MITIGATION OF XSS USING SIGNATURE BASED MODEL ON SERVER SIDE SEMINAR BY Dhanashree Waikar Abhijeet Kate Shailesh Khachane GUIDED BY Mrs. M.A. Pradhan (Head Of Department)

XSS ? ? ? ? (Cross Site Scripting) Allow code injection by malicious web users XSS attacks the end user -- it runs arbitrary code in their browser. The browser is behind your firewall and is acting within the user’s security context

Allow code injection by malicious web users

XSS attacks the end user -- it runs arbitrary code in their browser.

The browser is behind your firewall and is acting within the user’s security context

JavaScript power JavaScript can control what appears on screen. JavaScript has access to your history. Sites often store session tokens in GET request. JavaScript can intercept cookies. JavaScript can enumerate your network.

JavaScript can control what appears on screen.

JavaScript has access to your history.

Sites often store session tokens in GET request.

JavaScript can intercept cookies.

JavaScript can enumerate your network.

EXAMPLE Code:- <script>alert(&quot;/XSS&quot;/)</script> <script>alert(&quot;XSS&quot;)</script> <script>alert(&quot;XSS&quot;)</script>; <script>alert(String.fromCharCode(88,83,83))</script> Effect

Code:- <script>alert(&quot;/XSS&quot;/)</script> <script>alert(&quot;XSS&quot;)</script> <script>alert(&quot;XSS&quot;)</script>; <script>alert(String.fromCharCode(88,83,83))</script>

Effect

Available options to prevent XSS attacks Signature Based Positive signature Negative signature Behavior based Client side or server side

Signature Based

Positive signature

Negative signature

Behavior based

Client side or server side

Signature based model Prevention using negative signature based model Configurable black listed tags Placed at the top most layer of the web application. Recognized attacks are blocked

Prevention using negative signature based model

Configurable black listed tags

Placed at the top most layer of the web application.

Recognized attacks are blocked

Modules for xss prevation Blocker Parser Validator Tag cluster

Blocker

Parser

Validator

Tag cluster

Blocker Checks for the existence of special characters For example ‘<’, ‘>’, ‘%’, ‘&’, ‘\’, ‘&#’ are few of the special characters used to embed JavaScript functions in the tags Blocker is responsible to allow or to reject the input string from the user According to the status which it receives from validator

Blocker

Checks for the existence of special characters

For example ‘<’, ‘>’, ‘%’, ‘&’, ‘\’, ‘&#’ are few of the special characters used to embed JavaScript functions in the tags

Blocker is responsible to allow or to reject the input string from the user

According to the status which it receives from validator

Parser Called by the Blocker Breaks the input into multiple tokens, as tags and attributes Stores it as a element in a vector object The vector object created by the parser component which invokes the validator For <img src=http://www.sample.com/image1.gif> The vector elements are img, src=http://www.sample.com/image1.gif

Parser

Called by the Blocker

Breaks the input into multiple tokens, as tags and attributes

Stores it as a element in a vector object

The vector object created by the parser component which invokes the validator

For <img src=http://www.sample.com/image1.gif>

The vector elements are

img, src=http://www.sample.com/image1.gif

Validator Checks input for vulnarability by executing the rules using the tag cluster Compares tags or attributes of input script If mached then marked as vulnabrable Verifier() detectMalicious()

Validator

Checks input for vulnarability by executing the rules using the tag cluster

Compares tags or attributes of input script

If mached then marked as vulnabrable

Verifier()

detectMalicious()

Tag cluster The prohibited tags and the prohibited attributes of tags are categorized as black listed cluster Rules for vulnerability identification

Tag cluster

The prohibited tags and the prohibited attributes of tags are categorized as black listed cluster

Rules for vulnerability identification

Flow diagram

Flow diagram

Future Enhancements modular based . Modules for Other web application attacks can be added easily. E.g. sql injection, Buffer-overflow attacks Updates can be provided for the tag cluster

modular based .

Modules for Other web application attacks can be added easily.

E.g. sql injection, Buffer-overflow attacks

Updates can be provided for the tag cluster

Limitations Only known attacks can be blocked Web application’s response performance is reduced.

Only known attacks can be blocked

Web application’s response performance is reduced.

Conclusion The presented server side solution approach meets the need to protect the web Applications with the perspective to improve the response time while addressing the XSS attacks

The presented server side solution

approach meets the need to protect the web

Applications with the perspective to improve the response time while addressing the XSS attacks

References 1. G. A. Di Lucca, A. R. Fasolino, M. Mastoianni, P. Tramontana, &quot;Identifying Cross Site Scripting Vulnerabilities in Web Applications,&quot; Sixth IEEE International Workshop on Web Site Evolution(WSE'04) , pp. 71-80, , 2004. 2. M. M. Burnett and J. C. Foster, “Hacking the Code: ASP.NET Web Application Security,” Chapter 5 - Filtering User Input, Syngress Publishing © 2004 3. Scott, D., Sharp, R. “Developing Secure Web Applications.” IEEEInternet Computing, 6(6), pp. 38-45, Nov 2002. 4. Jin-Cherng Lin, Jan-Min Chen, &quot;An Automatic Revised Tool for Anti-Malicious Injection,&quot; cit, p. 164, Sixth IEEE International Conference on Computer and Information Technology (CIT'06), 2006. 5. Zhendong Su, Gary Wassermann, “The essence of command injection attacks in web applications,” Annual Symposium on Principles of Programming Languages, Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles 6. Christopher Krugel, G.Vigna, William Robertson, “A multimodel approach to the detection of web based attacks,”Computer Networks 48 (2005) pp.717-738 – ELSEVIER, 2005.

1. G. A. Di Lucca, A. R. Fasolino, M. Mastoianni, P. Tramontana, &quot;Identifying Cross Site Scripting Vulnerabilities in Web Applications,&quot; Sixth IEEE International Workshop on Web Site Evolution(WSE'04) , pp. 71-80, , 2004.

2. M. M. Burnett and J. C. Foster, “Hacking the Code: ASP.NET Web Application Security,” Chapter 5 - Filtering User Input, Syngress Publishing © 2004

3. Scott, D., Sharp, R. “Developing Secure Web Applications.” IEEEInternet Computing, 6(6), pp. 38-45, Nov 2002.

4. Jin-Cherng Lin, Jan-Min Chen, &quot;An Automatic Revised Tool for Anti-Malicious Injection,&quot; cit, p. 164, Sixth IEEE International Conference on Computer and Information Technology (CIT'06), 2006.

5. Zhendong Su, Gary Wassermann, “The essence of command injection attacks in web applications,” Annual Symposium on Principles of Programming Languages, Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles

6. Christopher Krugel, G.Vigna, William Robertson, “A multimodel approach to the detection of web based attacks,”Computer Networks 48 (2005) pp.717-738 – ELSEVIER, 2005.

Thank you We would like to specially thank Mrs. M. A. Pradhan madam , Mrs. Vaishali Vairale madam, and all respected teachers for their continuous help and support.

We would like to specially thank

Mrs. M. A. Pradhan madam ,

Mrs. Vaishali Vairale madam,

and all respected teachers for

their continuous help and support.

THANK YOU

THANK YOU

QUESTIONS

QUESTIONS