Twenty-two years since revealing cross-site scripting attacks: A systematic mapping and a comprehensive survey

IF 13.3 1区 计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS
Abdelhakim Hannousse , Salima Yahiouche , Mohamed Cherif Nait-Hamoud
{"title":"Twenty-two years since revealing cross-site scripting attacks: A systematic mapping and a comprehensive survey","authors":"Abdelhakim Hannousse ,&nbsp;Salima Yahiouche ,&nbsp;Mohamed Cherif Nait-Hamoud","doi":"10.1016/j.cosrev.2024.100634","DOIUrl":null,"url":null,"abstract":"<div><p>Cross-site scripting (XSS) is one of the major threats menacing the privacy of data and the navigation of trusted web applications. Since its disclosure in late 1999 by Microsoft security engineers, several techniques have been developed with the aim of securing web navigation and protecting web applications against XSS attacks. XSS has been and is still in the top 10 list of web vulnerabilities reported by the Open Web Applications Security Project (OWASP). Consequently, handling XSS attacks has become one of the major concerns of several web security communities. Despite the numerous studies that have been conducted to combat XSS attacks, the attacks continue to rise. This motivates the study of how the interest in XSS attacks has evolved over the years, what has already been achieved to prevent these attacks, and what is missing to restrain their prevalence. In this paper, we conduct a systematic mapping and a comprehensive survey with the aim of answering all these questions. We summarize and categorize existing endeavors that aim to handle XSS attacks and develop XSS-free web applications. The systematic mapping yielded 157 high-quality published studies. By thoroughly analyzing those studies, a comprehensive taxonomy is drawn out outlining various techniques used to prevent, detect, protect, and defend against XSS attacks and vulnerabilities. The study of the literature revealed a remarkable interest bias toward basic (84.71%) and JavaScript (81.63%) XSS attacks as well as a dearth of vulnerability repair mechanisms and tools (only 1.48%). Notably, existing vulnerability detection techniques focus solely on single-page detection, overlooking flaws that may span across multiple pages. Furthermore, the study brought to the forefront the limitations and challenges of existing attack detection and defense techniques concerning machine learning and content-security policies. Consequently, we strongly advocate the development of more suitable detection and defense techniques, along with an increased focus on addressing XSS vulnerabilities through effective detection (hybrid solutions) and repair strategies. Additionally, there is a pressing need for more high-quality studies to overcome the limitations of promising approaches such as machine learning and content-security policies while also addressing diverse XSS attacks in different languages. Hopefully, this study can serve as guidance for both the academic and practitioner communities in the development of XSS-free web applications.</p></div>","PeriodicalId":48633,"journal":{"name":"Computer Science Review","volume":"52 ","pages":"Article 100634"},"PeriodicalIF":13.3000,"publicationDate":"2024-04-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Science Review","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1574013724000182","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

Abstract

Cross-site scripting (XSS) is one of the major threats menacing the privacy of data and the navigation of trusted web applications. Since its disclosure in late 1999 by Microsoft security engineers, several techniques have been developed with the aim of securing web navigation and protecting web applications against XSS attacks. XSS has been and is still in the top 10 list of web vulnerabilities reported by the Open Web Applications Security Project (OWASP). Consequently, handling XSS attacks has become one of the major concerns of several web security communities. Despite the numerous studies that have been conducted to combat XSS attacks, the attacks continue to rise. This motivates the study of how the interest in XSS attacks has evolved over the years, what has already been achieved to prevent these attacks, and what is missing to restrain their prevalence. In this paper, we conduct a systematic mapping and a comprehensive survey with the aim of answering all these questions. We summarize and categorize existing endeavors that aim to handle XSS attacks and develop XSS-free web applications. The systematic mapping yielded 157 high-quality published studies. By thoroughly analyzing those studies, a comprehensive taxonomy is drawn out outlining various techniques used to prevent, detect, protect, and defend against XSS attacks and vulnerabilities. The study of the literature revealed a remarkable interest bias toward basic (84.71%) and JavaScript (81.63%) XSS attacks as well as a dearth of vulnerability repair mechanisms and tools (only 1.48%). Notably, existing vulnerability detection techniques focus solely on single-page detection, overlooking flaws that may span across multiple pages. Furthermore, the study brought to the forefront the limitations and challenges of existing attack detection and defense techniques concerning machine learning and content-security policies. Consequently, we strongly advocate the development of more suitable detection and defense techniques, along with an increased focus on addressing XSS vulnerabilities through effective detection (hybrid solutions) and repair strategies. Additionally, there is a pressing need for more high-quality studies to overcome the limitations of promising approaches such as machine learning and content-security policies while also addressing diverse XSS attacks in different languages. Hopefully, this study can serve as guidance for both the academic and practitioner communities in the development of XSS-free web applications.

跨站脚本攻击被揭露已有 22 年:系统映射和全面调查
跨站脚本(XSS)是威胁数据隐私和可信网络应用程序导航的主要威胁之一。自从微软公司的安全工程师于 1999 年底披露了这一漏洞以来,已经开发出了多种技术,旨在确保网络导航安全和保护网络应用程序免受 XSS 攻击。XSS 一直是开放式网络应用安全项目(OWASP)报告的十大网络漏洞之一。因此,处理 XSS 攻击已成为多个网络安全社区关注的主要问题之一。尽管针对 XSS 攻击开展了大量研究,但攻击仍在继续增加。这就促使我们研究 XSS 攻击的兴趣在过去几年中是如何演变的,在防止这些攻击方面已经取得了哪些成果,在抑制其流行方面还缺少哪些东西。在本文中,我们进行了一次系统的摸底和全面的调查,旨在回答所有这些问题。我们对旨在处理 XSS 攻击和开发无 XSS 网络应用程序的现有工作进行了总结和分类。通过系统性映射,我们获得了 157 项高质量的已发表研究。通过对这些研究的深入分析,我们总结出了一个全面的分类法,概述了用于预防、检测、保护和防御 XSS 攻击和漏洞的各种技术。文献研究表明,人们对基本 XSS 攻击(84.71%)和 JavaScript XSS 攻击(81.63%)的兴趣明显偏向于基本 XSS 攻击,而对漏洞修复机制和工具的兴趣却很低(仅为 1.48%)。值得注意的是,现有的漏洞检测技术只关注单页面检测,忽略了可能跨越多个页面的漏洞。此外,这项研究还凸显了现有攻击检测和防御技术在机器学习和内容安全策略方面的局限性和挑战。因此,我们强烈主张开发更合适的检测和防御技术,同时更加关注通过有效的检测(混合解决方案)和修复策略来解决 XSS 漏洞。此外,我们迫切需要进行更多高质量的研究,以克服机器学习和内容安全策略等有前途的方法的局限性,同时解决不同语言的各种 XSS 攻击问题。希望本研究能为学术界和实践界开发无 XSS 网络应用程序提供指导。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
Computer Science Review
Computer Science Review Computer Science-General Computer Science
CiteScore
32.70
自引率
0.00%
发文量
26
审稿时长
51 days
期刊介绍: Computer Science Review, a publication dedicated to research surveys and expository overviews of open problems in computer science, targets a broad audience within the field seeking comprehensive insights into the latest developments. The journal welcomes articles from various fields as long as their content impacts the advancement of computer science. In particular, articles that review the application of well-known Computer Science methods to other areas are in scope only if these articles advance the fundamental understanding of those methods.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信