{"title":"A Google Chromium Browser Extension for Detecting XSS Attack in HTML5 Based Websites","authors":"Arun Prasath Sivanesan, A. Mathur, A. Javaid","doi":"10.1109/EIT.2018.8500284","DOIUrl":null,"url":null,"abstract":"The advent of HTML 5 revives the life of cross-site scripting attack (XSS) in the web. Cross Document Messaging, Local Storage, Attribute Abuse, Input Validation, Inline Multimedia and SVG emerge as likely targets for serious threats. Introduction of various new tags and attributes can be potentially manipulated to exploit the data on a dynamic website. The XSS attack manages to retain a spot in all the OWASP Top 10 security risks released over the past decade and placed in the seventh spot in OWASP Top 10 of 2017. It is known that XSS attempts to execute scripts with untrusted data without proper validation between websites. XSS executes scripts in the victim's browser which can hijack user sessions, deface websites, or redirect the user to the malicious site. This paper focuses on the development of a browser extension for the popular Google Chromium browser that keeps track of various attack vectors. These vectors primarily include tags and attributes of HTML 5 that may be used maliciously. The developed plugin alerts users whenever a possibility of XSS attack is discovered when a user accesses a particular website.","PeriodicalId":188414,"journal":{"name":"2018 IEEE International Conference on Electro/Information Technology (EIT)","volume":"11 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-05-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 IEEE International Conference on Electro/Information Technology (EIT)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/EIT.2018.8500284","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 5
Abstract
The advent of HTML 5 revives the life of cross-site scripting attack (XSS) in the web. Cross Document Messaging, Local Storage, Attribute Abuse, Input Validation, Inline Multimedia and SVG emerge as likely targets for serious threats. Introduction of various new tags and attributes can be potentially manipulated to exploit the data on a dynamic website. The XSS attack manages to retain a spot in all the OWASP Top 10 security risks released over the past decade and placed in the seventh spot in OWASP Top 10 of 2017. It is known that XSS attempts to execute scripts with untrusted data without proper validation between websites. XSS executes scripts in the victim's browser which can hijack user sessions, deface websites, or redirect the user to the malicious site. This paper focuses on the development of a browser extension for the popular Google Chromium browser that keeps track of various attack vectors. These vectors primarily include tags and attributes of HTML 5 that may be used maliciously. The developed plugin alerts users whenever a possibility of XSS attack is discovered when a user accesses a particular website.