Cross-Site Scripting Attacks

Security, Privacy, and Trust in Mobile Communications

About the Series

Similar to computers, the mobile landscape is also facing various security and privacy related threats. Increasing demand for sophisticated handheld mobile devices, including smartphones, tablets, and so forth, is making them an attractive target of security threats. Since these devices store confidential data of the end users, and exploitation of vulnerabilities in the underlying technologies can create havoc on a massive scale, it becomes essential to understand and address the threats associated with them and to analyze the level of trust that can be established for mobile communication scenarios.

This series will present emerging aspects of the mobile communication landscape, and focuses on the security, privacy, and trust issues in mobile communication based applications. It brings state-of-the-art subject matter for dealing with the issues associated with mobile and wireless networks. This series is targeted at researchers, students, academicians, and business professionals in the field.

If you're interested in submitting a proposal for a book to be included in the series, please email [email protected]

Series Editors: Brij B. Gupta

Computer and Cyber Security
Principles, Algorithm, Applications, and Perspectives
Brij B. Gupta

Smart Card Security
Applications, Attacks, and Countermeasures
B.B. Gupta, Megha Quamara

Cross-Site Scripting Attacks
Classification, Attack and Countermeasures
B.B. Gupta and Pooja Chaudhary

For more information about this series please visit: https://www.crcpress.com/Security-Privacy-and-Trust-in-Mobile-Communications/book-series/SPTMOBILE

Cross-Site Scripting Attacks
Classification, Attack, and Countermeasures
B. B. Gupta and Pooja Chaudhary

First edition published 2020
by CRC Press
6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742

© 2020 Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, LLC

International Standard Book Number-13: 978-0-367-36770-1 (hbk)

Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, access www.copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. For works that are not available on CCC please contact [email protected]

Trademark notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Dedicated to my parents and family for their constant support during the course of this book.
—B. B. Gupta

Dedicated to my parents, siblings, and my mentor for their guidance and motivation throughout the journey of completion of this book.
—Pooja Chaudhary

Contents

List of Figures, xiii
List of Tables, xvii
Preface, xix
Acknowledgments, xxiii
Author Bio, xxv

CHAPTER 1 ◾ Security Flaws in Web Applications 1
1.1 WEB APPLICATION VULNERABILITIES 1
1.1.1 Fundamentals of Web Application Architecture 2
1.1.2 Background and Motivation 3
1.1.3 Related Statistics 6
1.2 DIFFERENT DOMAIN-CENTRIC WEB APPLICATION VULNERABILITIES 11
1.3 COMPREHENSIVE DETAIL OF MOST DANGEROUS VULNERABILITIES 13
1.3.1 Overview of Web Application Vulnerabilities 15
1.3.2 Risk Path Assessment 15
1.3.3 Mapping Vulnerabilities with Risk Rating Methods 18
1.4 TOWARD BUILDING SECURE WEB APPLICATIONS 19
1.5 CHAPTER SUMMARY 24
REFERENCES 25

CHAPTER 2 ◾ Security Challenges in Social Networking: Taxonomy and Statistics 29
2.1 INTRODUCTION 29
2.1.1 Statistics of Social Networking 30
2.1.2 Recent Incidences on Social Networking Platform 31
2.2 DISTINCT ATTACK CLASSES OF SOCIAL PLATFORM 35
2.3 SOCIAL NETWORK DESIGN VS. PRIVACY AND SECURITY GOALS 37
2.4 SOLUTIONS TO PREVENT AGAINST SOCIAL MEDIA ATTACKS 45
2.5 CHAPTER SUMMARY 45
REFERENCES 49

CHAPTER 3 ◾ Fundamentals of Cross-Site Scripting (XSS) Attack 53
3.1 OVERVIEW OF CROSS-SITE SCRIPTING (XSS) ATTACK 53
3.1.1 Steps to Exploit XSS Vulnerability 54
3.1.2 Recent Incidences of XSS Attack 55
3.2 EFFECTS OF XSS ATTACK 55
3.3 CLASSIFICATION OF XSS ATTACK 57
3.3.1 Persistent XSS Attack 57
3.3.2 Non-Persistent Attack 59
3.3.3 DOM-Based XSS Attack 60
3.4 APPROACHES TO DEFEND AGAINST XSS ATTACK 60
3.4.1 Client-Side Approaches 66
3.4.2 Server-Side Approaches 66
3.4.3 Combinational Approaches 66
3.4.4 Proxy-Based Approaches 66
3.5 CHAPTER SUMMARY 68
REFERENCES 71

CHAPTER 4 ◾ Clustering and Context-Based Sanitization Mechanism for Defending against XSS Attack 75
4.1 INTRODUCTION 76
4.1.1 Views 76
4.1.2 Access Control List (ACL) 77
4.1.3 Context-Based Sanitization 77
4.2 PROPOSED APPROACH 78
4.2.1 Abstract Design 78
4.2.2 Detailed Design 79
4.2.2.1 Training Phase 80
4.2.2.2 Recognition Phase 80
4.2.3 Key Modules 84
4.3 EXPERIMENTAL TESTING AND EVALUATION RESULTS 89
4.3.1 Implementation Details 92
4.3.2 Categories of XSS Attack Vectors 92
4.3.3 Detection Outcome 95
4.4 PERFORMANCE ANALYSIS 97
4.4.1 Using F-Measure 97
4.4.2 Using F-test Hypothesis 99