XSS-Dec: A hybrid solution to mitigate cross-site scripting attacks

Smitha Sundareswaran; Anna Cinzia Squicciarini

doi:10.1007/978-3-642-31540-4_17

XSS-Dec: A hybrid solution to mitigate cross-site scripting attacks

Smitha Sundareswaran, Anna Cinzia Squicciarini

College of Information Sciences and Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

10 Scopus citations

Abstract

Cross-site scripting attacks represent one of the major security threats in today's Web applications. Current approaches to mitigate cross-site scripting vulnerabilities rely on either server-based or client-based defense mechanisms. Although effective for many attacks, server-side protection mechanisms may leave the client vulnerable if the server is not well patched. On the other hand, client-based mechanisms may incur a significant overhead on the client system. In this work, we present a hybrid client-server solution that combines the benefits of both architectures. Our Proxy-based solution leverages the strengths of both anomaly detection and control flow analysis to provide accurate detection. We demonstrate the feasibility and accuracy of our approach through extended testing using real-world cross-site scripting exploits.

Original language	English (US)
Title of host publication	Data and Applications Security and Privacy XXVI - 26th Annual IFIP WG 11.3 Conference, DBSec 2012, Proceedings
Pages	223-238
Number of pages	16
DOIs	https://doi.org/10.1007/978-3-642-31540-4_17
State	Published - 2012
Event	26th Annual WG 11.3 Conference on Data and Applications Security and Privacy, DBSec 2012 - Paris, France Duration: Jul 11 2012 → Jul 13 2012

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	7371 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	26th Annual WG 11.3 Conference on Data and Applications Security and Privacy, DBSec 2012
Country/Territory	France
City	Paris
Period	7/11/12 → 7/13/12

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-642-31540-4_17

Cite this

Sundareswaran, S., & Squicciarini, A. C. (2012). XSS-Dec: A hybrid solution to mitigate cross-site scripting attacks. In Data and Applications Security and Privacy XXVI - 26th Annual IFIP WG 11.3 Conference, DBSec 2012, Proceedings (pp. 223-238). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7371 LNCS). https://doi.org/10.1007/978-3-642-31540-4_17

Sundareswaran, Smitha ; Squicciarini, Anna Cinzia. / XSS-Dec : A hybrid solution to mitigate cross-site scripting attacks. Data and Applications Security and Privacy XXVI - 26th Annual IFIP WG 11.3 Conference, DBSec 2012, Proceedings. 2012. pp. 223-238 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{a6563355b6b348dab57bad27dfe0c753,

title = "XSS-Dec: A hybrid solution to mitigate cross-site scripting attacks",

abstract = "Cross-site scripting attacks represent one of the major security threats in today's Web applications. Current approaches to mitigate cross-site scripting vulnerabilities rely on either server-based or client-based defense mechanisms. Although effective for many attacks, server-side protection mechanisms may leave the client vulnerable if the server is not well patched. On the other hand, client-based mechanisms may incur a significant overhead on the client system. In this work, we present a hybrid client-server solution that combines the benefits of both architectures. Our Proxy-based solution leverages the strengths of both anomaly detection and control flow analysis to provide accurate detection. We demonstrate the feasibility and accuracy of our approach through extended testing using real-world cross-site scripting exploits.",

author = "Smitha Sundareswaran and Squicciarini, {Anna Cinzia}",

year = "2012",

doi = "10.1007/978-3-642-31540-4_17",

language = "English (US)",

isbn = "9783642315398",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "223--238",

booktitle = "Data and Applications Security and Privacy XXVI - 26th Annual IFIP WG 11.3 Conference, DBSec 2012, Proceedings",

note = "26th Annual WG 11.3 Conference on Data and Applications Security and Privacy, DBSec 2012 ; Conference date: 11-07-2012 Through 13-07-2012",

}

Sundareswaran, S & Squicciarini, AC 2012, XSS-Dec: A hybrid solution to mitigate cross-site scripting attacks. in Data and Applications Security and Privacy XXVI - 26th Annual IFIP WG 11.3 Conference, DBSec 2012, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 7371 LNCS, pp. 223-238, 26th Annual WG 11.3 Conference on Data and Applications Security and Privacy, DBSec 2012, Paris, France, 7/11/12. https://doi.org/10.1007/978-3-642-31540-4_17

XSS-Dec: A hybrid solution to mitigate cross-site scripting attacks. / Sundareswaran, Smitha; Squicciarini, Anna Cinzia.
Data and Applications Security and Privacy XXVI - 26th Annual IFIP WG 11.3 Conference, DBSec 2012, Proceedings. 2012. p. 223-238 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7371 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - XSS-Dec

T2 - 26th Annual WG 11.3 Conference on Data and Applications Security and Privacy, DBSec 2012

AU - Sundareswaran, Smitha

AU - Squicciarini, Anna Cinzia

PY - 2012

Y1 - 2012

N2 - Cross-site scripting attacks represent one of the major security threats in today's Web applications. Current approaches to mitigate cross-site scripting vulnerabilities rely on either server-based or client-based defense mechanisms. Although effective for many attacks, server-side protection mechanisms may leave the client vulnerable if the server is not well patched. On the other hand, client-based mechanisms may incur a significant overhead on the client system. In this work, we present a hybrid client-server solution that combines the benefits of both architectures. Our Proxy-based solution leverages the strengths of both anomaly detection and control flow analysis to provide accurate detection. We demonstrate the feasibility and accuracy of our approach through extended testing using real-world cross-site scripting exploits.

AB - Cross-site scripting attacks represent one of the major security threats in today's Web applications. Current approaches to mitigate cross-site scripting vulnerabilities rely on either server-based or client-based defense mechanisms. Although effective for many attacks, server-side protection mechanisms may leave the client vulnerable if the server is not well patched. On the other hand, client-based mechanisms may incur a significant overhead on the client system. In this work, we present a hybrid client-server solution that combines the benefits of both architectures. Our Proxy-based solution leverages the strengths of both anomaly detection and control flow analysis to provide accurate detection. We demonstrate the feasibility and accuracy of our approach through extended testing using real-world cross-site scripting exploits.

UR - http://www.scopus.com/inward/record.url?scp=84864346176&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84864346176&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-31540-4_17

DO - 10.1007/978-3-642-31540-4_17

M3 - Conference contribution

AN - SCOPUS:84864346176

SN - 9783642315398

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 223

EP - 238

BT - Data and Applications Security and Privacy XXVI - 26th Annual IFIP WG 11.3 Conference, DBSec 2012, Proceedings

Y2 - 11 July 2012 through 13 July 2012

ER -

Sundareswaran S, Squicciarini AC. XSS-Dec: A hybrid solution to mitigate cross-site scripting attacks. In Data and Applications Security and Privacy XXVI - 26th Annual IFIP WG 11.3 Conference, DBSec 2012, Proceedings. 2012. p. 223-238. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-642-31540-4_17

XSS-Dec: A hybrid solution to mitigate cross-site scripting attacks

Abstract

Publication series

Other

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this