Volume 3, No. 5, May 2012
Journal of Global Research in Computer Science
TECHNICAL NOTE
Available Online at www.jgrcs.info
© JGRCS 2010, All Rights Reserved 61
DEFENDING AGAINST WEB VULNERABILITIES AND CROSS-SITE SCRIPTING
T. Venkat Narayana Rao *1, V. Tejsawni *2, K. Preethi *3
*1 Professor, Department of Computer Science and Engineering, Hyderabad Institute of Technology and Management [HITAM], Hyderabad, A.P, India. tvnrbobby@yahoo.com
*2 Student, B.Tech Third Year, Department of Information Technology, Hyderabad Institute of Technology and Management [HITAM], Hyderabad, A.P. 4tejaswani@gmail.com
*3 Associate Professor, Department of Computer Science and Engineering, Hyderabad Institute of Technology and Management [HITAM], Hyderabad, A.P, India
Abstract: Researchers have devised multiple solutions to cross-site scripting, but vulnerabilities persist in many Web applications due to developers' lack of expertise in identifying the problem and their unfamiliarity with current mechanisms. According to experts, cross-site scripting is among the most serious and widespread threats in Web applications today, more so than buffer overflows. A recent study shows that XSS ranked first in the MITRE Common Weakness Enumeration (CWE)/SANS Institute list of Top 25 Most Dangerous Software Errors and second in the Open Web Application Security Project (OWASP) list. However, vulnerabilities continue to exist in many Web applications due to developers' lack of understanding of the problem and their unfamiliarity with the strengths and limitations of current defences. Existing techniques for defending against XSS exploits suffer from various weaknesses: inherent limitations, incomplete implementations, complex frameworks, runtime overhead, and intensive manual-work requirements. Security researchers can address these weaknesses from two different perspectives. They need to look beyond current techniques by incorporating more effective input validation and sanitization features. In time, development tools will incorporate security frameworks such as ESAPI that implement state-of-the-art technology. This paper focuses on the program verification perspective: how researchers must integrate program analysis, pattern recognition, concolic testing, data mining, and AI algorithms to solve different software engineering problems and to enhance the effectiveness of vulnerability detection. Attention to such issues would improve the precision of current methods by acquiring attack code patterns from outside experts as soon as they become available.
Keywords: XSS, vulnerability, Injection, overhead, markup.
WHAT IS CROSS-SITE SCRIPTING (XSS)
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. It breaches the browser's security model and enables attackers to inject client-side script into Web pages viewed by other users [1]. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Several major websites, including Facebook, Twitter, MySpace, eBay, Google, and McAfee, have been the targets of XSS exploits. XSS is the result of limitations inherent in many Web applications' security mechanisms, i.e. the lack or insufficient refinement of user inputs. XSS flaws exist in Web applications written in various programming languages such as PHP, Java, and .NET where application web pages reference unrestricted user inputs. Attackers inject malicious code via these inputs, thereby causing unintended script execution in clients' browsers.
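The failure mode just described, as an added example that is not part of the paper: a page that concatenates unrestricted user input straight into its markup, beside a hardened version that applies output encoding for each HTML context before rendering, plus an allowlist check of the kind the paper calls input validation. The sample input and all function names are constructed for this illustration.

```python
# Added example (not from the paper): the paper's failure mode, unrestricted
# user input referenced directly in a Web page, next to a hardened render
# function. Function names and the sample input are constructed here.
import html
import re
from urllib.parse import quote

# Constructed sample input of the kind submitted through a form field or
# query parameter; it carries a script tag and an attribute break-out.
SAMPLE_INPUT = '<script>alert(1)</script>" onmouseover="alert(2)'

def render_vulnerable(name: str) -> str:
    """'Before': input is concatenated straight into markup, so any markup
    in the input becomes part of the page that other users' browsers run."""
    return f'<p>Hello, {name}</p><input value="{name}">'

def encode_html(value: str) -> str:
    """Output encoding for HTML body and double-quoted attribute contexts:
    html.escape(quote=True) turns &, <, >, " and ' into entities."""
    return html.escape(value, quote=True)

def encode_url_param(value: str) -> str:
    """Output encoding for a URL query-string context (percent-encoding)."""
    return quote(value, safe="")

def render_hardened(name: str) -> str:
    """'After': the same page, but each interpolation point uses the encoder
    for its context, so the input can only ever be displayed as text."""
    return (f'<p>Hello, {encode_html(name)}</p>'
            f'<input value="{encode_html(name)}">'
            f'<a href="/profile?user={encode_url_param(name)}">profile</a>')

_USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def is_valid_username(value: str) -> bool:
    """Input validation by allowlist: accept only the characters a username
    legitimately needs. This complements encoding rather than replacing it,
    since free-text fields cannot be restricted this tightly."""
    return _USERNAME_RE.fullmatch(value) is not None

def shows_injection(rendered: str) -> bool:
    """Illustrative check: did the raw script tag or the attribute break-out
    survive into the rendered page, where a browser would treat it as markup?"""
    return "<script" in rendered or '" onmouseover="' in rendered

if __name__ == "__main__":
    for label, page in (("vulnerable", render_vulnerable(SAMPLE_INPUT)),
                        ("hardened", render_hardened(SAMPLE_INPUT))):
        print(f"{label}: injection survives = {shows_injection(page)}")
```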
Researchers have proposed multiple XSS solutions, ranging from simple static analysis to complex runtime protection mechanisms. Cross-site scripting carried out on websites accounted for roughly 80.5% of all security vulnerabilities recorded by Symantec as of 2007. Its effects may range from a minor nuisance to a significant security risk, depending on the value of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner. From a development perspective, researchers need to craft simpler, better, and more flexible security alternatives. Cross-site scripting flaws are web-application vulnerabilities which allow attackers to bypass client-side security mechanisms normally imposed on web content by modern web browsers.
By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection [2]. The expression "cross-site scripting" originally referred to the act of loading the attacked, third-party web application from a distinct attack site, in a manner that executes a fragment of JavaScript written by the attacker in the security context of the targeted domain. The definition gradually expanded to encompass other modes of code injection, including persistent and non-JavaScript vectors (including Java, ActiveX, VBScript, Flash, or even pure HTML, and SQL queries), causing some confusion for newcomers to the field of information security [3]. XSS vulnerabilities have been reported and exploited since the 1990s. Well-known sites affected in the past include the social-networking sites Twitter, Facebook, MySpace, and Orkut. In recent years, cross-site scripting flaws surpassed buffer overflows to become the most common publicly reported security vulnerability, with some researchers in 2007 viewing as many as 68% of websites as likely open to XSS attacks.