Security of Web Applications From Cross Site Scripting Attacks on Browser Side
Abstract
Cross-site scripting (XSS) has been known to be the most common and serious attack against web-based services. The confidentiality of browsers has been compromised in many ways because they support the execution of embedded scripts. Since sites can be attacked through this capability, attackers have the capacity to take control of sites through cross-site scripting attacks. How to combat and prevent these attacks has to be looked at seriously. With this in mind I have come up with a tool to detect and deter these attacks, and I elaborate how well, overall, we can solve the problem with a tool that deals with cross-site scripting attacks.

The web has developed from static sites to dynamic sites, and social media such as Facebook, Twitter and WhatsApp are the leading online interaction sites. The participants in these networks use these maliciously injected script codes without knowing. Current browsers are very limited in detecting the attacks, and hence tools need to be developed to deal with this problem on the browser side. The tool is developed using Python and Java to deal with the attacks. In this work I have come up with a tool that is secure, lightweight and fast in detecting malicious code that appears within a script. The project specifically looks at the gap, builds and tests the components of the tool, and evaluates the tool's performance, reliability and accuracy as compared with other tools.

This project tries to answer most of the commonly asked questions: is it possible to stop XSS attacks in a more secure and easy way, what do the current tools offer, what are the shortfalls of these tools and of previous research, and can we develop a secure and light tool that can be incorporated within the web service scripts to reduce the overhead load associated with current tools? The project covers the area of XSS-related attacks, particularly on the client side of the browser, malicious attacks and the input area.

In this project the research design method used is design science. Design science is an outcome-based information technology research methodology which offers specific guidelines for evaluation and iteration within research projects. With the project's intent of having a functional algorithm and an artifact, this design method best suits this project.

The XSS tool will be based on other tools that have crawling, attack and analysis components. The crawling component looks for pages within the web application. It acts as the scanner, and if it is poor then it will miss major vulnerabilities; this component is the most crucial part, since it must get all the pages within the web application. The attack component scans and extracts all links that are within the web application and then all the page forms which have URL parameters, and injects some patterns of attack. The patterns have parameters that can be either part of the HTTP POST request or of the URL query string; the two are not hard to exploit and can be so easily attacked. The analysis component examines the server's response and uses attack-specific keywords and patterns to determine how successful the attack was. An attack vector consists of JavaScript code that is encoded into an algorithm and is reflected in the embedded HTTP response.

The sampling process involves the acquisition of known and reported attacks from websites that keep archives of these attacks. The sampling involved using random data reported year by year, because the attacks evolve over time and hence this random collection achieved the best procedure. The results indicated over 85% accuracy in detection. This was quite impressive since the tool is more client-side oriented and these attacks originate from different areas with diverse attack patterns.

In conclusion, the project has strong grounds for developing a tool that is based on the client side and can actually detect the attacks on the client system. This relieves the overload from the servers and allows the developers time to focus on the development of the systems and leave the security to the clients. The recommendation for future development of tools that effectively detect and deter XSS attacks is that they should consider the overload associated with having the tools on the server side as opposed to the client side. The XSS tool developed in this work is over 85% effective, from the tests done, and future researchers can and should use this as a base to implement more effective tools.
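Worked example, added here and not part of the thesis or its tool: a minimal analysis component in JavaScript of the kind the abstract describes, written from the detection side. Instead of an attack vector it submits a harmless canary token and classifies a server response by whether the token comes back HTML-encoded, unencoded, or unencoded inside a script element (the case a reflected-XSS detector is looking for). The encoding function beside it is the mitigation that makes the response safe. The canary value, the sample responses, and the function names are all constructed for this example.

```javascript
// Added example (not from the thesis): a minimal "analysis component".
// A benign, unique canary token is sent as a request parameter; the HTTP
// response body is then searched for that token and classified by how it
// came back. Reflection that preserves the raw token unencoded means the
// page renders attacker-controlled input verbatim. All inputs are constructed
// in-line so the example runs offline.

const CANARY = "xsscanary7f3a"; // constructed, harmless marker; no markup in it

// The probe wraps the canary in a quote and angle brackets so the response
// shows whether those characters survive unencoded. It is not a script; its
// only purpose is to reveal the output encoding the page applies.
const PROBE = `"<${CANARY}>`;

// Mitigation side: encode a string for safe insertion into HTML text or
// attribute values. A server that encodes like this reflects the probe as
// harmless text.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Count non-overlapping occurrences of `needle` in `haystack`.
function countOccurrences(haystack, needle) {
  return haystack.split(needle).length - 1;
}

// Classify one response body. Returns an object with the raw and encoded hit
// counts and a verdict:
//   "not-reflected"     the canary never appears
//   "encoded"           it appears, but only with '"' and '<' HTML-encoded
//   "unencoded"         the raw probe appears in HTML text
//   "unencoded-script"  the raw probe appears inside a <script> element
function analyseResponse(body) {
  const rawHits = countOccurrences(body, PROBE);
  const encodedHits = countOccurrences(body, htmlEncode(PROBE));
  let verdict = "not-reflected";
  if (rawHits > 0) {
    verdict = "unencoded";
    // Script content is the most dangerous reflection context.
    const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
    let m;
    while ((m = scriptRe.exec(body)) !== null) {
      if (m[1].includes(PROBE)) {
        verdict = "unencoded-script";
        break;
      }
    }
  } else if (encodedHits > 0 || body.includes(CANARY)) {
    verdict = "encoded";
  }
  return { rawHits, encodedHits, verdict };
}

// Constructed server-side renderer that applies the mitigation: user input is
// always passed through htmlEncode() before being placed in the page.
function renderSafely(userInput) {
  return `<p>Search results for ${htmlEncode(userInput)}</p>`;
}

// Constructed sample responses, one per verdict.
const SAMPLE_RESPONSES = {
  safe: `<p>Search results for &quot;&lt;${CANARY}&gt;</p>`,
  text: `<p>Search results for "<${CANARY}></p>`,
  script: `<script>var q = ""<${CANARY}>";</script>`,
  none: `<p>No results</p>`,
};

// Run the classifier over every sample and return a name -> verdict map.
function runSamples() {
  const out = {};
  for (const [name, body] of Object.entries(SAMPLE_RESPONSES)) {
    out[name] = analyseResponse(body).verdict;
  }
  return out;
}

console.log(runSamples());
console.log("renderSafely:", analyseResponse(renderSafely(PROBE)).verdict);
```

The canary approach is what lets a client-side checker stay light: it needs no catalogue of attack vectors to decide whether a page reflects input unencoded, only the token it sent and the response it got back. The verdict "unencoded-script" is the one worth surfacing first, since reflection inside a script element leaves no further encoding step to rely on.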
Publisher
University of Nairobi
Subject
Security of Web Applications
Rights
Attribution-NonCommercial-NoDerivs 3.0 United States
Usage Rights
http://creativecommons.org/licenses/by-nc-nd/3.0/us/