Injecting malicious script through links, URLs (Unified resource locator) or as user inputs and getting it executed (when inputs are not validated) in the client side is called cross site scripting (XSS) attack. It is called XSS because the script that is executed here is not originated from the same client or from a trusted server. Our solution “Yukti” is devised to detect these application specific XSS attacks at network level by deep packet inspection in the live environment. Existing solutions do static security code review or scans the application for known attack patterns. “Yukti’ is dynamic as the suspect engine in the solution is unique and has the capability to suspect a new attack pattern. If the suspect is analyzed to be true, the rule that would detect the attack is built into rule base dynamically. This paper discusses the design, components, architecture, dependencies, techniques, implementation and analysis of results obtained. Our results show that out of huge test cases (70000- both XSS and Non XSS) the solution is able to detect 28546 numbers of XSS attacks initially (before appending new rules in detection engine). After appending new rules based on recommendations from suspect engine, it is able to detect 32363 XSS. Yukti demonstrates considerable improvement in the performance when analyzed with leading IDS engine SNORT while detecting XSS attacks.

1. E.Kirda, C.Kruegel, G.Vigna, and N.Jovanovic,”Noxes: A Client-Side Solution for Mitigating Cross-Site Scripting Attacks”SAC’06 April 23-27,2006, Dijon, France.
2. P.Vogt, “Cross Site Scripting (XSS) attack prevention with dynamic data tainting”, 2006
3. O. Hallaraker and G.Vigna,” Detecting Malicious JavaScript Code in Mozilla “, Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems (ICECCS’05)
4. Y.Huang, C.Tsai, T.Lin, S. Huang, D.T. Kuo’, “A testing framework for Web application, security assessment“, Computer Networks 48 (2005) 739–761, ELSEVIER
5. M.Egele, M.Szydlowski, E. Kirda, and C. Kruegel,”Using Static Program Analysis to Aid Intrusion Detection”, Austrian Science Foundation (FWF) under grant P18368-N04
6. N.Jovanovic, C. Kruegel and E.Kirda,” Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities”, Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P’06)
7. F.Valeur, G.Vigna, C.Kruegel, E.Kirda, ”An Anomaly driven Reverse Proxy for Web Applications", SAC’06 April 2327,2006, Dijon, France, ACM 1595931082/ 06/0004
8. K. Sivakumar & K. Garg “Constructing a “Common Cross Site Scripting Vulnerabilities Enumeration (CXE)” Using CWE and CVE”, Lecture Notes in Computer Science, Springer Berlin / Heidelberg, Volume 4812/2007, 277-291
9. O.Ismaill, M.E.Youki, K.adobayashi, S. Yamaguch, “A Proposal and Implementation of Automatic Detection/Collection System for Cross-Site Scripting Vulnerability” Proceedings of the 18th International Conference on Advanced Information Networking and Application (AINA’04)
10. Christopher Kruegel, G. Vigna, William Robertson, “A multi-model approach to the detection of web-based attacks”, Computer Networks 48 (2005) 717–738- ELSEVIER.
11. G.A.Lucca, A.R.Fasolino et all, “Identifying Cross Site Scripting Vulnerabilities in Web Applications”, Proceedings of the Sixth IEEE International Workshop on Web Site Evolution (WSE’04)
12. “The Common Vulnerabilities and Exposures Initiative,” http://cve.mitre.org/cve/
13. “OWASP top ten Security vulnerabilities”, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
14. Department of Homeland Security National Cyber Security Division’s “Build Security In” (BSI) web site, http://buildsecurityin.us-cert.gov
15. Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users. http://en.wikipedia.org/wiki/Cross-site_scripting
16. National Vulnerability database http://nvd.nist.gov/
17. Real World XSS, http://sandsprite.com/Sleuth/papers/ RealWorld_XSS_1.html
18. XSS cheat sheet, http:// ha.ckers.org/xss.html
19. Whois lookup, domain name search, domain name registration, available domain names, domain whois database information. www.whois.com
20. jpcap -- a network packet capture library for applications written in Java. http://jpcap.sourceforge.net/
21. Sourcefire Vulnerability Research Team™ (VRT) Rules are the official rules of snort.org. https://www.snort.org/snort-rules

Cross Site Scripting Web Application Security Application Intrusion Detection Security Attacks Vulnerability Management