Script late injection: a framework to introduce JavaScript into web pages

Abstract

Script injection is one type of fault present in web, which mostly utilizes user data to execute code without applying any type of filters. Script injection can impact both client and server making exposing them to vulnerabilities. Security and related products may need to execute logic on the client-side generally in a browser. In order to achieve this, proxy servers inject appropriate JavaScript code into the responses they proxy. Typically, the injection point is at the end of the body element. The framework introduced in this paper rather uses a stack-based approach to determine the injection point in the web page. Ten kilobytes from the end of a web page are given as a string input to the framework, after tokenization and construction of the vector of tokens. A stack is used to determine the injection point. Along with the position of the injection point, a warning flag is also estimated indicating the correctness of the injection point. Different types of web pages were considered for running the unit tests and fuzzy tests on the framework. These classes of pages are determined by crawling most used web pages. The injected scripts are executed once the body content is completely loaded. Hence, it can retrieve maximum information without affecting end-user performance. It also does the job at a low cost.