Research Article
BibTex RIS Cite

A Hybrid Machine Learning Model to Detect Reflected XSS Attack

Year 2021, Volume: 9 Issue: 3, 235 - 241, 30.07.2021
https://doi.org/10.17694/bajece.927417

Abstract

Since web technologies are getting more advanced with longer codes, the number of vulnerabilities has increased considerably. Cross-site scripting (XSS) attacks are one of the most common attacks that use vulnerabilities in web applications. There are three types of cross-site scripting attacks namely, reflected, stored, and DOM-based attacks. Reflected XSS attacks are the most common type that is usually implemented by injecting a malicious code into the URL and then sending the URL to the targeted system by using phishing methods, which is a significant threat for recent web applications. Our motivation is the lack of a high performance detection method of reflected XSS attacks with high accuracy. In this paper, we propose a hybrid machine learning model to detect vulnerabilities related to reflected XSS attacks for a given URL of a website. Our model uses a scanner to discover vulnerabilities in a web site and convolutional neural networks to predict the most common vulnerabilities that may be used for reflected XSS attacks, which makes the proposed model hybrid. We analyzed the model experimentally. Analyses results show that the proposed model is able to detect vulnerable attack surfaces with 99 % accuracy.

References

  • [1] “Web Applications vulnerabilities and threats: statistics for 2019.” [Online]. Available: https://www.ptsecurity.com/ww en/analytics/web-vulnerabilities-2020/
  • [2] S. Gupta and B. B. Gupta, “Cross-Site Scripting (XSS) attacks and defense mechanisms: classification and state-of-the-art,” International Journal of System Assurance Engineering and Management, vol. 8, no. S1, pp. 512–530, Jan. 2017. [Online]. Available: http://link.springer.com/10.1007/s13198-015-0376-0
  • [3] “OWASP Top Ten Web Application Security Risks j OWASP.” [Online]. Available: https://owasp.org/www-project-top-ten/
  • [4] V. Nithya, S. L. Pandian, and C. Malarvizhi, “A Survey on Detection and Prevention of Cross-Site Scripting Attack,” International Journal of Security and Its Applications, vol. 9, no. 3, pp. 139–152, Mar. 2015.
  • [5] U. Sarmah, D. Bhattacharyya, and J. Kalita, “A survey of detection methods for XSS attacks,” Journal of Network and Computer Applications, vol. 118, pp. 113–143, Sep. 2018. [Online]. Available: https://linkinghub.elsevier.com/retrieve/pii/S1084804518302042
  • [6] M. Liu, B. Zhang, W. Chen, and X. Zhang, “A Survey of Exploitation and Detection Methods of XSS Vulnerabilities,” IEEE Access, vol. 7, pp. 182 004–182 016, 2019. [Online]. Available:https://ieeexplore.ieee.org/document/8935148/
  • [7] G. E. Rodr´ıguez, J. G. Torres, P. Flores, and D. E. Benavides, “Crosssite scripting (XSS) attacks and mitigation: A survey,” Computer Networks, vol. 166, p. 106960, Jan. 2020. [Online]. Available: https://linkinghub.elsevier.com/retrieve/pii/S1389128619311247
  • [8] E. Gal´an, A. Alcaide, A. Orfila, and J. Blasco, “A multi-agent scanner to detect stored-xss vulnerabilities,” in 2010 International Conference for Internet Technology and Secured Transactions, 2010, pp. 1–6.
  • [9] L. Li and L. Wei, “Automatic XSS Detection and Automatic Anti-Anti-Virus Payload Generation,” in 2019 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC). Guilin, China: IEEE, Oct. 2019, pp. 71–76. [Online]. Available: https://ieeexplore.ieee.org/document/8945988/
  • [10] S. Syaifuddin, D. Risqiwati, and H. A. Sidharta, “Automation Snort Rule for XSS Detection with Honeypot,” in 2018 5th International Conference on Electrical Engineering, Computer Science and Informatics (EECSI). Malang, Indonesia: IEEE, Oct. 2018, pp. 584–588. [Online]. Available: https://ieeexplore.ieee.org/document/8752961/
  • [11] X.-Y. Hou, X.-L. Zhao, M.-J. Wu, R. Ma, and Y.-P. Chen, “A Dynamic Detection Technique for XSS Vulnerabilities,” in 2018 4th Annual International Conference on Network and Information Systems for Computers (ICNISC). Wuhan, China: IEEE, Apr. 2018, pp. 34–43. [Online]. Available: https://ieeexplore.ieee.org/document/8842866/
  • [12] G. Habibi and N. Surantha, “XSS Attack Detection With Machine Learning and n-Gram Methods,” in 2020 International Conference on Information Management and Technology (ICIMTech). Bandung, Indonesia: IEEE, Aug. 2020, pp. 516–520. [Online]. Available:https://ieeexplore.ieee.org/document/9210946/
  • [13] G. Dong, Y. Zhang, X. Wang, P. Wang, and L. Liu, “Detecting cross site scripting vulnerabilities introduced by HTML5,” in 2014 11th International Joint Conference on Computer Science and Software Engineering (JCSSE). Chon Buri: IEEE, May 2014, pp. 319–323. [Online]. Available: https://ieeexplore.ieee.org/document/6841888/
  • [14] L. Lei, M. Chen, C. He, and D. Li, “XSS Detection Technology Based on LSTM-Attention,” in 2020 5th International Conference on Control, Robotics and Cybernetics (CRC). Wuhan, China: IEEE, Oct. 2020, pp. 175–180. [Online]. Available: https://ieeexplore.ieee.org/document/9253484/
  • [15] D. M. W. Powers, “What the F-measure doesn’t measure: Features, Flaws, Fallacies and Fixes,” arXiv:1503.06410 [cs, stat], Sep. 2019, arXiv: 1503.06410. [Online]. Available: http://arxiv.org/abs/1503.06410
Year 2021, Volume: 9 Issue: 3, 235 - 241, 30.07.2021
https://doi.org/10.17694/bajece.927417

Abstract

References

  • [1] “Web Applications vulnerabilities and threats: statistics for 2019.” [Online]. Available: https://www.ptsecurity.com/ww en/analytics/web-vulnerabilities-2020/
  • [2] S. Gupta and B. B. Gupta, “Cross-Site Scripting (XSS) attacks and defense mechanisms: classification and state-of-the-art,” International Journal of System Assurance Engineering and Management, vol. 8, no. S1, pp. 512–530, Jan. 2017. [Online]. Available: http://link.springer.com/10.1007/s13198-015-0376-0
  • [3] “OWASP Top Ten Web Application Security Risks j OWASP.” [Online]. Available: https://owasp.org/www-project-top-ten/
  • [4] V. Nithya, S. L. Pandian, and C. Malarvizhi, “A Survey on Detection and Prevention of Cross-Site Scripting Attack,” International Journal of Security and Its Applications, vol. 9, no. 3, pp. 139–152, Mar. 2015.
  • [5] U. Sarmah, D. Bhattacharyya, and J. Kalita, “A survey of detection methods for XSS attacks,” Journal of Network and Computer Applications, vol. 118, pp. 113–143, Sep. 2018. [Online]. Available: https://linkinghub.elsevier.com/retrieve/pii/S1084804518302042
  • [6] M. Liu, B. Zhang, W. Chen, and X. Zhang, “A Survey of Exploitation and Detection Methods of XSS Vulnerabilities,” IEEE Access, vol. 7, pp. 182 004–182 016, 2019. [Online]. Available:https://ieeexplore.ieee.org/document/8935148/
  • [7] G. E. Rodr´ıguez, J. G. Torres, P. Flores, and D. E. Benavides, “Crosssite scripting (XSS) attacks and mitigation: A survey,” Computer Networks, vol. 166, p. 106960, Jan. 2020. [Online]. Available: https://linkinghub.elsevier.com/retrieve/pii/S1389128619311247
  • [8] E. Gal´an, A. Alcaide, A. Orfila, and J. Blasco, “A multi-agent scanner to detect stored-xss vulnerabilities,” in 2010 International Conference for Internet Technology and Secured Transactions, 2010, pp. 1–6.
  • [9] L. Li and L. Wei, “Automatic XSS Detection and Automatic Anti-Anti-Virus Payload Generation,” in 2019 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC). Guilin, China: IEEE, Oct. 2019, pp. 71–76. [Online]. Available: https://ieeexplore.ieee.org/document/8945988/
  • [10] S. Syaifuddin, D. Risqiwati, and H. A. Sidharta, “Automation Snort Rule for XSS Detection with Honeypot,” in 2018 5th International Conference on Electrical Engineering, Computer Science and Informatics (EECSI). Malang, Indonesia: IEEE, Oct. 2018, pp. 584–588. [Online]. Available: https://ieeexplore.ieee.org/document/8752961/
  • [11] X.-Y. Hou, X.-L. Zhao, M.-J. Wu, R. Ma, and Y.-P. Chen, “A Dynamic Detection Technique for XSS Vulnerabilities,” in 2018 4th Annual International Conference on Network and Information Systems for Computers (ICNISC). Wuhan, China: IEEE, Apr. 2018, pp. 34–43. [Online]. Available: https://ieeexplore.ieee.org/document/8842866/
  • [12] G. Habibi and N. Surantha, “XSS Attack Detection With Machine Learning and n-Gram Methods,” in 2020 International Conference on Information Management and Technology (ICIMTech). Bandung, Indonesia: IEEE, Aug. 2020, pp. 516–520. [Online]. Available:https://ieeexplore.ieee.org/document/9210946/
  • [13] G. Dong, Y. Zhang, X. Wang, P. Wang, and L. Liu, “Detecting cross site scripting vulnerabilities introduced by HTML5,” in 2014 11th International Joint Conference on Computer Science and Software Engineering (JCSSE). Chon Buri: IEEE, May 2014, pp. 319–323. [Online]. Available: https://ieeexplore.ieee.org/document/6841888/
  • [14] L. Lei, M. Chen, C. He, and D. Li, “XSS Detection Technology Based on LSTM-Attention,” in 2020 5th International Conference on Control, Robotics and Cybernetics (CRC). Wuhan, China: IEEE, Oct. 2020, pp. 175–180. [Online]. Available: https://ieeexplore.ieee.org/document/9253484/
  • [15] D. M. W. Powers, “What the F-measure doesn’t measure: Features, Flaws, Fallacies and Fixes,” arXiv:1503.06410 [cs, stat], Sep. 2019, arXiv: 1503.06410. [Online]. Available: http://arxiv.org/abs/1503.06410
There are 15 citations in total.

Details

Primary Language English
Subjects Artificial Intelligence, Computer Software
Journal Section Araştırma Articlessi
Authors

Beraat Buz 0000-0002-9455-1537

Berke Gülçiçek 0000-0002-2282-5404

Şerif Bahtiyar 0000-0003-0314-2621

Publication Date July 30, 2021
Published in Issue Year 2021 Volume: 9 Issue: 3

Cite

APA Buz, B., Gülçiçek, B., & Bahtiyar, Ş. (2021). A Hybrid Machine Learning Model to Detect Reflected XSS Attack. Balkan Journal of Electrical and Computer Engineering, 9(3), 235-241. https://doi.org/10.17694/bajece.927417

All articles published by BAJECE are licensed under the Creative Commons Attribution 4.0 International License. This permits anyone to copy, redistribute, remix, transmit and adapt the work provided the original work and source is appropriately cited.Creative Commons Lisansı