XSSDS: Server-side Detection of Cross-site Scripting Attacks
Source: University of Hamburg
Cross-site Scripting (XSS) has emerged as one of the most prevalent types of security vulnerabilities. While the cause of the vulnerability lies primarily on the server side, the actual exploitation takes place within the victim's web browser on the client side. Therefore, an operator of a web application has only very limited evidence of XSS issues. XSS-related problems are therefore often overlooked or recognized rather late. In this paper, XSSDS, a server-side Cross-site Scripting detection system, is proposed to identify successful XSS attacks. The system uses two novel detection approaches that are based on generic observations of XSS attacks and web applications. A prototypical implementation demonstrates the approach's capabilities to reliably detect XSS attacks while maintaining a tolerable false positive rate. A data set of 500,000 individual HTTP request/response pairs from 95 popular web applications is compiled for the purpose, in combination with both real-world and manually crafted XSS exploits. The detection approach results in a total of zero false negatives for all tests, while maintaining an excellent false positive rate for more than 80% of the examined web applications. As the approach is completely passive and solely requires read access to the application's HTTP traffic, it is applicable to a wide range of scenarios and works together with all existing web technologies.