ŞERİF BAHTİYAR, BERAAT BUZ, BERKE GÜLÇİÇEK

A Hybrid Machine Learning Model to Detect Reflected XSS Attack

Since web technologies are getting more advanced with longer codes, the number of vulnerabilities has increased considerably. Cross-site scripting (XSS) attacks are one of the most common attacks that use vulnerabilities in web applications. There are three types of cross-site scripting attacks namely, reflected, stored, and DOM-based attacks. Reflected XSS attacks are the most common type that is usually implemented by injecting a malicious code into the URL and then sending the URL to the targeted system by using phishing methods, which is a significant threat for recent web applications. Our motivation is the lack of a high-performance detection method of reflected XSS attacks with high accuracy. In this paper, we propose a hybrid machine learning model to detect vulnerabilities related to reflected XSS attacks for a given URL of a website. Our model uses a scanner to discover vulnerabilities in a web site and convolutional neural networks to predict the most common vulnerabilities that may be used for reflected XSS attacks, which makes the proposed model hybrid. We analyzed the model experimentally. Analyses results show that the proposed model is able to detect vulnerable attack surfaces with 99 % accuracy.

PDF

___

[1] “Web Applications vulnerabilities and threats: statistics for 2019.” [Online]. Available: https://www.ptsecurity.com/ww-en/analytics/ webvulnerabilities-2020/
[2] S. Gupta and B. B. Gupta, “Cross-Site Scripting (XSS) attacks and defense mechanisms: classification and state-of-the-art,” International Journal of System Assurance Engineering and Management, vol. 8, no. S1, pp. 512–530, Jan. 2017. [Online]. Available: http://link.springer.com/10.1007/s13198-015-0376-0
[3] “OWASP Top Ten Web Application Security Risks | OWASP.” [Online]. Available: https://owasp.org/www-project-top-ten/
[4] V. Nithya, S. L. Pandian, and C. Malarvizhi, “A Survey on Detection and Prevention of Cross-Site Scripting Attack,” International Journal of Security and Its Applications, vol. 9, no. 3, pp. 139–152, Mar. 2015.
[5] U. Sarmah, D. Bhattacharyya, and J. Kalita, “A survey of detection methods for XSS attacks,” Journal of Network and Computer Applications, vol. 118, pp. 113–143, Sep. 2018. [Online]. Available: https://linkinghub.elsevier.com/retrieve/pii/S1084804518302042
[6] M. Liu, B. Zhang, W. Chen, and X. Zhang, “A Survey of Exploitation and Detection Methods of XSS Vulnerabilities,” IEEE Access, vol. 7, pp. 182004–182016, 2019. [Online]. Available: https://ieeexplore.ieee.org/document/8935148/
[7] G. E. Rodr´ıguez, J. G. Torres, P. Flores, and D. E. Benavides, “Crosssite scripting (XSS) attacks and mitigation: A survey,” Computer Networks, vol. 166, p. 106960, Jan. 2020. [Online]. Available: https://linkinghub.elsevier.com/retrieve/pii/S1389128619311247
[8] E. Galan, A. Alcaide, A. Orfila, and J. Blasco, “A multi-agent scanner´ to detect stored-xss vulnerabilities,” in 2010 International Conference for Internet Technology and Secured Transactions, 2010, pp. 1–6.
[9] L. Li and L. Wei, “Automatic XSS Detection and Automatic Anti-AntiVirus Payload Generation,” in 2019 International Conference on CyberEnabled Distributed Computing and Knowledge Discovery (CyberC). Guilin, China: IEEE, Oct. 2019, pp. 71–76. [Online]. Available: https://ieeexplore.ieee.org/document/8945988/
[10] S. Syaifuddin, D. Risqiwati, and H. A. Sidharta, “Automation Snort Rule for XSS Detection with Honeypot,” in 2018 5th International Conference on Electrical Engineering, Computer Science and Informatics (EECSI). Malang, Indonesia: IEEE, Oct. 2018, pp. 584– 588. [Online]. Available: https://ieeexplore.ieee.org/document/8752961/
[11] X.-Y. Hou, X.-L. Zhao, M.-J. Wu, R. Ma, and Y.-P. Chen, “A Dynamic Detection Technique for XSS Vulnerabilities,” in 2018 4th Annual International Conference on Network and Information Systems for Computers (ICNISC). Wuhan, China: IEEE, Apr. 2018, pp. 34–43. [Online]. Available: https://ieeexplore.ieee.org/document/8842866/
[12] G. Habibi and N. Surantha, “XSS Attack Detection with Machine Learning and n-Gram Methods,” in 2020 International Conference on Information Management and Technology (ICIMTech). Bandung, Indonesia: IEEE, Aug. 2020, pp. 516–520. [Online]. Available: https://ieeexplore.ieee.org/document/9210946/
[13] G. Dong, Y. Zhang, X. Wang, P. Wang, and L. Liu, “Detecting cross site scripting vulnerabilities introduced by HTML5,” in 2014 11th International Joint Conference on Computer Science and Software Engineering (JCSSE). Chon Buri: IEEE, May 2014, pp. 319–323. [Online]. Available: https://ieeexplore.ieee.org/document/6841888/
[14] L. Lei, M. Chen, C. He, and D. Li, “XSS Detection Technology Based on LSTM-Attention,” in 2020 5th International Conference on Control, Robotics and Cybernetics (CRC). Wuhan, China: IEEE, Oct. 2020, pp. 175–180. [Online]. Available: https://ieeexplore.ieee.org/document/ 9253484/
[15] D. M. W. Powers, “What the F-measure doesn’t measure: Features, Flaws, Fallacies and Fixes,” arXiv:1503.06410 [cs, stat], Sep. 2019, arXiv: 1503.06410. [Online]. Available: http://arxiv.org/abs/1503.06410