S. Ravivarman, M.Tech., Department of Networking
0436 SHANMUGASUNDARAM et al: A STUDY ON REMOVAL TECHNIQUES OF CROSS-SITE SCRIPTING FROM WEB APPLICATIONS
<SCRIPT>
// DOM-based XSS example: the page takes the "username" query parameter straight
// out of document.URL and writes it into the document with no encoding at all.
// Offset corrected from the extracted "+5" to the length of "username=" (9 characters).
var pos = document.URL.indexOf("username=") + "username=".length;
document.write(document.URL.substring(pos, document.URL.length));
</SCRIPT>
Welcome you all!
<HTML>
<%-- reads the empidno parameter from the HTTP request --%>
<% String empidno = request.getParameter("empidno"); %>
...
Employee IDNO: <%= empidno %> <%-- output expression reconstructed from the description below; the value is written back without escaping --%>
</HTML>
This JSP code reads the employee ID number (empidno) from an HTTP request sent by a browser and writes it back into the page. XSS is not carried out in a single way; the three kinds of XSS are described in the next part.
For example:
http://portal.example/index.php?sessionid=12312312&username=<script>document.location='http://attackerhost.example/cgi-bin/cookiesteal.cgi?'+document.cookie</script>
For example:
<SCRIPT>document.location='http://attackerhost.example/cgi-bin/cookiesteal.cgi?'+document.cookie</SCRIPT>
C. DOM Based cross site scripting
For example:
<HTML>
<TITLE>Welcome ... </TITLE>Hello
1) Standardize: URL/UTF-7/Unicode/US-ASCII/etc.
B. Data Sanitization
HTML contexts referenced:
C. Output Escaping
inputs are usually
JavaScript (line 2)
URL parameter (line 8)
The propose XSSVs consists user where
A. XSSV Detection
B. XSSV Removal
for (int i = 0; i < chars.length; i++)                      // encode every character of the input as a decimal HTML entity
    newbuf.append("&#").append((int) chars[i]).append(';');  // ';' terminates the numeric character reference
return newbuf.toString();
A. XSSV Detection
C. Building AspectShield
B. Sanitization
A. Tools
Table (tools compared; extraction residue, the check marks did not survive): tools listed are Fiddler, Enable loopback utility, Apache Patches, XSSer and Runtime Enforcement of Web Browsers; columns are Non-Persistent, DOM, and Web Applications (Java/PHP).
Runtime Enforcement of Web Browsers is a mechanism provided by Mozilla that interprets the web applications before execution and performs
DISCUSSION
Table (drawbacks of existing techniques and usability of tools; extraction residue, the check marks did not survive). Columns: TOOL, Vulnerability discussed (Non-Persistent / Stored / DOM), Drawbacks of existing techniques, Usability of tool (Developer side / Client side). Tools: SaferXSS, AspectShield, Apache Patches, XSSer, Fiddler, Enable loopback utility, Ra2 DOM Scanner.
CONCLUSION