Asian Journal of Information Technology

Year: 2017
Volume: 16
Issue: 2
Page No. 169 - 177

A Taxonomy Study of XSS Vulnerabilities

Authors: Nayeem Khan, Johari Abdullah and Adnan Shahid Khan

References

Ball, T., 1999. The Concept of Dynamic Analysis. In: Software Engineering-ESEC/FSE 99, Nierstrasz, O. and M. Lemoine (Eds.). Springer, Berlin, Germany, pp: 216-234.

Bates, D., A. Barth and C. Jackson, 2010. Regular expressions considered harmful in client-side XSS filters. Proceedings of the 19th International Conference on World Wide Web, April 26-30, 2010, ACM, Raleigh, North Carolina, ISBN:978-1-60558-799-8, pp: 91-100.

Bazzoli, E., C. Criscione, F. Maggi and S. Zanero, 2014. XSS Peeker: A systematic analysis of cross-site scripting vulnerability scanners. Master's Thesis, Cornell University Library, Ithaca, New York, USA.

Bisht, P. and V.N. Venkatakrishnan, 2008. XSS-GUARD: Precise dynamic prevention of cross-site scripting attacks. Proceedings of the International Conference on Detection of Intrusions and Malware and Vulnerability Assessment, July 10-11, 2008, France, pp: 23-43.

Cao, Y., V. Yegneswaran, P.A. Porras and Y. Chen, 2012. Path cutter: Severing the self-propagation path of XSS JavaScript worms in social web networks. Proceedings of the Symposium on Network and Distributed System Security, February 6-9, 2012, DBLP Publisher, San Diego, California, USA, pp: 1-14.

Chandra, V.S. and S. Selvakumar, 2011. Bixsan: Browser independent XSS sanitizer for prevention of XSS attacks. ACM SIGSOFT Software Eng. Notes, 36: 1-7.

Das, D., U. Sharma and D.K. Bhattacharyya, 2015. Detection of cross-site scripting attack under multiple scenarios. Comput. J., 58: 808-822.

Dong, G., Y. Zhang, X. Wang, P. Wang and L. Liu, 2014. Detecting cross site scripting vulnerabilities introduced by HTML5. Proceedings of the 11th International Joint Conference on Computer Science and Software Engineering (JCSSE), May 14-16, 2014, IEEE, Beijing, China, ISBN:978-1-4799-5822-1, pp: 319-323.

Garcia-Alfaro, J. and G. Navarro-Arribas, 2007. Prevention of cross-site scripting attacks on current web applications. Proceedings of the OTM Confederated International Conferences on the Move to Meaningful Internet Systems, November 25-30, 2007, Portugal, pp: 1770-1784.

Hallaraker, O. and G. Vigna, 2005. Detecting malicious JavaScript code in Mozilla. Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems, June 16-20, 2005, IEEE, Santa Barbara, California, USA, ISBN:0-7695-2284-X, pp: 85-94.

Hydara, I., A.B.M. Sultan, H. Zulzalil and N. Admodisastro, 2014. An approach for cross-site scripting detection and removal based on genetic algorithms. Proceedings of the 9th International Conference on Software Engineering Advances ICSEA, October 12-16, 2014, IARIA, Nice, France, ISBN:978-1-61208-367-4, pp: 227-232.

Ismail, O., M. Etoh, Y. Kadobayashi and S. Yamaguchi, 2004. A proposal and implementation of automatic detection-collection system for cross-site scripting vulnerability. Proceedings of the 18th International Conference on Advanced Information Networking and Applications (AINA04), Vol. 1, March 29-31, 2004, IEEE, Japan, ISBN:0-7695-2051-0, pp: 145-151.

Jacob, B., 2011. Automatic XSS detection and Snort signatures/ACLs generation by the means of a cloud-based honeypot system. Ph.D. Thesis, Edinburgh Napier University, Edinburgh, Scotland.

Jim, T., N. Swamy and M. Hicks, 2007. Defeating script injection attacks with browser-enforced embedded policies. Proceedings of the 16th International Conference on World Wide Web, May 8-12, 2007, ACM, Banff, Alberta, Canada, ISBN:978-1-59593-654-7, pp: 601-610.

Johns, M., B. Engelmann and J. Posegga, 2008. XSSDS: Server-side detection of cross-site scripting attacks. Proceedings of the ACSAC 2008 Annual Conference on Computer Security Applications, December 8-12, 2008, IEEE, Passau, Germany, ISBN:978-0-7695-3447-3, pp: 335-344.

Kan, W., T.Y. Wu, T. Han, C.W. Lin, C.M. Chen and J.S. Pan, 2014. An Efficient Detecting Mechanism for Cross-Site Script Attacks in the Cloud. In: Advanced Technologies, Embedded and Multimedia for Human-centric Computing, Huang, Yueh-Min, C. Han-Chieh, D. Der-Jiunn and J.J.H.P. James (Eds.). Springer, Netherlands, pp: 663-672.

Kapodistria, H., S. Mitropoulos and C. Douligeris, 2011. An advanced web attack detection and prevention tool. Inf. Manage. Comput. Secur., 19: 280-299.

Kim, J., K.S. Han, B. Jiang and E.G. Im, 2013. BOSF: By-owner script filtering. Proceedings of the Third International Conference on Digital Information Processing and Communications, January 30-February 1, 2013, SDIWC, Dubai, UAE, pp: 26-30.

Kirda, E., C. Kruegel, G. Vigna and N. Jovanovic, 2006. Noxes: A client-side solution for mitigating cross-site scripting attacks. Proceedings of the ACM Symposium on Applied Computing, April 23-27, 2006, Dijon, France, pp: 330-337.

Kirda, E., N. Jovanovic, C. Kruegel and G. Vigna, 2009. Client-side cross-site scripting protection. Comput. Secur., 28: 592-604.

Klein, A., 2005. DOM based cross site scripting or XSS of the third kind. Web Appl. Secur. Consortium Articles, 4: 365-372.

Kruegel, C., G. Vigna and W. Robertson, 2005. A multi-model approach to the detection of web-based attacks. Comput. Networks, 48: 717-738.

Lan, D., W.S. Ting, Y. Xing and Z. Wei, 2013. Analysis and prevention for cross-site scripting attack based on encoding. Proceedings of the IEEE 4th International Conference on Electronics Information and Emergency Communication (ICEIEC), November 15-17, 2013, IEEE, New York, USA, ISBN:978-1-4673-4933-8, pp: 102-105.

Li, X., W. Yan and Y. Xue, 2012. SENTINEL: Securing database from logic flaws in web applications. Proceedings of the 2nd ACM Conference on Data and Application Security and Privacy, February 7-9, 2012, ACM, San Antonio, Texas, USA, ISBN:978-1-4503-1091-8, pp: 25-36.

Matsuda, T., D. Koizumi and M. Sonoda, 2012. Cross site scripting attacks detection algorithm based on the appearance position of characters. Proceedings of the 2012 Mosharaka International Conference on Communications Computers and Applications (MIC-CCA), October 12-14, 2012, IEEE, Japan, ISBN:978-1-4673-5230-7, pp: 65-70.

Mohosina, A. and M. Zulkernine, 2012. DESERVE: A framework for detecting program security vulnerability exploitations. Proceedings of the 2012 IEEE Sixth International Conference on Software Security and Reliability (SERE), June 20-22, 2012, IEEE, Kingston, Ontario, Canada, ISBN:978-1-4673-2067-2, pp: 98-107.

Nadji, Y., P. Saxena and D. Song, 2009. Document structure integrity: A robust basis for cross-site scripting defense. Proceedings of the Network and Distributed System Security Symposium, February 11-18, 2009, DBLP Publisher, San Diego, California, USA, pp: 1-20.

Nenad, J., C. Kruegel and E. Kirda, 2006. Pixy: A static analysis tool for detecting web application vulnerabilities. Master's Thesis, TU Wien, Vienna, Austria.

Perez, P.M., J. Filipiak and J.M. Sierra, 2011. LAPSE+ Static Analysis Security Software: Vulnerabilities Detection in Java EE Applications. In: Future Information Technology, Park, J.J., L.T. Yang and C. Lee (Eds.). Springer, Berlin, Germany, pp: 148-156.

Ruse, M.E. and S. Basu, 2013. Detecting cross-site scripting vulnerability using concolic testing. Proceedings of the 10th International Conference on Information Technology: New Generations (ITNG), April 15-17, 2013, IEEE, Ames, Iowa, USA, ISBN:978-0-7695-4967-5, pp: 633-638.

Ruse, M.E., 2013. Model checking techniques for vulnerability analysis of Web applications. Ph.D. Thesis, Iowa State University, Ames, Iowa, USA.

Schwartz, E.J., T. Avgerinos and D. Brumley, 2010. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). Proceedings of the IEEE Symposium on Security and Privacy (SP), May 16-19, 2010, IEEE, Pittsburgh, Pennsylvania, USA, ISBN:978-1-4244-6894-2, pp: 317-331.

Seffernick, M., 2014. Preventing cross-site scripting with script-free HTML. J. Undergraduate Res. Ohio State, 4: 1-7.

Shahriar, H. and M. Zulkernine, 2011. S2XS2: A server side approach to automatically detect XSS attacks. Proceedings of the 2011 IEEE 9th International Conference on Dependable, Autonomic and Secure Computing (DASC), December 12-14, 2011, IEEE, Kingston, Ontario, Canada, ISBN:978-1-4673-0006-3, pp: 7-14.

Shar, L.K. and H.B.K. Tan, 2010. Auditing the defense against cross site scripting in web applications. Proceedings of the 2010 International Conference on Security and Cryptography (SECRYPT), July 26-28, 2010, IEEE, New York, USA, ISBN:978-989-8425-18-8, pp: 1-7.

Sharma, P., R. Johari and S.S. Sarma, 2012. Integrated approach to prevent SQL injection attack and reflected cross site scripting attack. Intl. J. Syst. Assur. Eng. Manage., 3: 343-351.

Stamm, S., B. Sterne and G. Markham, 2010. Reining in the web with content security policy. Proceedings of the 19th International Conference on World Wide Web, April 26-30, 2010, ACM, Raleigh, North Carolina, USA, ISBN:978-1-60558-799-8, pp: 921-930.

Stock, B., S. Lekies, T. Mueller, P. Spiegel and M. Johns, 2014. Precise client-side protection against DOM-based cross-site scripting. Proceedings of the 23rd USENIX Conference on Security Symposium, August 20-22, 2014, USENIX, San Diego, California, USA, ISBN:978-1-931971-15-7, pp: 655-670.

Tang, Z., H. Zhu, Z. Cao and S. Zhao, 2011. L-WMxD: Lexical based webmail XSS discoverer. Proceedings of the 2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), April 10-15, 2011, IEEE, China, ISBN:978-1-4577-0249-5, pp: 976-981.

Wurzinger, P., C. Platzer, C. Ludl, E. Kirda and C. Kruegel, 2009. SWAP: Mitigating XSS attacks using a reverse proxy. Proceedings of the Workshop on Software Engineering for Secure Systems, May 19, 2009, Vancouver, BC, Canada, pp: 33-39.

Xiao, W., J. Sun, H. Chen and X. Xu, 2014. Preventing client side XSS with rewrite based dynamic information flow. Proceedings of the 2014 6th International Symposium on Parallel Architectures, Algorithms and Programming (PAAP), July 13-15, 2014, IEEE, Changsha, China, ISBN:978-1-4799-3845-2, pp: 238-243.

Zhang, Q., H. Chen and J. Sun, 2010. An execution-flow based method for detecting cross-site scripting attacks. Proceedings of the 2nd International Conference on Software Engineering and Data Mining, June 23-25, 2010, Chengdu, China, pp: 160-165.

Zheng, Y. and X. Zhang, 2013. Path sensitive static analysis of web applications for remote code execution vulnerability detection. Proceedings of the 2013 International Conference on Software Engineering, May 18-26, 2013, IEEE Press, San Francisco, California, USA, ISBN:978-1-4673-3076-3, pp: 652-661.
