
Towards Elimination of Cross-Site Scripting on Mobile Versions of Web Applications

Conference paper

Information Security Applications (WISA 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8267)

Abstract

In this paper, we address the overlooked problem of Cross-Site Scripting (XSS) on mobile versions of web applications. We have surveyed 100 popular mobile versions of web applications and detected XSS vulnerabilities in 81 of them. The inspected sites present a simplified version of the desktop web application for mobile devices; the survey includes sites by Nokia, Intel, MailChimp, Dictionary, Ebay, Pinterest, Statcounter and Slashdot. Our investigations indicate that a significantly larger percentage (81 % vs. 53 %) of mobile web applications are vulnerable to XSS, although their functionality is drastically reduced in comparison to the corresponding desktop web application.

To mitigate XSS attacks for mobile devices, this paper presents a lightweight, blacklist- and regular-expression-based XSS filter for the detection of XSS on mobile versions of web applications, which can be deployed on the client or server side. We have tested our implementation against five different publicly available XSS attack vector lists; none of these vectors were able to bypass our filter. We have also evaluated our filter in the client-side scenario by adding support to two open source mobile applications (WordPress and Drupal); our experimental results show reasonably low overhead, due to the small size of the filter and computationally fast regular expressions. We have contributed an implementation of our XSS detection rules to the ModSecurity firewall engine, and the filter is now part of the OWASP ModSecurity Core Rule Set (CRS): https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_41_xss_attacks.conf.
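As an added illustration of the approach the abstract describes, the following JavaScript implements a small blacklist, regular-expression based XSS detector with an input-normalization step and a timing loop of the kind used to measure client-side overhead. This is example code written for this page; it is not the authors' filter and not the ModSecurity CRS rule the abstract points to. The rule names, the patterns, the `normalize`/`inspect`/`measureOverhead` functions and the sample inputs are all this example's own constructions.

```javascript
// Added example: a minimal blacklist, regex-based XSS detector (not the paper's
// filter, not the ModSecurity CRS rule). Rule names and patterns are constructed
// for illustration; a production filter needs far broader coverage.

const XSS_RULES = [
  // Openers of tags that can carry or load script (optional whitespace/slash after '<').
  { name: 'tag', re: /<\s*\/?\s*(script|iframe|object|embed|style|svg|math|link|meta|base)\b/i },
  // Inline event-handler attributes such as onload= or onerror= (whitespace around '=' allowed).
  { name: 'event-handler', re: /\bon[a-z]+\s*=/i },
  // Script-bearing URL schemes; whitespace before the colon is tolerated.
  { name: 'scheme', re: /(javascript|vbscript|data)\s*:/i },
  // CSS constructs that older engines evaluate as code.
  { name: 'css', re: /\b(expression|url)\s*\(/i },
];

// Undo the encodings an attacker commonly layers over a payload before matching:
// percent-encoding, numeric HTML entities and the named entities that matter for markup.
function normalize(input) {
  let s = String(input);
  try { s = decodeURIComponent(s); } catch (e) { /* malformed %xx sequence: keep the raw text */ }
  s = s.replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePointToString(parseInt(h, 16)));
  s = s.replace(/&#(\d+);?/g, (_, d) => codePointToString(parseInt(d, 10)));
  const named = { lt: '<', gt: '>', quot: '"', apos: "'", amp: '&' };
  s = s.replace(/&(lt|gt|quot|apos|amp);/gi, (_, n) => named[n.toLowerCase()]);
  return s;
}

function codePointToString(cp) {
  return cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
}

// Run every rule over the normalized input; report the first rule that fires.
function inspect(input) {
  const s = normalize(input);
  for (const rule of XSS_RULES) {
    if (rule.re.test(s)) return { blocked: true, rule: rule.name };
  }
  return { blocked: false, rule: null };
}

// Crude client-side overhead measurement: total and per-check cost of inspect().
function measureOverhead(inputs, iterations = 1000) {
  const now = typeof performance !== 'undefined' ? () => performance.now() : () => Date.now();
  const start = now();
  for (let i = 0; i < iterations; i++) {
    for (const s of inputs) inspect(s);
  }
  const totalMs = now() - start;
  return { totalMs, perCheckMicros: (totalMs / (iterations * inputs.length)) * 1000 };
}

// Constructed sample inputs: four classic vectors in different encodings plus benign text.
const SAMPLE_INPUTS = [
  '<script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',
  'javascript:alert(1)',
  '%3Cscript%3E',                       // percent-encoded
  '&lt;svg onload=alert(1)&gt;',        // named-entity encoded
  'Hello, world! 2 < 3 and x=y',        // benign: must not be blocked
];

function runSamples() {
  return SAMPLE_INPUTS.map((input) => ({ input, ...inspect(input) }));
}

for (const r of runSamples()) {
  console.log(`${r.blocked ? 'BLOCK' : 'pass '} ${r.rule || '-'}\t${r.input}`);
}
console.log('overhead:', measureOverhead(SAMPLE_INPUTS, 1000));
```

The patterns are deliberately simple and contain no nested quantifiers, because a backtracking regular expression inside a filter is itself a denial-of-service risk (references 14 and 15 below). As reference 24 argues, a blacklist of this kind is a mitigation layer that an attacker can probe for gaps; it complements, and does not replace, context-aware output encoding in the application.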


Notes

  1. Type Etsy.com into your mobile browser on your phone and you’ll find a simple and optimized version of the Etsy site http://www.etsy.com/.

  2. http://modernizr.com/

  3. Flip the pref to turn on the CSP 1.0 parser for Firefox for Android: https://bugzilla.mozilla.org/show_bug.cgi?id=858780.

  4. http://www.w3.org/TR/CSP/

  5. http://noscript.net/

  6. http://jquerymobile.com/

  7. https://www.trustwave.com/modsecurity-rules-support.php

  8. The complete list of surveyed mobile sites is available at http://pastebin.com/MabbJWWL.

  9. http://en.wikipedia.org/wiki/Pinterest

  10. XSS is now fixed, see http://i.imgur.com/oWwpc1e.jpg

  11. http://www.jobmail.co.za/mobile/employerLogin.php

  12. http://m.moneycontrol.com/mcreg.php

  13. http://portal.motribe.mobi/signup

  14. http://m.homes.com/index.cfm?action=myHomesLogin#signin

  15. Nokia has sent us a Nokia Lumia 800 phone as a part of appreciation and responsible disclosure.

  16. For interested readers, we will soon publish a technical report titled “A Footprint of Third-Party Tracking on Mobile Web”.

  17. http://jquerymobile.com/

  18. http://m.nlb.gov.sg/theme/default/js/validate.js

  19. The URL 0x.lv has been developed by Eduardo Vela of Google.

  20. We have collected a list of some of the state-of-the-art XSS vectors here: http://pastebin.com/BdGXfm0D.

  21. http://jsfiddle.net/Nz5ad/

  22. http://jsfiddle.net/dDBdP/

  23. http://jsfiddle.net/dDBdP/1/

  24. http://jsfiddle.net/dDBdP/2/

  25. http://jsfiddle.net/dDBdP/3/

  26. http://jsfiddle.net/7aUu8/

  27. http://jsfiddle.net/GPPB6/

  28. http://jsfiddle.net/h2XWN/1/

  29. http://jsfiddle.net/xsrDj/

  30. http://jsfiddle.net/F58Zd/

  31. http://jsfiddle.net/JMEFE/

  32. http://jsfiddle.net/5X6E6/

  33. http://jsfiddle.net/KmQUF/

  34. http://jsfiddle.net/Cm7JT/

  35. https://www.owasp.org/index.php/DOM_Based_XSS

  36. http://en.wikipedia.org/wiki/Cross-site_scripting

  37. Galadrim https://twitter.com/g4l4drim

  38. http://xss2.technomancie.net/suite/47/run and http://xss2.technomancie.net/suite/48/run

  39. https://developers.google.com/chrome/mobile/docs/debugging

  40. https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/master/base_rules

References

  1. Wassermann, G., Su, Z.: Static detection of cross-site scripting vulnerabilities. In: ICSE 2008. http://dl.acm.org/citation.cfm?id=1368112

  2. Controlling the XSS filter. http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-/protection-http-header.aspx

  3. Cook, S.: A web developer’s guide to cross-site scripting (January 2003). http://www.giac.org/practical/GSEC/Steve_Cook_GSEC

  4. WhiteHat Security’s Website Security Statistics Report (May 2013). https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf

  5. Do mobile and desktop interfaces belong together? http://mobile.smashingmagazine.com/2012/07/19/do-mobile-desktop-interfaces-belong-together/more-130354

  6. Mobile site vs. full site. http://www.nngroup.com/articles/mobile-site-vs-full-site/

  7. Regular expression language – quick reference. http://msdn.microsoft.com/en-us/library/az24scfc.aspx

  8. Regular expression tutorial. http://www.regular-expressions.info/tutorialcnt.html

  9. Regular expressions cheat sheet. http://www.cheatography.com/davechild/cheat-sheets/regular-expressions/

  10. Regular expressions. https://developer.mozilla.org/en-US/docs/JavaScript/Guide/Regular_Expressions

  11. Measuring time with JavaScript. http://webdesign.onyou.ch/2010/11/30/measure-time-with-javascript/

  12. Accuracy of JavaScript time. http://ejohn.org/blog/accuracy-of-javascript-time/

  13. NoScript anywhere. http://noscript.net/nsa/

  14. redos.js - JavaScript test program for regular expression DoS attacks. http://www.computerbytesman.com/redos/retime_js.source.txt

  15. Regular expression denial of service. http://en.wikipedia.org/wiki/ReDoS

  16. Singh, K.: Can mobile learn from the Web? In: W2SP 2012. http://www.w2spconf.com/2012/papers/w2sp12-final13.pdf

  17. OWASP top 10 mobile risks. https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks

  18. XUL (XML User Interface Language). https://developer.mozilla.org/en-US/docs/XUL

  19. Mozilla developer platforms mobile. https://groups.google.com/group/mozilla.dev.platforms.mobile/browse_thread/thread/ff8d89bfa28383bb?pli=1

  20. Knowyourelements. http://www.knowyourelements.com/#tab=list-view&date=2013-01-24

  21. A complete guide of jQuery mobile for beginners. http://www.webappers.com/2013/03/15/a-complete-guide-of-jquery-mobile-for-beginners/

  22. Athanasopoulos, E., Pappas, V., Krithinakis, A., Ligouras, S., Markatos, E., Karagiannis, T.: xJS: practical XSS prevention for web application development. In: Proceedings of the 2010 USENIX Conference on Web Application Development (2010)

  23. Bisht, P., Venkatakrishnan, V.N.: XSS-GUARD: precise dynamic prevention of cross-site scripting attacks. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 23–43. Springer, Heidelberg (2008)

  24. Bates, D., Barth, A., Jackson, C.: Regular expressions considered harmful in client-side XSS filters. In: WWW (2010). http://www.collinjackson.com/research/xssauditor.pdf

  25. Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N.: Noxes: a client-side solution for mitigating cross-site scripting attacks. In: Proceedings of the 2006 ACM Symposium on Applied Computing, pp. 330–337. ACM (2006)

  26. Ismail, O., Etoh, M., Kadobayashi, Y., Yamaguchi, S.: A proposal and implementation of automatic detection/collection system for cross-site scripting vulnerability. In: AINA (2004)

  27. Nadji, Y., Saxena, P., Song, D.: Document structure integrity: a robust basis for cross-site scripting defense. In: NDSS (2009)

  28. Robertson, W., Vigna, G.: Static enforcement of web application integrity through strong typing. In: Proceedings of the 18th Conference on USENIX Security Symposium, SSYM’09, pp. 283–298. USENIX Association, Berkeley (2009)

  29. Vogt, P., Nentwich, F., Jovanovic, N., Kirda, E., Kruegel, C., Vigna, G.: Cross site scripting prevention with dynamic data tainting and static analysis. In: Proceedings of the Network and Distributed System Security Symposium (NDSS)

  30. Barth, A., Jackson, C., Mitchell, J.C.: Securing browser frame communication. In: 17th USENIX Security (2008)

  31. Stamm, S., Sterne, B., Markham, G.: Reining in the web with content security policy. In: WWW (2010)

  32. Oda, T., Wurster, G., van Oorschot, P., Somayaji, A.: SOMA: mutual approval for included content in web pages. In: CCS (2008)

  33. Jim, T., Swamy, N., Hicks, M.: Defeating script injection attacks with browser enforced embedded policies. In: WWW (2007)

  34. OWASP ModSecurity core rule set project. https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

  35. Apache module mod_proxy. http://httpd.apache.org/docs/2.2/mod/mod_proxy.html


Acknowledgements

The authors would like to thank @0x6D6172696F, @insertScript, @ryancbarnett, @garethheyes, @ma1, @avlidienbrunn, @mathias, @secalert, @g4l4drim and many more from Twitter “infosec community” for their help and anonymous reviewers for their comments. This work has been supported by the Ministry of Economic Affairs and Energy of the State of North Rhine-Westphalia (Grant 315-43-02/2-005-WFBO-009).

Author information

Correspondence to Ashar Javed.

Appendix

Table 3. Top sites whose mobile versions are vulnerable to XSS.
Table 4. Regular expression (RE) syntax description [7].
Table 5. Miscellaneous regular expression (RE) classes along with their respective XSS vectors.


Copyright information

© 2014 Springer International Publishing Switzerland

Cite this paper

Javed, A., Schwenk, J. (2014). Towards Elimination of Cross-Site Scripting on Mobile Versions of Web Applications. In: Kim, Y., Lee, H., Perrig, A. (eds) Information Security Applications. WISA 2013. Lecture Notes in Computer Science, vol. 8267. Springer, Cham. https://doi.org/10.1007/978-3-319-05149-9_7

  • DOI: https://doi.org/10.1007/978-3-319-05149-9_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-05148-2

  • Online ISBN: 978-3-319-05149-9