XSS Research Directions

By: Pooja

Indeed, there exists multitude of research work in the field of XSS attack detection and mitigation from the web application of different domains including social networks, blogs, CMS, and so on. Nevertheless, this article shed some light on the future research directions that will help researchers/developers to design robust defensive approaches.

These are discussed below:

Less Attention towards new type of XSS attack: Although much work has been accomplished in the field of XSS attack but most of them are focused on the detection of older types of XSS i.e., stored and reflected. Less focus is made towards the detection and mitigation of new form of XSS i.e., DOM-based XSS and mutation XSS. Therefore, it is the demand of the hour to design techniques that can effectively defend against.
Inappropriate Differentiation: Currently, web applications are developed using highly dynamic programming languages like JavaScript and attackers also mostly craft malicious scripts using JavaScript only. To prevent against XSS, web browser cannot simply block JavaScript as it supports genuine features of the web application. To achieve this, some technique has been developed to differentiate between benign and malicious JavaScript code. However, attacker uses obfuscation approach to inject malicious JavaScript code into the web applications. Consequently, it has become a tedious task to discriminate benign and malicious code. Therefore, researchers must incorporate such techniques that can accurately differentiate between benign and malicious code.
Improper Handling of Partial Script Injection: Formerly, attackers use full length malicious JavaScript code to trigger XSS. But, defensive techniques can easily identify them by using string matching algorithm that performs exact matching. Therefore, attacker exploits partial script injection approach to inject malicious script. Nevertheless, only few techniques existed that can identify partial script injection (modification of benign script) to detect XSS attack. Thus, techniques must incorporate the mechanisms to perform partial script injection detection to mitigate XSS attack completely.
Inappropriate Context Determination: It is must to identify the right context of the input location where an attacker injects the malicious JavaScript code. It is done to determine the correct sanitization routine/API that can be applied onto the malicious scripts as per their context. Techniques are designed that are using sanitization method but identification of context is not completed in correct manner. Moreover, nested context determination is achieved by few techniques. Therefore, most of the inner/nested context of vulnerable variables is uncovered with the sanitization routines that lead to the exploitation of XSS worms. The XSS defensive technique must incorporate a mechanism of determining the nested context of such malicious variables and must perform the accurate placement of sanitization routines in such contexts.
Incompetent Sanitization Support for New HTML5 Features: Presently, contemporary web applications are designed using the HTML5 features. It provides greater functionalities and aesthetics to the web applications. However, it introduces some new tags and attributes (such as <video>, <source>, <autofocus>, etc.) which can be utilized for creating new XSS attack vectors.

<video><source onerror=”alert(1)”></video>

The modern web browsers or existing XSS filters does not check for this HTML5 attack vector. A simple popup window will appear with message „1‟ on the screen. Therefore, a robust XSS defensive solution is the need of the hour that will detect and introduce an effective mechanism of sanitizing/filtering the HTML5 XSS attack vectors.

References

Weinberger, J., Saxena, P., Akhawe, D., Finifter, M., Shin, R., & Song, D. (2011, September). A systematic analysis of XSS sanitization in web application frameworks. In European Symposium on Research in Computer Security (pp. 150-171). Springer, Berlin, Heidelberg.
Sarmah, U., Bhattacharyya, D. K., & Kalita, J. K. (2018). A survey of detection methods for XSS attacks. Journal of Network and Computer Applications, 118, 113-143.
Deepa, G., & Thilagam, P. S. (2016). Securing web applications from injection and logic vulnerabilities: Approaches and challenges. Information and Software Technology, 74, 160-180.
Rodríguez, G. E., Torres, J. G., Flores, P., & Benavides, D. E. (2020). Cross-site scripting (XSS) attacks and mitigation: A survey. Computer Networks, 166, 106960.
Klein, A. (2005). DOM based cross site scripting or XSS of the third kind. Web Application Security Consortium, Articles, 4, 365-372.
Gupta, B. B., & Chaudhary, P. (2020). Cross-site Scripting Attacks: Classification, Attack, and Countermeasures. CRC Press.
Lin, A. W., & Barceló, P. (2016, January). String solving with word equations and transducers: towards a logic for analysing mutation XSS. In Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (pp. 123-136).
Shar, L. K., & Tan, H. B. K. (2013). Predicting SQL injection and cross site scripting vulnerabilities through mining input sanitization patterns. Information and Software Technology, 55(10), 1767-1780
Kaur, G., Pande, B., Bhardwaj, A., Bhagat, G., & Gupta, S. (2018, January). Defense against HTML5 XSS attack vectors: a nested context-aware sanitization technique. In 2018 8th International Conference on Cloud Computing, Data Science & Engineering (Confluence) (pp. 442-446). IEEE.
Pelizzi, R., & Sekar, R. (2012, May). Protection, usability and improvements in reflected XSS filters. In proceedings of the 7th ACM Symposium on Information, Computer and Communications Security (pp. 5-5).

Cite this article:

Pooja (2021), XSS Research Directions. Insights2Techinfo, pp. 1

98810cookie-checkXSS Research Directions

Post Views: 546

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

XSS Research Directions

2 thoughts on “XSS Research Directions”

Leave a Reply Cancel reply

Detecting and Preventing Phishing Attacks in IoT-Based Smart Healthcare Systems

Data-Driven Insights into Rare Disease Diagnosis and Treatment with AI

Genetic Algorithms and Data Analytics for Cybersecurity in Phishing and Blockchain Systems

Machine Learning in Biometric Security Systems

The Role of AI and Machine Learning in Cloud Storage

How AI is Revolutionizing Cyber Forensics

Blockchain-Enabled Security: Revolutionizing Data Protection

Deep Learning in Cybersecurity: From Prediction to Prevention

Harnessing Machine Learning for Advanced Cyber Threat Detection

AI-Driven Security: Revolutionizing Cyber Protection in a Hyper-Connected World

From Data to Defense: Machine Learning’s Role in Modern Cybersecurity