Towards Cross-site Scripting Vulnerability Detection in Mobile Web Applications

 
 
 
  • Abstract
  • Keywords
  • References
  • PDF
  • Abstract


    Cross-site scripting vulnerabilities are among the top ten security vulnerabilities affecting web applications for the past decade and mobile version web applications more recently. They can cause serious problems for web users such as loss of personal information to web attackers, including financial and health information, denial of service attacks, and exposure to malware and viruses. Most of the proposed solutions focused only on the Desktop versions of web applications and overlooked the mobile versions. Increasing use of mobile phones to access web applications increases the threat of cross-site scripting attacks on mobile phones. This paper presents work in progress on detecting cross-site scripting vulnerabilities in mobile versions of web applications. It proposes an enhanced genetic algorithm-based approach that detects cross-site scripting vulnerabilities in mobile versions of web applications. This approach has been used in our previous work and successfully detected the said vulnerabilities in Desktop web applications. It has been enhanced and is currently being tested in mobile versions of web applications. Preliminary results have indicated success in the mobile versions of web applications also. This approach will enable web developers find cross-site scripting vulnerabilities in the mobile versions of their web applications before their release.

     

     


  • Keywords


    Cross-site scripting; cross-site scripting vulnerability; software security; software testing; vulnerability detection.

  • References


      [1] OWASP, Cross-site Scripting (XSS) - OWASP, OWASP Foundation, 2016. Available online: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS). Accessed: January 26, 2017.

      [2] S. Vonnegut, XSS: The Definitive Guide to Cross-Site Scripting Prevention, Checkmarx.com, 2015. Available online: https://www.checkmarx.com/2015/04/14/xss-the-definitive-guide-to-cross-site-scripting-prevention/. Accessed: January 26, 2017.

      [3] A. Javed and J. Schwenk (2014), Towards Elimination of Cross-Site Scripting on Mobile Versions of Web Applications, in 14th WISA: International Workshop on Information Security Applications, vol. LNCS 8267, pp. 103–123.

      [4] Y. L. Chen, H. M. Lee, A. B. Jeng, and T. E. Wei (2015), DroidCIA: A novel detection method of code injection attacks on HTML5-based mobile apps, in Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015, vol. 1, pp. 1014–1021.

      [5] OWASP, Mobile Top 10 2014-M7 - OWASP, OWASP Foundation, 2014. Available online: https://www.owasp.org/index.php/Mobile_Top_10_2014-M7. Accessed: January 26, 2017.

      [6] S. Shah (2012), HTML5 Top 10 Threats - Stealth Attacks and Silent Exploits, in BlackHat USA 2012, pp. 1–21.

      [7] I. Hydara, A. B. M. Sultan, H. Zulzalil, and N. Admodisastro (2014), An Approach for Cross-Site Scripting Detection and Removal Based on Genetic Algorithms, in ICSEA 2014 : The Ninth International Conference on Software Engineering Advances, no. November 2014, pp. 227–232.

      [8] OWASP, XSS (Cross Site Scripting) Prevention Cheat Sheet, OWASP Foundation, 2016. Available online: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet. Accessed: January 26, 2017.

      [9] OWASP, DOM based XSS Prevention Cheat Sheet, OWASP Foundation, 2017. Available online: https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet. Accessed: October 9, 2017.

      [10] OWASP, OWASP ModSecurity Core Rule Set (CRS), OWASP Foundation, 2016. Available online: https://modsecurity.org/crs/. Accessed: January 26, 2017].

      [11] G. Dong, X. Wang, P. Wang, and L. Liu (2014), Detecting Cross Site Scripting Vulnerabilities Introduced by HTML5, in 11th International Joint Conference on Computer Science and Software Engineering, pp. 319–323.

      [12] P. Mutchler, A. Doupe, J. Mitchell, C. Kruegel, and G. Vigna (2015), A Large-Scale Study of Mobile Web App Security, Mob. Secur. Technol. 2015.

      [13] G. Kaur, B. Pande, A. Bhardwaj, G. Bhagat, and S. Gupta (2018), Efficient yet Robust Elimination of XSS Attack Vectors from HTML5 Web Applications Hosted on OSN-Based Cloud Platforms, Procedia Comput. Sci., vol. 125, pp. 669–675.

      [14] R. Wang, G. Xu, X. Zeng, X. Li, and Z. Feng (2017), TT-XSS: A novel taint tracking based dynamic detection framework for DOM Cross-Site Scripting, J. Parallel Distrib. Comput., pp. 4–10.

      [15] L. K. Shar and H. B. K. Tan (2012), Automated removal of cross site scripting vulnerabilities in web applications, Inf. Softw. Technol., vol. 54, no. 5, pp. 467–478.

      [16] I. Hydara, A. B. Sultan, H. Zulzalil, and N. Admodisastro (2015), Cross-Site Scripting Detection Based on an Enhanced Genetic Algorithm, Indian J. Sci. Technol. ISSN, vol. 8, no. 30, pp. 1–7.

      [17] A. Avancini and M. Ceccato (2013), Circe: A grammar-based oracle for testing Cross-site scripting in web applications, in Proceedings - Working Conference on Reverse Engineering, WCRE, pp. 262–271.

      [18] M. A. Ahmed and F. Ali (2016), Multiple-path testing for cross site scripting using genetic algorithms, J. Syst. Archit., vol. 64, pp. 50–62.

      [19] A. Avancini and M. Ceccato (2010), Towards Security Testing with Taint Analysis and Genetic Algorithms, in Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems, no. Section 5, pp. 65–71.

      [20] B. Shuai, M. Li, H. Li, Q. Zhang, and C. Tang (2013), Software vulnerability detection using genetic algorithm and dynamic taint analysis, 2013 3rd Int. Conf. Consum. Electron. Commun. Networks, pp. 589–593.

      [21] T. Weise, Global Optimization Algorithms – Theory and Application –, 2nd Ed. 2009. pp. 1-820.

      [22] S. H. Aljahdali, A. S. Ghiduk, and M. El-Telbany (2010, The limitations of genetic algorithms in software testing, ACS/IEEE Int. Conf. Comput. Syst. Appl. - AICCSA 2010, pp. 1–7.

      [23] A. Rathore (2011), Application of Genetic Algorithm and Tabu Search in Software Testing, in Proceedings of the Fourth Annual ACM Bangalore Conference, pp. 1–4.

      [24] P. R. Srivastava and T. Kim (2009), Application of Genetic Algorithm in Software Testing, Intenational J. Softw. Eng. Its Appl., vol. 3, no. 4, pp. 87–96.

      [25] Z. Banković, D. Stepanović, S. Bojanić, and O. Nieto-Taladriz (2007), Improving network security using genetic algorithm approach, Comput. Electr. Eng., vol. 33, no. 5–6, pp. 438–451.

      [26] A. B. . A. Al Islam, M. A. Azad, M. K. Alam, and M. S. Alam (2007), Security Attack Detection using Genetic Algorithm (GA) in Policy Based Network, 2007 Int. Conf. Inf. Commun. Technol., pp. 341–347.

      [27] JGAP, JGAP: Java Genetic Algorithms Package, 2016. Available online: http://jgap.sourceforge.net/. Accessed: December 29, 2016.


 

View

Download

Article ID: 19484
 
DOI: 10.14419/ijet.v7i4.1.19484




Copyright © 2012-2015 Science Publishing Corporation Inc. All rights reserved.