JS‐SAN: defense mechanism for HTML5‐based web applications against javascript code injection vulnerabilities. Issue 11 (19th February 2016)
- Record Type:
- Journal Article
- Title:
- JS‐SAN: defense mechanism for HTML5‐based web applications against javascript code injection vulnerabilities. Issue 11 (19th February 2016)
- Main Title:
- JS‐SAN: defense mechanism for HTML5‐based web applications against javascript code injection vulnerabilities
- Authors:
- Gupta, Shashank
Gupta, B. B.
- Abstract:
- This paper presents an injection and clustering‐based sanitization framework, i.e. JS‐SAN (JavaScript SANitizer), for the mitigation of JS code injection vulnerabilities. It generates an attack vector template by clustering the extracted JS attack vector payloads according to their level of similarity. It then sanitizes the extracted JS attack vector template by an automated technique for placing sanitizers in the source code of the generated templates of web applications. We have also performed the deepest possible crawling of web pages to find the possible user‐injection points and injected the latest HTML5‐based XSS attack vectors to test the mitigation capability of our framework. The implementation of our design was done on the browser‐side JavaScript library and tested as an extension on Google Chrome. The attack mitigation capability of JS‐SAN was evaluated with the support of a tested suite of open source web applications that are vulnerable to JS code injection vulnerabilities. The proposed framework validates its novelty by producing a lower rate of false negatives and tolerable runtime overhead as compared to existing sanitization‐based approaches. Copyright © 2016 John Wiley & Sons, Ltd.
- This article presents a Google Chrome extension‐based framework, i.e. JS‐SAN (JavaScript SANitizer), that detects and alleviates the effect of JavaScript code injection vulnerabilities on the platforms of real world HTML5 Web applications. The framework performs clustering on the malicious/untrusted JavaScript code and accordingly performs sanitization on such code. Experimental results indicate that JS‐SAN is capable of detecting this malicious code with low false positive and false negative rates and enhances the runtime sanitization process on such code.
- Is Part Of:
- Security and communication networks. Volume 9:Issue 11(2016)
- Journal:
- Security and communication networks
- Issue:
- Volume 9:Issue 11(2016)
- Issue Display:
- Volume 9, Issue 11 (2016)
- Year:
- 2016
- Volume:
- 9
- Issue:
- 11
- Issue Sort Value:
- 2016-0009-0011-0000
- Page Start:
- 1477
- Page End:
- 1495
- Publication Date:
- 2016-02-19
- Subjects:
- javascript (JS) code injection vulnerabilities -- cross‐site scripting (XSS) attack -- sanitization -- HTML5 -- clustering
Computer networks -- Security measures -- Periodicals
Computer security -- Periodicals
Cryptography -- Periodicals
005.805
- Journal URLs:
- http://onlinelibrary.wiley.com/journal/10.1002/(ISSN)1939-0122
https://www.hindawi.com/journals/scn/
http://onlinelibrary.wiley.com/
- DOI:
- 10.1002/sec.1433
- Languages:
- English
- ISSNs:
- 1939-0114
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library HMNTS - ELD Digital store
- Ingest File:
- 1896.xml