Journal: Journal of network and computer applications

A survey of detection methods for XSS attacks


Abstract

The cross-site scripting attack (abbreviated as XSS) has been an unremitting problem for Web applications since the early 2000s. It is a code injection attack on the client-side where an attacker injects malicious payload into a vulnerable Web application. The attacker is often successful in eventually executing the malicious code in an innocent user's browser without the user's knowledge. With an XSS attack, an attacker can perform malicious activities such as cookie stealing, session hijacking, redirection to other malicious sites, downloading of unwanted software and spreading of malware. The primary categories of XSS attacks are non-persistent and persistent XSS attacks. This survey focuses on comprehensively studying the detection methods available in the literature for XSS attacks. The detection methods discussed in this study are classified according to their deployment sites and further sub-classified according to the analysis mechanism they employ. Along with discussing the pros and cons of each method, this survey also presents a list of tools that support detection of XSS attacks. We also discuss in detail three preconditions that have to be met in order to successfully launch an XSS attack. One of the prime objectives of this survey is to identify a list of issues and open research challenges. This survey can be used as a foundational reading manual by anyone wishing to understand, assess, establish or design a detection mechanism to counter XSS attacks.