Abstract image of a woman sitting on books and studying on a laptop

XSS filter on Server side

Download as PPT, PDF
C
cuteboysmith

The seminar discusses mitigating Cross-Site Scripting (XSS) attacks through a server-side, signature-based model that employs both positive and negative signatures to block recognized attacks. It emphasizes the use of modules to prevent XSS and the introduction of a validator parser to identify and categorize harmful input based on prohibited tags and attributes. The approach aims to enhance web application security while maintaining performance efficiency, with plans for future enhancements to address other forms of web application attacks.

EducationTechnology
1 of 19
Downloaded 79 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
MITIGATION OF XSS USING SIGNATURE BASED MODEL ON SERVER SIDE SEMINAR BY Dhanashree Waikar Abhijeet Kate Shailesh Khachane GUIDED BY Mrs. M.A. Pradhan (Head Of Department)
XSS ? ? ? ? (Cross Site Scripting) Allow code injection by malicious web users XSS attacks the end user -- it runs arbitrary code in their browser. The browser is behind your firewall and is acting within the user’s security context
JavaScript power JavaScript can control what appears on screen. JavaScript has access to your history. Sites often store session tokens in GET request. JavaScript can intercept cookies. JavaScript can enumerate your network.
EXAMPLE Code:- <script>alert(&quot;/XSS&quot;/)</script> <script>alert(&quot;XSS&quot;)</script> <script>alert(&quot;XSS&quot;)</script>; <script>alert(String.fromCharCode(88,83,83))</script> Effect
Available options to prevent XSS attacks Signature Based Positive signature Negative signature Behavior based Client side or server side
Signature based model Prevention using negative signature based model Configurable black listed tags Placed at the top most layer of the web application. Recognized attacks are blocked
Modules for xss prevation Blocker Parser Validator Tag cluster
Blocker Checks for the existence of special characters For example ‘<’, ‘>’, ‘%’, ‘&’, ‘\\’, ‘&#’ are few of the special characters used to embed JavaScript functions in the tags Blocker is responsible to allow or to reject the input string from the user According to the status which it receives from validator
Parser Called by the Blocker Breaks the input into multiple tokens, as tags and attributes Stores it as a element in a vector object The vector object created by the parser component which invokes the validator For <img src=http://www.sample.com/image1.gif> The vector elements are img, src=http://www.sample.com/image1.gif
Validator Checks input for vulnarability by executing the rules using the tag cluster Compares tags or attributes of input script If mached then marked as vulnabrable Verifier() detectMalicious()
Tag cluster The prohibited tags and the prohibited attributes of tags are categorized as black listed cluster Rules for vulnerability identification
Flow diagram
Future Enhancements modular based . Modules for Other web application attacks can be added easily. E.g. sql injection, Buffer-overflow attacks Updates can be provided for the tag cluster
Limitations Only known attacks can be blocked Web application’s response performance is reduced.
Conclusion The presented server side solution approach meets the need to protect the web Applications with the perspective to improve the response time while addressing the XSS attacks
References 1. G. A. Di Lucca, A. R. Fasolino, M. Mastoianni, P. Tramontana, &quot;Identifying Cross Site Scripting Vulnerabilities in Web Applications,&quot; Sixth IEEE International Workshop on Web Site Evolution(WSE'04) , pp. 71-80, , 2004. 2. M. M. Burnett and J. C. Foster, “Hacking the Code: ASP.NET Web Application Security,” Chapter 5 - Filtering User Input, Syngress Publishing © 2004 3. Scott, D., Sharp, R. “Developing Secure Web Applications.” IEEEInternet Computing, 6(6), pp. 38-45, Nov 2002. 4. Jin-Cherng Lin, Jan-Min Chen, &quot;An Automatic Revised Tool for Anti-Malicious Injection,&quot; cit, p. 164, Sixth IEEE International Conference on Computer and Information Technology (CIT'06), 2006. 5. Zhendong Su, Gary Wassermann, “The essence of command injection attacks in web applications,” Annual Symposium on Principles of Programming Languages, Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles 6. Christopher Krugel, G.Vigna, William Robertson, “A multimodel approach to the detection of web based attacks,”Computer Networks 48 (2005) pp.717-738 – ELSEVIER, 2005.
Thank you We would like to specially thank Mrs. M. A. Pradhan madam , Mrs. Vaishali Vairale madam, and all respected teachers for their continuous help and support.
THANK YOU
QUESTIONS

More Related Content

PPTX
Analysis of Field Data on Web Security Vulnerabilities
KaashivInfoTech Company
 
PPTX
Sql injection
Manjushree Mashal
 
PDF
AtlasCamp 2010: Securing your Plugin - Penny Wyatt
Atlassian
 
PPT
Step by step guide for web application security testing
Avyaan, Web Security Company in India
 
PPTX
Analysis of web application penetration testing
Engr Md Yusuf Miah
 
PPT
Web Application Security
Colin English
 
PPTX
Introduction to security testing
Nagasahas DS
 
PPTX
Hacker Halted Miami , USA 2010
Aditya K Sood
 
Analysis of Field Data on Web Security Vulnerabilities
KaashivInfoTech Company
 
Sql injection
Manjushree Mashal
 
AtlasCamp 2010: Securing your Plugin - Penny Wyatt
Atlassian
 
Step by step guide for web application security testing
Avyaan, Web Security Company in India
 
Analysis of web application penetration testing
Engr Md Yusuf Miah
 
Web Application Security
Colin English
 
Introduction to security testing
Nagasahas DS
 
Hacker Halted Miami , USA 2010
Aditya K Sood
 

What's hot (20)

PPT
Cross Site Request Forgery Vulnerabilities
Marco Morana
 
DOCX
Resume
santukumar12
 
PDF
Understanding CSRF
Potato
 
PDF
A Hybrid Approach For Phishing Website Detection Using Machine Learning.
vivatechijri
 
PPTX
A7 Missing Function Level Access Control
stevil1224
 
PDF
Security testing presentation
Confiz
 
PPTX
Web tools ppt
Tamara Pia Agavi
 
PPT
Security for javascript
Hữu Đại
 
PPT
Common hacking practices
Marian Marinov
 
PPTX
Phishing Detection using Machine Learning
Arjun BM
 
DOC
Analysis of field data on web security vulnerabilities
Papitha Velumani
 
PPTX
A10 - Unvalidated Redirects and Forwards
Shane Stanley
 
PPTX
Root conf digitalskimming-v4_arjunbm
Arjun BM
 
PDF
OWASP TOP 10 & .NET
Daniel Krasnokucki
 
PDF
Detecting Phishing using Machine Learning
ijtsrd
 
PDF
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
Capgemini
 
PDF
Cross Site Scripting Attacks and Preventive Measures
IRJET Journal
 
PPTX
Security Testing Training With Examples
Alwin Thayyil
 
PPTX
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
DevDay Da Nang
 
PPTX
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
Quek Lilian
 
Cross Site Request Forgery Vulnerabilities
Marco Morana
 
Resume
santukumar12
 
Understanding CSRF
Potato
 
A Hybrid Approach For Phishing Website Detection Using Machine Learning.
vivatechijri
 
A7 Missing Function Level Access Control
stevil1224
 
Security testing presentation
Confiz
 
Web tools ppt
Tamara Pia Agavi
 
Security for javascript
Hữu Đại
 
Common hacking practices
Marian Marinov
 
Phishing Detection using Machine Learning
Arjun BM
 
Analysis of field data on web security vulnerabilities
Papitha Velumani
 
A10 - Unvalidated Redirects and Forwards
Shane Stanley
 
Root conf digitalskimming-v4_arjunbm
Arjun BM
 
OWASP TOP 10 & .NET
Daniel Krasnokucki
 
Detecting Phishing using Machine Learning
ijtsrd
 
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
Capgemini
 
Cross Site Scripting Attacks and Preventive Measures
IRJET Journal
 
Security Testing Training With Examples
Alwin Thayyil
 
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
DevDay Da Nang
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
Quek Lilian
 
Ad

Similar to XSS filter on Server side (20)

PPT
Owasp Top 10 - Owasp Pune Chapter - January 2008
abhijitapatil
 
PDF
A26001006
IJERA Editor
 
PDF
Tracing out Cross Site Scripting Vulnerabilities in Modern Scripts
Eswar Publications
 
PPTX
Cross Site Scripting ( XSS)
Amit Tyagi
 
PPT
Intro to Web Application Security
Rob Ragan
 
DOC
Attackers Vs Programmers
robin_bene
 
PDF
A security note for web developers
John Ombagi
 
PDF
Analysis of XSS attack Mitigation techniques based on Platforms and Browsers
cscpconf
 
PDF
Introduction to Cross Site Scripting ( XSS )
Irfad Imtiaz
 
PDF
ieee
Radheshyam Dhakad
 
PPT
Penetration Testing Basics
Rick Wanner
 
PDF
Lecture #18 - #20: Web Browser and Web Application Security
Dr. Ramchandra Mangrulkar
 
PDF
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Sandeep Kumbhar
 
PDF
Security Awareness
Lucas Hendrich
 
PPTX
Cross Site Scripting Defense Presentation
Ikhade Maro Igbape
 
PPT
Web Application Security
Abdul Wahid
 
PPT
Examining And Bypassing The IE8 XSS Filter
kuza55
 
PDF
Routine Detection Of Web Application Defence Flaws
IJTET Journal
 
PPTX
Web Application Penetration Testing Introduction
gbud7
 
PDF
Study of Cross-Site Scripting Attacks and Their Countermeasures
Editor IJCATR
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
abhijitapatil
 
A26001006
IJERA Editor
 
Tracing out Cross Site Scripting Vulnerabilities in Modern Scripts
Eswar Publications
 
Cross Site Scripting ( XSS)
Amit Tyagi
 
Intro to Web Application Security
Rob Ragan
 
Attackers Vs Programmers
robin_bene
 
A security note for web developers
John Ombagi
 
Analysis of XSS attack Mitigation techniques based on Platforms and Browsers
cscpconf
 
Introduction to Cross Site Scripting ( XSS )
Irfad Imtiaz
 
ieee
Radheshyam Dhakad
 
Penetration Testing Basics
Rick Wanner
 
Lecture #18 - #20: Web Browser and Web Application Security
Dr. Ramchandra Mangrulkar
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Sandeep Kumbhar
 
Security Awareness
Lucas Hendrich
 
Cross Site Scripting Defense Presentation
Ikhade Maro Igbape
 
Web Application Security
Abdul Wahid
 
Examining And Bypassing The IE8 XSS Filter
kuza55
 
Routine Detection Of Web Application Defence Flaws
IJTET Journal
 
Web Application Penetration Testing Introduction
gbud7
 
Study of Cross-Site Scripting Attacks and Their Countermeasures
Editor IJCATR
 
Ad

Recently uploaded (20)

PDF
احياء السادس العلمي - الفصل الثالث (التكاثر) منهج متميزين/كلية بغداد/موهوبين
S LS
 
PDF
Hazard Identification & Risk Assessment .pdf
estagiarioprotegesms
 
PPTX
Computer Architecture Input Output Memory.pptx
Gunasundari Selvaraj
 
PDF
Complications of Minimal Access-Surgery.pdf
Laparoscopy Hospital
 
PPTX
Share_Module_2_Power_conflict_and_negotiation.pptx
Lavanyaj33
 
PDF
Practical Manual AGRO-233 Principles and Practices of Natural Farming
MilindKhedekar2
 
PPTX
CHAPTER IV. MAN AND BIOSPHERE AND ITS TOTALITY.pptx
greciamaycalambro
 
PPTX
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
PDF
OBE - B.A.(HON'S) IN INTERIOR ARCHITECTURE -Ar.MOHIUDDIN.pdf
ArchitectAFMMohiuddi
 
PPTX
TNA_Presentation-1-Final(SAVE)) (1).pptx
RomnickTanilon
 
PDF
My India Quiz Book_20210205121199924.pdf
AtandraDey2
 
PDF
HVAC Specification 2024 according to central public works department
amitrobanipl
 
PPTX
A powerpoint presentation on the Revised K-10 Science Shaping Paper
JericEstaco2
 
PDF
BP 704 T. NOVEL DRUG DELIVERY SYSTEMS (UNIT 1)
CMEmpire
 
PDF
Weekly quiz Compilation Jan -July 25.pdf
Nitin Suresh
 
PPTX
Onco Emergencies - Spinal cord compression Superior vena cava syndrome Febr...
Medpopz
 
PDF
FOISHS ANNUAL IMPLEMENTATION PLAN 2025.pdf
EllenJoyCaniya2
 
PDF
Trump Administration's workforce development strategy
Mebane Rash
 
PPTX
Introduction to pro and eukaryotes and differences.pptx
AvaniKarumathil
 
PDF
ChatGPT for Dummies - Pam Baker Ccesa007.pdf
Demetrio Ccesa Rayme
 
احياء السادس العلمي - الفصل الثالث (التكاثر) منهج متميزين/كلية بغداد/موهوبين
S LS
 
Hazard Identification & Risk Assessment .pdf
estagiarioprotegesms
 
Computer Architecture Input Output Memory.pptx
Gunasundari Selvaraj
 
Complications of Minimal Access-Surgery.pdf
Laparoscopy Hospital
 
Share_Module_2_Power_conflict_and_negotiation.pptx
Lavanyaj33
 
Practical Manual AGRO-233 Principles and Practices of Natural Farming
MilindKhedekar2
 
CHAPTER IV. MAN AND BIOSPHERE AND ITS TOTALITY.pptx
greciamaycalambro
 
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
OBE - B.A.(HON'S) IN INTERIOR ARCHITECTURE -Ar.MOHIUDDIN.pdf
ArchitectAFMMohiuddi
 
TNA_Presentation-1-Final(SAVE)) (1).pptx
RomnickTanilon
 
My India Quiz Book_20210205121199924.pdf
AtandraDey2
 
HVAC Specification 2024 according to central public works department
amitrobanipl
 
A powerpoint presentation on the Revised K-10 Science Shaping Paper
JericEstaco2
 
BP 704 T. NOVEL DRUG DELIVERY SYSTEMS (UNIT 1)
CMEmpire
 
Weekly quiz Compilation Jan -July 25.pdf
Nitin Suresh
 
Onco Emergencies - Spinal cord compression Superior vena cava syndrome Febr...
Medpopz
 
FOISHS ANNUAL IMPLEMENTATION PLAN 2025.pdf
EllenJoyCaniya2
 
Trump Administration's workforce development strategy
Mebane Rash
 
Introduction to pro and eukaryotes and differences.pptx
AvaniKarumathil
 
ChatGPT for Dummies - Pam Baker Ccesa007.pdf
Demetrio Ccesa Rayme
 

XSS filter on Server side

  • 1. MITIGATION OF XSS USING SIGNATURE BASED MODEL ON SERVER SIDE SEMINAR BY Dhanashree Waikar Abhijeet Kate Shailesh Khachane GUIDED BY Mrs. M.A. Pradhan (Head Of Department)
  • 2. XSS ? ? ? ? (Cross Site Scripting) Allow code injection by malicious web users XSS attacks the end user -- it runs arbitrary code in their browser. The browser is behind your firewall and is acting within the user’s security context
  • 3. JavaScript power JavaScript can control what appears on screen. JavaScript has access to your history. Sites often store session tokens in GET request. JavaScript can intercept cookies. JavaScript can enumerate your network.
  • 4. EXAMPLE Code:- <script>alert(&quot;/XSS&quot;/)</script> <script>alert(&quot;XSS&quot;)</script> <script>alert(&quot;XSS&quot;)</script>; <script>alert(String.fromCharCode(88,83,83))</script> Effect
  • 5. Available options to prevent XSS attacks Signature Based Positive signature Negative signature Behavior based Client side or server side
  • 6. Signature based model Prevention using negative signature based model Configurable black listed tags Placed at the top most layer of the web application. Recognized attacks are blocked
  • 7. Modules for xss prevation Blocker Parser Validator Tag cluster
  • 8. Blocker Checks for the existence of special characters For example ‘<’, ‘>’, ‘%’, ‘&’, ‘\\’, ‘&#’ are few of the special characters used to embed JavaScript functions in the tags Blocker is responsible to allow or to reject the input string from the user According to the status which it receives from validator
  • 9. Parser Called by the Blocker Breaks the input into multiple tokens, as tags and attributes Stores it as a element in a vector object The vector object created by the parser component which invokes the validator For <img src=http://www.sample.com/image1.gif> The vector elements are img, src=http://www.sample.com/image1.gif
  • 10. Validator Checks input for vulnarability by executing the rules using the tag cluster Compares tags or attributes of input script If mached then marked as vulnabrable Verifier() detectMalicious()
  • 11. Tag cluster The prohibited tags and the prohibited attributes of tags are categorized as black listed cluster Rules for vulnerability identification
  • 13. Future Enhancements modular based . Modules for Other web application attacks can be added easily. E.g. sql injection, Buffer-overflow attacks Updates can be provided for the tag cluster
  • 14. Limitations Only known attacks can be blocked Web application’s response performance is reduced.
  • 15. Conclusion The presented server side solution approach meets the need to protect the web Applications with the perspective to improve the response time while addressing the XSS attacks
  • 16. References 1. G. A. Di Lucca, A. R. Fasolino, M. Mastoianni, P. Tramontana, &quot;Identifying Cross Site Scripting Vulnerabilities in Web Applications,&quot; Sixth IEEE International Workshop on Web Site Evolution(WSE'04) , pp. 71-80, , 2004. 2. M. M. Burnett and J. C. Foster, “Hacking the Code: ASP.NET Web Application Security,” Chapter 5 - Filtering User Input, Syngress Publishing © 2004 3. Scott, D., Sharp, R. “Developing Secure Web Applications.” IEEEInternet Computing, 6(6), pp. 38-45, Nov 2002. 4. Jin-Cherng Lin, Jan-Min Chen, &quot;An Automatic Revised Tool for Anti-Malicious Injection,&quot; cit, p. 164, Sixth IEEE International Conference on Computer and Information Technology (CIT'06), 2006. 5. Zhendong Su, Gary Wassermann, “The essence of command injection attacks in web applications,” Annual Symposium on Principles of Programming Languages, Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles 6. Christopher Krugel, G.Vigna, William Robertson, “A multimodel approach to the detection of web based attacks,”Computer Networks 48 (2005) pp.717-738 – ELSEVIER, 2005.
  • 17. Thank you We would like to specially thank Mrs. M. A. Pradhan madam , Mrs. Vaishali Vairale madam, and all respected teachers for their continuous help and support.