Research Article

Malicious XSS Code Detection with Decision Tree

Year 2020, Volume: 23 Issue: 1, 67 - 72, 01.03.2020
https://doi.org/10.2339/politeknik.470332

Abstract

Dynamic applications such as e-commerce, blogs, forums, e-governance, e-banking and portals hosted on these platforms have become part of our lives. However, the tremendous increase in the use of dynamic web and mobile applications has brought security vulnerabilities originating from Hypertext Markup Language (HTML) coding. Cross-Site Scripting (XSS) attacks are the largest contributor to security exploits. XSS attacks take different forms depending on the dynamic content they use. This study focuses on attacks carried out through visual content, i.e. the "img" tag. An algorithm has been developed to detect such XSS attacks with a decision tree, motivated by the fact that decision trees tend to be easier to implement and interpret than other quantitative data-driven methods. Using 8 different features, the algorithm correctly classifies 392 of the 400 malicious and clean code samples in the data set. This result contributes to secure use of the internet without XSS attacks that use visual content.
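The abstract describes a decision tree trained on lexical features of `img` markup, but the page lists neither the eight features nor the data set. The Python below is an added example and not the paper's code: it extracts eight assumed lexical features from `<img>` tags, trains a minimal ID3-style decision tree on a small constructed labelled set, and renders the learned rules as readable if/else text, which is the interpretability argument the abstract makes for decision trees. The feature names, the sample strings and the length threshold are all assumptions.

```python
import math
import re
from collections import Counter

# Constructed, labelled <img> markup (1 = malicious, 0 = benign). These are
# illustrative strings, not the paper's 400-sample data set.
SAMPLES = [
    ('<img src="/static/logo.png" alt="Logo">', 0),
    ('<img src="https://cdn.example.org/img/hero.jpg" width="640" height="480">', 0),
    ('<img src="team.webp" alt="Team photo" loading="lazy">', 0),
    ('<img src="data:image/png;base64,iVBORw0KGgo=" alt="icon">', 0),
    ('<img src=spacer.gif width=1 height=1>', 0),
    ('<img src="/a.jpg" alt="Sales (2019)">', 0),
    ('<img src="x" onerror="alert(1)">', 1),
    ('<img src="javascript:alert(1)">', 1),
    ('<img src=x onerror=alert(1)>', 1),
    ('<img src="x" onerror="&#97;lert(1)">', 1),
    ('<img src="jav&#x09;ascript:alert(1)">', 1),
    ('<img src="java\tscript:alert(1)">', 1),
    ('<img src="x" onmouseover="alert(1)" alt="hover">', 1),
    ('<img src="/static/logo.png" onload="alert(1)">', 1),
]

# Assumed feature set: the paper's eight features are not given on this page.
FEATURE_NAMES = ("event_handler", "javascript_scheme", "script_token", "html_entity",
                 "paren_call", "non_image_src", "unquoted_value", "long_tag")
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg")
# name = "double" | 'single' | bare   (groups 3 / 4 / 5 carry the value)
ATTR_RE = re.compile(r'([a-zA-Z_:-]+)\s*=\s*("([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def parse_attrs(tag):
    """Return ({attribute name: value}, any_value_unquoted) for one tag."""
    attrs, unquoted = {}, False
    for m in ATTR_RE.finditer(tag):
        value = next(g for g in m.group(3, 4, 5) if g is not None)
        attrs[m.group(1).lower()] = value
        unquoted |= m.group(5) is not None
    return attrs, unquoted


def normalize(value):
    # Drop whitespace/control characters that split keywords, e.g. "java<TAB>script:"
    return re.sub(r"[\s\x00-\x1f]", "", value).lower()


def extract_features(tag):
    """Eight boolean lexical features, in FEATURE_NAMES order."""
    raw = tag.lower()
    attrs, unquoted = parse_attrs(tag)
    src = normalize(attrs.get("src", ""))
    return (
        any(name.startswith("on") for name in attrs),          # on* event handler attribute
        src.startswith("javascript:"),                          # script URL scheme in src
        "script" in raw,                                        # keyword anywhere in the tag
        "&#" in raw or "\\x" in raw or "\\u" in raw,            # entity / escape sequences
        "(" in raw and ")" in raw,                              # function-call syntax
        not (src.endswith(IMAGE_EXT) or src.startswith("data:image/")),
        unquoted,                                               # bare attribute value
        len(tag) > 80,                                          # assumed length threshold
    )


def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def build_tree(rows, depth=0, max_depth=4):
    """ID3: split on the boolean feature with the highest information gain."""
    labels = [y for _, y in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or depth == max_depth:
        return majority                      # leaf: 0 or 1
    best_gain, best = 0.0, None
    for i in range(len(FEATURE_NAMES)):
        yes = [r for r in rows if r[0][i]]
        no = [r for r in rows if not r[0][i]]
        if not yes or not no:
            continue                         # feature does not split this subset
        gain = entropy(labels) - (len(yes) * entropy([y for _, y in yes])
                                  + len(no) * entropy([y for _, y in no])) / len(rows)
        if gain > best_gain:
            best_gain, best = gain, (i, yes, no)
    if best is None:
        return majority
    i, yes, no = best
    return (i, build_tree(yes, depth + 1, max_depth), build_tree(no, depth + 1, max_depth))


def classify(tree, features):
    while isinstance(tree, tuple):           # internal node: (feature index, yes, no)
        i, yes_branch, no_branch = tree
        tree = yes_branch if features[i] else no_branch
    return tree


def rules(tree, indent=0):
    """Render the tree as nested if/else text so an analyst can audit it."""
    pad = "  " * indent
    if not isinstance(tree, tuple):
        return pad + ("malicious" if tree else "benign")
    i, yes, no = tree
    return (f"{pad}if {FEATURE_NAMES[i]}:\n{rules(yes, indent + 1)}\n"
            f"{pad}else:\n{rules(no, indent + 1)}")


def accuracy(tree, samples):
    """Number of samples the tree labels correctly."""
    return sum(classify(tree, extract_features(t)) == y for t, y in samples)


ROWS = [(extract_features(tag), label) for tag, label in SAMPLES]
TREE = build_tree(ROWS)


def classify_tag(tag):
    return classify(TREE, extract_features(tag))


if __name__ == "__main__":
    print(rules(TREE))
    print(accuracy(TREE, SAMPLES), "of", len(SAMPLES), "training samples classified correctly")
```

Training accuracy on a hand-built set of this size says little about the 392/400 figure in the abstract; the point of the block is the pipeline (attribute parsing, keyword normalization before feature tests, information-gain splits, and a tree that can be printed and reviewed). A deployment would evaluate on held-out samples and would also check how the `non_image_src` and `long_tag` features behave on real markup before trusting them.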



Details

Primary Language: English
Subjects: Engineering
Journal Section: Research Article
Authors: Ömer Kasım (ORCID 0000-0003-4021-5412)

Publication Date: March 1, 2020
Submission Date: October 14, 2018
Published in Issue: Year 2020, Volume: 23, Issue: 1

Cite

APA Kasım, Ö. (2020). Malicious XSS Code Detection with Decision Tree. Politeknik Dergisi, 23(1), 67-72. https://doi.org/10.2339/politeknik.470332
AMA Kasım Ö. Malicious XSS Code Detection with Decision Tree. Politeknik Dergisi. March 2020;23(1):67-72. doi:10.2339/politeknik.470332
Chicago Kasım, Ömer. “Malicious XSS Code Detection With Decision Tree”. Politeknik Dergisi 23, no. 1 (March 2020): 67-72. https://doi.org/10.2339/politeknik.470332.
EndNote Kasım Ö (March 1, 2020) Malicious XSS Code Detection with Decision Tree. Politeknik Dergisi 23 1 67–72.
IEEE Ö. Kasım, “Malicious XSS Code Detection with Decision Tree”, Politeknik Dergisi, vol. 23, no. 1, pp. 67–72, 2020, doi: 10.2339/politeknik.470332.
ISNAD Kasım, Ömer. “Malicious XSS Code Detection With Decision Tree”. Politeknik Dergisi 23/1 (March 2020), 67-72. https://doi.org/10.2339/politeknik.470332.
JAMA Kasım Ö. Malicious XSS Code Detection with Decision Tree. Politeknik Dergisi. 2020;23:67–72.
MLA Kasım, Ömer. “Malicious XSS Code Detection With Decision Tree”. Politeknik Dergisi, vol. 23, no. 1, 2020, pp. 67-72, doi:10.2339/politeknik.470332.
Vancouver Kasım Ö. Malicious XSS Code Detection with Decision Tree. Politeknik Dergisi. 2020;23(1):67-72.