology and Web Engineering, 14(1), 85–111. doi:10.4018/IJITWE.2019010105
Drennan, J., Sullivan, G., & Previte, J. (2006). Privacy, risk perception, and expert online behavior: An exploratory study of household end users. Journal of Organizational and End User Computing, 18(1), 1–22. doi:10.4018/joeuc.2006010101
Ferraz, F. S., & Ferraz, C. A. G. (2014, December). Smart city security issues: depicting information security issues in the role of an urban environment. In Proceedings of the 2014 IEEE/ACM 7th International Conference on Utility and Cloud Computing (pp. 842-847). IEEE. doi:10.1109/UCC.2014.137
Gupta, B. B., Gupta, S., & Chaudhary, P. (2017a). Enhancing the browser-side context-aware sanitization of suspicious HTML5 code for halting the DOM-based XSS vulnerabilities in cloud. International Journal of Cloud Applications and Computing (IJCAC), 7(1), 1–31. doi:10.4018/IJCAC.2017010101
Gupta, S., & Gupta, B. B. (2016a). An infrastructure-based framework for the alleviation of JavaScript worms from OSN in mobile cloud platforms. In Proceedings of the International Conference on Network and System Security (pp. 98-109). Cham: Springer. doi:10.1007/978-3-319-46298-1_7
Gupta, S., & Gupta, B. B. (2017b). Smart XSS attack surveillance system for OSN in virtualized intelligence network of nodes of fog computing. International Journal of Web Services Research, 14(4), 1–32. doi:10.4018/IJWSR.2017100101
Gupta, S., & Gupta, B. B. (2018b). Robust injection point-based framework for modern applications against XSS vulnerabilities in online social networks. International Journal of Information and Computer Security, 10(2-3), 170–200. doi:10.1504/IJICS.2018.091455
Gupta, S., & Gupta, B. B. (2018c). RAJIVE: Restricting the abuse of JavaScript injection vulnerabilities on cloud data centre by sensing the violation in expected workflow of web applications. International Journal of Innovative Computing and Applications, 9(1), 13–36. doi:10.1504/IJICA.2018.090822
Gupta, S., & Gupta, B. B. (2018d). Evaluation and monitoring of XSS defensive solutions: A survey, open research issues and future directions. Journal of Ambient Intelligence and Humanized Computing, 1–29.
Gupta, S., & Gupta, B. B. (2018e). POND: Polishing the execution of nested context-familiar runtime dynamic parsing and sanitisation of XSS worms on online edge servers of fog computing. International Journal of Innovative Computing and Applications, 9(2), 116–129. doi:10.1504/IJICA.2018.092588
Gupta, S., & Gupta, B. B. (2018f). A robust server-side JavaScript feature injection-based design for JSP web applications against XSS vulnerabilities. In Cyber Security: Proceedings of CSI 2015 (pp. 459-465). Springer Singapore. doi:10.1007/978-981-10-8536-9_43
Li, D., Deng, L., Bhooshan Gupta, B., Wang, H., & Choi, C. (2019). A novel CNN based security guaranteed image watermarking generation scenario for smart city applications. Information Sciences, 479, 432–447. doi:10.1016/j.ins.2018.02.060
Li, J., Yu, C., Gupta, B. B., & Ren, X. (2018). Color image watermarking scheme based on quaternion Hadamard transform and Schur decomposition. Multimedia Tools and Applications, 77(4), 4545–4561. doi:10.1007/s11042-017-4452-0
Livshits, B., & Chong, S. (2013, January). Towards fully automatic placement of security sanitizers and declassifiers. ACM SIGPLAN Notices, 48(1), 385–398. doi:10.1145/2480359.2429115
Parada, R., Melià-Seguí, J., & Pous, R. (2018). Anomaly detection using RFID-based information management in an IoT context. Journal of Organizational and End User Computing, 30(3), 1–23. doi:10.4018/JOEUC.2018070101
Pelizzi, R., & Sekar, R. (2012). Protection, usability and improvements in reflected XSS filters. In Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security (p. 5). ACM. doi:10.1145/2414456.2414458
Rhino JavaScript parser. (n.d.). Retrieved from https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Rhino/Download_Rhino
Saxena, P., Molnar, D., & Livshits, B. (2011, October). SCRIPTGARD: automatic context-sensitive sanitization for large-scale legacy web applications. In Proceedings of the 18th ACM Conference on Computer and Communications Security (pp. 601-614). ACM. doi:10.1145/2046707.2046776
Sen, M., Dutt, A., Agarwal, S., & Nath, A. (2013, April). Issues of privacy and security in the role of software in smart cities. In Proceedings of the 2013 International Conference on Communication Systems and Network Technologies (pp. 518-523). IEEE. doi:10.1109/CSNT.2013.113
B. B. Gupta received PhD degree from Indian Institute of Technology Roorkee, India in the area of information security. He has published more than 250 research papers in international journals and conferences of high repute. He has visited several countries to present his research work. His biography has published in the Marquis Who’s Who in the World, 2012. At present, he is working as an Assistant Professor in the Department of Computer Engineering, National Institute of Technology Kurukshetra, India. His research interest includes information security, cyber security, cloud computing, web security, intrusion detection, computer networks and phishing.
Pooja Chaudhary is currently pursuing her PhD degree in Information and Cyber security from National Institute of Technology, Kurukshetra, Haryana, India. She has completed her M.Tech in Computer Engineering from National Institute of Technology, Kurukshetra. She has received her B.Tech degree in Computer Science and Engineering from Bharat Institute of Technology, Meerut, Affiliated to Uttar Pradesh Technical University, India. Her areas of interest include online social network security, Big Data analysis and security, database security, and cyber security.
Shashank Gupta is currently working as an Assistant Professor in Computer Science and Information Systems Division at Birla Institute of Technology and Science, Pilani, Rajasthan, India. He has done his PhD under the supervision of Dr. B. B. Gupta in Department of Computer Engineering specialization in Web Security at National Institute of Technology Kurukshetra, Haryana, India. Recently, he was working as an Assistant Professor in the Department of Computer Science and Engineering at Jaypee Institute of Information Technology (JIIT), Noida, Sec-128. Prior to this, he has also served his duties as an Assistant Professor in the Department of IT at Model Institute of Engineering and Technology (MIET), Jammu. He has completed M.Tech. in the Department of Computer Science and Engineering Specialization in Information Security from Central University of Rajasthan, Ajmer, India. He has also done his graduation in Bachelor of Engineering (B.E.) in Department of Information Technology from Padmashree Dr. D.Y. Patil Institute of Engineering and Technology Affiliated to Pune University, India. He has also spent two months in the Department of Computer Science and IT, University of Jammu for completing a portion of Post-graduation thesis work. He bagged the 1st Cash Prize in Poster Presentation at National Level in the category of ICT Applications in Techspardha’2015 and 2016 event organized by National Institute of Kurukshetra, Haryana. He has numerous online publications in International Journals and Conferences including IEEE, Elsevier, ACM, Springer, Wiley, Elsevier, IGI-Global, etc., along with several book chapters. He is also serving as reviewer for numerous peer-reviewed Journals and conferences of high repute. He is also a professional member of IEEE and ACM. His research area of interest includes web security, cross-site scripting (XSS) attacks, online social network security, cloud security, fog computing and theory of computation.