Malicious XSS Code Detection with Decision Tree

Öz

Dynamic applications such as e-commerce, blogs, forums, e-governance, e-banking and portals that are in these platforms have become a part of our lives. However, a tremendous increase in the use of dynamic web and mobile applications has resulted in security vulnerabilities originating from the Hypertext Markup Language (HTML) coding system. Site-to-site Script Execution (XSS) attack is the largest contributors to security exploits. There are different models according to the dynamic content that XSS attacks use. The interest of the study is composed of attacks on visual content with the "img" tag. In study, an algorithm has been developed to detect XSS attacks with the decision tree which is motivated by the fact that they tend to be easier to implement and interpret than other quantitative data-driven methods. The algorithm that successfully classifies 392 of 400 malicious and clean codes in the data set with 8 different features. This result contributes to the use of secure internet without XSS attacks that use visual content..

Anahtar Kelimeler

• Security Vulnerability,XSS Attacks,Feature Extraction,Decision Tree

Kaynakça

1. Ömer Kasim, “Evolving Web Process and Security”, 9. International Conference on Information Security and Cryptology, (2016). Wichers Dave, “https://www.. owasp.org/index.php/Top_10_2013-Top_10”, Date of Access: 15.07.2017.
2. Garcia Alfaro, Navarro Arribas, "Prevention Of Cross-Site Scripting Attacks On Current Web Applications Greece", Proceedings of The OTM Confederated International, (2007).
3. Yusof Imran, Al-Sakib Khan Pathan, "Preventing Persistent Cross-Site Scripting (XSS) Attack By Applying Pattern Filtering Approach", IEEE The 5th International Conference On Information And Communication Technology, (2014).
4. Jasmine M. S., Kirthiga Devi, Geogen George. "Detecting XSS Based Web Application Vulnerabilities", International Journal Of Computer Technology & Applications, Pp. 291-297, (2017).
5. Gupta, B. B., Gupta, S., Gangwar, S., Kumar, M., Meena, P. K., “Cross-Site Scripting (XSS) Abuse And Defense: Exploitation On Several Testing Bed Environments And Its Defense.” Journal Of Information Privacy And Security, Vol.11, No.2, Pp. 118-136, (2015).
6. Dong, Ri-Zhan, Jie Ling, And Yi Liu. "DOM Based XSS Detecting Method Based On Phantomjs." Proceedings Of The International Conference On Applied Mechanics, Mechatronics And Intelligent Systems, (2015).
7. Vural, Yılmaz, Şeref SAĞIROĞLU. "Kurumsal Bilgi Güvenliği Ve Standartları Üzerine Bir İnceleme." Gazi Üniversitesi Journal of Faculty of Engineering and Architecture Vol.23, No.2, (2008).
8. S. Saha, “Consideration Points Detecting Cross-Site Scripting," International Journal Of Computer Science And Information Security, Vol. 4, No. 1, (2009).

9. Zou, Cliff Changchun, Weibo Gong, Don Towsley. "Code Red Worm Propagation Modeling And Analysis." Proceedings Of The 9th ACM Conference On Computer And Communications Security, (2002).
10. Bisht, Prithvi, V. N. Venkatakrishnan. "XSS-GUARD: Precise Dynamic Prevention Of Cross-Site Scripting Attacks." International Conference On Detection Of Intrusions And Malware, And Vulnerability Assessment, (2008).
11. Baykara Muhammet, Resul Daş, İsmail Karadoğan. "Bilgi Güvenliği Sistemlerinde Kullanılan Araçların İncelenmesi." 1st International Symposium On Digital Forensics And Security, Vol. 27. (2013).
12. GA Di Lucca, AR Fasolino, M Mastoianni, "Identifying Cross Site Scripting Vulnerabilities In Web Applications." Sixth IEEE International Workshop On Web Site Evolution, (2004).
13. Bhuyan, Monowar H., Dhruba K. Bhattacharyya, Jugal K. Kalita. "Survey On Incremental Approaches For Network Anomaly Detection." Arxiv Preprint Arxiv:1211.4493, (2012).
14. Bisht, Prithvi, V. N. Venkatakrishnan. "XSS-GUARD: Precise Dynamic Prevention Of Cross-Site Scripting Attacks." International Conference on Detection Of Intrusions And Malware, And Vulnerability Assessment, (2008).
15. Boro, Debojit, Dhruba K. Bhattacharyya. "Dyprosd: A Dynamic Protocol Specific Defense For High-Rate Ddos Flooding Attacks.", Microsystem Technologies, Pp. 593-611, (2017).
16. Shahriar, Hossain, Vamshee Krishna Devendran, Hisham Haddad. "Proclick: A Framework For Testing Clickjacking Attacks In Web Applications." Proceedings Of The 6th International Conference On Security Of Information And Networks, (2013).
17. S Goswami, N Hoque, DK Bhattacharyya "An Unsupervised Method For Detection Of XSS Attack." International Journal Of Network Security, Vol.19, No.5, Pp.761-775, Sept. (2017).
18. Likarish, Peter, Eunjin Jung, Insoon Jo, "Obfuscated Malicious Javascript Detection Using Classification Techniques.", IEEE 4th International Conference On Malicious And Unwanted Software, (2009).
19. Sheet, XSS Filter Evasion Cheat, “https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_