Indeed, there exists multitude of research work in the field of XSS attack detection and mitigation from the web application of different domains including social networks, blogs, CMS, and so on. Nevertheless, this article shed some light on the future research directions that will help researchers/developers to design robust defensive approaches.
These are discussed below:
- Less Attention towards new type of XSS attack: Although much work has been accomplished in the field of XSS attack but most of them are focused on the detection of older types of XSS i.e., stored and reflected. Less focus is made towards the detection and mitigation of new form of XSS i.e., DOM-based XSS and mutation XSS. Therefore, it is the demand of the hour to design techniques that can effectively defend against.
- Incompetent Sanitization Support for New HTML5 Features: Presently, contemporary web applications are designed using the HTML5 features. It provides greater functionalities and aesthetics to the web applications. However, it introduces some new tags and attributes (such as <video>, <source>, <autofocus>, etc.) which can be utilized for creating new XSS attack vectors.
The modern web browsers or existing XSS filters does not check for this HTML5 attack vector. A simple popup window will appear with message „1‟ on the screen. Therefore, a robust XSS defensive solution is the need of the hour that will detect and introduce an effective mechanism of sanitizing/filtering the HTML5 XSS attack vectors.
- Weinberger, J., Saxena, P., Akhawe, D., Finifter, M., Shin, R., & Song, D. (2011, September). A systematic analysis of XSS sanitization in web application frameworks. In European Symposium on Research in Computer Security (pp. 150-171). Springer, Berlin, Heidelberg.
- Sarmah, U., Bhattacharyya, D. K., & Kalita, J. K. (2018). A survey of detection methods for XSS attacks. Journal of Network and Computer Applications, 118, 113-143.
- Deepa, G., & Thilagam, P. S. (2016). Securing web applications from injection and logic vulnerabilities: Approaches and challenges. Information and Software Technology, 74, 160-180.
- Rodríguez, G. E., Torres, J. G., Flores, P., & Benavides, D. E. (2020). Cross-site scripting (XSS) attacks and mitigation: A survey. Computer Networks, 166, 106960.
- Klein, A. (2005). DOM based cross site scripting or XSS of the third kind. Web Application Security Consortium, Articles, 4, 365-372.
- Gupta, B. B., & Chaudhary, P. (2020). Cross-site Scripting Attacks: Classification, Attack, and Countermeasures. CRC Press.
- Lin, A. W., & Barceló, P. (2016, January). String solving with word equations and transducers: towards a logic for analysing mutation XSS. In Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (pp. 123-136).
- Shar, L. K., & Tan, H. B. K. (2013). Predicting SQL injection and cross site scripting vulnerabilities through mining input sanitization patterns. Information and Software Technology, 55(10), 1767-1780
- Kaur, G., Pande, B., Bhardwaj, A., Bhagat, G., & Gupta, S. (2018, January). Defense against HTML5 XSS attack vectors: a nested context-aware sanitization technique. In 2018 8th International Conference on Cloud Computing, Data Science & Engineering (Confluence) (pp. 442-446). IEEE.
- Pelizzi, R., & Sekar, R. (2012, May). Protection, usability and improvements in reflected XSS filters. In proceedings of the 7th ACM Symposium on Information, Computer and Communications Security (pp. 5-5).
Cite this article:
Pooja (2021), XSS Research Directions. Insights2Techinfo, pp. 1