Please use this identifier to cite or link to this item: https://elibrary.tucl.edu.np/handle/123456789/4148
Title: Server-Side Protection of Web Application Against Cross-Site Scripting Attack
Authors: Subedi, Tek Raj
Keywords: Computer Security;Techniques
Issue Date: 2009
Publisher: Department of Computer Science and Information Technology
Institute Name: Central Department of Computer Science and Information Technology
Level: Masters
Abstract: Web applications are accessed over the Internet and are exposed to the risks that come with it. Clients of a Web application face a range of attack techniques, and attacks using cross-site scripting (XSS) are among the most frequent. XSS is an attack on the privacy of the client: malicious script is injected into a vulnerable Web site and executed in the browser of a client who visits the page or is induced to click a crafted link. It is one of the most common application-level attacks used against Web applications today. The goal of an XSS attack is to steal the client's cookies, or any other sensitive information that identifies the client to the Web site. With the legitimate user's token in hand, the attacker can act as that user in interactions with the site, in other words impersonate the user. This dissertation studies the different XSS attack techniques against Web applications and addresses some prevention techniques based on a server-side filtration mechanism for input and output. XSS is an attack against the Web application that harms its users or clients. Depending on where the protection for the client is placed, solutions fall into three classes: client-side solutions, server-side solutions, and third-party application firewalls. The solution given here protects the client from the server side. Different filtration formats have been defined using regular expressions, and it has been analyzed under which conditions each of the provided filtering formats is appropriate. The defined formats within the server-side solution have been compared; the comparison is not about execution efficiency but about which malicious input formats each one filters. Within the same domain, any number of attacking messages that conform to a defined format can be filtered.
Since XSS is a broad subject, the work covers only specified conditions chosen from the research perspective.
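The abstract describes two server-side layers, regular-expression filtering of input and filtering of output, without giving the patterns themselves. The following is an added illustration, not code from the thesis: the deny-list patterns, the page fragment and the payloads are constructed for this example, and the design is only one reasonable reading of the approach. It shows the point a practitioner would want to check first, that a single pass of a deny-list filter can be bypassed by nesting, so the filter must run to a fixpoint, and that output encoding per context (HTML text, attribute, URL parameter) catches what the deny-list does not enumerate.

```python
import html
import re
from urllib.parse import quote

# Illustrative deny-list patterns, constructed for this example. They stand in
# for the kind of regular-expression "filtering formats" the abstract refers
# to; they are not the thesis's own patterns.
DENY_PATTERNS = [
    re.compile(r"<\s*/?\s*script\b[^>]*>", re.I),   # <script ...> and </script>
    re.compile(r"\bon[a-z]+\s*=", re.I),            # onerror=, onload=, ...
    re.compile(r"javascript\s*:", re.I),            # javascript: URLs
]


def input_filter_once(value: str) -> str:
    """One pass of server-side input filtering: delete every match."""
    for pattern in DENY_PATTERNS:
        value = pattern.sub("", value)
    return value


def input_filter(value: str, max_rounds: int = 10) -> str:
    """Repeat the filter until nothing changes.

    A single pass is bypassable: deleting the inner <script> from
    <scr<script>ipt> reassembles a <script> tag. Iterating to a fixpoint
    closes that hole; bounding the rounds avoids spending unbounded CPU on
    adversarial nesting, and a non-converging input is rejected outright.
    """
    for _ in range(max_rounds):
        cleaned = input_filter_once(value)
        if cleaned == value:
            return cleaned
        value = cleaned
    raise ValueError("input did not converge; reject it")


# Output-side filtering: encode for the context the value is written into.
def encode_for_html(value: str) -> str:
    """Text node or double-quoted attribute value: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_for_url_param(value: str) -> str:
    """Query-string component inside a URL: percent-encode everything unsafe."""
    return quote(value, safe="")


def render_profile(display_name: str, search_term: str) -> str:
    """Assemble a page fragment the way a server-side template would.

    Input filtering is applied on the way in and output encoding on the way
    out. Both layers are used because a deny-list cannot enumerate every
    payload, while encoding is exact for the contexts it is applied to.
    """
    name = input_filter(display_name)
    term = input_filter(search_term)
    return (
        f"<h1>Hello, {encode_for_html(name)}</h1>\n"
        f'<input name="q" value="{encode_for_html(term)}">\n'
        f'<a href="/search?q={encode_for_url_param(term)}">search again</a>'
    )


if __name__ == "__main__":
    # Constructed payloads for demonstration.
    nested = "<scr<script>ipt>alert(1)</scr</script>ipt>"
    print(input_filter_once(nested))  # one pass reassembles <script>alert(1)</script>
    print(input_filter(nested))       # the fixpoint leaves plain text: alert(1)
    print(render_profile('"><img src=x onerror=alert(1)>', 'a&b "c"'))
```

The deny-list deliberately stays small so that the nesting bypass is visible; a production filter would be a separate, longer list, and the output encoding would be done by the templating engine rather than by hand. The comparison the abstract draws between filtering formats can be reproduced by swapping `DENY_PATTERNS` and rerunning the same payloads.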
URI: http://elibrary.tucl.edu.np/handle/123456789/4148
Appears in Collections:Computer Science & Information Technology

Files in This Item:
File                  Size       Format
Cover Page(8).pdf     34.79 kB   Adobe PDF
Chapter Page(1).pdf   547.65 kB  Adobe PDF