<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.4 20241031//EN"
        "https://jats.nlm.nih.gov/publishing/1.4/JATS-journalpublishing1-4.dtd">
<article  article-type="research-article"        dtd-version="1.4">
            <front>

                <journal-meta>
                                    <journal-id></journal-id>
            <journal-title-group>
                                                                                    <journal-title>Balkan Journal of Electrical and Computer Engineering</journal-title>
            </journal-title-group>
                            <issn pub-type="ppub">2147-284X</issn>
                                        <issn pub-type="epub">2147-284X</issn>
                                                                                            <publisher>
                    <publisher-name>MUSA YILMAZ</publisher-name>
                </publisher>
                    </journal-meta>
                <article-meta>
                                        <article-id pub-id-type="doi">10.17694/bajece.927417</article-id>
                                                                <article-categories>
                                            <subj-group  xml:lang="en">
                                                            <subject>Artificial Intelligence</subject>
                                                            <subject>Computer Software</subject>
                                                    </subj-group>
                                            <subj-group  xml:lang="tr">
                                                            <subject>Yapay Zeka</subject>
                                                            <subject>Bilgisayar Yazılımı</subject>
                                                    </subj-group>
                                    </article-categories>
                                                                                                                                                        <title-group>
                                                                                                                        <article-title>A Hybrid Machine Learning Model to Detect Reflected XSS Attack</article-title>
                                                                                                                                        </title-group>
            
                                                    <contrib-group content-type="authors">
                                                                        <contrib contrib-type="author">
                                                                    <contrib-id contrib-id-type="orcid">https://orcid.org/0000-0002-9455-1537</contrib-id>
                                                                <name>
                                    <surname>Buz</surname>
                                    <given-names>Beraat</given-names>
                                </name>
                                                                    <aff>ISTANBUL TECHNICAL UNIVERSITY</aff>
                                                            </contrib>
                                                    <contrib contrib-type="author">
                                                                    <contrib-id contrib-id-type="orcid">https://orcid.org/0000-0002-2282-5404</contrib-id>
                                                                <name>
                                    <surname>Gülçiçek</surname>
                                    <given-names>Berke</given-names>
                                </name>
                                                                    <aff>ISTANBUL TECHNICAL UNIVERSITY</aff>
                                                            </contrib>
                                                    <contrib contrib-type="author">
                                                                    <contrib-id contrib-id-type="orcid">https://orcid.org/0000-0003-0314-2621</contrib-id>
                                                                <name>
                                    <surname>Bahtiyar</surname>
                                    <given-names>Şerif</given-names>
                                </name>
                                                                    <aff>İSTANBUL TEKNİK ÜNİVERSİTESİ, BİLGİSAYAR VE BİLİŞİM FAKÜLTESİ</aff>
                                                            </contrib>
                                                                                </contrib-group>
                        
                                        <pub-date pub-type="pub" iso-8601-date="20210730">
                    <day>30</day>
                    <month>07</month>
                    <year>2021</year>
                </pub-date>
                                        <volume>9</volume>
                                        <issue>3</issue>
                                        <fpage>235</fpage>
                                        <lpage>241</lpage>
                        
                        <history>
                                    <date date-type="received" iso-8601-date="20210425">
                        <day>25</day>
                        <month>04</month>
                        <year>2021</year>
                    </date>
                                                    <date date-type="accepted" iso-8601-date="20210727">
                        <day>27</day>
                        <month>07</month>
                        <year>2021</year>
                    </date>
                            </history>
                                        <permissions>
                    <copyright-statement>Copyright © 2013, Balkan Journal of Electrical and Computer Engineering</copyright-statement>
                    <copyright-year>2013</copyright-year>
                    <copyright-holder>Balkan Journal of Electrical and Computer Engineering</copyright-holder>
                </permissions>
            
                                                                                                <abstract><p>As web technologies have become more advanced and their code bases larger, the number of vulnerabilities has increased considerably. Cross-site scripting (XSS) attacks are among the most common attacks that exploit vulnerabilities in web applications. There are three types of cross-site scripting attack, namely reflected, stored, and DOM-based attacks. Reflected XSS is the most common type; it is usually carried out by injecting malicious code into a URL and then delivering that URL to the targeted user, typically by phishing, so that the vulnerable site reflects the payload back into the victim's browser. This makes it a significant threat to modern web applications. Our motivation is the lack of a high-performance, high-accuracy detection method for reflected XSS attacks. In this paper, we propose a hybrid machine learning model to detect vulnerabilities related to reflected XSS attacks for a given URL of a website. Our model uses a scanner to discover vulnerabilities in a web site and convolutional neural networks to predict the most common vulnerabilities that may be used for reflected XSS attacks, which is what makes the proposed model hybrid. We analyzed the model experimentally. The analysis results show that the proposed model is able to detect vulnerable attack surfaces with 99% accuracy.</p></abstract>
                                                                                    
            
                                                            <kwd-group>
                                                    <kwd>Reflected XSS</kwd>
                                                    <kwd>Deep Learning</kwd>
                                                    <kwd>Detection</kwd>
                                                    <kwd>Vulnerability</kwd>
                                                    <kwd>N-gram</kwd>
                                                    <kwd>XSS Scanner</kwd>
                                            </kwd-group>
                                                        
                                                                                                                                                    </article-meta>
    </front>
    <back>
                            <ref-list>
                                    <ref id="ref1">
                        <label>1</label>
                        <mixed-citation publication-type="journal">[1] “Web Applications vulnerabilities and threats: statistics for 2019.” [Online]. Available: https://www.ptsecurity.com/ww-en/analytics/web-vulnerabilities-2020/</mixed-citation>
                    </ref>
                                    <ref id="ref2">
                        <label>2</label>
                        <mixed-citation publication-type="journal">[2] S. Gupta and B. B. Gupta, “Cross-Site Scripting (XSS) attacks and defense mechanisms: classification and state-of-the-art,” International Journal of System Assurance Engineering and Management, vol. 8, no. S1, pp. 512–530, Jan. 2017. [Online]. Available: http://link.springer.com/10.1007/s13198-015-0376-0</mixed-citation>
                    </ref>
                                    <ref id="ref3">
                        <label>3</label>
                        <mixed-citation publication-type="journal">[3] “OWASP Top Ten Web Application Security Risks | OWASP.” [Online]. Available: https://owasp.org/www-project-top-ten/</mixed-citation>
                    </ref>
                                    <ref id="ref4">
                        <label>4</label>
                        <mixed-citation publication-type="journal">[4] V. Nithya, S. L. Pandian, and C. Malarvizhi, “A Survey on Detection and Prevention of Cross-Site Scripting Attack,” International Journal of Security and Its Applications, vol. 9, no. 3, pp. 139–152, Mar. 2015.</mixed-citation>
                    </ref>
                                    <ref id="ref5">
                        <label>5</label>
                        <mixed-citation publication-type="journal">[5] U. Sarmah, D. Bhattacharyya, and J. Kalita, “A survey of detection methods for XSS attacks,” Journal of Network and Computer Applications, vol. 118, pp. 113–143, Sep. 2018. [Online]. Available: https://linkinghub.elsevier.com/retrieve/pii/S1084804518302042</mixed-citation>
                    </ref>
                                    <ref id="ref6">
                        <label>6</label>
                        <mixed-citation publication-type="journal">[6] M. Liu, B. Zhang, W. Chen, and X. Zhang, “A Survey of Exploitation and Detection Methods of XSS Vulnerabilities,” IEEE Access, vol. 7, pp. 182004–182016, 2019. [Online]. Available: https://ieeexplore.ieee.org/document/8935148/</mixed-citation>
                    </ref>
                                    <ref id="ref7">
                        <label>7</label>
                        <mixed-citation publication-type="journal">[7] G. E. Rodríguez, J. G. Torres, P. Flores, and D. E. Benavides, “Cross-site scripting (XSS) attacks and mitigation: A survey,” Computer Networks, vol. 166, p. 106960, Jan. 2020. [Online]. Available: https://linkinghub.elsevier.com/retrieve/pii/S1389128619311247</mixed-citation>
                    </ref>
                                    <ref id="ref8">
                        <label>8</label>
                        <mixed-citation publication-type="journal">[8] E. Galán, A. Alcaide, A. Orfila, and J. Blasco, “A multi-agent scanner to detect stored-XSS vulnerabilities,” in 2010 International Conference for Internet Technology and Secured Transactions, 2010, pp. 1–6.</mixed-citation>
                    </ref>
                                    <ref id="ref9">
                        <label>9</label>
                        <mixed-citation publication-type="journal">[9] L. Li and L. Wei, “Automatic XSS Detection and Automatic Anti-Anti-Virus Payload Generation,” in 2019 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC). Guilin, China: IEEE, Oct. 2019, pp. 71–76. [Online]. Available: https://ieeexplore.ieee.org/document/8945988/</mixed-citation>
                    </ref>
                                    <ref id="ref10">
                        <label>10</label>
                        <mixed-citation publication-type="journal">[10] S. Syaifuddin, D. Risqiwati, and H. A. Sidharta, “Automation Snort Rule for XSS Detection with Honeypot,” in 2018 5th International Conference on Electrical Engineering, Computer Science and Informatics (EECSI). Malang, Indonesia: IEEE, Oct. 2018, pp. 584–588. [Online]. Available: https://ieeexplore.ieee.org/document/8752961/</mixed-citation>
                    </ref>
                                    <ref id="ref11">
                        <label>11</label>
                        <mixed-citation publication-type="journal">[11] X.-Y. Hou, X.-L. Zhao, M.-J. Wu, R. Ma, and Y.-P. Chen, “A Dynamic Detection Technique for XSS Vulnerabilities,” in 2018 4th Annual International Conference on Network and Information Systems for Computers (ICNISC). Wuhan, China: IEEE, Apr. 2018, pp. 34–43. [Online]. Available: https://ieeexplore.ieee.org/document/8842866/</mixed-citation>
                    </ref>
                                    <ref id="ref12">
                        <label>12</label>
                        <mixed-citation publication-type="journal">[12] G. Habibi and N. Surantha, “XSS Attack Detection With Machine Learning and n-Gram Methods,” in 2020 International Conference on Information Management and Technology (ICIMTech). Bandung, Indonesia: IEEE, Aug. 2020, pp. 516–520. [Online]. Available: https://ieeexplore.ieee.org/document/9210946/</mixed-citation>
                    </ref>
                                    <ref id="ref13">
                        <label>13</label>
                        <mixed-citation publication-type="journal">[13] G. Dong, Y. Zhang, X. Wang, P. Wang, and L. Liu, “Detecting cross site scripting vulnerabilities introduced by HTML5,” in 2014 11th International Joint Conference on Computer Science and Software Engineering (JCSSE). Chon Buri: IEEE, May 2014, pp. 319–323. [Online]. Available: https://ieeexplore.ieee.org/document/6841888/</mixed-citation>
                    </ref>
                                    <ref id="ref14">
                        <label>14</label>
                        <mixed-citation publication-type="journal">[14] L. Lei, M. Chen, C. He, and D. Li, “XSS Detection Technology Based on LSTM-Attention,” in 2020 5th International Conference on Control, Robotics and Cybernetics (CRC). Wuhan, China: IEEE, Oct. 2020, pp. 175–180. [Online]. Available: https://ieeexplore.ieee.org/document/9253484/</mixed-citation>
                    </ref>
                                    <ref id="ref15">
                        <label>15</label>
                        <mixed-citation publication-type="journal">[15] D. M. W. Powers, “What the F-measure doesn’t measure: Features, Flaws, Fallacies and Fixes,” arXiv:1503.06410 [cs, stat], Sep. 2019, arXiv: 1503.06410. [Online]. Available: http://arxiv.org/abs/1503.06410</mixed-citation>
                    </ref>
                            </ref-list>
                    </back>
    </article>
