Department of Computer Science and Information Systems
CSSXC: Context-sensitive Sanitization Framework for Web Applications against XSS Vulnerabilities in Cloud Environments
(Elsevier, 2016) Gupta, Shashank
This paper presents a context-sensitive sanitization-based XSS defensive framework for the cloud environment. It discovers all the hidden injection points in HTML5-based web applications deployed on cloud platforms and sanitizes the XSS attack payloads injected at such points in a context-sensitive manner. Identifying such injection points allows the technique to retrieve every reachable web page of the application, enabling a wider exploration and accelerating the process of applying sanitizers to the untrusted variables of the web application. The XSS attack mitigation capability of the framework was evaluated on web applications deployed for cloud users in the cloud environment. The experimental results show that the technique detects XSS attack payloads with a minimal false-negative rate and low runtime overhead.

Cross-site scripting (XSS) worms in Online Social Network (OSN): Taxonomy and defensive mechanisms
(IEEE, 2016) Gupta, Shashank
The propagation of XSS worms on social networking sites such as Twitter, LinkedIn and Facebook has seen exponential growth in the modern era of Web 2.0 technology. According to a recent survey, 43% of web applications are vulnerable to XSS worms. Such alarming growth of XSS worms has raised serious security and privacy concerns in OSN. This article gives a detailed classification of XSS attacks and presents recent occurrences of XSS attacks on numerous OSN-based web application platforms. Numerous existing XSS defensive solutions for OSN are discussed in order to identify their main contributions and outstanding performance issues. We present the unique security challenges and issues that exist in recent state-of-the-art techniques and, based on this, recommend directions for future work.

Hunting for DOM-Based XSS vulnerabilities in mobile cloud-based online social network
(Elsevier, 2018-02) Gupta, Shashank
This article presents a runtime Document Object Model (DOM) tree generator and nested context-aware sanitization-based framework that alleviates DOM-based XSS vulnerabilities in mobile cloud-based OSN. The framework executes in two modes: offline and online. The offline mode captures all the traces of the web application's modules and transforms those traces into a static DOM tree for the extraction of benign script nodes. The legitimate script content embedded in such nodes is recorded in a whitelist of scripts. The online mode detects the injection of untrusted script content into the DOM tree generated at runtime. This is done by matching the script content embedded in this DOM tree against the whitelist of script code generated in offline mode. Any deviation observed in the script content is flagged as the injection of malicious script content into the dynamically generated DOM tree. This mode also identifies the different contexts of malicious variables embedded in such scripts and applies nested context-sensitive sanitization to them. The prototype of the mobile cloud-based framework was developed in Java, and its components were integrated into the iCanCloud simulator by creating different virtual machines with proper link-to-link connectivity. Experimental testing and performance evaluation were carried out on open-source OSN websites hosted on the virtual cloud servers. Evaluation results show that the framework is capable of detecting the injection of untrusted/malicious script into the dynamically generated DOM tree with very low rates of false positives and false negatives and with acceptable performance overhead.

A client-server JavaScript code rewriting-based framework to detect the XSS worms from online social network
(Wiley, 2018-05) Gupta, Shashank
This article presents a client-server JavaScript code rewriting-based framework that protects and preserves the privacy of online users against XSS worms on Online Social Network (OSN). The server side generates an estimation graph, which is explored to extract the JavaScript code and move that code into a separate file. This move completely isolates the untrusted JavaScript code from the data. The client side performs runtime monitoring of the dynamic JavaScript code to recognize the tainted flow of untrusted JavaScript variables. The context of each dynamic tainted variable is determined so that string analysis can examine whether it constitutes a vulnerable point. Finally, a decoding operation is performed on the obfuscated malicious JavaScript code and on the JavaScript code embedded in the parameter values of the HTTP request. If a match is found, an XSS attack vector is present; otherwise, it is not. The authors developed their prototype on the Java development framework and evaluated the malicious script alleviation capability of the proposed work on test web applications (Humhub, Elgg, WordPress, Joomla, Drupal).

SFC: A Three Layer Smart Phone-Fog-Cloud Framework for Defending Against JavaScript Code Injection Vulnerabilities on OSN
(IEEE, 2018) Gupta, Shashank
This article introduces a Fog-centric model, located between smart phone devices and virtual Cloud Data Centers (CDC), that senses and prevents the exploitation of JavaScript code injection vulnerabilities on Online Social Network (OSN). The offline CDC statically computes the features of clustered, sanitized, compressed patterns of JavaScript attack vectors embedded in HTTP response messages and injects them into the online edge servers of the Fog Computing network. The online edge web server dynamically recomputes the features of the JavaScript code and compares them with the features calculated statically in offline mode. Any discrepancy observed in these features signals the injection of malicious script code on the edge server. The prototype of the Fog-centric framework was developed in Java and installed on the offline virtual machines of the Cloud platform and the online edge servers of the Fog computing architecture. The online evaluation results show that the framework's JavaScript attack vector detection rate is high, with tolerable rates of False Negatives (FNs) and False Positives (FPs) and lower overall performance overhead during peak load of sanitized HTTP response generation on the fog nodes.

Nested context-aware sanitisation and feature injection in clustered templates of JavaScript worms on the cloud-based OSN
(Inderscience, 2020) Gupta, Shashank
This article presents an enhanced JavaScript feature-injection-based framework that obstructs the execution of cross-site scripting (XSS) worms on the virtual machines of a cloud-based online social network (OSN). It calculates the features of clustered, sanitised, compressed templates of JavaScript attack vectors embedded in HTTP response messages. Any variation observed in this JavaScript feature set indicates the injection of XSS worms on the cloud-based OSN server. The injected worms then undergo nested context-aware sanitisation for safe interpretation on the web browser. The prototype of the framework was developed in Java and installed in the virtual machines of the cloud environment. The experimental evaluation of the framework was performed on OSN-based web applications deployed on the cloud platform. Performance analysis revealed that the framework detects the injection of malicious JavaScript code with a low false-negative rate and acceptable performance overhead.