Detection of Cross-Site Scripting Attacks using Dynamic Analysis and Fuzzy Inference System

Abstract

Many prevalent problems of web applications are induced by injected codes, which pose great security threats. Vulnerabilities found in web applications are commonly typically exploited to perpetrate attacks. With cross-site scripting (XSS), attackers can infuse malevolent contents into website pages, in this way gaining accessprivileges to sensitive page content of the user such as, session cookies, user’s data or credentials and several other information often kept up by the browser on behalf of the users. This paper presents a hybrid mechanism for detecting XSS attacks using Dynamic Analysis and Fuzzy Inference. The approach scans the website for possible points of injection before generating an attack vector launched via an HTTP request to a web application. The analysis of the HTTP response predicts the presence of an attack vector. The detection capability of the system is evaluated using some active world web applications and the results show a high rate of detection.