Server-side Cross-site Scripting Detection Powered by HTML Semantic Parsing Inspired by XSS Auditor

Abstract

Cross-site Scripting attacks have been a perennial threat to web applications for many years. Conventional practices to prevent cross-site scripting attacks revolve around secure programming and client-side prevention techniques. However, client-side preventions are still prone to bypasses as the inspection is done on the user’s browser, so an adversary can alter the inspection algorithm to come up with the bypasses or even manipulate the victim to turn off the security measures. This decreases the effectiveness of the protection and leads to many web applications are still vulnerable to cross-site scripting attacks. We believe that XSS Auditor, which was pre-installed in Google Chrome browser for more than 9 years, is a great approach in combating and preventing XSS attacks. Hence, in this paper, we proposed a novel approach to thoroughly identify two types of cross-site scripting attacks through server-side filter implementation. Our proposed approach follows the original XSS Auditor mechanism implemented in Google Chrome. However, instead of placing the detection system on the client side, we design a detection mechanism that checks HTTP requests and responses as well as database responses for possible XSS attacks from the server side. From 500 payloads used to evaluate the proposed method, 442 payloads were classified correctly, thus showing that the proposed method was able to reach 88.4% accuracy. This work showed that the proposed approach is very promising in protecting users from devastating Cross-site Scripting attacks.