http://dx.doi.org/10.3837/tiis.2021.10.015

Assessment of Dynamic Open-source Cross-site Scripting Filters for Web Application  

Talib, Nurul Atiqah Abu (Computer Science and Engineering, Hanyang University ERICA)
Doh, Kyung-Goo (Computer Science and Engineering, Hanyang University ERICA)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS), vol. 15, no. 10, 2021, pp. 3750-3770
Abstract
This study investigates open-source dynamic XSS filters used as security devices in web applications, in order to assess how effectively such filters protect against XSS attacks. The experiment involves twelve representative filters, each examined individually by placing it in the final output function of a custom-built single-input-form web application. To assess how well the filters perform their two tasks, sanitizing XSS payloads and preserving benign payloads, a black-box testing method is applied using an automated XSS testing framework. The results for malicious and benign payloads reveal an important trade-off between these two tasks. Filters that only check for dangerous or safe elements tend not to validate the values those elements carry; as some safe values are treated as dangerous, the benign payload loses its function along the way. For the filters to be more effective, it is suggested that they validate the respective values of malicious and benign payloads, thus minimizing the trade-off. This assessment provides insight into which filters can be used to mitigate XSS threats, including possible configurations that improve their handling of both malicious and benign payloads.
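As an added illustration of the trade-off the abstract describes, the JavaScript below is a miniature version of the study's black-box setup: three toy allowlist filters are placed at the output point of a one-field form and each is scored on how many malicious payloads it neutralises and how many benign payloads it returns unchanged. This harness is constructed for this page; it is not the paper's testing framework, nor the code of any of the twelve filters evaluated. The payload lists, the three filters, and the regex oracle that stands in for the paper's browser-driven detection are all assumptions of the example.

```javascript
// Added example (not code from the paper or from any of the twelve filters it
// evaluated): a miniature black-box harness in the spirit of the study. Three
// toy filters are placed at the output point of a one-field form and each is
// scored on (a) malicious payloads it neutralises and (b) benign payloads it
// returns unchanged. Payloads, filters and the oracle are all constructed here.

const ALLOWED_TAGS = new Set(["a", "b", "i", "p", "img"]);
const ALLOWED_ATTRS = { a: ["href", "title"], img: ["src", "alt"] };

// Encode text so it cannot break out of an attribute value.
function encode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Split a tag's attribute string into [name, value] pairs.
const ATTR_RE = /([a-zA-Z-]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
function parseAttrs(s) {
  return [...s.matchAll(ATTR_RE)].map(m => [m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? ""]);
}

// Scheme allowlist for URL-bearing attributes. Browsers ignore ASCII case and
// leading/embedded control characters in the scheme, so normalise the same way.
function safeUrl(value) {
  const u = value.replace(/[\x00-\x20]/g, "").toLowerCase();
  if (!/^[a-z][a-z0-9+.-]*:/.test(u)) return true; // no scheme: relative URL
  return /^https?:/.test(u);
}

// Shared driver: rebuild markup from the element/attribute-name allowlist.
// `valueOk(tag, name, value)` is the only place attribute VALUES are inspected.
// The regex tokeniser is deliberately simple; it is not a full HTML parser.
const TAG_RE = /<\s*(\/?)([a-zA-Z0-9]+)([^>]*)>/g;
function sanitize(html, valueOk) {
  return html.replace(TAG_RE, (_, close, rawTag, rawAttrs) => {
    const tag = rawTag.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return "";
    if (close) return `</${tag}>`;
    const attrs = parseAttrs(rawAttrs)
      .filter(([n, v]) => (ALLOWED_ATTRS[tag] || []).includes(n) && valueOk(tag, n, v))
      .map(([n, v]) => ` ${n}="${encode(v)}"`)
      .join("");
    return `<${tag}${attrs}>`;
  });
}

const URL_ATTRS = ["href", "src"];
const FILTERS = {
  // Checks only element and attribute names; never looks at a value.
  elementOnly: html => sanitize(html, () => true),
  // Treats every URL-bearing attribute as dangerous and drops it outright.
  dropUrls: html => sanitize(html, (_t, n) => !URL_ATTRS.includes(n)),
  // Keeps URL-bearing attributes whose VALUE passes the scheme allowlist.
  validateValues: html => sanitize(html, (_t, n, v) => !URL_ATTRS.includes(n) || safeUrl(v)),
};

// Constructed test payloads (not the paper's corpus).
const MALICIOUS = [
  "<script>alert(1)</script>",
  "<img src=x onerror=alert(1)>",
  '<a href="javascript:alert(1)">click</a>',
  '<a href="  JAVA\tSCRIPT:alert(1)">click</a>', // case + whitespace evasion
  "<svg onload=alert(1)>",
];
const BENIGN = [
  "Hello, world!",
  "<b>bold</b> and <i>italic</i>",
  '<a href="https://example.com" title="Example">site</a>',
  '<img src="/images/logo.png" alt="logo">',
  "<p>5 &lt; 10 &amp;&amp; x &gt; 0</p>",
];

// Stand-in for the study's browser-driven oracle: does the filtered output
// still carry an executable construct once whitespace/case tricks are undone?
function stillDangerous(out) {
  const flat = out.replace(/[\x00-\x20]/g, "").toLowerCase();
  return flat.includes("<script") || flat.includes("javascript:") || /[\s"']on[a-z]+\s*=/i.test(out);
}

// Score one filter: malicious payloads neutralised, benign payloads unchanged.
function evaluate(filter) {
  return {
    blocked: MALICIOUS.filter(p => !stillDangerous(filter(p))).length,
    preserved: BENIGN.filter(p => filter(p) === p).length,
    malicious: MALICIOUS.length,
    benign: BENIGN.length,
  };
}

function report() {
  return Object.fromEntries(Object.entries(FILTERS).map(([name, f]) => [name, evaluate(f)]));
}

console.log(JSON.stringify(report(), null, 2));
```

Running it shows the trade-off in numbers: `elementOnly` preserves every benign payload but lets the two `javascript:` links through because it never reads the `href` value; `dropUrls` neutralises everything but strips the benign link and image, so their function is lost; `validateValues` does both because the decision is made on the value against a scheme allowlist rather than on the attribute's name. The oracle and tokeniser are simplifications; the study used a browser-driven framework and a real diffing tool, and a regex tokeniser like this one is exactly what a full HTML parser should replace in production.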
Keywords
Cross-site scripting; filters; open-source; web application; security; assessment