Please use this identifier to cite or link to this item:
http://hdl.handle.net/123456789/968
Title: | S2MXS2: Server Side Approach to Mitigating XSS Attacks Using Regular Expression |
Authors: | Benjamin, B.C.; Oladeji, F.A.; Okolie, C.C.; Alakiri, H.O.; Olisa, O. |
Keywords: | cross-site scripting web application PHP Filter firewall regular expression |
Issue Date: | 2013 |
Publisher: | Journal of Emerging Trends in Engineering and Applied Sciences (JETEAS) |
Series/Report no.: | Vol. 4; No. 6; Pp 875 - 882 |
Abstract: | The most dreaded web application attacks, called Cross Site Scripting (XSS) attacks, are still on the increase
despite the research efforts being made. Usually, hackers upload XSS vectors into any vulnerable web site and
wait for innocent victims who visit these sites. These victims are then attacked and exploited by the hacker’s
XSS vectors. Several existing techniques require technical adjustments on client side browsers and server side
environment variables, while other techniques try to nullify the effects of XSS on users viewing dynamic
contents. Mitigating XSS from server side can guarantee a better result than any other technique because users
are not required to make any configurations on their browsers and no XSS vector will find its way to the client
side. In this research, a framework was developed, which is based on pattern matching using regular
expressions. This framework will detect any occurrence of XSS vectors within the data collected from users and
nullify them before passing it over to the web application for further processing. This implies that the web
application may not store or process any XSS vectors. This framework was implemented using a PHP object-oriented
prototype model that can be easily integrated into an existing web application. Evaluation of the
framework was done using a web-based PHP social network application and the results of our experiment show
that the proposed system is highly efficient in mitigating XSS attacks while maintaining a negligible runtime
overhead on the web server. The purpose of this research is to design a simple XSS attack Filter framework that
can be easily integrated into an existing web application which gives this research the potential of generally
reducing the rate of occurrences of XSS attacks on web applications. |
URI: | http://hdl.handle.net/123456789/968 |
ISSN: | 2141-7016 |
Appears in Collections: | Computer Science |