Detection of XSS Attacks in Web Applications: A Machine Learning Approach

Authors

  • Bronjon Gogoi, Scientist, Regional Centre of Excellence for Application Security, National Informatics Centre, Guwahati, Assam, India
  • Tasiruddin Ahmed, Scientist, Regional Centre of Excellence for Application Security, National Informatics Centre, Guwahati, Assam, India
  • Hemanta Kumar Saikia, Scientist, Regional Centre of Excellence for Application Security, National Informatics Centre, Guwahati, Assam, India

Keywords:

Web Application, XSS Attacks, Machine Learning

Abstract

With the increased use of the internet, web applications and websites are becoming more and more common. With this increased use, cyber-attacks on web applications and websites are also increasing. Of all the different types of cyber-attacks on web applications and websites, XSS (Cross-Site Scripting) attacks are one of the most common forms of attack. XSS attacks are a major problem in web security and are ranked as the number two web application security risk in the OWASP (Open Web Application Security Project) Top 10. Traditional methods of defence against XSS attacks include hardware- and software-based web application firewalls, most of which are rule- and signature-based. Rule-based and signature-based web application firewalls can be bypassed by obfuscating the attack payloads. As such, rule-based and signature-based web application firewalls are not effective at detecting XSS attacks whose payloads are designed to bypass web application firewalls. This paper aims to use machine learning to detect XSS attacks using various ML (machine learning) algorithms and to compare the performance of these algorithms in detecting XSS attacks in web applications and websites.




Published

2021-01-30

How to Cite

Detection of XSS Attacks in Web Applications: A Machine Learning Approach. (2021). International Journal of Innovative Research in Computer Science & Technology, 9(1), 1–10. Retrieved from https://acspublisher.com/journals/index.php/ijircst/article/view/11696