MITIGATION OF XSS USING SIGNATURE BASED MODEL ON SERVER SIDE. Seminar by Dhanashree Waikar, Abhijeet Kate, Shailesh Khachane. Guided by Mrs. M.A. Pradhan (Head of Department).
XSS? (Cross Site Scripting). XSS allows code injection by malicious web users. XSS attacks the end user: it runs arbitrary code in their browser. The browser is behind your firewall and is acting within the user’s security context.
JavaScript power. JavaScript can control what appears on screen. JavaScript has access to your history. Sites often store session tokens in GET requests. JavaScript can intercept cookies. JavaScript can enumerate your network.
EXAMPLE. Code: <script>alert("/XSS"/)</script> <script>alert("XSS")</script> <script>alert("XSS")</script>; <script>alert(String.fromCharCode(88,83,83))</script> Effect: [image]
Available options to prevent XSS attacks: signature based (positive signature or negative signature) or behavior based; deployed on the client side or the server side.
Signature based model. Prevention using a negative signature based model: a configurable list of black-listed tags, placed at the topmost layer of the web application. Recognized attacks are blocked.
Modules for XSS prevention: Blocker, Parser, Validator, Tag cluster.
Blocker. Checks for the existence of special characters; for example ‘<’, ‘>’, ‘%’, ‘&’, ‘\\’, ‘&#’ are a few of the special characters used to embed JavaScript functions in tags. The Blocker is responsible for allowing or rejecting the input string from the user, according to the status it receives from the Validator.
Parser. Called by the Blocker. Breaks the input into multiple tokens (tags and attributes) and stores each as an element of a vector object. The Validator is invoked on the vector object created by the Parser. For <img src=http://www.sample.com/image1.gif>, the vector elements are img and src=http://www.sample.com/image1.gif.
Validator. Checks the input for vulnerability by executing the rules from the tag cluster: the tags and attributes of the input script are compared against the cluster, and if one matches, the input is marked as vulnerable. Methods: Verifier(), detectMalicious().
Tag cluster. The prohibited tags and the prohibited attributes of tags are categorized as the black-listed cluster, which provides the rules for vulnerability identification.
Flow diagram: [image]
Future enhancements. The design is module based, so modules for other web application attacks can be added easily, e.g. SQL injection and buffer-overflow attacks. Updates can be provided for the tag cluster.
Limitations. Only known attacks can be blocked. The web application’s response performance is reduced.
Conclusion. The presented server side approach meets the need to protect web applications against XSS attacks, with the perspective of improving the response time.
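The four modules from the preceding slides (Blocker, Parser, Validator, Tag cluster), the positive-signature option from the options slide, and the "only known attacks can be blocked" limitation, worked through as an added example. This is not the seminar's code: the tag-cluster entries, the allow list, the canonicalisation step in the Blocker and every function name other than detectMalicious are assumptions made here, and the inputs in the demo are the slides' own payloads plus constructed samples.

```python
import html
import re
from urllib.parse import unquote

# Tag cluster (negative signatures). The slides describe it as a configurable
# black list of prohibited tags and attributes but name only <script>; the
# entries below are a constructed example, not the seminar's list.
TAG_CLUSTER = {
    "tags": {"script", "iframe", "object", "embed"},
    "attribute_prefixes": ("on",),                 # onload=, onerror=, ...
    "url_attributes": {"src", "href"},
    "url_schemes": ("javascript:", "vbscript:"),
}

# Special characters the Blocker looks for before involving the Parser (from the slides).
SPECIAL_CHARS = ("<", ">", "%", "&", "\\", "&#")

TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][\w-]*)([^>]*)>")
ATTR_RE = re.compile(r"""([\w-]+)\s*(?:=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?""")


def parse(text):
    """Parser: tokenise every tag into 'tag' and 'attr=value' strings (the slides' vector)."""
    vector = []
    for m in TAG_RE.finditer(text):
        vector.append(m.group(1).lower())
        for a in ATTR_RE.finditer(m.group(2)):
            value = (a.group(2) or "").strip("\"'")
            vector.append(f"{a.group(1).lower()}={value}")
    return vector


def detect_malicious(vector, cluster=TAG_CLUSTER):
    """Validator: compare each token with the tag cluster; return the rule hit, or None."""
    for token in vector:
        name, eq, value = token.partition("=")
        if not eq:                                  # tag token
            if name in cluster["tags"]:
                return f"prohibited tag <{name}>"
        else:                                       # attribute token
            if name.startswith(cluster["attribute_prefixes"]):
                return f"prohibited event-handler attribute {name}"
            if name in cluster["url_attributes"] and \
                    value.lower().lstrip().startswith(cluster["url_schemes"]):
                return f"prohibited URL scheme in {name}"
    return None


def blocker(user_input, cluster=TAG_CLUSTER):
    """Blocker: entry point of the filter. Returns (allowed, reason)."""
    # Assumed canonicalisation step: the slides list '%' and '&#' as special
    # characters, so URL- and entity-encoded input is decoded once before matching.
    text = html.unescape(unquote(user_input))
    if not any(c in text for c in SPECIAL_CHARS):
        return True, "no special characters"
    verdict = detect_malicious(parse(text), cluster)
    if verdict:
        return False, verdict
    return True, "passed validation"


# Positive-signature alternative from the options slide: only listed tags and
# attributes are accepted, so anything unknown is rejected instead of passed.
# The allow list is constructed for this example.
ALLOW_LIST = {"b": set(), "i": set(), "p": set(), "img": {"src", "alt"}}


def detect_unlisted(vector, allowed=ALLOW_LIST):
    """Positive validator: return the first token not explicitly allowed, or None."""
    tag = None
    for token in vector:
        name, eq, _ = token.partition("=")
        if not eq:
            tag = name
            if name not in allowed:
                return f"tag <{name}> not on the allow list"
        elif name not in allowed[tag]:
            return f"attribute {name} not allowed on <{tag}>"
    return None


if __name__ == "__main__":
    samples = [
        '<script>alert("XSS")</script>',                      # payload from the slides
        "<script>alert(String.fromCharCode(88,83,83))</script>",
        "%3Cscript%3Ealert(1)%3C/script%3E",                  # same payload, URL-encoded
        "<img src=http://www.sample.com/image1.gif>",         # benign example from the slides
        "Tom & Jerry",                                        # constructed benign input
        "<zz-widget zzaction=run>",                           # constructed tag unknown to both lists
    ]
    for s in samples:
        allowed, why = blocker(s)
        print(f"{'ALLOW' if allowed else 'BLOCK'} {why:40} {s}")
    # The limitation slide in code: the black list passes a tag it has never seen,
    # the allow list does not.
    v = parse("<zz-widget zzaction=run>")
    print("negative signature:", detect_malicious(v), "| positive signature:", detect_unlisted(v))
```

The Blocker only hands input to the Parser when a special character is present, exactly as the slides describe; the decoding step is the one practical addition, because a blacklist compared against still-encoded text matches nothing. The last two lines are the limitation made concrete: a negative signature can only reject what the cluster already names, while the positive signature rejects everything it was not taught.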
Thank you. We would like to specially thank Mrs. M. A. Pradhan madam, Mrs. Vaishali Vairale madam, and all respected teachers for their continuous help and support.
THANK YOU
QUESTIONS
XSS filter on Server side