检索结果-内蒙古大学图书馆

Hunting for DOM-Based XSS vulnerabilities in mobile cloud-based online social network

FUTURE GENERATION COMPUTER SYSTEMS-THE INTERNATIONAL JOURNAL OF ESCIENCE 2018年第Part1期79卷 319-336页

作者： Gupta, Shashank Gupta, B. B. Chaudhary, Pooja Natl Inst Technol Dept Comp Engn Kurukshetra Haryana India

This article presents a runtime Document Object Model (DOM) tree generator and nested context-aware sanitization based framework that alleviates the DOM-based XSS vulnerabilities from the mobile cloud based OSN. The frameworks executes in dual mode: offline and online. The offline mode captures all the traces of modules of web applications and transformed such traces into static DOM tree for the extraction of benign script nodes. The legitimate script content embedded in such nodes will be marked in the whitelist of scripts. The online mode detects the injection of untrusted script content in the DOM tree generated at runtime. This was done by usually matching the script content embedded in this DOM tree with the whitelist of script code generated at offline mode. Any deviation observed in the script content will be marked as the injection of malicious script content in the dynamically generated DOM tree. This mode also identifies the different context of malicious variables embedded in such scripts and consequently executes the process of nested context-sensitive sanitization on them. The prototype of our mobile cloud-based framework was developed in Java and integrated the functionality of its components on iCanCloud simulator by creating different virtual machines with their proper link-to-link connectivity. The experimental testing and performance evaluation of our work was carried out on the open source OSN websites that are integrated in the virtual cloud servers. Evaluation results revealed that our framework is capable enough to detect the injection of untrustedimalicious script in the dynamically generated DOM tree with very low rate of false positives, false negatives and suffer from acceptable performance overhead. (C) 2017 Elsevier B.V. All rights reserved.

关键词： Mobile cloud computing Cross-site scripting (XSS) worms javascript code injection attacks DOM-Based XSS attacks HTML5 Document Object Model (DOM) tree

来源：评论

学校读者我要写书评

暂无评论

XSS-secure as a service for the platforms of online social network-based multimedia web applications in cloud

引用

MULTIMEDIA TOOLS AND APPLICATIONS 2018年第4期77卷 4829-4861页

作者： Gupta, Shashank Gupta, B. B. Natl Inst Technol Kurukshetra Dept Comp Engn Kurukshetra Haryana India

This article presents a novel framework XSS-Secure, which detects and alleviates the propagation of Cross-Site Scripting (XSS) worms from the Online Social Network (OSN)-based multimedia web applications on the cloud environment. It operates in two modes: training and detection mode. The former mode sanitizes the extracted untrusted variables of javascript code in a context-aware manner. This mode stores such sanitized code in sanitizer snapshot repository and OSN web server for further instrumentation in the detection mode. The detection mode compares the sanitized HTTP response (HRES) generated at the OSN web server with the sanitized response stored at the sanitizer snapshot repository. Any variation observed in this HRES message will indicate the injection of XSS worms from the remote OSN servers. XSS-Secure determines the context of such worms, perform the context-aware sanitization on them and finally sanitized HRES is transmitted to the OSN user. The prototype of our framework was developed in Java and integrated its components on the virtual machines of cloud environment. The detection and alleviation capability of our cloud-based framework was tested on the platforms of real world multimedia-based web applications including the OSN-based Web applications. Experimental outcomes reveal that our framework is capable enough to mitigate the dissemination of XSS worm from the platforms of non-OSN Web applications as well as OSN web sites with acceptable false negative and false positive rate.

关键词： Cloud security Cross-site scripting (XSS) worms Online social networking (OSN) security Web security javascript code injection attacks Sanitization routines

来源：评论

学校读者我要写书评

暂无评论

Cross-Site Scripting (XSS) attacks and defense mechanisms: classification and state-of-the-art

引用

INTERNATIONAL JOURNAL OF SYSTEM ASSURANCE ENGINEERING AND MANAGEMENT 2017年第1期8卷 512-530页

作者： Gupta, Shashank Gupta, B. B. Natl Inst Technol Kurukshetra Kurukshetra Haryana India

Nowadays, web applications are becoming one of the standard platforms for representing data and service releases over the World Wide Web. Since web applications are progressively more utilized for security-critical services, therefore they have turned out to be a well-liked and precious target for the web-related vulnerabilities. Even though several defensive mechanisms have been building up to reinforce the modern web applications and alleviate the attacks instigated against them. We have analyzed the major concerns for web applications and Internet-based services which are persistent in several web applications of diverse organizations like banking, health care, financial service, retail and so on by the referring the Website Security Statistics Report of White Hat Security. In this paper, we highlight some of the serious vulnerabilities found in the modern web applications and revealed various serious vulnerabilities. Cross-Site Scripting (XSS) attack is the top most vulnerability found in the today's web applications which to be a plague for the modern web applications. XSS attacks permit an attacker to execute the malicious scripts on the victim's web browser resulting in various side-effects such as data compromise, stealing of cookies, passwords, credit card numbers etc. We have also discussed a high level of taxonomy of XSS attacks and detailed incidences of these attacks on web applications. A detailed comprehensive analysis of the exploitation, detection and prevention mechanisms of XSS attacks has also been discussed. Based on explored strength and flaws of these mechanisms, we have discussed some further work.

关键词： Cross-Site Scripting (XSS) White Hat Security Internet World Wide Web (WWW) javascript code injection attacks Malicious javascript

来源：评论

学校读者我要写书评

暂无评论

XSS-immune: a Google chrome extension-based XSS defensive framework for contemporary platforms of web applications

引用

SECURITY AND COMMUNICATION NETWORKS 2016年第17期9卷 3966-3986页

作者： Gupta, Shashank Gupta, Brij Bhooshan Natl Inst Technol Dept Comp Engn Kurukshetra Haryana India

In this paper, the authors analyzed and discussed the performance issues in the existing cross-site scripting (XSS) filters and based on that, proposed a javascript string comparison and context-aware sanitization-based framework, XSS-immune. It is a browser-resident framework that compares the set of scripts embedded in hypertext transfer protocol request (H-REQ) and hypertext transfer protocol response (H-RES) for discovering any similar untrusted/malicious javascript code. This similar code points towards the untrusted javascript code that will be utilized by an attacker to exploit the vulnerabilities of XSS worms. In addition, our technique determines the context of such worms and performs the sanitization on them accordingly for alleviating the effect of such XSS worms from the real world web applications. We have also introduced a mechanism that can detect the injection of malicious parameter values by modifying the existing javascript code, that is, partial script injections. The prototype of XSS-immune was developed in Java and installed as an extension on the Google Chrome. In addition, we have verified the implementation of our design of prototype against five open-source XSS attack vector repositories, and very few XSS attack worms were able to evade our proposed design. Experimental evaluation and testing of XSS-immune were performed by adding support from the tested suite of real world web applications. The performance evaluation results revealed that our framework is able to detect the XSS worms with acceptable low false positive and false negative rate in comparison with the performance of existing XSS filters. Experimental results also incurred acceptable runtime overhead because of minor alterations on client-side browser and computationally fast execution of modules deployed in our browser-resident framework. Copyright (C) 2016 John Wiley & Sons, Ltd.

关键词： XSS worms XSS filters web browser web application vulnerabilities javascript code injection attacks HTTP

来源：评论

学校读者我要写书评

暂无评论

CSSXC: Context-Sensitive Sanitization Framework for Web Applications against XSS Vulnerabilities in Cloud Environments

CSSXC: Context-Sensitive Sanitization Framework for Web Appl...

引用

International Conference on Computational Modelling and Security (CMS)

作者： Gupta, Shashank Gupta, B. B. NIT Kurukshetra Dept Comp Engn Kurukshetra Haryana India

This paper presents a context-sensitive sanitization based XSS defensive framework for the cloud environment. It discovers all the hidden injection points in HTML5-based web applications deployed on the platforms of cloud and sanitizes the XSS attack payloads injected in such points in a context sensitive manner. The identification of such injection points permits our technique to retrieve each possible web page of application, allowing a wider exploration and accelerating the process of applying the sanitizers on the untrusted variables of web application. The XSS attack mitigation capability of our framework was evaluated on web applications deployed for the cloud users in the cloud environment. The experimental results reveal that this technique detects the XSS attack payloads with minimum rate of false negatives and less runtime overhead. (C) 2016 The Authors. Published by Elsevier B.V.

关键词： Cloud Computing Cross-Site Scripting (XSS) attacks javascript code injection attacks HTML5 Cloud Security

来源：评论

学校读者我要写书评

暂无评论

CSSXC: Context-sensitive Sanitization Framework for Web Applications against XSS Vulnerabilities in Cloud Environments

引用

Procedia Computer Science 2016年 85卷 198-205页

作者： Shashank Gupta B.B. Gupta Department of Computer Engineering NIT Kurukshetra India

关键词： Cloud Computing Cross-Site Scripting (XSS) attacks javascript code injection attacks HTML5 Cloud Security.

来源：评论

学校读者我要写书评

暂无评论

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案：

请选择收藏分类：

通借通还

建议与咨询 留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案： 新增检索档案 确定 取消

请选择收藏分类： 新增自定义分类 确定 取消

通借通还

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

请选择保存的检索档案：

请选择收藏分类：