
Detecting Blind Cross-Site Scripting Attacks Using Machine Learning

Published: 28 November 2018

Abstract

Cross-site scripting (XSS) is a scripting attack targeting web applications by injecting malicious scripts into web pages. Blind XSS is a subset of stored XSS, where an attacker blindly deploys malicious payloads in web pages that are stored in a persistent manner on target servers. Most of the XSS detection techniques used to detect XSS vulnerabilities are inadequate for detecting blind XSS attacks. In this research, we present a machine learning based approach to detect blind XSS attacks. Testing results help to identify malicious payloads that are likely to get stored in databases through web applications.

Published In

SPML '18: Proceedings of the 2018 International Conference on Signal Processing and Machine Learning
November 2018
177 pages
ISBN:9781450366052
DOI:10.1145/3297067

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Cross-Site Scripting (XSS)
  2. Machine Learning
  3. Software Security
  4. Vulnerability Detection
  5. Web Security

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

SPML '18
