BITS Faculty Publications

Permanent URI for this communityhttp://localhost:4000/handle/123456789/1867

Browse

Filters

2015 - 20175

Settings

Subject: search.filters.subject.Web applications

Search Results

Now showing 1 - 5 of 5
  • No Thumbnail Available
    Item
    BDS: Browser Dependent XSS Sanitizer
    (IGI Global, 2015) Gupta, Shashank
    Cross-Site Scripting (XSS) attack is a vulnerability on the client-side browser that is caused by the improper sanitization of the user input embedded in the Web pages. Researchers in the past had proposed various types of defensive strategies, vulnerability scanners, etc., but still XSS flaws remains in the Web applications due to inadequate understanding and implementation of various defensive tools and strategies. Therefore, in this chapter, the authors propose a security model called Browser Dependent XSS Sanitizer (BDS) on the client-side Web browser for eliminating the effect of XSS vulnerability. Various earlier client-side solutions degrade the performance on the Web browser side. But in this chapter, the authors use a three-step approach to bypass the XSS attack without degrading much of the user's Web browsing experience. While auditing the experiments, this approach is capable of preventing the XSS attacks on various modern Web browsers.
  • No Thumbnail Available
    Item
    JS-SAN: defense mechanism for HTML5-based web applications against javascript code injection vulnerabilities
    (Wiley, 2016-02) Gupta, Shashank
    This paper presents an injection and clustering-based sanitization framework, i.e. JS-SAN (JavaScript SANitizer) for the mitigation of JS code injection vulnerabilities. It generates an attack vector template by performing the clustering on the extracted JS attack vector payloads corresponding to their level of similarity. As a result, it then sanitizes the extracted JS attack vector template by an automated technique of placement of sanitizers in the source code of generated templates of web applications. We have also performed the deepest possible crawling of web pages for finding the possible user-injection points and injected the latest HTML5-based XSS attack vectors for testing the mitigation capability of our framework. The implementation of our design was done on the browser-side JavaScript library and tested as an extension on the Google Chrome. The attack mitigation capability of JS-SAN was evaluated by incorporating the support from a tested suite of open source web applications that are vulnerable to JS code injection vulnerabilities. The proposed framework validates its novelty by producing a less rate of false negatives and tolerable runtime overhead as compared to existing sanitization-based approaches
  • No Thumbnail Available
    Item
    XSS-secure as a service for the platforms of online social network-based multimedia web applications in cloud
    (Springer, 2016-07) Gupta, Shashank
    This article presents a novel framework XSS-Secure, which detects and alleviates the propagation of Cross-Site Scripting (XSS) worms from the Online Social Network (OSN)-based multimedia web applications on the cloud environment. It operates in two modes: training and detection mode. The former mode sanitizes the extracted untrusted variables of JavaScript code in a context-aware manner. This mode stores such sanitized code in sanitizer snapshot repository and OSN web server for further instrumentation in the detection mode. The detection mode compares the sanitized HTTP response (HRES) generated at the OSN web server with the sanitized response stored at the sanitizer snapshot repository. Any variation observed in this HRES message will indicate the injection of XSS worms from the remote OSN servers. XSS-Secure determines the context of such worms, perform the context-aware sanitization on them and finally sanitized HRES is transmitted to the OSN user. The prototype of our framework was developed in Java and integrated its components on the virtual machines of cloud environment. The detection and alleviation capability of our cloud-based framework was tested on the platforms of real world multimedia-based web applications including the OSN-based Web applications. Experimental outcomes reveal that our framework is capable enough to mitigate the dissemination of XSS worm from the platforms of non-OSN Web applications as well as OSN web sites with acceptable false negative and false positive rate.
  • No Thumbnail Available
    Item
    XSS-immune: a Google chrome extension-based XSS defensive framework for contemporary platforms of web applications
    (Wiley, 2016-08) Gupta, Shashank
    In this paper, the authors analyzed and discussed the performance issues in the existing cross-site scripting (XSS) filters and based on that, proposed a JavaScript string comparison and context-aware sanitization-based framework, XSS-immune. It is a browser-resident framework that compares the set of scripts embedded in hypertext transfer protocol request (HREQ) and hypertext transfer protocol response (HRES) for discovering any similar untrusted/malicious JavaScript code. This similar code points towards the untrusted JavaScript code that will be utilized by an attacker to exploit the vulnerabilities of XSS worms. In addition, our technique determines the context of such worms and performs the sanitization on them accordingly for alleviating the effect of such XSS worms from the real world web applications. We have also introduced a mechanism that can detect the injection of malicious parameter values by modifying the existing JavaScript code, that is, partial script injections. The prototype of XSS-immune was developed in Java and installed as an extension on the Google Chrome. In addition, we have verified the implementation of our design of prototype against five open-source XSS attack vector repositories, and very few XSS attack worms were able to evade our proposed design. Experimental evaluation and testing of XSS-immune were performed by adding support from the tested suite of real world web applications. The performance evaluation results revealed that our framework is able to detect the XSS worms with acceptable low false positive and false negative rate in comparison with the performance of existing XSS filters. Experimental results also incurred acceptable runtime overhead because of minor alterations on client-side browser and computationally fast execution of modules deployed in our browser-resident framework.
  • No Thumbnail Available
    Item
    Enhancing the Browser-Side Context-Aware Sanitization of Suspicious HTML5 Code for Halting the DOM-Based XSS Vulnerabilities in Cloud
    (IGI Global, 2017) Gupta, Shashank
    This article presents a cloud-based framework that thwarts the DOM-based XSS vulnerabilities caused due to the injection of advanced HTML5 attack vectors in the HTML5 web applications. Initially, the framework collects the key modules of web application, extracts the suspicious HTML5 strings from the latent injection points and performs the clustering on such strings based on their level of similarity. Further, it detects the injection of malicious HTML5 code in the script nodes of DOM tree by detecting the variation in the HTML5 code embedded in the HTTP response generated. Any variation observed will simply indicate the injection of suspicious script code. The prototype of our framework was developed in Java and installed in the virtual machines of cloud environment on the Google Chrome extension. The experimental evaluation of our framework was performed on the platform of real world HTML5 web applications deployed in the cloud platform.